topic Re: Reg: Tacacs configuration in Network Access Control

Reg: Tacacs configuration

cisco.anubhav — Mon, 11 Mar 2019 00:11:07 GMT

Hi All,

I m trying to set up AAA authentication of around 300 routers through Cisco TACACS,i installed acs4.2 on a windows 2003 server and put following AAA commands in the router,tacacs server host and key mentioned on trialrouter

aaa new-model

aaa authentication login default group tacacs+ local

aaa authentication login NO_AUTHEN none

aaa authorization config-commands

aaa authorization exec default group tacacs+ if-authenticated

aaa authorization exec NO_AUTHOR none

aaa authorization commands 1 default group tacacs+ if-authenticated

aaa authorization commands 1 NO_AUTHOR none

aaa authorization commands 15 default group tacacs+ if-authenticated

aaa authorization commands 15 NO_AUTHOR none

aaa authorization network serial none

aaa accounting exec default start-stop group tacacs+

aaa accounting commands 15 default stop-only group tacacs+

aaa session-id common

then i created a user and mentioned a secret key on the acs server,i added this router as AAA client , the router stopped responding to previous login name and password but was not responding to username defined in the acs,where am i makin a mistake?Kindly help.

Thanks.

Re: Reg: Tacacs configuration

Jatin Katyal — Fri, 11 Jun 2010 11:32:47 GMT

Anu,

Are you getting tacacs user-name \\ password prompt ?

if you are getting user-name \\ password prompt and its not taking tacacs credentials, could you please login with local user-name \\ password and run the debugs.

debug tacacs

debug aaa authentication

term mon

After this try to login again with tacacs user-name \\ password and send me the output.

Do attach the failed attemopts from the ACS >> reports and activity.

HTH
JK

Do rate helpful posts-

Re: Reg: Tacacs configuration

Jagdeep Gambhir — Fri, 11 Jun 2010 15:41:20 GMT

Hi Anu,

On Layer 3 device we should have tacacs source interface defined since there are more then one interface. To use the IP address of a specified interface for all outgoing TACACS+ packets, use the ip tacacs source-interface command in global configuration or server-group configuration mode.

The following example makes TACACS+ use the IP address of subinterface "s2" for all outgoing TACACS+ packets:

ip tacacs source-interface s2

Usage Guidelines

Use this command to set the IP address of a subinterface for all outgoing TACACS+ packets. This address is used as long as the interface is in the up state. In this way, the TACACS+ server can use one IP address entry associated with the network access client instead of maintaining a list of all IP addresses.

This command is especially useful in cases where the router has many interfaces and you want to ensure that all TACACS+ packets from a particular router have the same IP address.The specified interface must have an IP address associated with it. If the specified subinterface does not have an IP address or is in a down state, TACACS+ reverts to the default. To avoid this situation, add an IP address to the subinterface or bring the interface to the up state.

If there is still any issue please share the debugs.

Regards,

~JG

Do rate helpful posts

Re: Reg: Tacacs configuration

cisco.anubhav — Sat, 12 Jun 2010 07:51:21 GMT

Dear All,

I logged into the AAA client using user configured in acs and password,but i am not able to run any command as it gives error
Command authorization failed.
^
% Invalid input detected at '^' marker.

the AAA command are given above,Kindly suggest what should i do to run the commands.

Re: Reg: Tacacs configuration

Jatin Katyal — Sat, 12 Jun 2010 09:42:09 GMT

Anu,

Create a full access command set by looking the link

http://www.cisco.com/en/US/products/sw/secursw/ps2086/products_configuration_example09186a00808d9138.shtml#scenario1

After that associate the command set with the group where user belongs to.

http://www.cisco.com/en/US/products/sw/secursw/ps2086/products_configuration_example09186a00808d9138.shtml#asso1

HTH
JK

Do rate helpful posts-

Re: Reg: Tacacs configuration

cisco.anubhav — Sat, 12 Jun 2010 11:02:13 GMT

Hi,

I could get full level 15 access to my test router through TACACS.I have to get 900 routers authenticated using TACACS,believe it supports the no..I wish to create three level of users just like suggested in the link,should i create three users with different permissions and use them on clients as i wish to keep all the clients in the default group.

Kindy suggest if this is fine or any other approch should be there.

Re: Reg: Tacacs configuration

Jatin Katyal — Sat, 12 Jun 2010 11:20:32 GMT

For different permission level, check this:

http://www.cisco.com/en/US/products/sw/secursw/ps2086/products_configuration_example09186a00808d9138.shtml#backinfo

HTH

Do rate helpful posts-

Re: Reg: Tacacs configuration

cisco.anubhav — Tue, 15 Jun 2010 13:16:51 GMT

Hi,

I prepared two command sets in ACS and got few devices authorized butat that very moment console login is also autheticated,which i dont plan to do.I wish that console access remains non authenticated.At the moment when trying to login,Authentication fails when i tried to login using local user login and password.

Kindly help.

Thanks.

Re: Reg: Tacacs configuration

Jagdeep Gambhir — Tue, 15 Jun 2010 14:56:34 GMT

Hi Anu,

For that we need to set up Method list so that console is authenticated locally. Here are the commands we need

Router(config)# username [username] password [password]
tacacs-server host [ip]
tacacs-server key [key]

aaa new-model
aaa authentication login default group tacacs+ local

aaa authentication login con local

        aaa authorization exec default group tacacs+ if-authenticated
        aaa authorization commands 1 default group tacacs+ if-authenticated
        aaa authorization commands 15 default group tacacs+ if-authenticated
        aaa authorization config-commands

line con 0

Router(config-line)# login authentication con-----> Where " con" is the name of method list we created above.

Regards,

~JG

Do rate helpful post