topic Re: Configuring Cisco 1710 for AAA w/ CSACS in Network Access Control

Configuring Cisco 1710 for AAA w/ CSACS

bwgraybwgray — Sun, 10 Mar 2019 21:02:27 GMT

Hi Everyone,

I am having a bit of a time here working through the Cisco press book trying to configure my 1710 router (IOS 12.2) to connect with a tacacs+ server.

The Server is CSACS v3.3 running on Win2k3. *I think I have that configured correctly.

I am trying the following commands from the Secur Cisco Press Book:

aaa new-model

aaa authentication ppp newlist tacacs+ local

tacacs-server host 20.0.0.2 key labkey

interface ethernet0

ppp authentication default <--- THIS IS THE LINE NOT ACCEPTED

for some reason as soon as I go into the interface mode, ppp is unrecognized. *I am assuming I don't understand something correctly here - or I can only put ppp authentication on Serial Lines?

Thanks Everyone,

BWG

Re: Configuring Cisco 1710 for AAA w/ CSACS

nchopra79 — Thu, 03 Mar 2005 07:35:49 GMT

Hi,

You've got two ways to accomplish the task:

First Configuration:

--------------------

aaa new-model

tacacs-server host 20.0.0.2 key labkey

aaa authentication login default group tacacs+ local

--------------------

The above configuration uses the Keyword "default" under the aaa authentication command line..

"Default" keyword automatically enables the TACACS+/ Radius authentication on every interface of the router, so need not to do any configuration on the Interfaces.

Second Configuration: (the method that ur trying to do)

----------------------

aaa new-model

tacacs-server host 20.0.0.2 key labkey

aaa authentication login newlist group tacacs+ local

-----------------------

Under this configuration, I've changed the keyword "default" with "newlist", this is known as "Method List".

Now, TACACS authentication needs to be enabled manually on every interface or on those interface on which u would like to.

the command which will be used to enable the method list on interfaces will be:

Router(config-if)#login authentication newlist

If you want to authenticate users telnetting into your router, then configure this command under the VTY 0 4 lines not under the Ethernet0 or if you want to authenticate dialin users then you need to configure this command under the Line.

If you are using any specific authentication protocol then you can configure "ppp authentication pap/chap/MSCHAPV2" under ethernet interface, but make sure the same protocol is being used by the ACS server also.

ALL THE BEST !!

Re: Configuring Cisco 1710 for AAA w/ CSACS

bwgraybwgray — Thu, 03 Mar 2005 17:17:53 GMT

Thanks nchopra,

I must say that I'm not too impressed just yet on the Cisco Press book that covers this; it runs through it pretty quickly.

With your explanation, I have a much clearer understanding of what I was setting up; not to mention it works just fine now. 🙂

Thanks Again,

BWG