Test Plan for AAA (TACACS) IMPLEMENTATION

TEST PLAN FOR TACACS+

  1. So we are implementing TACACS on all our firewalls in the next week or so. I have some doubts, so that I don't lock myself out.
  2. I first thought most cases of users locking themselves out were due to the authorization part.
  3. So here was my testing plan:

1. Add the server group to the firewall.

2. Use the following command:

   "test aaa-server authentication" -> to check if the username and password are working properly

3. Next, to test the authorization:

   "test aaa-server authorization" to test that the following commands are allowed for my account:

    1. enable -> because I am going to use the AAA server group to authorize the enable command too.

    2. wr

    3. reload

    4. exit

    5. end

   Etc.

I am to enter the following commands:

aaa authentication enable console MY_TACACS LOCAL

aaa authentication http console MY_TACACS LOCAL

aaa authentication ssh console MY_TACACS LOCAL

aaa authorization command MY_TACACS LOCAL

Then after everything is fine  I am going to save the configurat

Please let me know if you find any flaws in the test method or if you have any other suggestions.


Re: Test Plan for AAA (TACACS) IMPLEMENTATION

You haven't mentioned which AAA server you are using. Whatever it is, I assume you will have access to it so that you are able to troubleshoot any issues from that side as needed. One trick, if it is a VM and you have access to the ESXi interface, is that you can "disconnect" the TACACS server virtually and thus have the ASA fall back to the local method (which we assume is already working).

If you have an approved outage window, one thing you can do when changing things like aaa remotely is to schedule a "reload in 10" (minutes) just before making the changes. That way if you get locked out halfway through, the device will reload before you have written the configuration.
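The lockout risk discussed in the post and the reply comes down to two properties of the planned ASA lines: every `aaa authentication`/`aaa authorization command` line that points at a TACACS+ group must also name `LOCAL` as fallback, and the group it names must actually be defined with `aaa-server`. The pre-flight check below is an added example (not from the thread or from Cisco); it runs over a constructed config sample that contains the poster's four lines plus an `aaa-server` definition with a documentation-range address and one deliberately weak `serial console` line, to show what gets flagged before anything is typed into the firewall.

```python
# Constructed sample: the planned lines from the post, an aaa-server group
# definition (192.0.2.10 is a placeholder address), and one line that omits
# the LOCAL fallback on purpose so the check has something to report.
PLANNED_CONFIG = """\
aaa-server MY_TACACS protocol tacacs+
aaa-server MY_TACACS (inside) host 192.0.2.10
aaa authentication enable console MY_TACACS LOCAL
aaa authentication http console MY_TACACS LOCAL
aaa authentication ssh console MY_TACACS LOCAL
aaa authorization command MY_TACACS LOCAL
aaa authentication serial console MY_TACACS
"""


def lint_aaa_config(config: str) -> list:
    """Return a list of lockout-risk findings; an empty list means none found."""
    groups = set()
    findings = []
    # Pass 1: collect every server group declared with "aaa-server <name> ...".
    for line in config.splitlines():
        words = line.split()
        if len(words) >= 2 and words[0] == "aaa-server":
            groups.add(words[1])
    # Pass 2: inspect each aaa authentication / authorization line.
    for line in config.splitlines():
        words = line.split()
        if len(words) < 3 or words[0] != "aaa":
            continue
        # Shapes handled:
        #   aaa authentication <service> console <group> [LOCAL]
        #   aaa authorization command <group> [LOCAL]
        if words[1] == "authentication" and len(words) >= 5 and words[3] == "console":
            group, tail = words[4], words[5:]
        elif words[1] == "authorization" and words[2] == "command" and len(words) >= 4:
            group, tail = words[3], words[4:]
        else:
            continue
        if group == "LOCAL":
            continue  # local-only line: unaffected by the TACACS+ server going away
        if group not in groups:
            findings.append(f"{line!r}: server group {group} is not defined")
        if "LOCAL" not in tail:
            findings.append(f"{line!r}: no LOCAL fallback")
    return findings


if __name__ == "__main__":
    for finding in lint_aaa_config(PLANNED_CONFIG):
        print(finding)
```

Running it against the sample reports only the `serial console` line, which is the one that would strand you if the server were unreachable; the reply's `reload in 10` trick is still worth scheduling for the cases a static check cannot see, such as a wrong shared key.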