Buy or Renew
Buy or Renew
Duo Security forums now LIVE! Get answers to all your Duo Security questions. Learn more
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
1254
Views
0
Helpful
1
Replies

Test Plan for AAA (TACACS) IMPLEMENTATION

Alfredcfc
Level 1
Level 1

‎11-05-2019 04:04 AM - edited ‎02-21-2020 09:39 AM

 

 

 

TEST PLAN FOR TACACS+

  1. So we are implementing tacacs on all our firewalls in the next week or so I have some doubts so that I don’t lock myself out.
  2. I First thought most cases of users locking themselves out was due to the authorization part.
  3. So here was my testing plan

 

 

 

1.ADD THE SERVER GROUP to the firewall.

2.use the following command

   “test aaa-server authentication” àto check if the username and password is working properly

 3.next to test the authorization

   “test aaa-server authorization “ to test the following commands are allowed for my account

    1.enableà because I am going to use the aaa server group to authorize enable command too.

    2.wr

    3.reload

   4.exit

   5.end

 

  Etc.

 

I am to enter the following commands:

aaa authentication enable console MY_TACACS  LOCAL

aaa authentication http console MY_TACACS LOCAL

aaa authentication ssh console MY_TACACS LOCAL

aaa authorization command  MY_TACACS  LOCAL                   

 

Then after everything is fine  I am going to save the configurat

 

Please let me know if you find any flaws in the test method or if you have any other suggestion

0 Helpful
1 Reply 1

Marvin Rhoads
Hall of Fame
Hall of Fame

‎11-05-2019 04:39 AM

You haven't mentioned what AAA server you are using. Whatever it is I assume you will have access to it so that you are able to troubleshoot any issues from that side as needed. One trick, if it is a VM and you have access to the ESXi interface is that you can "disconnect" the TACACS server virtually and thus have the ASA fall back to local method (which we assume is already working).

If you have an approved outage window, one thing you can do when changing things like aaa remotely is to schedule a "reload in 10" (minutes) just before making the changes. That way if you get locked out halfway through, the device will reload before you have written the configuration.

0 Helpful
Getting Started

Find answers to your questions by entering keywords or phrases in the Search bar above. New here? Use these resources to familiarize yourself with the community:

Customers Also Viewed These Support Documents
Review Cisco Networking products for a $25 gift card