Solved: Authentication for switches

cisco.anubhav · ‎12-19-2012

Hi,

I have ben using following AAA commands and getting my routersauthenticated from TACS server SE 4.2.Now i need to get cisco 3560 and 6513 switches authenticated by the same ACS server,kindly suggest if any changes may be required in the commands.

aaa new-model

!

aaa authentication login default group tacacs+ local

aaa authentication login NO_AUTHEN none

aaa authorization config-commands

aaa authorization exec default group tacacs+ if-authenticated

aaa authorization exec NO_AUTHOR none

aaa authorization commands 1 default group tacacs+ if-authenticated

aaa authorization commands 1 NO_AUTHOR none

aaa authorization commands 15 default group tacacs+ if-authenticated

aaa authorization commands 15 NO_AUTHOR none

aaa authorization network serial none

aaa accounting exec default start-stop group tacacs+

aaa accounting commands 15 default stop-only group tacacs+

!

aaa session-id common

Thanks,

kcnajaf · ‎12-19-2012

Hi Anubhav,

Configuration looks fine.

You will have to define tacacs server as below

tacacs-server host x.x.x.x (where x.x.x.x is the radius authetication server)

tacacs-server key (shared key used between ACS and device)

You may have aslo have to use below command if you have multiple L3 interface on your device to specify which interface the tacacs traffic would be using.

ip tacacs source-interface x.x.x.x (this should the interface which you have on your acs as a aaa client)

Hope that helps.

Regards

Najaf

Please rate when applicable or helpful !!!

View solution in original post

kcnajaf · ‎12-19-2012