11-26-2006 05:23 AM - edited 03-10-2019 02:51 PM
I installed the Server ACS 4.0 but I can't get it to work with a router or switch. Can someone post a configuration for me, for the server and the router, so that it works properly?
11-26-2006 10:04 PM
The missing part was "aaa authentication login default group tacacs+ local"; enable was used instead of login (mixed up...).
For certain devices (aaa authentication login TELNET group tacacs+ local), while for others the default (aaa authentication login default group tacacs+ local).
11-26-2006 04:44 PM
Router/Switch Config
aaa new-model
aaa authentication enable default group tacacs+ local
aaa authorization exec default group tacacs+ local
aaa authorization network default group tacacs+ if-authenticated local
aaa accounting exec default start-stop group tacacs+
aaa accounting commands 15 default start-stop group tacacs+
aaa accounting network default start-stop group tacacs+
aaa accounting connection default start-stop group tacacs+
!
tacacs-server host 10.1.2.3 key cisco123
tacacs-server host 10.1.2.3
tacacs-server timeout 20
tacacs-server directed-request
tacacs-server key cisco123
Optional:
Use Loopback0 as the tacacs source interface, as the Loopback interface never goes down.
!
interface loopback0
ip address 10.1.1.254 255.255.255.255
Note:
The above 'default' keyword under aaa will auto-apply aaa authentication for all access sessions into the router/switch.
ACS Server Config:
Go to ACS Menu (via web browser)
1. Create Network Device Group
- You can use Network Device Group (NDG) for easy device/group identification, or just use default group. Click on default or create a group.
- The 'Add AAA Client' page will appear after creating the group or click on default group.
2. Add router/switch as AAA Client
a. Click 'Network Configuration - Add AAA Client'
b. Enter:
AAA Client Hostname:
IP Address: 10.1.1.254
Key: cisco123 ---> use any preferred key
Network Device Group:
Authenticate Using: TACACS+ (Cisco IOS)
3. Identify/assign ACS Server as tacacs+ authentication server
a. Click on the NDG if you have any, or under 'AAA Server', click Add Entry.
b. Key in the server hostname, IP Address, and a secret key identical to the key used in the router/switch (cisco123)
To save ACS config, click 'submit+restart' button.
Refer to the attached doc and url below for more details.
HTH
AK
11-26-2006 04:47 PM
Config to specify Loopback0 as the source interface for tacacs+ authentication:
ip tacacs source-interface Loopback0
11-26-2006 07:23 PM
AK
I believe that you have provided mostly good advice. I would question this line:
aaa authentication enable default group tacacs+ local
I question using local as the fall back method for authenticating the enable password. I believe it is better to configure it this way:
aaa authentication enable default group tacacs+ enable
Also I believe that the configuration needs a line configuring login authentication. It might look like this:
aaa authentication login default group tacacs+ line
I would emphasize your advice about using the loopback interface as the source address for tacacs. This is especially important when the router (or switch) has more than one interface that is a potential path to the tacacs server. The tacacs server can recognize only a single address from the router (or switch). If you do not specify the source address then the router (or switch) will default to using the address of the outbound interface. If the primary interface happens to be down and the router is sending out the other interface then tacacs will not be able to authenticate or authorize. Specifying the source address as the loopback fixes this and tacacs will be able to process no matter which interface is sending the traffic.
HTH
Rick
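As an added example (not from this thread or from Cisco), a small Python audit that checks an IOS AAA snippet for the points raised in the posts above: a missing login method list, enable authentication falling back to local, no tacacs source interface, duplicate tacacs-server host entries, and a device key that differs from the one entered on the ACS 'Add AAA Client' page. The two sample configs are constructed from the lines posted in this thread, and the function name is hypothetical.

```python
import re

# Constructed sample: the router/switch AAA config posted earlier in this
# thread, trimmed to the lines the replies discuss.
POSTED_CONFIG = """
aaa new-model
aaa authentication enable default group tacacs+ local
aaa authorization exec default group tacacs+ local
tacacs-server host 10.1.2.3 key cisco123
tacacs-server host 10.1.2.3
tacacs-server key cisco123
"""

# Constructed sample: the same config with the lines suggested in the replies applied.
REVISED_CONFIG = """
aaa new-model
aaa authentication login default group tacacs+ line
aaa authentication enable default group tacacs+ enable
aaa authorization exec default group tacacs+ local
tacacs-server host 10.1.2.3 key cisco123
ip tacacs source-interface Loopback0
"""

def audit_aaa(config, acs_key=None):
    """Flag the AAA issues raised in this thread; returns a list of finding strings.
    acs_key, if given, is the key entered on the ACS 'Add AAA Client' page."""
    lines = [l.strip() for l in config.splitlines()
             if l.strip() and not l.strip().startswith("!")]
    findings = []
    if "aaa new-model" not in lines:
        findings.append("missing 'aaa new-model'")
    if not any(l.startswith("aaa authentication login ") for l in lines):
        findings.append("no 'aaa authentication login' method list")
    for l in lines:
        m = re.match(r"aaa authentication enable default (.+)", l)
        if m and m.group(1).split()[-1] == "local":
            findings.append("enable authentication falls back to 'local'")
    if not any(l.startswith("ip tacacs source-interface") for l in lines):
        findings.append("no 'ip tacacs source-interface' configured")
    hosts = [l.split()[2] for l in lines if l.startswith("tacacs-server host ")]
    for h in sorted(set(hosts)):
        if hosts.count(h) > 1:
            findings.append(f"tacacs-server host {h} defined {hosts.count(h)} times")
    # The shared secret on the device must equal the key entered in ACS.
    keys = {m.group(1) for l in lines for m in [re.search(r"\bkey (\S+)$", l)] if m}
    if acs_key is not None and keys and acs_key not in keys:
        findings.append("tacacs-server key does not match the ACS AAA Client key")
    return findings
```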
11-26-2006 07:53 PM
Thanks for the feedback.
The config options depend on the final decision by the owner, as he/she can refer to details on the config/implementation in the URL link and attached doc. Here, we normally share/suggest config that some might apply, and some might use as guidelines or references.
Anyway, the reason for local instead of enable was to have another layer of control when ACS is not available to authenticate, i.e. an operator might not need to go as far as other admins with higher privilege, plus keeping the enable pwd to certain (authorized) folks only.
But having said that, it is not compulsory to strictly use local or enable as a last resort.
Without ACS, some might use the local database in the router/switch to keep individual accounts with different privileges when logging in. With ACS, some will probably get rid of all of it, or maintain some of it. It all depends on their requirements.
BTW, the tacacs source intf command was in the next post. I missed the line.
My 2cent opinion.
Cheers!
AK