
Configure a Router AAA TACACS

ricardo-morales
Level 1

I installed the ACS 4.0 server but I can't get it to work with a router or switch. Can someone post a configuration for the server and the router so that they work together?


a.kiprawih
Level 7

Router/Switch Config

aaa new-model
! enable-mode authentication: ask TACACS+ first, fall back to the local database
aaa authentication enable default group tacacs+ local
! authorization: exec shell and network services
aaa authorization exec default group tacacs+ local
aaa authorization network default group tacacs+ if-authenticated local
! accounting: exec sessions, privilege-15 commands, network and connection events
aaa accounting exec default start-stop group tacacs+
aaa accounting commands 15 default start-stop group tacacs+
aaa accounting network default start-stop group tacacs+
aaa accounting connection default start-stop group tacacs+
!
! server definition: one host entry with its own key; the global key below
! is the fallback for any host entry that has no per-host key
tacacs-server host 10.1.2.3 key cisco123
tacacs-server timeout 20
tacacs-server directed-request
tacacs-server key cisco123

Optional:

Use Loopback0 as the tacacs source interface, as a loopback interface never goes down:

!
interface loopback0
 ip address 10.1.1.254 255.255.255.255

Note:

The 'default' keyword in the aaa commands above automatically applies the method list to all access sessions into the router/switch.

ACS Server Config:

Go to the ACS menu (via web browser).

1. Create a Network Device Group
   - You can use a Network Device Group (NDG) for easy device/group identification, or just use the default group. Click on the default group or create a group.
   - The 'Add AAA Client' page will appear after creating the group or clicking on the default group.

2. Add the router/switch as an AAA Client
   a. Click 'Network Configuration' - 'Add AAA Client'
   b. Enter:
      AAA Client Hostname:
      IP Address: 10.1.1.254
      Key: cisco123 ---> use any preferred key
      Network Device Group:
      Authenticate Using: TACACS+ (Cisco IOS)

3. Identify/assign the ACS server as the TACACS+ authentication server
   a. Click on the NDG if you have one, or under 'AAA Server' click 'Add Entry'.
   b. Key in the server hostname, IP address, and a secret key identical to the key used in the router/switch (cisco123).

To save the ACS config, click the 'Submit + Restart' button.

Refer to the attached doc and the URL below for more details.

http://www.cisco.com/en/US/products/sw/iosswrel/ps1835/products_configuration_guide_chapter09186a00800ca7a7.html

HTH

AK

Config to specify Loopback0 as the source interface for tacacs+ authentication:

ip tacacs source-interface Loopback0

AK

I believe that you have provided mostly good advice. I would question this line:

aaa authentication enable default group tacacs+ local

I question using local as the fall back method for authenticating the enable password. I believe it is better to configure it this way:

aaa authentication enable default group tacacs+ enable

Also I believe that the configuration needs a line configuring login authentication. It might look like this:

aaa authentication login default group tacacs+ line

I would emphasize your advice about using the loopback interface as the source address for tacacs. This is especially important when the router (or switch) has more than one interface that is a potential path to the tacacs server. The tacacs server can recognize only a single address from the router (or switch). If you do not specify the source address then the router (or switch) will default to using the address of the outbound interface. If the primary interface happens to be down and the router is sending out the other interface then tacacs will not be able to authenticate or authorize. Specifying the source address as the loopback fixes this and tacacs will be able to process no matter which interface is sending the traffic.

HTH

Rick


Thanks for the feedback.

The config options depend on the final decision by the owner, who can refer to the details of the config/implementation in the URL link and the attached doc. Here we normally share/suggest configs, some of which might be applied directly and some of which might be used as guidelines or references.

Anyway, the reason for local instead of enable was to have another layer of control when ACS is not available to authenticate, i.e. an operator might not need to go as far as other admins with higher privilege, plus keeping the enable password to certain (authorized) folks only.

But having said that, it is not compulsory to strictly use local or enable as the last resort.

Without ACS, some might use the local database in the router/switch to keep individual accounts with different privileges for logging in. With ACS, some will probably get rid of all of them, or maintain some of them. It all depends on their requirements.

BTW, the tacacs source interface command was in the next post. I missed the line.

My 2-cent opinion.

Cheers!

AK

The missing part was "aaa authentication login default group tacacs+ local": enable instead of login (mixed up...).

For certain devices use a named list (aaa authentication login TELNET group tacacs+ local), while others use the default (aaa authentication login default group tacacs+ local).
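To put the thread's pieces together, here is a complete router-side configuration as an added example; it is not code from any post above and is not a Cisco-supplied template. It combines the accepted solution's login method list with the server, source-interface and enable-fallback lines discussed by AK and Rick. The ACS address 10.1.2.3, the key cisco123 and the Loopback0 address 10.1.1.254 are the thread's values; the method list name CONSOLE, the local username admin and the password placeholders in angle brackets are assumptions. The console line gets its own method list with a local fallback so that a TACACS+ outage cannot lock you out of the box, a check the thread does not spell out.

```cisco
! Added example, not from the thread. Assumed values: list name CONSOLE,
! local user admin, and the <...> password placeholders.
!
! Order matters: create the local fallback account and the enable secret
! BEFORE 'aaa new-model', because from that moment every login is subject
! to a method list.
username admin privilege 15 secret <strong-local-password>
enable secret <strong-enable-secret>
!
aaa new-model
!
! Login authentication (the line the original post was missing).
!   default -> applied to every line without an explicit list (vty, aux)
!   CONSOLE -> console falls back to the local database, so the box stays
!              recoverable if ACS is unreachable
aaa authentication login default group tacacs+ local
aaa authentication login CONSOLE group tacacs+ local
!
! Enable-mode authentication: TACACS+ first, then the local enable secret
! (Rick's 'enable' fallback rather than 'local').
aaa authentication enable default group tacacs+ enable
!
! Authorization. 'if-authenticated' means that while ACS is down, any user
! who authenticated (including against the local fallback account) may run
! privilege-15 commands, so protect that account like the enable secret.
aaa authorization exec default group tacacs+ local
aaa authorization commands 15 default group tacacs+ if-authenticated
!
! Accounting as posted by AK.
aaa accounting exec default start-stop group tacacs+
aaa accounting commands 15 default start-stop group tacacs+
!
! Server definition: a single host entry carrying its key (no duplicate
! host line). A short timeout keeps the local fallback responsive.
tacacs-server host 10.1.2.3 key cisco123
tacacs-server timeout 5
!
! Source every TACACS+ packet from Loopback0 so ACS sees one stable
! client address no matter which physical interface forwards the packet.
interface Loopback0
 ip address 10.1.1.254 255.255.255.255
!
ip tacacs source-interface Loopback0
!
line con 0
 login authentication CONSOLE
line vty 0 4
 login authentication default
 transport input ssh
!
! Verification (exec mode), from a SECOND session while the one you
! configured from stays open:
!   show tacacs                                   server state and counters
!   test aaa group tacacs+ admin <pw> new-code    end-to-end authentication
!   debug tacacs  /  debug aaa authentication     watch the exchange
```

Apply the username and enable secret first, keep the session you configured from open, and only save to startup-config after `test aaa group tacacs+` succeeds from a second session and `show tacacs` shows the server as up; if the ACS entry's IP does not match the Loopback0 address, the server will silently reject the router and every login will fall through to the local method.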