enable authentication mode on acs

Ibrahim Jamil
Level 6

Hello netpro

How do I configure the ACS 4.2 server, which runs in TACACS+ mode (user accounts configured on the ACS), to authenticate the enable-mode password on the ASA using the same AD account?

thanks

10 Replies

camejia
Level 3

Hello,

My understanding is that you have configured ACS Internal User accounts with Password Authentication against AD as follows:

Screenshot of User Setup for a specific account:

Now, you would like to configure the ACS to check the Enable Password authentication on the ASA for that same ACS Internal User account against AD, i.e. to access the ASA enable mode with the AD password as well. In that case you need to enable the TACACS+ features for the user account under Interface Configuration > TACACS+ (Cisco IOS) and check "Advanced TACACS+ Features".

Go back to the ACS user account and scroll down to: TACACS+ Enable Password and select Windows Database option:

If this was helpful please rate.

Regards.
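The reply above covers the ACS side only. As an added example (not posted by anyone in this thread, and not Cisco's reference configuration), this is the ASA-side configuration that actually sends login and enable-password checks to that ACS. The ACS address 10.1.1.1 is the one used later in the thread; the server tag ACS, the interface name inside, the fallback username and the secrets are assumptions or placeholders.

```cisco
! Added example: ASA pointing login and enable authentication at the ACS.
! Server tag "ACS", interface "inside" and the secrets are assumed values.
aaa-server ACS protocol tacacs+
aaa-server ACS (inside) host 10.1.1.1
 key <SHARED-SECRET>
 timeout 5
!
! Local fallback account so the firewall stays manageable if the ACS is down.
username admin-fallback password <LOCAL-PASSWORD> privilege 15
!
! SSH and serial logins go to ACS; LOCAL is consulted only when the ACS
! is unreachable, not when the ACS rejects the credentials.
aaa authentication ssh console ACS LOCAL
aaa authentication serial console ACS LOCAL
!
! Send the enable-password check to ACS too. With the user's
! "TACACS+ Enable Password" set to the Windows Database option on the ACS,
! the AD password is what the ACS verifies here.
aaa authentication enable console ACS LOCAL
!
! Record who entered enable mode and which commands they ran.
aaa accounting enable console ACS
aaa accounting command ACS
```

Keep the LOCAL fallback entry: without it, a lost ACS means a lost enable prompt. Also note that the ACS account still needs the appropriate privilege level under its TACACS+ settings, otherwise the enable request is refused even though the AD password is correct.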

Hi Carlos

What is the TACACS+ Outbound Password for?

Thanks

Hello,

TACACS+ Outbound Password

TACACS+ Outbound Password enables an AAA client to authenticate itself to another AAA client or end-user client via outbound authentication. The outbound authentication can be PAP, CHAP, MS-CHAP, or ARAP and results in the ACS password being given out. By default, the user's ASCII/PAP or CHAP/MS-CHAP/ARAP password is used. To prevent compromising inbound passwords, you can configure a separate SENDAUTH password. Use this feature only if you are familiar with TACACS+ SendAuth/OutBound passwords.

For your specific scenario you can leave it blank. I just forgot to delete the default "dots" that the ACS adds to the user account.

Regards.

Thanks Carlos for the reply.

Can you post the recommended configuration on routers and switches for AAA with ACS in TACACS+ mode, in terms of authentication, authorization and accounting?

thanks

Hello,

aaa new-model
aaa authentication login default group tacacs+ local
aaa authorization exec default group tacacs+ local
aaa authorization config-commands
aaa authorization commands 0 default group tacacs+ local
aaa authorization commands 1 default group tacacs+ local
aaa authorization commands 15 default group tacacs+ local
aaa accounting exec default start-stop group tacacs+
aaa accounting commands 0 default start-stop group tacacs+
aaa accounting commands 1 default start-stop group tacacs+
aaa accounting commands 15 default start-stop group tacacs+
tacacs-server host 10.1.1.1
tacacs-server key cisco123

The appropriate configuration order should be:

1) Define the server:

tacacs-server host 10.1.1.1
tacacs-server key cisco123

2) Perform the test authentication command to confirm connectivity:

test aaa group tacacs+ <username> <password> legacy

3) Define the login authentication command:

aaa authentication login default group tacacs+ local

4) Configure the TACACS+ server with the appropriate Enable and Shell (EXEC) Privilege level 15 and configure IOS for authorization:

aaa authorization exec default group tacacs+ local

5) Configure the TACACS+ server with the allowed or restricted command sets based on user/group and then configure Command Authorization:

aaa authorization config-commands
aaa authorization commands 0 default group tacacs+ local
aaa authorization commands 1 default group tacacs+ local
aaa authorization commands 15 default group tacacs+ local

6) Configure TACACS+ accounting:

aaa accounting commands 0 default start-stop group tacacs+
aaa accounting commands 1 default start-stop group tacacs+
aaa accounting commands 15 default start-stop group tacacs+

NOTE: AAA configurations can end up in lockouts. The above should be the appropriate order in which to configure the AAA commands, assuming that the server configuration is the appropriate one to pass the Authentication and Authorization checks.

If this was helpful please rate.

Regards.

Thanks Carlos

Do you need to apply the above config to the VTY and console lines?

The answer is NO, because if you look at the above commands you will notice the "default" keyword, which means the commands are automatically applied to all the lines: vty, console, aux.

If you need to exclude any line (console/aux), you need to create a method list and then apply it on the respective lines.

For instance

aaa authentication login NOACS none

line console 0

login authentication NOACS

This way you can exempt the console session from the authentication process.

http://www.cisco.com/en/US/docs/ios/security/command/reference/sec_a1.html#wp1088074

Regards,

Jatin

Do rate helpful posts-

~Jatin

Hi Jatin

If I define NOACS on the console, how can I track the other admins connected to the device via the console, since I have 4 admins?

That was just an example to clear the difference between default method and method list.

Regards,

Jatin

~Jatin

Could you please provide a sample config in order to track the local admins when they connect to the device using the console line?
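As an added example (not posted by any participant in this thread, and not Cisco's reference configuration), the following IOS configuration ties together Jatin's point about named method lists versus the default lists and the last question about tracking admins on the console. Instead of the NOACS/none list, the console gets its own named list that tries the ACS first and falls back to local per-admin accounts, so every console session still carries a username that accounting and syslog can record. The ACS address 10.1.1.1 and key come from the configuration earlier in the thread; the list name CONSOLE, the usernames, the passwords and the syslog server address are assumptions or placeholders.

```cisco
! Added example: named method list for the console; VTY lines keep the
! "default" lists from the configuration above. Names and secrets are assumed.
aaa new-model
tacacs-server host 10.1.1.1
tacacs-server key cisco123
!
! One local account per administrator (no shared "admin" login), so a
! console login during an ACS outage is still attributable to a person.
username admin1 privilege 15 secret <PASSWORD-1>
username admin2 privilege 15 secret <PASSWORD-2>
!
! Console list: ACS first, local second, never "none".
aaa authentication login CONSOLE group tacacs+ local
aaa authorization exec CONSOLE group tacacs+ local
aaa accounting exec CONSOLE start-stop group tacacs+
aaa accounting commands 15 CONSOLE start-stop group tacacs+
!
! IOS skips exec authorization on the console unless this is enabled.
aaa authorization console
!
line console 0
 login authentication CONSOLE
 authorization exec CONSOLE
 accounting exec CONSOLE
 accounting commands 15 CONSOLE
!
! TACACS+ accounting only reaches the ACS while the ACS is up, which is
! exactly when the console is least likely to be needed; keep a local
! record of logins and configuration changes and ship it to syslog.
login on-success log
login on-failure log
archive
 log config
  logging enable
  notify syslog contents
  hidekeys
logging host <SYSLOG-SERVER>
```

The design choice is that the console never authenticates with "none": an unauthenticated console session has no identity for accounting to attach to, so the only way to track who used it is to require a login on that line as well. Local accounts are a fallback for ACS outages, not a replacement for the AD-backed accounts, and the syslog entries from login on-success/on-failure and archive log config are what remain auditable when the ACS was unreachable during the session.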
