TACACS configuration question

david
Level 1

Is there anything wrong (or missing) with the sample TACACS config below? And does it matter what order the commands are entered? In config docs, I've seen so many variations of tacacs config that it's making my head spin so I'm trying to make sense of it and standardize. Thanks!

aaa new-model
aaa session-id common
aaa group server tacacs+ tacacs_123
 server name ise-tacacs_01
 server name ise-tacacs_02
!
tacacs server ise-tacacs_01
 address ipv4 10.1.1.101
 key <tacacs key>
 timeout 5
!
tacacs server ise-tacacs_02
 address ipv4 10.1.1.102
 key <tacacs key>
 timeout 5
!
tacacs-server timeout 5
tacacs-server directed-request
ip tacacs source-interface Loopback0
!
aaa authentication login vty group tacacs_123 local
aaa authentication login conaux local
aaa authentication enable default group tacacs_123 enable
aaa authorization config-commands
aaa authorization commands 1 default group tacacs_123 local
aaa authorization commands 1 conaux local
aaa authorization commands 15 default group tacacs_123 local
aaa authorization commands 15 conaux local
aaa accounting commands 15 default start-stop group tacacs_123
aaa accounting connection default start-stop group tacacs_123

2 Replies

@david

Yes, it looks ok. Check out this guide and compare it to Cisco's recommended switch configuration for TACACS+.

If you are connected to a vty session, apply the commands, and the rules are not set up on the TACACS+ server, you could lock yourself out. I normally apply the config to all but the vty line you are connected to, then connect another session, which should prompt for TACACS+ credentials. If that fails, you still have access on the original session.
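Added here as an example, not code from the thread: a small Python lint that checks an IOS-style AAA config for the two gaps the reply above cautions about before a config is pushed. It reports named method lists (such as `vty` or `conaux`) that are defined but not applied under any `line` stanza in the text it is given, and lists whose final method is still a server group, leaving no local fallback if every TACACS+ server is unreachable. The sample config is constructed and shortened from the one posted; the list name `noback` is invented for the demonstration.

```python
import re

# Constructed sample modelled on the posted config (shortened, not from the
# thread): the line stanza binds only "conaux", so "vty" is never applied to
# a line, and "noback" ends in a server group with no local fallback.
SAMPLE_CONFIG = """\
aaa authentication login vty group tacacs_123 local
aaa authentication login conaux local
aaa authentication enable default group tacacs_123 enable
aaa authorization commands 15 default group tacacs_123 local
aaa authorization commands 15 conaux local
aaa authorization commands 15 noback group tacacs_123
line con 0
 login authentication conaux
 authorization commands 15 conaux
"""

# Methods that still admit an admin when every TACACS+ server is unreachable.
FALLBACKS = {"local", "local-case", "enable", "none", "line", "if-authenticated"}
LIST_RE = re.compile(r"aaa (authentication \S+|authorization commands \d+) (\S+) (.+)")

def _stanzas(config):
    """Map each top-level IOS line to its indented child lines."""
    stanzas, parent = {}, None
    for raw in config.splitlines():
        if raw.strip() and not raw.startswith(" "):
            parent = raw.strip()
            stanzas.setdefault(parent, [])
        elif raw.strip() and parent is not None:
            stanzas[parent].append(raw.strip())
    return stanzas

def lint_aaa(config):
    """Return named lists never bound to a line and lists with no fallback."""
    st = _stanzas(config)
    named, no_fallback = set(), []
    for top in st:
        m = LIST_RE.match(top)
        if not m:
            continue
        kind, name, methods = m.groups()
        if name != "default":
            named.add(name)
        if methods.split()[-1] not in FALLBACKS:  # last method is still a server group
            no_fallback.append(f"{kind} {name}")
    # "login authentication X" / "authorization commands N X" under line stanzas
    bound = {c.split()[-1] for top, kids in st.items() if top.startswith("line ")
             for c in kids if c.startswith(("login authentication ", "authorization commands "))}
    return {"unbound_lists": sorted(named - bound), "no_fallback": no_fallback}
```

Feed it the running config (`show running-config | section aaa|line|tacacs`) on a box before you cut the session over, and an empty result for both keys is what you want to see.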

johnlloyd_13
Level 9

Hi,

That's the traditional/legacy way of configuring TACACS.

Are you asking about AAA for a router, switch or ASA?

The new AAA config structure changed in a router/switch starting with IOS-XE 16.12.2, wherein the TACACS server, key, source interface and VRF are all configured under the AAA group server.
