06-15-2021 05:50 AM
aaa new-model
aaa session-id common
aaa group server tacacs+ tacacs_123
 server name ise-tacacs_01
 server name ise-tacacs_02
!
tacacs server ise-tacacs_01
 address ipv4 10.1.1.101
 key <tacacs key>
 timeout 5
!
tacacs server ise-tacacs_02
 address ipv4 10.1.1.102
 key <tacacs key>
 timeout 5
!
tacacs-server timeout 5
tacacs-server directed-request
ip tacacs source-interface Loopback0
!
aaa authentication login vty group tacacs_123 local
aaa authentication login conaux local
aaa authentication enable default group tacacs_123 enable
aaa authorization config-commands
aaa authorization commands 1 default group tacacs_123 local
aaa authorization commands 1 conaux local
aaa authorization commands 15 default group tacacs_123 local
aaa authorization commands 15 conaux local
aaa accounting commands 15 default start-stop group tacacs_123
aaa accounting connection default start-stop group tacacs_123
06-15-2021 05:58 AM - edited 06-15-2021 06:14 AM
Yes, it looks OK; check out this guide and compare it to Cisco's recommended switch configuration for TACACS+.
If you are connected to a vty session, apply the commands, and the rules are not set up on the TACACS+ server, you could lock yourself out. I normally apply the config to all but the vty line you are connected to, then connect another session, which should prompt for TACACS+ credentials. If that fails, you still have access on the original session.
06-16-2021 07:24 AM
Hi,
That's the traditional/legacy way of configuring TACACS.
Are you asking about AAA for a router, switch or ASA?
The new AAA config structure changed in a router/switch starting with IOS-XE 16.12.2, wherein the TACACS server, key, source interface and VRF are all configured under the AAA group server.
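As an added example (not code from this thread, from Cisco, or from any of the posters), here is a small Python lint that reads an IOS / IOS-XE running-config excerpt in both the legacy `tacacs server NAME` form shown in the first post and the `server-private` form under `aaa group server tacacs+` that the last reply refers to, and flags the mistakes that most often end in a lock-out: a group that names an undefined server, a server with no key, a login method list without a `local` fallback, and a console or vty line with no login list applied. The first sample is built from the first post with placeholder keys and added `line` blocks (one vty range is deliberately left without a login list); the second sample and the `ISE` group name are constructed. It assumes running-config indentation, i.e. one leading space on child commands.

```python
"""Offline lint for a Cisco IOS / IOS-XE TACACS+ AAA configuration excerpt.

Added example, not code from the thread. Understands the legacy
'tacacs server NAME' blocks and the 'server-private' form under
'aaa group server tacacs+'. Assumes running-config indentation
(one space before child commands).
"""


def parse_ios_aaa(config):
    """Return a dict of server groups, servers, login method lists and lines."""
    model = {"groups": {}, "servers": {}, "login_lists": {}, "lines": {},
             "global_key": False}
    block = None  # (kind, name) of the parent command we are currently inside
    for raw in config.splitlines():
        line = raw.rstrip()
        if not line.strip() or line.lstrip().startswith("!"):
            continue
        tokens = line.split()
        if not line.startswith(" "):            # top-level command
            block = None
            if tokens[:4] == ["aaa", "group", "server", "tacacs+"]:
                block = ("group", tokens[4])
                model["groups"].setdefault(tokens[4], [])
            elif tokens[:2] == ["tacacs", "server"]:
                block = ("server", tokens[2])
                model["servers"].setdefault(tokens[2], {"key": False})
            elif tokens[:2] == ["tacacs-server", "key"]:
                model["global_key"] = True      # legacy global key
            elif tokens[0] == "line":
                block = ("line", " ".join(tokens[1:]))
                model["lines"].setdefault(block[1], None)
            elif tokens[:3] == ["aaa", "authentication", "login"]:
                model["login_lists"][tokens[3]] = tokens[4:]
            continue
        if block is None:
            continue
        kind, name = block
        if kind == "group" and tokens[:2] == ["server", "name"]:
            model["groups"][name].append(tokens[2])
        elif kind == "group" and tokens[0] == "server-private":
            # group-server style: address and (optionally) key live under the group
            model["groups"][name].append(tokens[1])
            model["servers"][tokens[1]] = {"key": "key" in tokens[2:]}
        elif kind == "server" and tokens[0] == "key":
            model["servers"][name]["key"] = len(tokens) > 1
        elif kind == "line" and tokens[:2] == ["login", "authentication"]:
            model["lines"][name] = tokens[2]
    return model


def lint_aaa(model):
    """Return a list of human-readable findings (empty list means clean)."""
    findings = []
    for group, members in model["groups"].items():
        if not members:
            findings.append(f"group {group}: no servers")
        for m in members:
            if m not in model["servers"]:
                findings.append(f"group {group}: references undefined server {m}")
    for srv, info in model["servers"].items():
        if not info["key"] and not model["global_key"]:
            findings.append(f"server {srv}: no key configured")
    for lst, methods in model["login_lists"].items():
        if "local" not in methods:
            findings.append(f"login list {lst}: no local fallback")
        for i, tok in enumerate(methods[:-1]):
            nxt = methods[i + 1]
            if tok == "group" and nxt not in model["groups"] and nxt not in ("tacacs+", "radius"):
                findings.append(f"login list {lst}: undefined group {nxt}")
    for line, lst in model["lines"].items():
        if lst is None and "default" not in model["login_lists"]:
            findings.append(f"line {line}: no login list applied and no default list defined")
        elif lst is not None and lst not in model["login_lists"]:
            findings.append(f"line {line}: references undefined login list {lst}")
    return findings


# Constructed from the first post (placeholder keys, 'line' blocks added).
SAMPLE_LEGACY = """
aaa new-model
aaa group server tacacs+ tacacs_123
 server name ise-tacacs_01
 server name ise-tacacs_02
!
tacacs server ise-tacacs_01
 address ipv4 10.1.1.101
 key PLACEHOLDER_KEY
 timeout 5
!
tacacs server ise-tacacs_02
 address ipv4 10.1.1.102
 key PLACEHOLDER_KEY
 timeout 5
!
aaa authentication login vty group tacacs_123 local
aaa authentication login conaux local
!
line con 0
 login authentication conaux
line vty 0 4
 login authentication vty
line vty 5 15
"""

# Constructed group-server style sample with two deliberate defects.
SAMPLE_GROUP_STYLE = """
aaa new-model
aaa group server tacacs+ ISE
 server-private 10.1.1.101 key PLACEHOLDER_KEY
 server-private 10.1.1.102
 ip tacacs source-interface Loopback0
!
aaa authentication login default group ISE
line vty 0 4
"""

if __name__ == "__main__":
    for label, cfg in (("legacy", SAMPLE_LEGACY), ("group-style", SAMPLE_GROUP_STYLE)):
        print(label, lint_aaa(parse_ios_aaa(cfg)) or ["clean"])
```

One caveat the lint cannot cover: the `local` method after `group tacacs_123` is only consulted when the TACACS+ servers do not answer; an explicit reject from a reachable server is final. That is why the second-session test in the reply above is still the right acceptance check before you commit the config on the line you are using.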