minkumar
Introduction

This document shows the commands that configure AAA with TACACS+ on a Cisco Catalyst switch running Catalyst OS (CatOS).

Login authentication to 'tacacs' and then 'local' if tacacs is not available

set authentication login tacacs enable console primary
set authentication login tacacs enable telnet primary
set authentication login local enable console
set authentication login local enable telnet

More Information

Issue the set authentication login local enable command in order to make sure there is a back door into the switch if the server is down.

Issue the set authentication login tacacs enable command in order to enable TACACS+ authentication.

Issue the set tacacs server #.#.#.# command in order to define the server.

Issue the set tacacs key your_key command in order to define the server key. The key is optional with TACACS+; when it is set, the switch-to-server data is encrypted. If used, it must match the key configured on the server.

Note: Cisco Catalyst OS software does not accept the question mark (?) to be part of any keys or passwords. The question mark is explicitly used for help on the command syntax.

Enable authentication to 'tacacs' and then 'local' if tacacs is not available

set authentication enable tacacs enable console primary
set authentication enable tacacs enable telnet primary
set authentication enable local enable console
set authentication enable local enable telnet

More Information

Issue the set authentication enable local enable command in order to make sure that there is a back door into enable mode if the server is down.

Issue the set authentication enable tacacs enable command in order to tell the switch to send enable requests to the server.

Defining TACACS Server

set tacacs server <ip address>
set tacacs key <key>

Accounting

set accounting exec enable start-stop tacacs+
set accounting connect enable start-stop tacacs+
set accounting commands enable all stop-only tacacs+

More Information

In order to enable TACACS+ accounting, issue the command that matches each event you want recorded:

Each time a user reaches the switch prompt (an exec session), issue the set accounting exec enable start-stop tacacs+ command.

Users that Telnet out of the switch: issue the set accounting connect enable start-stop tacacs+ command.

Switch reboots: issue the set accounting system enable start-stop tacacs+ command.

Commands that users execute: issue the set accounting commands enable all start-stop tacacs+ command.

Periodic reminders to the server, for example an update once a minute to show that the user is still logged in: issue the set accounting update periodic 1 command.

Authorization

set authorization exec enable tacacs+ none telnet
set authorization enable enable tacacs+ none telnet
set authorization commands enable all tacacs+ none telnet

More Information

In this example, the switch is told to require authorization for an exec session with TACACS+. In the event that the TACACS+ server is down, authorization is none. This applies to both the console port and the Telnet session. Issue the set authorization exec enable tacacs+ none both command.

In addition to the authentication request, this sends a separate authorization request to the TACACS+ server from the switch. If the user profile is configured for shell/exec on the TACACS+ server, that user is able to access the switch.

This prevents users without shell/exec service configured on the server, such as PPP users, from logging into the switch; they get a message that reads Exec mode authorization failed. In addition to permitting or denying exec mode for users, a user who has privilege level 15 assigned on the server can be placed directly into enable mode at login. The switch must run code in which Cisco bug ID CSCdr51314 is fixed.
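The sections above (login and enable authentication with a local fallback, the server and key definition, accounting, and authorization with a none fallback) together describe what a correctly configured switch should contain. The following audit script is an added example, not part of this document and not Cisco tooling: it parses only the command forms shown on this page and reports deviations from them. The server address and key value in the sample configuration are constructed; the interpretation of a none authorization fallback as fail-open follows the page's own description of the server-down case.

```python
"""Audit a CatOS-style AAA configuration for the properties described above."""
import re
from typing import Dict, List

# Constructed sample: the commands from this page plus a hypothetical server
# address and key value (both made up for the example).
SAMPLE_CONFIG = """
set tacacs server 192.0.2.10
set tacacs key ExampleKey1
set authentication login tacacs enable console primary
set authentication login tacacs enable telnet primary
set authentication login local enable console
set authentication login local enable telnet
set authentication enable tacacs enable console primary
set authentication enable tacacs enable telnet primary
set authentication enable local enable console
set authentication enable local enable telnet
set accounting exec enable start-stop tacacs+
set accounting connect enable start-stop tacacs+
set accounting commands enable all stop-only tacacs+
set authorization exec enable tacacs+ none telnet
set authorization enable enable tacacs+ none telnet
set authorization commands enable all tacacs+ none telnet
"""

# Only the command shapes that appear on this page are recognised.
AUTH_RE = re.compile(
    r"^set authentication (login|enable) (\S+) enable (console|telnet)( primary)?$")
ACCT_RE = re.compile(
    r"^set accounting (exec|connect|commands|system) enable (?:all )?"
    r"(start-stop|stop-only) tacacs\+$")
AUTHZ_RE = re.compile(
    r"^set authorization (exec|enable|commands) enable (?:all )?(\S+) (\S+) "
    r"(console|telnet|both)$")
SERVER_RE = re.compile(r"^set tacacs server (\S+)$")
KEY_RE = re.compile(r"^set tacacs key (.+)$")


def parse_config(text: str) -> Dict:
    """Collect the AAA-relevant 'set' lines into one dictionary."""
    cfg = {"auth": {}, "acct": {}, "authz": {}, "servers": [], "key": None}
    for raw in text.splitlines():
        line = raw.strip()
        if (m := AUTH_RE.match(line)):
            mode, method, port, primary = m.groups()
            cfg["auth"].setdefault((mode, port), []).append((method, primary is not None))
        elif (m := ACCT_RE.match(line)):
            cfg["acct"][m.group(1)] = m.group(2)
        elif (m := AUTHZ_RE.match(line)):
            what, method, fallback, ports = m.groups()
            for port in (["console", "telnet"] if ports == "both" else [ports]):
                cfg["authz"][(what, port)] = (method, fallback)
        elif (m := SERVER_RE.match(line)):
            cfg["servers"].append(m.group(1))
        elif (m := KEY_RE.match(line)):
            cfg["key"] = m.group(1)
    return cfg


def audit(cfg: Dict) -> List[str]:
    """Return human-readable findings; an empty list means nothing to flag."""
    findings = []
    # 1. Each login/enable path on console and telnet needs TACACS+ as the primary
    #    method and a local method as the fallback the page calls the "back door".
    for mode in ("login", "enable"):
        for port in ("console", "telnet"):
            entries = cfg["auth"].get((mode, port), [])
            if ("tacacs", True) not in entries:
                findings.append(f"{mode}/{port}: TACACS+ is not the primary method")
            if not any(method == "local" for method, _ in entries):
                findings.append(f"{mode}/{port}: no local fallback; lockout if the server is down")
    # 2. Server and key: the key encrypts switch-to-server data, and CatOS
    #    rejects '?' inside keys and passwords.
    if not cfg["servers"]:
        findings.append("no TACACS+ server defined")
    if cfg["key"] is None:
        findings.append("no TACACS+ key; switch-to-server data is sent unencrypted")
    elif "?" in cfg["key"]:
        findings.append("TACACS+ key contains '?', which CatOS does not accept")
    # 3. Accounting for exec sessions, outbound Telnet connections and commands.
    for what in ("exec", "connect", "commands"):
        if what not in cfg["acct"]:
            findings.append(f"accounting for {what} is not enabled")
    # 4. Authorization with a 'none' fallback is not enforced while the server is down.
    for (what, port), (_method, fallback) in sorted(cfg["authz"].items()):
        if fallback == "none":
            findings.append(f"authorization {what}/{port}: fails open (fallback 'none') when TACACS+ is down")
    return findings


if __name__ == "__main__":
    for finding in audit(parse_config(SAMPLE_CONFIG)) or ["no findings"]:
        print(finding)
```

Run against the page's own commands, the script reports only the three authorization lines whose fallback is none; remove the local authentication lines and it reports the lockout risk for every login and enable path, which is exactly the case the local "back door" commands exist to prevent.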
