Beginner

3850 FUJI 16.9 code TACACS+ configuration

Does anyone have any advice on the "correct" configuration of TACACS+ on the 3850 series?

I have recently upgraded a switch to 16.9.3 (FUJI) code.

On older switches I would use the following sample to configure TACACS+

aaa new-model

tacacs server ServerA
address ipv4 10.10.10.10
key abcd1234

I am now presented with (after the last command "key abcd1234")

WARNING: Command has been added to the configuration using a type 0 password. However, type 0 passwords will soon be deprecated. Migrate to a supported password type

I have been searching for a "new" syntax for the command but have been unsuccessful.

Cisco documentation from the "Security Configuration Guide, Cisco IOS XE Fuji 16.9.x"

Chapter: Configuring TACACS+
How to Configure Switch Access with TACACS+
Identifying the TACACS+ Server Host and Setting the Authentication Key

This sounded exactly what I was looking for. But the summary and detailed steps do not include anything for setting the Authentication Key

"SUMMARY STEPS"
1. enable
2. configure terminal
3. tacacs server server-name
4. address {ipv4 | ipv6} ip-address
5. exit
6. aaa new-model
7. aaa group server tacacs+ group-name
8. server ip-address
9. end
10. show running-config
11. copy running-config startup-config

I appreciate that the old syntax is still accepted, but would like to get the new syntax if possible.

 

Thanks

VIP Advisor

Re: 3850 FUJI 16.9 code TACACS+ configuration

Hi there,

According to the 16.9 documentation the syntax is:

!
aaa new-model
!
tacacs-server host <ip_address>
tacacs-server key <key>
!

...this will set a global key to be used by all defined TACACS servers.

https://www.cisco.com/c/en/us/td/docs/ios-xml/ios/sec_usr_tacacs/configuration/xe-16-9/sec-usr-tacacs-xe-16-9-book/sec-cfg-tacacs.html

 

cheers,

Seb.

 

VIP Mentor

Re: 3850 FUJI 16.9 code TACACS+ configuration

Hi, here is a working one of mine; fill in the xxxs: IP address, key and source interface.

When TACACS is down this will let you in by local username too.

 

aaa group server tacacs+ xtacacs
 server-private x.x.x.x key xxxxxxxxxxxxxxxxx
 server-private x.x.x.x key xxxxxxxxxxxxxxxxx
 ip tacacs source-interface xxxxxxxxxx
!
aaa authentication login default group xtacacs local enable
aaa authentication enable default group xtacacs enable
aaa authorization exec default group xtacacs local
aaa accounting exec default start-stop group xtacacs
aaa accounting commands 0 default start-stop group xtacacs
aaa accounting commands 1 default start-stop group xtacacs
aaa accounting commands 15 default start-stop group xtacacs
aaa accounting network default start-stop group xtacacs
aaa accounting connection default start-stop group xtacacs
aaa accounting system default start-stop group xtacacs
!
!
!
aaa session-id common
no ip source-route

Beginner

Re: 3850 FUJI 16.9 code TACACS+ configuration

Thanks Mark

 

TACACS works OK; my question was more related to the correct syntax for adding the authentication key as part of the server definition, using the newer IOS. Just out of interest, did you get the same message when entering the key as part of the server-private line? On the model I have running 16.9.3 I do.

VIP Mentor

Re: 3850 FUJI 16.9 code TACACS+ configuration

Hi,
No, because I'm using it under the AAA group, which is the newer method: server-private ....... key
Beginner

Re: 3850 FUJI 16.9 code TACACS+ configuration

Thanks again Mark

With access to the equipment, I completed the suggested:

 

ENTER_HOSTNAME_HERE#conf t
Enter configuration commands, one per line. End with CNTL/Z.
ENTER_HOSTNAME_HERE(config)#do sh run | inc aaa
aaa new-model
aaa session-id common
ENTER_HOSTNAME_HERE(config)#aaa group server tacacs+ xtacacs
ENTER_HOSTNAME_HERE(config-sg-tacacs+)#server-pri
ENTER_HOSTNAME_HERE(config-sg-tacacs+)#server-private 10.10.10.10 key cisco
WARNING: Command has been added to the configuration using a type 0 password. However, type 0 passwords will soon be deprecated. Migrate to a supported password type
WARNING: Command has been added to the configuration using a type 0 password. However, type 0 passwords will soon be deprecated. Migrate to a supported password type
ENTER_HOSTNAME_HERE(config-sg-tacacs+)#
*Apr 5 06:10:24.799 AEST: %AAAA-4-CLI_DEPRECATED: WARNING: Command has been added to the configuration using a type 0 password. However, type 0 passwords will soon be deprecated. Migrate to a supported password type
*Apr 5 06:10:24.799 AEST: %AAAA-4-CLI_DEPRECATED: WARNING: Command has been added to the configuration using a type 0 password. However, type 0 passwords will soon be deprecated. Migrate to a supported password type

 

Doesn't surprise me that there are differences between the devices though.

 

Rob

Beginner

Re: 3850 FUJI 16.9 code TACACS+ configuration

Thanks Seb

I agree this is what the documentation says, but I still get the message saying that the password 0 method is soon to be deprecated. I'm trying to find the new syntax.

For example, the username command has changed from

username fred privilege 15 password cisco

to

username fred privilege 15 algorithm-type scrypt secret cisco

This sets the password to type 9, not the 7 or 5 you normally see.

Beginner

Re: 3850 FUJI 16.9 code TACACS+ configuration

I am also having this exact problem with a Cisco ASR920 router running Fuji-16.09.03 and I find myself here at this forum.

 

Here is a snippet of our config:

 

aaa group server tacacs+ NETOPS
 server-private <server-ip> key 7 <tacacs-key>
 ip tacacs source-interface GigabitEthernet0

 

The router is complaining as follows:

WARNING: Command has been added to the configuration using a type 7 password. However, type 7 passwords will soon be deprecated. Migrate to a supported password type

 

The issue is that there is no configuration option to use a stronger algorithm such as scrypt (like there is for the fallback username and enable passwords).

 

It is apparent that someone at Cisco has gone as far as implementing the warning message for the TACACS key, but no means to use a better encryption algorithm for the key storage.  I would like to know:

 

1) If indeed there is another way to configure this now with a better algorithm such as scrypt?

2) If not, when does Cisco plan to provide it?

 

 

Beginner

Re: 3850 FUJI 16.9 code TACACS+ configuration

stewart-ian, I second your questions.  I'm struggling with the same issue on a new 4331 router.  If there is a new way to enter the syntax, that would be my preferred path.  However, I'm not finding any way to do so.

Hall of Fame Cisco Employee

Re: 3850 FUJI 16.9 code TACACS+ configuration

Hi everyone,

The warning message displayed when entering a plaintext password for TACACS+ (and RADIUS, and username ... password command) is truly confusing - it seems to suggest that the CLI won't accept plaintext passwords in the future, or that the command syntax will be changing. None of this is true, fortunately :)

What it says is this: At some point in the future, IOS-XE won't store plaintext passwords in running-config or startup-config anymore. It will only store hashed passwords (for authentication purposes, when knowledge of the password plaintext isn't needed anymore) and securely encrypted passwords (for those passwords whose original plaintext still needs to be recoverable). This requires that the password is either already hashed/encrypted at the time you enter it in the CLI, or that your switch is configured with strong password encryption so that after you enter the password in plaintext, IOS-XE is immediately able to encrypt it and store it in the configuration in the encrypted form. However, IOS-XE will still accept plaintext passwords entered in the CLI; it just won't store them as plaintext in the configuration.

Secure encrypted passwords, also known as Type-6 passwords, can be enabled on the device using the following commands:

configure terminal
key config-key password-encryption
password encryption aes
end

The key config-key password-encryption command will prompt you for a master key that will subsequently be used to encrypt all passwords in the configuration where this encryption is supported, including TACACS+ keys. The encryption of these passwords is then enabled using the password encryption aes command; without this command, the master key may be configured but will not be used to protect the passwords in the configuration.

This is described in a couple of documents out there, including https://www.cisco.com/c/en/us/support/docs/security-vpn/ipsec-negotiation-ike-protocols/46420-pre-sh-keys-ios-rtr-cfg.html

If you enable the strong password protection using the two commands above, you will not receive the warning after you enter a new TACACS+ key anymore.

Give it a test and please let us know if it worked for you!

Best regards,
Peter
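Peter's answer above turns the question from "what is the new syntax" into "how is each secret stored in the config". A quick way to check that across a whole running-config, before and after enabling type-6 encryption, is to audit the stored type of every AAA secret. The script below is an added example, not code from this thread or from Cisco: it walks a running-config, classifies each TACACS+/RADIUS key, username secret and enable secret by the type number IOS-XE shows, flags the reversible or weak ones (0, 7, 5) for migration, reports whether `password encryption aes` is present as the indicator that type-6 storage is on, and, following Mark's point about staying reachable when TACACS is down, lists login method lists with no local fallback. The regexes for the command shapes and the treatment of a missing type number as type 0 are assumptions, and the sample configuration is constructed with placeholder addresses, keys and hashes.

```python
from __future__ import annotations

import re
from dataclasses import dataclass

# How IOS-XE labels stored secrets in the configuration (the number after
# "key", "secret" or "password"). Types 0 and 7 are recoverable by anyone who
# can read the config; type 6 is AES-encrypted under the master key set with
# "key config-key password-encryption"; 5/8/9 are one-way hashes.
TYPE_LABELS = {
    "0": "plaintext",
    "7": "reversible obfuscation",
    "6": "AES-encrypted (type 6)",
    "5": "MD5 hash",
    "8": "PBKDF2-SHA256 hash",
    "9": "scrypt hash",
}
WEAK_TYPES = {"0", "7", "5"}
LOCAL_METHODS = {"local", "local-case"}

# Constructed sample, modelled on the snippets posted in the thread.
# Addresses, key strings and hashes are placeholders, not real values.
SAMPLE_CONFIG = """\
aaa new-model
!
tacacs server ServerA
 address ipv4 10.10.10.10
 key abcd1234
!
aaa group server tacacs+ xtacacs
 server-private 10.10.10.11 key 7 0123456789ABCDEF0123
 server-private 10.10.10.12 key 6 PLACEHOLDER_TYPE6_CIPHERTEXT
 ip tacacs source-interface Loopback0
!
aaa authentication login default group xtacacs local enable
aaa authentication login CONSOLE group xtacacs
username fred privilege 15 secret 9 $9$PLACEHOLDER_SCRYPT_HASH
enable secret 5 $1$PLACEHOLDER_MD5_HASH
"""

# Assumed command shapes. A missing type number means the configuration holds
# the string exactly as it was typed, i.e. type 0.
GLOBAL_KEY_RE = re.compile(r"^(tacacs-server|radius-server)\s+key(?:\s+(0|6|7))?\s+\S+")
BLOCK_KEY_RE = re.compile(r"^\s+key(?:\s+(0|6|7))?\s+\S+")
SERVER_PRIVATE_RE = re.compile(r"^\s+server-private\s+(\S+).*?\bkey(?:\s+(0|6|7))?\s+\S+")
USERNAME_RE = re.compile(r"^username\s+(\S+).*?\b(secret|password)(?:\s+(\d))?\s+\S+")
ENABLE_RE = re.compile(r"^enable\s+(secret|password)(?:\s+(\d))?\s+\S+")
LOGIN_RE = re.compile(r"^aaa authentication login\s+(\S+)\s+(.*)$")


@dataclass
class Finding:
    line_no: int
    what: str    # which secret, e.g. "server-private 10.10.10.11 key"
    ptype: str   # stored type as shown in the config, "0".."9"
    weak: bool   # True when the stored form should be migrated


def _finding(line_no: int, what: str, ptype: str | None) -> Finding:
    ptype = ptype or "0"
    return Finding(line_no, what, ptype, ptype in WEAK_TYPES)


def audit(config: str) -> dict:
    """Report how each AAA secret is stored and whether type-6 encryption is on."""
    findings: list[Finding] = []
    login_without_local: list[str] = []
    block = ""  # the enclosing top-level command for indented sub-commands
    for no, line in enumerate(config.splitlines(), start=1):
        if not line.strip() or line.startswith("!"):
            block = ""
            continue
        if not line[0].isspace():
            block = line.strip()
        stripped = line.strip()
        if m := GLOBAL_KEY_RE.match(stripped):
            findings.append(_finding(no, f"{m.group(1)} key", m.group(2)))
        elif block.startswith(("tacacs server", "radius server")) and (m := BLOCK_KEY_RE.match(line)):
            findings.append(_finding(no, f"{block} key", m.group(1)))
        elif block.startswith("aaa group server") and (m := SERVER_PRIVATE_RE.match(line)):
            findings.append(_finding(no, f"server-private {m.group(1)} key", m.group(2)))
        elif m := USERNAME_RE.match(stripped):
            findings.append(_finding(no, f"username {m.group(1)} {m.group(2)}", m.group(3)))
        elif m := ENABLE_RE.match(stripped):
            findings.append(_finding(no, f"enable {m.group(1)}", m.group(2)))
        elif (m := LOGIN_RE.match(stripped)) and not (LOCAL_METHODS & set(m.group(2).split())):
            # A method list without "local" locks administrators out while TACACS+ is down.
            login_without_local.append(m.group(1))
    # "password encryption aes" is what turns type-6 storage on; the master key
    # itself is not displayed in running-config.
    type6_enabled = re.search(r"^password encryption aes\s*$", config, re.M) is not None
    return {"findings": findings, "type6_enabled": type6_enabled,
            "login_lists_without_local": login_without_local}


def report(config: str) -> list[str]:
    """Human-readable summary lines for the audit result."""
    result = audit(config)
    lines = [f"type-6 (AES) password encryption enabled: {result['type6_enabled']}"]
    for f in result["findings"]:
        flag = "MIGRATE" if f.weak else "ok"
        label = TYPE_LABELS.get(f.ptype, "unknown")
        lines.append(f"line {f.line_no}: {f.what} stored as type {f.ptype} ({label}) [{flag}]")
    for name in result["login_lists_without_local"]:
        lines.append(f"login method list '{name}' has no local fallback")
    return lines


if __name__ == "__main__":
    print("\n".join(report(SAMPLE_CONFIG)))
```

Run it against the output of `show running-config` saved to a file; on the sample it flags the plaintext key under `tacacs server ServerA`, the type-7 `server-private` key and the MD5 enable secret, accepts the type-6 key and the scrypt user secret, reports type-6 encryption as off, and points out that the `CONSOLE` login list has no local fallback. After Peter's two commands are applied and the TACACS+ keys re-entered, the same audit should show them as type 6.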

Beginner

Re: 3850 FUJI 16.9 code TACACS+ configuration

Cheers Peter this answers my question but even better resolves the issue with password-7 encrypted RADIUS secrets!
