Buy or Renew
Buy or Renew
Cisco + Splunk: It’s a new day for your data. Learn more.
 
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
2541
Views
10
Helpful
9
Replies

TACACS CONFIG HELP

Go to solution
balakrishnansenthil
Level 1
Level 1

‎02-13-2013 06:06 PM - edited ‎03-07-2019 11:42 AM

Hi Team,

We have CISCO ASR 1002 router on our DC, I want to enable TACACS on this router.

Please can you confirm the below config or need anything?

and also i need to know what is the usage of key, we need a separate key for every device? or.

Logs;( This log fetch from other DC ASR router)

-----

aaa new-model

!

!

aaa group server tacacs+ ACS

server xxxxxxxxxxxx

server xxxxxxxxxxxx

ip vrf forwarding Mgmt-intf

!

aaa authentication login default group ACS local

aaa authentication login console group ACS local

aaa authorization console

aaa authorization exec default group ACS local

aaa authorization exec console if-authenticated

aaa authorization commands 1 default group ACS local

aaa authorization commands 15 default group ACS local

!

!

!

!

!

aaa session-id common

clock timezone CST -6 0

clock summer-time CDT recurring

ip source-route

!

!

aaa group server tacacs+ ACS

ip tacacs source-interface GigabitEthernet0

deny   tcp any any eq tacacs

deny   tcp any eq tacacs any

tacacs-server host xxxxxxxxxxxx key xxxxxx

tacacs-server host xxxxxxxxxxxx key xxxxxx

tacacs-server directed-request

Labels:
0 Helpful
1 Accepted Solution

Accepted Solutions

Go to solution
Gabriel Hill
Level 1
Level 1
In response to balakrishnansenthil

‎02-13-2013 08:01 PM

Yes, configure the device in tacacs with the key, then configure the device with that tacacs server (with the same key).

You can use whatever key you like. If you want all your devices to use the same key you can do that, as long as the key matches between the tacacs server and the device.

If you have enabled some devices with TACACS and you know the key but haven't added them to the TACAS server yet, you can add these devices to your TACACS server with the key you already configured them with and it will work just fine.

-Gabriel

View solution in original post

0 Helpful
9 Replies 9

Go to solution
Gabriel Hill
Level 1
Level 1

‎02-13-2013 07:22 PM

Hello Senthilkumar,

Your config looks okay. Your telnet/ssh sessions will authenticate / authorize from your TACACS servers unless the ASR cannot reach them, then will authenticate / authorize from your local DB on the router. Console is set the same way, only with authorization set to automatically allow upon successful login.

My suggestions:

I normally leave the console set for local only. Also configuring "aaa authorization console" can be a little risky. I would suggest leaving console authorization off.

You said "also i need to know what is the usage of key, we need a separate key for every device?"

I assume when you say usage key you mean:

tacacs-server host xxxxxxxxxxxx key xxxxxx

tacacs-server host xxxxxxxxxxxx key xxxxxx

If so, the key you specify here will match the key you specify in the TACACS server for that device. If the key doesn't match, the device will not authenticate/authorize against your TACACS server.


Hope this helps,
Gabriel

Go to solution
balakrishnansenthil
Level 1
Level 1
In response to Gabriel Hill

‎02-13-2013 07:55 PM

Thanks Gabriel,

You mean we need do assign first KEY for this device in the TACACS server then we can config mentioned KEY in this device.

Am i right?...

We already enabled TACACS on some ASR router in other DC, Can i use the same KEY? or.

Thanks....

Regards,

Senthil

0 Helpful

Go to solution
Gabriel Hill
Level 1
Level 1
In response to balakrishnansenthil

‎02-13-2013 08:01 PM

Yes, configure the device in tacacs with the key, then configure the device with that tacacs server (with the same key).

You can use whatever key you like. If you want all your devices to use the same key you can do that, as long as the key matches between the tacacs server and the device.

If you have enabled some devices with TACACS and you know the key but haven't added them to the TACAS server yet, you can add these devices to your TACACS server with the key you already configured them with and it will work just fine.

-Gabriel

0 Helpful

Go to solution
balakrishnansenthil
Level 1
Level 1
In response to Gabriel Hill

‎02-13-2013 10:42 PM

Thanks Gabriel,

The command "aaa authorization console" if use this one will be a problem?...

Regards,

Senthil

0 Helpful

Go to solution
Gabriel Hill
Level 1
Level 1
In response to balakrishnansenthil

‎02-14-2013 05:36 AM

In my personal opinion, I wouldn't recommend it. The console needs to be secure, but having it authenticate/authorize against an tacacs server can be risky (misconfiguration can lead to nightmare). I always keep the console protected with local login only, no authorization. Your config looks okay, as the authorization is set to "if-authenticated

". aaa authorization exec console if-authenticated. It has always just made me nervous to restrict the console down so much, but to each there own.

I usually add a separate authentication policy like this:

aaa authentication login LoginLocal local none

line console 0

login authentication LoginLocal

privilege level 15

- Gabriel

Go to solution
balakrishnansenthil
Level 1
Level 1
In response to Gabriel Hill

‎02-14-2013 08:58 PM

Thanks Gabriel,

But I can see in our other DC's they follow the same config that's why I am going to follow the same.

I have one doubt :

Can I do the config  via console or remote login.

is not be a problem right?

If any problem i need to know the local username/Password.

How to create local username password.

Thanks....

regards,

Senthil

0 Helpful

Go to solution
balakrishnansenthil
Level 1
Level 1
In response to balakrishnansenthil

‎02-15-2013 03:42 AM

Hi,

I configured like below but still am not able to login through TACACS...

is it problem in our config or in TACACS server(ACS).

Logs;

-----

aaa new-model

!

!

aaa group server tacacs+ ACS

server xxxxxxxxxx

server xxxxxxxxxx

ip vrf forwarding Mgmt-intf

ip tacacs source-interface GigabitEthernet0

!

aaa authentication login default group ACS local

aaa authentication login console group ACS local

aaa authorization console

aaa authorization exec default group ACS local

aaa authorization exec console if-authenticated

aaa authorization commands 1 default group ACS local

aaa authorization commands 15 default group ACS local

!

!

!

!

!

aaa session-id common

ip source-route

!

tacacs-server host xxxxxxxxx key 7 xxxxx

tacacs-server host xxxxxxxxx key 7 xxxxx

tacacs-server directed-request

!

0 Helpful

Go to solution
Gabriel Hill
Level 1
Level 1
In response to balakrishnansenthil

‎02-15-2013 05:21 AM

Yes you certainly need a local user account.

"username balakrishnan password example12345"

Make sure that in your tacacs server the IP address specified is the IP address associated with "GigabitEthernet0" because that's where you've configured the source interface.

TACACS has a monitoring portion where you can look at the failed authentication and the reason behind it. I don't have access to to an ACS server at the moment but I believe you go to "Monitoring & Report Viewer" then there is a tab in there where you can view failed AAA authentication attempts. Try finding that and seeing why your device is failing.

0 Helpful

Go to solution
Suresh Babu
Level 1
Level 1

‎02-15-2013 09:54 AM

Hi,

Is there any specific procedure to follow to configure this AAA like first authentication followed by authorizarion and administration

Regarda
Suresh


Sent from Cisco Technical Support Android App

0 Helpful
Getting Started

Find answers to your questions by entering keywords or phrases in the Search bar above. New here? Use these resources to familiarize yourself with the community:

Customers Also Viewed These Support Documents
Review Cisco Networking products for a $25 gift card