tacacs for a device

suthomas1
Level 6

I have to add a network device into TACACS to use standard logins. I am doing it for the first time. Would the following configuration be sufficient for this network switch to be used via TACACS?

aaa new-model
!
!
aaa authentication login default group tacacs+ local
aaa authentication enable default group tacacs+ enable
aaa authorization console
aaa authorization exec default group tacacs+ local
aaa accounting commands 15 XYZ stop-only group tacacs+
!
!
!
aaa session-id common
tacacs-server host 172.16.100.26
tacacs-server key 7 XXXXXX

Apart from this, does anything need to be done on the Cisco ACS for this to work?

Please help.

TIA

4 Replies

Edison Ortiz
Hall of Fame

Make sure you have also created a local account on this device, with privilege 15, for fallback authentication.

At the ACS, this device needs to be authorized, so it must be created manually unless you are allowing all devices in your network with that key to use the ACS server.

In most networks the security is very tight, so you often see the TACACS communication sourced from the router's loopback to the ACS server, and the loopback is the IP address used at the ACS server for device association.

Regards,

In addition to the good suggestions from Edison I would comment on 2 of your aaa configuration commands.

aaa authorization console

By default IOS does not perform authorization on the console. If you want to perform authorization on the console then this is the command to do it. I would suggest that you start without this command in the config. Do the testing to verify that aaa is working OK with TACACS and then add the console authorization. With this command in the config you have a risk of locking yourself out of the console if there are problems with aaa and TACACS.

aaa authorization exec default group tacacs+ local

I have seen some difficulties using local as the backup method for authorization. I have had better success with this version of a backup method:

aaa authorization exec default group tacacs+ if-authenticated

HTH

Rick

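Pulling the two replies together, here is what the original AAA block looks like with Edison's and Rick's advice applied. This is an added example written for this thread, not the poster's config or anything from the replies verbatim; the loopback address, the username, the secrets and the shared key are placeholders, and the accounting list has been changed from the named list XYZ to the default list so that it takes effect without also being applied under each line.

```cisco
! Added example: the poster's AAA config reworked with the advice from the
! two replies. Addresses, usernames, secrets and keys are placeholders.
!
! Local fallback account (Edison). It is only consulted when no TACACS+ server
! answers, so it must exist before TACACS+ is cut over, and it needs privilege 15.
username fallback-admin privilege 15 secret <strong-local-password>
enable secret <strong-enable-secret>
!
! Loopback that the ACS will see as the device address (Edison).
interface Loopback0
 ip address 10.255.0.1 255.255.255.255
!
aaa new-model
aaa authentication login default group tacacs+ local
aaa authentication enable default group tacacs+ enable
!
! Exec authorization with if-authenticated as the backup (Rick) rather than local.
aaa authorization exec default group tacacs+ if-authenticated
!
! 'aaa authorization console' is deliberately left out until TACACS+ has been
! verified from a vty session (Rick); add it afterwards if console authorization
! is required.
!
! Default accounting list applies to every line without extra line configuration.
aaa accounting commands 15 default stop-only group tacacs+
aaa session-id common
!
! Server definition. The source interface must be the same address that is
! entered for this device in ACS, or the ACS will drop the request.
tacacs-server host 172.16.100.26
tacacs-server key <shared-key>
ip tacacs source-interface Loopback0
```

Before closing the session used to apply this, open a second vty session and log in with a TACACS+ account; `show tacacs` reports whether the server is reachable and counts the requests sent and accepted, and `test aaa group tacacs+ <user> <password> legacy` exercises the authentication path without a real login. Keep the first session open until the new login works, so the local fallback account is never the only way back in.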

Thanks Edison,Rick.

I haven't been very familiar with ACS. How do I see if all network devices are authorized with the key for using the ACS server, and if not, how do I authorize this device on the ACS?

TIA