12-04-2010 03:25 AM - edited 03-06-2019 02:21 PM
I have to add a network device into TACACS to use standard logins. I am doing it for the first time. Would the following configuration be sufficient for this network switch to be used via TACACS?
aaa new-model
!
!
aaa authentication login default group tacacs+ local
aaa authentication enable default group tacacs+ enable
aaa authorization console
aaa authorization exec default group tacacs+ local
aaa accounting commands 15 XYZ stop-only group tacacs+
!
!
!
aaa session-id common
tacacs-server host 172.16.100.26
tacacs-server key 7 XXXXXX
Apart from this, does anything need to be done on the Cisco ACS for this to work?
Please help.
TIA
12-05-2010 04:48 AM
I suggest reading the documentation
12-04-2010 08:06 AM
Make sure you have also created a local account on this device for fallback authentication with privilege 15.
At the ACS, this device needs to be authorized so it must be created manually unless you are allowing all devices in your network with that key to use the ACS server.
In most networks the security is very tight, so you often see the TACACS communication sourced from the router's loopback to the ACS server, and the loopback is the IP address to be used at the ACS server for device association.
Regards,
12-04-2010 12:24 PM
In addition to the good suggestions from Edison I would comment on 2 of your aaa configuration commands.
aaa authorization console
By default IOS does not perform authorization on the console. If you want to perform authorization on the console then this is the command to do it. I would suggest that you start without this command in the config. Do the testing to verify that aaa is working ok with TACACS and then add the console authorization. With this command in the config you have a risk of locking yourself out of the console if there are problems with aaa and TACACS.
aaa authorization exec default group tacacs+ local
I have seen some difficulties using local as the backup method for authorization. I have had better success with this version of a backup method:
aaa authorization exec default group tacacs+ if-authenticated
HTH
Rick
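The two replies above point at the same class of mistake: an AAA configuration that works only while the TACACS+ server answers. The following script is an example added by the editor, not code from any poster in this thread; it lints a saved `show running-config` for the specific pitfalls Edison and Rick raise (no local privilege-15 fallback user, console authorization enabled before AAA is proven, `local` rather than `if-authenticated` as the exec-authorization fallback, a named accounting list that is never applied to a line, and no `ip tacacs source-interface` so the ACS device entry has a stable address to match). Both sample configurations are constructed; the username `fallback-admin`, the placeholder secret and `Loopback0` are assumptions, not values from the thread.

```python
"""Lint a Cisco IOS running-config for the AAA/TACACS+ lockout pitfalls discussed above.

Editor-added example; not the posters' code. Sample configs are constructed.
"""
import re

# Constructed: the original poster's AAA block as it might appear in "show running-config".
SAMPLE_CONFIG = """\
aaa new-model
aaa authentication login default group tacacs+ local
aaa authentication enable default group tacacs+ enable
aaa authorization console
aaa authorization exec default group tacacs+ local
aaa accounting commands 15 XYZ stop-only group tacacs+
aaa session-id common
tacacs-server host 172.16.100.26
tacacs-server key 7 XXXXXX
line vty 0 4
 login authentication default
"""

# Constructed: the same device after applying the advice in the thread.
# 'fallback-admin', the placeholder secret and Loopback0 are assumptions.
HARDENED_CONFIG = """\
aaa new-model
username fallback-admin privilege 15 secret PLACEHOLDER-CHANGE-ME
aaa authentication login default group tacacs+ local
aaa authentication enable default group tacacs+ enable
aaa authorization exec default group tacacs+ if-authenticated
aaa accounting commands 15 default stop-only group tacacs+
aaa session-id common
ip tacacs source-interface Loopback0
tacacs-server host 172.16.100.26
tacacs-server key 7 XXXXXX
line vty 0 4
 login authentication default
"""


def lint_aaa(config):
    """Return a list of findings; an empty list means none of the thread's pitfalls is present."""
    lines = [ln.rstrip() for ln in config.splitlines()]
    findings = []

    # Edison: keep a local privilege-15 account so you can still log in when TACACS+ is unreachable.
    if not any(re.match(r"username \S+ privilege 15 ", ln) for ln in lines):
        findings.append("no local privilege-15 username for fallback when TACACS+ is unreachable")

    # Rick: console authorization is off by default; enabling it before AAA is proven risks console lockout.
    if "aaa authorization console" in lines:
        findings.append("'aaa authorization console' present: verify TACACS+ works before enabling it")

    # Rick: 'if-authenticated' has proven a more reliable exec-authorization fallback than 'local'.
    for ln in lines:
        m = re.match(r"aaa authorization exec \S+ (.+)$", ln)
        if m and m.group(1).split()[-1] == "local":
            findings.append("exec authorization falls back to 'local'; consider 'if-authenticated' instead")

    # A named accounting list does nothing until applied under a line; 'default' applies automatically.
    for ln in lines:
        m = re.match(r"aaa accounting commands (\d+) (\S+) ", ln)
        if m and m.group(2) != "default":
            level, name = m.groups()
            applied = any(
                re.match(rf"\s+accounting commands {level} {re.escape(name)}$", x) for x in lines
            )
            if not applied:
                findings.append(f"accounting list '{name}' is not applied to any line (or rename it 'default')")

    # Edison: source TACACS+ from a loopback so the ACS device entry matches a stable address.
    has_server = any(ln.startswith("tacacs-server host ") for ln in lines)
    if has_server and not any(ln.startswith("ip tacacs source-interface ") for ln in lines):
        findings.append("no 'ip tacacs source-interface'; source from a loopback and register that address in ACS")

    return findings


if __name__ == "__main__":
    for label, cfg in (("original", SAMPLE_CONFIG), ("hardened", HARDENED_CONFIG)):
        print(f"== {label} ==")
        for finding in lint_aaa(cfg) or ["no findings"]:
            print(" -", finding)
```

Run it against a config file with `python lint_aaa.py < running-config.txt` after replacing the constructed strings with `sys.stdin.read()`; the check is deliberately textual so it works on a copied config without device access, and the hardened sample shows the shape of a configuration that passes every check.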
12-05-2010 03:56 AM
Thanks Edison, Rick.
I haven't been very familiar with ACS. How do I see if all network devices are authorized with the key for using the ACS server, and if not, how do I authorize this device on the ACS?
TIA