
Wednesday, January 12, 2011

AAA Authentication with ACS - Tacacs


Click here for the settings on the ACS side.

aaa new-model
aaa authentication login default group tacacs+
aaa authentication enable default group tacacs+
tacacs-server host 1.1.1.1
tacacs-server host 2.2.2.2
tacacs-server key secret
tacacs-server attempts 3
end


Once you configure aaa authentication with a default list, the router stops using the line passwords on all lines (vty, console, etc.) and applies that list instead.

The second and third lines tell the router to use the TACACS+ server for login and for enable authentication.

Define your TACACS+ servers; you can list more than one for failover, and the router tries them in order.

Define the key (shared secret) this router uses to talk to the TACACS+ server; it must match on both sides.

Allow three login attempts before the session is dropped.



Another way to define the TACACS+ servers is to group them:

aaa group server tacacs+ groupA
 server 1.1.1.1
 server 2.2.2.2

Then remove these lines:

tacacs-server host 1.1.1.1 (and 2.2.2.2)

and replace the word tacacs+ with the group name:


aaa authentication login default group groupA



What if there is no connection to the TACACS+ server at all, for whatever reason?

The solution is to add another method after tacacs+. If tacacs+ is unreachable, the router tries the next method in the list (here enable, the last keyword on each line):

aaa authentication login default group tacacs+ enable
aaa authentication enable default group tacacs+ enable

This means that if the router cannot reach TACACS+, it falls back to prompting for the enable password.

List of methods:

tacacs+      TACACS+ authentication
radius       RADIUS authentication
line         Line-based authentication (password)
local        Local username authentication
local-case   Case-sensitive local authentication
enable       Enable password or enable secret
none         No authentication

In my environment we prefer the console line to use the local password; this is how to do it.

Add a new login authentication list (groupB) and define it to use the local method:

aaa authentication login default group tacacs+
aaa authentication enable default group tacacs+
aaa authentication login groupB local
..

Nothing happens yet until you add this under the console line:

line con 0
 login authentication groupB

Once a user connects to the console, this line puts the console under groupB, and that list uses the local method.
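The fallback behaviour described earlier (enable after tacacs+) and the per-line list for the console above can both be checked with a small simulator. This is an added example, not code from the post or from Cisco IOS: it parses the post's aaa lines and assumes that each method answers PASS, FAIL or ERROR and that IOS moves to the next method only on ERROR, so an explicit TACACS+ reject does not fall through to the enable password.

```python
from enum import Enum

class Result(Enum):
    PASS = "pass"    # method authenticated the user
    FAIL = "fail"    # method explicitly rejected the user: no fallback
    ERROR = "error"  # method unavailable (e.g. TACACS+ unreachable): try next

def parse_aaa(config):
    """Return ({list name: [methods]}, {line: list name}) from IOS config."""
    lists, line_lists, current_line = {}, {}, None
    for raw in config.splitlines():
        parts = raw.split()
        if parts[:3] == ["aaa", "authentication", "login"]:
            name, tokens, methods = parts[3], parts[4:], []
            while tokens:  # "group tacacs+" / "group groupA" is one method
                take = 2 if tokens[0] == "group" else 1
                methods.append(" ".join(tokens[:take]))
                tokens = tokens[take:]
            lists[name] = methods
        elif parts[:1] == ["line"]:
            current_line = " ".join(parts[1:])
        elif parts[:2] == ["login", "authentication"] and current_line:
            line_lists[current_line] = parts[2]
    return lists, line_lists

def authenticate(lists, line_lists, line, outcomes):
    """Walk the list bound to `line` (or 'default'). Assumed IOS behaviour:
    only ERROR moves to the next method; if every method errors, deny."""
    for method in lists[line_lists.get(line, "default")]:
        result = outcomes.get(method, Result.ERROR)
        if result is not Result.ERROR:
            return result, method
    return Result.FAIL, None

# Constructed sample assembled from the post's configuration lines.
CONFIG = """
aaa authentication login default group tacacs+ enable
aaa authentication login groupB local
line con 0
 login authentication groupB
"""

if __name__ == "__main__":
    lists, lines = parse_aaa(CONFIG)
    down = {"group tacacs+": Result.ERROR, "enable": Result.PASS}
    reject = {"group tacacs+": Result.FAIL, "enable": Result.PASS}
    print(authenticate(lists, lines, "vty 0 4", down))    # falls back to enable
    print(authenticate(lists, lines, "vty 0 4", reject))  # rejected, no fallback
    print(authenticate(lists, lines, "con 0", {"local": Result.PASS}))
```

Since groupB's only method is local, a console login is denied when no local username exists, so create one before binding groupB to the console.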

