Tacacs Configuration Task List

To configure your router to support TACACS+, you must perform the following tasks:

Step 1 Use the aaa new-model global configuration command to enable AAA, which must be configured if you plan to use TACACS+. For more information about using the aaa new-model command, refer to http://www.cisco.com/univercd/cc/td/doc/product/software/ios121/121cgcr/secur_c/scprt1/scdaaa.htm.

Step 2 Use the tacacs-server host command to specify the IP address of one or more TACACS+ daemons:

tacacs-server host hostname [single-connection] [port integer] [timeout integer] [key string]

Step 3 Use the tacacs-server key command to specify an encryption key to encrypt all exchanges between the NAS and the TACACS+ daemon. This same key must also be configured on the TACACS+ daemon. The actual command is as follows:

tacacs-server key key

The key should match the one used on the TACACS+ daemon.

Step 4 Use the aaa authentication global configuration command to define method lists that use TACACS+ for authentication.

Step 5 Use line and interface commands to apply the defined method lists to various interfaces.

Step 6 To enable authorization, use the aaa authorization global command to configure authorization for the NAS. Unlike authentication, which can be configured per line or per interface, authorization is configured globally for the entire NAS.

Step 7 To enable accounting for TACACS+ connections, use the aaa accounting command. The related configuration tasks, with their required or optional status, are as follows:

• Configuring AAA server groups (Optional)

• Configuring AAA server group selection based on Dialed Number Identification Service (DNIS) (Optional)

• Specifying TACACS+ authentication (Required)

• Specifying TACACS+ authorization (Optional)

• Specifying TACACS+ accounting (Optional)

Example 4-5 displays a sample configuration of a Cisco router with TACACS+ authentication for PPP.

Example 4-5 TACACS+ Authentication for PPP Example

aaa new-model
aaa authentication ppp CCIE group tacacs+ local
tacacs-server host 10.1.2.3
tacacs-server key cciesarecool
interface serial 0
ppp authentication chap pap CCIE

The configuration lines in Example 4-5 are defined as follows:

■ The aaa new-model command enables the AAA security services.

■ The aaa authentication command defines a method list, CCIE, to be used on serial interfaces running PPP. The keyword group tacacs+ means that authentication is done through TACACS+. If TACACS+ returns an ERROR during authentication, the keyword local indicates that authentication will be attempted using the local database on the NAS. Note that the local database is not used if a REJECT response is received from the security server.


■ The tacacs-server host command identifies the TACACS+ daemon as having an IP address of 10.1.2.3. The tacacs-server key command defines the shared encryption key as cciesarecool.

■ The interface command selects the line, and the ppp authentication command applies the CCIE method list to this line.

Example 4-6 shows how to configure TACACS+ as the security protocol for PPP authentication using the default method list; it also shows how to configure network authorization through TACACS+.

Example 4-6 Authorization and TACACS+ Example

aaa new-model
aaa authentication ppp default if-needed group tacacs+ local
aaa authorization network default group tacacs+
tacacs-server host 3.3.3.3
tacacs-server key simoniscool
interface serial 0
ppp authentication default

The lines in the preceding sample configuration are defined as follows:

■ The aaa new-model command enables the AAA security services.

■ The aaa authentication command defines a method list, default, to be used on serial interfaces running PPP. The keyword default means that PPP authentication is applied by default to all interfaces. The if-needed keyword means that if the user has already authenticated by going through the ASCII login procedure, PPP authentication is not necessary and can be skipped. If authentication is needed, the keyword group tacacs+ means that authentication is done through TACACS+. If TACACS+ returns an ERROR during authentication, the keyword local indicates that authentication will be attempted using the local database on the NAS.

■ The aaa authorization command configures network authorization via TACACS+.

■ The tacacs-server host command identifies the TACACS+ daemon as having an IP address of 3.3.3.3.

■ The tacacs-server key command defines the shared encryption key as simoniscool.

■ The interface command selects the line, and the ppp authentication command applies the default method list to this line.

The source interface used by TACACS+ or RADIUS can be defined when required as follows:

ip tacacs source-interface subinterface-name

ip radius source-interface subinterface-name

The source-interface commands force the security protocol to use a specific interface as the source IP address. For example, it may be a loopback address (remember, it is always active, unlike a physical interface, which may fail or be down) for redundancy purposes in case of a physical interface failure.

Example 4-7 displays a sample configuration where accounting is also enabled.

Example 4-7 Accounting Example

aaa new-model
aaa authentication ppp default if-needed group tacacs+ local
aaa accounting network default stop-only group tacacs+
tacacs-server host 3.3.3.3
tacacs-server key andrewiscool
interface serial 0
ppp authentication default

The lines in the Example 4-7 configuration are defined as follows:

■ The aaa new-model command enables the AAA security services.

■ The aaa authentication command defines a method list, default, to be used on serial interfaces running PPP. The keyword default means that PPP authentication is applied by default to all interfaces. The if-needed keyword means that if the user has already authenticated through the ASCII login procedure, PPP authentication is not necessary. If authentication is needed, the keyword group tacacs+ means that authentication is done through TACACS+. If TACACS+ returns an ERROR during authentication, the keyword local indicates that authentication will be attempted using the local database on the NAS.

■ The aaa accounting command configures network accounting through TACACS+. In this example, the keyword stop-only means that a stop record for the session that just terminated is sent to the TACACS+ daemon whenever a network connection terminates; no start record is sent.

■ The interface command selects the line, and the ppp authentication command applies the default method list to this line.
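The three examples above share the same small set of requirements: aaa new-model must be present, every method list referenced by ppp authentication must actually be defined, a tacacs-server key must accompany the tacacs-server host entries, and a source interface is advisable. The following script is an added example (not from the book or Cisco) that parses such a configuration fragment and reports those omissions; the two sample configurations, the finding texts and the function names are constructed for this example.

```python
"""Static check of a Cisco IOS AAA/TACACS+ configuration fragment.

Added example, not from the book: it parses the kind of configuration
shown in Examples 4-5 to 4-7 and reports the omissions a reviewer would
look for. Sample configurations and check names are constructed.
"""
import re

# Constructed sample: mirrors Example 4-7 with a loopback source interface.
SAMPLE_GOOD = """\
aaa new-model
aaa authentication ppp default if-needed group tacacs+ local
aaa accounting network default stop-only group tacacs+
tacacs-server host 3.3.3.3
tacacs-server key andrewiscool
ip tacacs source-interface Loopback0
interface serial 0
 ppp authentication default
"""

# Constructed sample with typical mistakes: no shared key, no source
# interface, and a method list with no local fallback after an ERROR.
SAMPLE_BAD = """\
aaa new-model
aaa authentication ppp CCIE group tacacs+
tacacs-server host 10.1.2.3
interface serial 0
 ppp authentication chap pap CCIE
"""

AUTH_RE = re.compile(r"^aaa authentication (\S+) (\S+) (.+)$")
PPP_AUTH_RE = re.compile(r"^ppp authentication (.+)$")
PPP_PROTOCOLS = {"chap", "pap", "ms-chap", "ms-chap-v2", "eap"}


def parse(config):
    """Collect the facts the checks need from one configuration text."""
    facts = {"aaa_new_model": False, "hosts": [], "key": None,
             "source_if": None, "auth_lists": {}, "ppp_auth_refs": []}
    for raw in config.splitlines():
        line = raw.strip()
        if line == "aaa new-model":
            facts["aaa_new_model"] = True
        elif line.startswith("tacacs-server host "):
            facts["hosts"].append(line.split()[2])
        elif line.startswith("tacacs-server key "):
            facts["key"] = line.split(None, 2)[2]
        elif line.startswith("ip tacacs source-interface "):
            facts["source_if"] = line.split()[3]
        elif m := AUTH_RE.match(line):
            service, name, methods = m.groups()
            facts["auth_lists"][(service, name)] = methods.split()
        elif m := PPP_AUTH_RE.match(line):
            # The last token names the method list; if only protocols are
            # given, the interface uses the default list.
            tokens = m.group(1).split()
            name = "default" if tokens[-1] in PPP_PROTOCOLS else tokens[-1]
            facts["ppp_auth_refs"].append(name)
    return facts


def check(config):
    """Return a list of human-readable findings; empty means no issue found."""
    f = parse(config)
    findings = []
    if not f["aaa_new_model"]:
        findings.append("aaa new-model missing: method lists will not take effect")
    if not f["hosts"]:
        findings.append("no tacacs-server host configured")
    if f["hosts"] and f["key"] is None:
        findings.append("tacacs-server key missing: NAS/daemon exchanges are not encrypted")
    if f["source_if"] is None:
        findings.append("no ip tacacs source-interface; a loopback gives the daemon one stable source address")
    for name in f["ppp_auth_refs"]:
        if ("ppp", name) not in f["auth_lists"]:
            findings.append(f"ppp authentication references undefined list '{name}'")
    for (service, name), methods in f["auth_lists"].items():
        if "group" in methods and "local" not in methods:
            findings.append(f"list {service}/{name} has no local fallback if TACACS+ returns ERROR")
    return findings


if __name__ == "__main__":
    for label, cfg in (("good", SAMPLE_GOOD), ("bad", SAMPLE_BAD)):
        print(label, check(cfg) or "no findings")
```

The checks are deliberately narrow: they only confirm that the pieces each example relies on are present together, which is where a hand-typed configuration most often goes wrong.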

NOTE You can define a group of TACACS+ servers by defining the servers with the IOS commands tacacs-server host ip-address-of-server and tacacs-server key secret-key. For example, to define six servers, you would use the following IOS configuration:

tacacs-server host 1.1.1.1
tacacs-server host 2.2.2.2
tacacs-server host 3.3.3.3
tacacs-server host 4.4.4.4
tacacs-server host 5.5.5.5
tacacs-server host 6.6.6.6
tacacs-server key ccie

If the first server does not respond within a timeout period (the default is 5 seconds), the next server is queried, and so forth.

Typically, the console port is not configured for authorization.
