TACACS+ Configuration Task List

To configure your router to support TACACS+, you must perform the following tasks:

Step 1 Use the aaa new-model global configuration command to enable AAA, which must be configured if you plan to use TACACS+. For more information about using the aaa new-model command, refer to the link, www.cisco.com/univercd/cc/td/doc/product/software/ios121/121cgcr/secur_c/scprt1/index.htm.

Step 2 Use the tacacs-server host command to specify the IP address of one or more TACACS+ daemons. The command is as follows:

tacacs-server host hostname [single-connection] [port integer] [timeout integer] [key string]

Step 3 Use the tacacs-server key command to specify the shared encryption key used to protect all exchanges between the network access server and the TACACS+ daemon. (Strictly, TACACS+ XORs the packet body with an MD5-derived pad; this hides the contents from a casual sniffer but is not strong encryption and gives no integrity protection, so the key's secrecy and the security of the management network still matter.) This same key must also be configured on the TACACS+ daemon. The actual command is as follows:

tacacs-server key key

The key should match the one used on the TACACS+ daemon.

Step 4 Use the aaa authentication global configuration command to define method lists that use TACACS+ for authentication.

Step 5 Use line and interface commands to apply the defined method lists to various interfaces.

Step 6 To enable authorization, use the aaa authorization global command to configure authorization for the NAS. Authorization method lists are defined globally; the default list applies to the entire NAS, whereas a named list can additionally be applied to particular lines (for example, with the authorization exec or authorization commands line configuration commands).

Step 7 To enable accounting for TACACS+ connections, use the aaa accounting command.

The individual TACACS+ tasks, with the optional ones marked, are as follows:

— Configuring AAA server groups (Optional)

— Configuring AAA server group selection based on DNIS (Optional)

— Specifying TACACS+ authentication (Required)

— Specifying TACACS+ authorization (Optional)

— Specifying TACACS+ accounting (Optional)

Example 5-6 displays a sample configuration of a Cisco router with TACACS+ authentication for PPP.

Example 5-6 TACACS+ Authentication for PPP Example

aaa new-model

aaa authentication ppp CCIE group tacacs+ local

tacacs-server host 10.1.2.3

tacacs-server key cciesarecool

interface serial 0

ppp authentication chap pap CCIE

The configuration lines in Example 5-6 are defined as follows:

• The aaa new-model command enables the AAA security services.

• The aaa authentication command defines a method list, CCIE, to be used on serial interfaces running PPP. The keyword group tacacs+ means that authentication is done through TACACS+. If TACACS+ returns an ERROR during authentication, the keyword local indicates that authentication will be attempted using the local database on the NAS. Note that the local database is not used if a REJECT response is received from the security server.

• The tacacs-server host command identifies the TACACS+ daemon as having an IP address of 10.1.2.3. The tacacs-server key command defines the shared encryption key as cciesarecool.

• The interface command selects the line, and the ppp authentication command applies the CCIE method list to this line.

Example 5-7 shows how to configure TACACS+ as the security protocol for PPP authentication using the default method list; it also shows how to configure network authorization through TACACS+.

Example 5-7 Authorization and TACACS+ Example

aaa new-model

aaa authentication ppp default if-needed group tacacs+ local

aaa authorization network default group tacacs+

tacacs-server host 3.3.3.3

tacacs-server key simoniscool

interface serial 0

ppp authentication default

The lines in the preceding sample configuration are defined as follows:

• The aaa new-model command enables the AAA security services.

• The aaa authentication command defines a method list, default, to be used on serial interfaces running PPP. The keyword default means that PPP authentication is applied by default to all interfaces. The if-needed keyword means that if the user has already authenticated by going through the ASCII login procedure, PPP authentication is not necessary and can be skipped. If authentication is needed, the keyword group tacacs+ means that authentication is done through TACACS+. If TACACS+ returns an ERROR during authentication, the keyword local indicates that authentication will be attempted using the local database on the NAS.

• The aaa authorization command configures network authorization via TACACS+.

• The tacacs-server host command identifies the TACACS+ daemon as having an IP address of 3.3.3.3.

• The tacacs-server key command defines the shared encryption key as simoniscool.

• The interface command selects the line, and the ppp authentication command applies the default method list to this line.

Example 5-8 displays a sample configuration where accounting is also enabled.

Example 5-8 Accounting Example

aaa new-model

aaa authentication ppp default if-needed group tacacs+ local

aaa accounting network default stop-only group tacacs+

tacacs-server host 3.3.3.3

tacacs-server key andrewiscool

interface serial 0

ppp authentication default

The lines in the Example 5-8 configuration are defined as follows:

• The aaa new-model command enables the AAA security services.

• The aaa authentication command defines a method list, default, to be used on serial interfaces running PPP. The keyword default means that PPP authentication is applied by default to all interfaces. The if-needed keyword means that if the user has already authenticated through the ASCII login procedure, PPP authentication is not necessary. If authentication is needed, the keyword group tacacs+ means that authentication is done through TACACS+. If TACACS+ returns an ERROR during authentication, the keyword local indicates that authentication will be attempted using the local database on the NAS.

• The aaa accounting command configures network accounting through TACACS+. The stop-only keyword means that only a stop record, describing the session that just terminated, is sent to the TACACS+ daemon whenever a network connection terminates; no start record is sent when the connection begins.

• The interface command selects the line, and the ppp authentication command applies the default method list to this line.

NOTE You can define a group of TACACS+ servers by listing each server with the IOS command tacacs-server host <ip address of server>. For example, to define six servers you would use the IOS configuration:

tacacs-server host 1.1.1.1

tacacs-server host 2.2.2.2

tacacs-server host 3.3.3.3

tacacs-server host 4.4.4.4

tacacs-server host 5.5.5.5

tacacs-server host 6.6.6.6

tacacs-server key ccie

If the first server does not respond within a timeout period (default 5 seconds), the next server is queried, and so forth.

Typically, the console port is not configured for authorization.
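The two rules just described, that only an ERROR (not a REJECT) lets a method list fall through to the next method, and that each unresponsive tacacs-server host costs a full timeout before the next one is tried, decide both the security and the latency of the configurations in Examples 5-6 through 5-8. The following Python model is an added example written for this page; it is not Cisco code and sends no TACACS+ packets. The servers, users and passwords are constructed, and the 5-second timeout is the IOS default quoted in the NOTE above.

```python
"""Model of how IOS evaluates an AAA method list such as
"aaa authentication ppp CCIE group tacacs+ local" together with the
host-by-host failover of a multi-entry "tacacs-server host" list.
Added example, not Cisco code: server behaviour and timeouts are
simulated in memory; no TACACS+ protocol traffic is involved."""

from typing import Dict, List, Optional, Tuple

PASS, FAIL, ERROR = "PASS", "FAIL", "ERROR"    # the terms IOS itself uses

# A simulated TACACS+ host is a user->password table; None means the host
# never answers (every query to it times out).
ServerDB = Optional[Dict[str, str]]
Trace = List[Tuple[str, str]]


def query_tacacs_group(servers: List[Tuple[str, ServerDB]], user: str,
                       password: str, timeout: int = 5) -> Tuple[str, int]:
    """Query the hosts in configuration order. A host that does not respond
    within `timeout` seconds (IOS default 5) is skipped; the first host that
    answers decides, and its REJECT is reported as FAIL. Only when no host
    answers at all is the method result ERROR, the one result that lets the
    method list fall through. Returns (result, seconds spent waiting)."""
    waited = 0
    for _addr, db in servers:
        if db is None:
            waited += timeout
            continue
        verdict = PASS if db.get(user) == password else FAIL
        return verdict, waited
    return ERROR, waited


def evaluate_method_list(methods: List[str], user: str, password: str,
                         local_db: Dict[str, str],
                         tacacs_servers: List[Tuple[str, ServerDB]]) -> Tuple[str, int, Trace]:
    """Walk the list left to right. PASS and FAIL end evaluation at once;
    only ERROR (method unavailable) moves on to the next method. If every
    method returns ERROR, the authentication fails."""
    waited = 0
    trace: Trace = []
    for method in methods:
        if method == "group tacacs+":
            result, spent = query_tacacs_group(tacacs_servers, user, password)
            waited += spent
        elif method == "local":
            result = PASS if local_db.get(user) == password else FAIL
        else:
            raise ValueError(f"unsupported method {method!r}")
        trace.append((method, result))
        if result != ERROR:
            return result, waited, trace
    return FAIL, waited, trace


# Constructed data: the local database on the NAS and three TACACS+ hosts.
METHODS = ["group tacacs+", "local"]
LOCAL_DB = {"ccie": "localpw"}
TACACS_DB = {"ccie": "serverpw", "ops": "opspw"}
ALL_DOWN = [("10.1.2.3", None), ("10.1.2.4", None), ("10.1.2.5", None)]
SECOND_UP = [("10.1.2.3", None), ("10.1.2.4", TACACS_DB), ("10.1.2.5", TACACS_DB)]


def servers_unreachable() -> Tuple[str, int, Trace]:
    """Every host times out -> ERROR -> the local database is consulted."""
    return evaluate_method_list(METHODS, "ccie", "localpw", LOCAL_DB, ALL_DOWN)


def server_rejects() -> Tuple[str, int, Trace]:
    """A reachable host rejects the local-only password: no local fallback."""
    return evaluate_method_list(METHODS, "ccie", "localpw", LOCAL_DB, SECOND_UP)


def server_accepts() -> Tuple[str, int, Trace]:
    """First host down, second host accepts the user."""
    return evaluate_method_list(METHODS, "ops", "opspw", LOCAL_DB, SECOND_UP)


if __name__ == "__main__":
    for case in (servers_unreachable, server_rejects, server_accepts):
        print(f"{case.__name__:20s} -> {case()}")
```

The first case is the one to keep in mind when sizing a server list: with three unreachable hosts and the default timeout, a PPP peer waits 15 seconds before the local database is even consulted, which is why long host lists are usually paired with a shorter tacacs-server timeout. The second case is the security property: a password that exists only in the local database does not let anyone in while the TACACS+ daemon is reachable, because the daemon's REJECT ends evaluation.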

TACACS+ Versus RADIUS

Table 5-4 compares the main differences between TACACS+ and RADIUS.

Table 5-4 TACACS+/RADIUS Comparison

Packet delivery
    RADIUS: UDP
    TACACS+: TCP

Packet encryption
    RADIUS: Encrypts only the password in the Access-Request packet from the client to the server.
    TACACS+: Encrypts the entire body of the packet but leaves a standard TACACS+ header.

AAA support
    RADIUS: Combines authentication and authorization.
    TACACS+: Uses the AAA architecture, separating authentication, authorization, and accounting.

Multiprotocol support
    RADIUS: None.
    TACACS+: Supports other protocols, such as AppleTalk, NetBIOS, and IPX.

Router management
    RADIUS: Does not allow users to control which commands can be executed on a router.
    TACACS+: Allows network administrators control over which commands can be executed on a router.
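The "Packet encryption" row is the one worth seeing in code, because the two schemes differ in what they hide, not just in how much. The Python below is an added example written for this page, not Cisco or page code: it implements RADIUS User-Password hiding from RFC 2865 section 5.2 and TACACS+ body obfuscation from RFC 8907 section 4.5, builds one minimal packet of each kind from constructed values (the Request Authenticator, the session ID, the RADIUS secret and the user's password are all made up here; the TACACS+ key reuses the page's cciesarecool), and reports which fields are still readable on the wire.

```python
"""The two "packet encryption" schemes of Table 5-4, implemented from the
RFCs. Added example, not from the page or from Cisco. RADIUS hides only the
User-Password attribute (RFC 2865, 5.2); TACACS+ XORs the whole body with an
MD5 pseudo-pad and leaves the 12-byte header in clear (RFC 8907, 4.5).
Neither scheme provides integrity."""

import hashlib
import struct
from typing import Dict


# ---------------- RADIUS: User-Password hiding (RFC 2865 section 5.2) ------

def radius_hide_password(secret: bytes, request_authenticator: bytes, password: bytes) -> bytes:
    """c1 = p1 XOR MD5(S + RA); c_i = p_i XOR MD5(S + c_(i-1)),
    after zero-padding the password to a multiple of 16 octets."""
    if len(request_authenticator) != 16:
        raise ValueError("Request Authenticator is 16 octets")
    if not 1 <= len(password) <= 128:
        raise ValueError("RADIUS passwords are 1..128 octets")
    padded = password + b"\x00" * (-len(password) % 16)
    out, prev = bytearray(), request_authenticator
    for i in range(0, len(padded), 16):
        b = hashlib.md5(secret + prev).digest()
        chunk = bytes(p ^ k for p, k in zip(padded[i:i + 16], b))
        out += chunk
        prev = chunk
    return bytes(out)


def radius_reveal_password(secret: bytes, request_authenticator: bytes, hidden: bytes) -> bytes:
    """Inverse of radius_hide_password (what the server does). Trailing NULs
    are padding; RADIUS passwords are printable, so stripping them is safe."""
    out, prev = bytearray(), request_authenticator
    for i in range(0, len(hidden), 16):
        b = hashlib.md5(secret + prev).digest()
        chunk = hidden[i:i + 16]
        out += bytes(c ^ k for c, k in zip(chunk, b))
        prev = chunk
    return bytes(out).rstrip(b"\x00")


def radius_attr(atype: int, value: bytes) -> bytes:
    """Type-Length-Value encoding of one RADIUS attribute."""
    return bytes([atype, len(value) + 2]) + value


def radius_access_request(secret: bytes, ra: bytes, user: bytes, password: bytes, ident: int = 0xB) -> bytes:
    """Code 1 = Access-Request; User-Name travels in clear, User-Password hidden."""
    attrs = radius_attr(1, user) + radius_attr(2, radius_hide_password(secret, ra, password))
    return bytes([1, ident]) + struct.pack("!H", 20 + len(attrs)) + ra + attrs


# ---------------- TACACS+: body obfuscation (RFC 8907 section 4.5) ---------

def tacacs_pseudo_pad(session_id: int, key: bytes, version: int, seq_no: int, length: int) -> bytes:
    """MD5_1 = MD5(session_id, key, version, seq_no);
    MD5_n = MD5(session_id, key, version, seq_no, MD5_(n-1)); concatenated, truncated."""
    seed = struct.pack("!I", session_id) + key + bytes([version, seq_no])
    pad, prev = b"", b""
    while len(pad) < length:
        prev = hashlib.md5(seed + prev).digest()
        pad += prev
    return pad[:length]


def tacacs_obfuscate(session_id: int, key: bytes, version: int, seq_no: int, body: bytes) -> bytes:
    """XOR with the pad; XOR is its own inverse, so the same call de-obfuscates."""
    pad = tacacs_pseudo_pad(session_id, key, version, seq_no, len(body))
    return bytes(b ^ p for b, p in zip(body, pad))


def tacacs_authen_start_packet(key: bytes, session_id: int, user: bytes, password: bytes,
                               port: bytes = b"Serial0", rem_addr: bytes = b"") -> bytes:
    """Authentication START for PPP PAP (action LOGIN=1, priv_lvl 1,
    authen_type PAP=2, service PPP=3); for PAP the data field is the password.
    Header: version 0xC1 (minor version 1 for PAP/CHAP), type 1 = AUTHEN, seq 1."""
    body = (bytes([1, 1, 2, 3, len(user), len(port), len(rem_addr), len(password)])
            + user + port + rem_addr + password)
    version, seq_no = 0xC1, 1
    header = struct.pack("!BBBBII", version, 1, seq_no, 0, session_id, len(body))
    return header + tacacs_obfuscate(session_id, key, version, seq_no, body)


def tacacs_body_from_packet(key: bytes, packet: bytes) -> bytes:
    """Read the clear header, then de-obfuscate the body with the shared key."""
    version, _type, seq_no, _flags, session_id, length = struct.unpack("!BBBBII", packet[:12])
    return tacacs_obfuscate(session_id, key, version, seq_no, packet[12:12 + length])


def compare_exposure(user: bytes = b"bill", password: bytes = b"s3cret-ppp-pw") -> Dict[str, bool]:
    """Which cleartext fields survive in each packet on the wire."""
    ra = bytes(range(16))            # constructed; a real NAS uses a random value per request
    r = radius_access_request(b"radius-secret", ra, user, password)
    t = tacacs_authen_start_packet(b"cciesarecool", 0x12345678, user, password)
    return {"radius_user_visible": user in r, "radius_password_visible": password in r,
            "tacacs_user_visible": user in t, "tacacs_password_visible": password in t,
            "tacacs_header_clear": t[:4] == bytes([0xC1, 1, 1, 0])}
```

Run stand-alone, compare_exposure() reports that the RADIUS packet still carries the username (and every other attribute) in clear, while the TACACS+ packet exposes only its header fields (version, type, sequence number, flags, session ID, length). In both cases an attacker who can read the traffic and guess the shared secret can recover everything, and neither scheme detects tampering, which is why RFC 8907 calls the TACACS+ mechanism obfuscation and recommends running it over a secured network or transport.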

NOTE You can configure both RADIUS and TACACS+ concurrently on a Cisco router provided that you have defined different list names and applied the list to different interfaces.

NOTE You can download and install a trial copy of Cisco Secure ACS for Windows NT/2000 or UNIX. This comes with a built-in RADIUS and TACACS+ server. You also need a Cisco router with IOS 12.X with one working Ethernet port. This will reinforce your understanding of the AAA concept. For more information, visit the Cisco Secure Software center at www.cisco.com.

The AAA configuration options are numerous, and those presented in this guide are only a small subset of a larger set you can view online at Cisco's website. Visit the following URL for more quality examples of how AAA, along with RADIUS or TACACS, can be implemented on Cisco IOS routers:

www.cisco.com/cgi-bin/Support/browse/index.pl?i=Technologies&f=1408

The IOS debug command set for RADIUS and TACACS is extensive. Presented here are some common RADIUS and TACACS debug outputs found in real networks.

Example 5-9 displays sample output from the debug aaa authentication command for a RADIUS login attempt that failed. The Method=RADIUS field shows that RADIUS is the authentication method in use, and the final status = FAIL line shows the rejection.

Example 5-9 debug aaa authentication

R1# debug aaa authentication

14:02:55: AAA/AUTHEN (164826761): Method=RADIUS
14:02:55: AAA/AUTHEN (164826761): status = GETPASS
14:03:01: AAA/AUTHEN/CONT (164826761): continue_login
14:03:01: AAA/AUTHEN (164826761): status = GETPASS
14:03:04: AAA/AUTHEN (164826761): status = FAIL

Example 5-10 displays a sample output from the debug radius command that shows a successful login attempt, as indicated by an Access-Accept message:

Example 5-10 debug radius Success

R1# debug radius

13:59:02: Radius: IPC Send 0.0.0.0:1645, Access-Request, id 0xB, len 56
13:59:02:         Attribute 4 6 AC150E5A
13:59:02:         Attribute 5 6 0000000A
13:59:02:         Attribute 1 6 62696C6C
13:59:02:         Attribute 2 18 0531FEA3
13:59:04:         Radius: Received from 131.108.1.1:1645, Access-Accept, id 0xB, len 26
13:59:04:         Attribute 6 6 00000001

Example 5-11 displays a sample output from the debug radius command that shows an unsuccessful login attempt, as indicated by an Access-Reject message.

Example 5-11 debug radius Command

R1# debug radius

13:57:56: Radius: IPC Send 0.0.0.0:1645, Access-Request, id 0xA, len 57
13:57:56:         Attribute 4 6 AC150E5A
13:57:56:         Attribute 5 6 0000000A
13:57:56:         Attribute 1 7 62696C6C
13:57:56:         Attribute 2 18 49C28F6C
13:57:59:         Radius: Received from 171.69.1.152:1645, Access-Reject, id 0xA, len 20
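The attribute lines in Examples 5-10 and 5-11 are only numbered type/length/hex triples, so reading them means knowing that 4 is NAS-IP-Address, 1 is User-Name and so on. The following Python is an added example written for this page, not Cisco code: a small parser for debug radius output that decodes those attributes into RFC 2865 names and values, pairs each Access-Request with its reply by identifier, and reports the outcome. The sample lines are constructed from Examples 5-10 and 5-11 (same addresses, identifiers and hex values).

```python
"""Parser for Cisco IOS "debug radius" output. Added example, not Cisco
code; the sample lines below are constructed from the page's Examples 5-10
and 5-11. Attribute numbers follow RFC 2865."""

import ipaddress
import re
from typing import Any, Dict, List

PACKET_RE = re.compile(
    r"^(?P<ts>\d\d:\d\d:\d\d):\s+Radius: (?P<dir>IPC Send|Received from) "
    r"(?P<ip>[\d.]+):(?P<port>\d+), (?P<code>Access-\w+), id 0x(?P<id>[0-9A-Fa-f]+), "
    r"len (?P<len>\d+)$")
ATTR_RE = re.compile(
    r"^(?P<ts>\d\d:\d\d:\d\d):\s+Attribute (?P<type>\d+) (?P<len>\d+) (?P<hex>[0-9A-Fa-f]+)$")

# RFC 2865 attribute numbers that appear in the page's examples.
ATTR_NAMES = {1: "User-Name", 2: "User-Password", 4: "NAS-IP-Address",
              5: "NAS-Port", 6: "Service-Type"}
SERVICE_TYPES = {1: "Login", 2: "Framed", 6: "Administrative", 7: "NAS-Prompt"}

SAMPLE_ACCEPT = [   # constructed from Example 5-10
    "13:59:02: Radius: IPC Send 0.0.0.0:1645, Access-Request, id 0xB, len 56",
    "13:59:02:         Attribute 4 6 AC150E5A",
    "13:59:02:         Attribute 5 6 0000000A",
    "13:59:02:         Attribute 1 6 62696C6C",
    "13:59:02:         Attribute 2 18 0531FEA3",
    "13:59:04:         Radius: Received from 131.108.1.1:1645, Access-Accept, id 0xB, len 26",
    "13:59:04:         Attribute 6 6 00000001",
]
SAMPLE_REJECT = [   # constructed from Example 5-11
    "13:57:56: Radius: IPC Send 0.0.0.0:1645, Access-Request, id 0xA, len 57",
    "13:57:56:         Attribute 4 6 AC150E5A",
    "13:57:56:         Attribute 5 6 0000000A",
    "13:57:56:         Attribute 1 7 62696C6C",
    "13:57:56:         Attribute 2 18 49C28F6C",
    "13:57:59:         Radius: Received from 171.69.1.152:1645, Access-Reject, id 0xA, len 20",
]


def decode_attribute(atype: int, alen: int, hexval: str) -> Dict[str, Any]:
    """Turn one "Attribute <type> <len> <hex>" line into a named value.
    The debug output prints at most the first 4 octets of a value, so the
    declared length tells us whether the value was truncated."""
    raw = bytes.fromhex(hexval)
    truncated = (alen - 2) > len(raw)
    value: Any
    if atype == 1:
        value = raw.decode("ascii", errors="replace") + ("..." if truncated else "")
    elif atype == 2:
        value = "<hidden, %d octets>" % (alen - 2)   # needs the shared secret and RA
    elif atype == 4:
        value = str(ipaddress.IPv4Address(raw))
    elif atype == 5:
        value = int.from_bytes(raw, "big")
    elif atype == 6:
        n = int.from_bytes(raw, "big")
        value = SERVICE_TYPES.get(n, f"unknown({n})")
    else:
        value = hexval
    return {"type": atype, "name": ATTR_NAMES.get(atype, f"Attr-{atype}"), "value": value}


def parse_debug_radius(lines: List[str]) -> List[Dict[str, Any]]:
    """Group each packet header line with the attribute lines that follow it."""
    packets: List[Dict[str, Any]] = []
    for line in lines:
        m = PACKET_RE.match(line)
        if m:
            packets.append({"time": m["ts"],
                            "direction": "sent" if m["dir"] == "IPC Send" else "received",
                            "peer": f"{m['ip']}:{m['port']}", "code": m["code"],
                            "id": int(m["id"], 16), "length": int(m["len"]),
                            "attributes": []})
            continue
        m = ATTR_RE.match(line)
        if m and packets:
            packets[-1]["attributes"].append(
                decode_attribute(int(m["type"]), int(m["len"]), m["hex"]))
    return packets


def summarize(lines: List[str]) -> List[Dict[str, Any]]:
    """Pair each Access-Accept/Reject with its Access-Request by identifier."""
    packets = parse_debug_radius(lines)
    requests = {p["id"]: p for p in packets if p["code"] == "Access-Request"}
    out = []
    for p in packets:
        if p["code"] in ("Access-Accept", "Access-Reject") and p["id"] in requests:
            req = {a["name"]: a["value"] for a in requests[p["id"]]["attributes"]}
            rep = {a["name"]: a["value"] for a in p["attributes"]}
            out.append({"id": p["id"], "user": req.get("User-Name"),
                        "nas_ip": req.get("NAS-IP-Address"), "nas_port": req.get("NAS-Port"),
                        "server": p["peer"], "outcome": p["code"],
                        "service_type": rep.get("Service-Type")})
    return out


if __name__ == "__main__":
    for sample in (SAMPLE_ACCEPT, SAMPLE_REJECT):
        print(summarize(sample))
```

On the Example 5-10 lines the parser reports user bill from NAS 172.21.14.90 (AC150E5A), port 10, accepted by 131.108.1.1 with Service-Type Login; on the Example 5-11 lines it reports the same NAS rejected by 171.69.1.152. The only thing the debug output does not give away is the User-Password value, and that is by design: it is never printed in clear, and without the shared secret and the Request Authenticator the hidden form cannot be reversed.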
