TACACS+ Cisco IOS – Routers & Switches

TACACS+ can be used for device administration of Cisco IOS devices such as routers and switches. With a TACACS+ server we can create granular policies for different sets of users.

In this post we will configure a Cisco router for TACACS+ authentication; the same configuration can be used on a Cisco switch as well. The TACACS+ server used in this example is Cisco ISE. Configuration of the Cisco ISE will be discussed in a separate post.

Note: Ensure that connectivity between the router/switch and the TACACS+ server on TCP port 49 is open. Take a configuration backup before configuring TACACS+ on the device. If TACACS+ is not configured properly you may lose access to the device. Ensure you follow all the steps and don’t save the configuration until all testing is done. Not saving the configuration makes recovery easy: reloading the device is all that is needed.

Step 1> Take console or SSH access to the device.

Step 2> Create a local username and password on the device for fallback purposes.

R1#
R1#configure terminal
Enter configuration commands, one per line.  End with CNTL/Z.
R1(config)#username xxxx password xxxx
R1(config)#

Step 3> Enable AAA new model on the device.

R1(config)#aaa new-model

Step 4> Define TACACS+ servers and create a group:

R1(config)#tacacs server TACACS-Server-1
R1(config-server-tacacs)#address ipv4 10.126.104.51
R1(config-server-tacacs)#key 0 cisco

R1(config)#tacacs server TACACS-Server-2
R1(config-server-tacacs)#address ipv4 10.126.104.50
R1(config-server-tacacs)#key 0 cisco

R1(config)#aaa group server tacacs+ TACACS-Group
R1(config-sg-tacacs+)#server name TACACS-Server-1
R1(config-sg-tacacs+)#server name TACACS-Server-2

Step 5> Test connectivity to the TACACS+ server before configuring anything else.

R1#test aaa group tacacs+ randomusername randompassword port 49 new-code
User rejected

R1#

Note: The “User rejected” reply is expected because the username and password are random. Ensure you see the attempt in the logs on the TACACS+ server; this confirms there is connectivity all the way to the TACACS+ server.

Step 6> Now enable login (SSH) authentication and enable-password authentication against the TACACS+ server. In both method lists the TACACS+ group is tried first; if no server in the group responds, login falls back to the local username database and enable falls back to no authentication (none).

R1(config)#
R1(config)#aaa authentication login default group TACACS-Group local
R1(config)#aaa authentication enable default group TACACS-Group none

Step 7> Try to login to the device via SSH and validate if the login works.

Step 8> This step is optional, but if command authorization is needed then these commands can be added.

R1(config)#aaa authorization commands 0 default group TACACS-Group local
R1(config)#aaa authorization commands 1 default group TACACS-Group local
R1(config)#aaa authorization commands 15 default group TACACS-Group local

commands 15 - means authorization for privilege level 15 commands will be done.
TACACS-Group local - means that as long as TACACS-Group is reachable the TACACS+ server is used; otherwise local authorization will be done.

Step 9> This step is optional, but if command accounting is needed then these commands can be added.

R1(config)#aaa accounting commands 0 default start-stop group TACACS-Group
R1(config)#aaa accounting commands 1 default start-stop group TACACS-Group
R1(config)#aaa accounting commands 15 default start-stop group TACACS-Group

commands 15 - means accounting for privilege level 15 commands will be done.

Commands entered in configuration mode can also be authorized with the additional command “aaa authorization config-commands”. This command should be added last.
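As an added example (not from the original post), the Python audit below checks a captured running-config for the points made in Steps 2 to 9: aaa new-model, a local fallback user, group members that are actually defined, a login method list ending in local, an enable method list that does not end in none, per-level command authorization and accounting, and config-commands authorization. The sample config is constructed from the post’s own commands; the function name audit_tacacs and the username line are assumptions of this example.

```python
# Constructed sample running-config assembled from this post's commands (server
# addresses and key are the post's example values; the username hash is a placeholder).
SAMPLE_CONFIG = """\
aaa new-model
username admin secret 5 PLACEHOLDER-HASH
tacacs server TACACS-Server-1
 address ipv4 10.126.104.51
 key 0 cisco
tacacs server TACACS-Server-2
 address ipv4 10.126.104.50
 key 0 cisco
aaa group server tacacs+ TACACS-Group
 server name TACACS-Server-1
 server name TACACS-Server-2
aaa authentication login default group TACACS-Group local
aaa authentication enable default group TACACS-Group none
aaa authorization commands 15 default group TACACS-Group local
aaa accounting commands 15 default start-stop group TACACS-Group
"""


def audit_tacacs(config: str) -> dict:
    """Map each point the post makes to True (present/safe) or False (missing/weak)."""
    lines = [l.rstrip() for l in config.splitlines()]

    def has(prefix: str) -> bool:
        return any(l.startswith(prefix) for l in lines)

    results = {"aaa_new_model": "aaa new-model" in lines, "local_fallback_user": has("username ")}
    # Every member of a tacacs+ server group must be defined with "tacacs server".
    servers = [l.split()[-1] for l in lines if l.startswith("tacacs server ")]
    groups, current = {}, None
    for l in lines:
        if l.startswith("aaa group server tacacs+ "):
            current = l.split()[-1]
            groups[current] = []
        elif l.startswith(" server name ") and current:
            groups[current].append(l.split()[-1])
        elif not l.startswith(" "):
            current = None
    results["group_members_defined"] = bool(groups) and all(
        s in servers for members in groups.values() for s in members)
    # Login should fall back to the local user; an enable list ending in "none" grants
    # privileged mode with no password at all once every TACACS+ server stops answering.
    login = next((l for l in lines if l.startswith("aaa authentication login default ")), "")
    enable = next((l for l in lines if l.startswith("aaa authentication enable default ")), "")
    results["login_has_local_fallback"] = login.split()[-1:] == ["local"]
    results["enable_fallback_is_not_none"] = bool(enable) and enable.split()[-1] != "none"
    for level in (0, 1, 15):
        results[f"authz_level_{level}"] = has(f"aaa authorization commands {level} default ")
        results[f"acct_level_{level}"] = has(f"aaa accounting commands {level} default start-stop ")
    results["config_commands_authorized"] = "aaa authorization config-commands" in lines
    return results
```

Run against the sample, the audit passes the connectivity and fallback-user checks but flags the enable list ending in none and the missing level 0/1 and config-commands entries.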

TACACS+ configuration on Cisco IOS is simple. Ensure there is connectivity between the devices, and don’t save the config until all testing is done.
