Overview
IOS AAA config that forces login authentication, enable authentication and command authorization through TACACS+ and logs all privilege level 15 commands to the TACACS+ server. A local backup (back door) account is added that is only usable when the TACACS+ server is unreachable.
- Only tested in LAB environment, use at your own risk.
- Using Cisco ACS 5.1 TACACS+ Server
- Authenticate using the TACACS+ server, or the local user database if the TACACS+ server is unreachable.
- Authorize commands using the TACACS+ server, or no authorization if the TACACS+ server is unreachable.
- Log all privilege level 15 commands to the TACACS+ server
IOS Config
Setup Backup Accounts
! CONFIGURE A LOCAL ENABLE SECRET FOR BACKUP (USED BY THE 'enable' FALLBACK METHOD)
enable secret 5 $1$TvWE$xzTLJBX/FVKeRrAgkgW7E/
! ADD BACKUP ACCOUNT, USED WHEN THE TACACS SERVER IS UNREACHABLE (SECRET IS STORED HASHED)
username BackDoorAcc privilege 15 secret MyPass
Setup AAA Options
! ENABLE AAA
aaa new-model
! LOGIN AND ENABLE AUTHENTICATE TO TACACS SERVER FIRST, THEN FALL BACK TO LOCAL / ENABLE SECRET
aaa authentication login default group tacacs+ local
aaa authentication enable default group tacacs+ enable
! AUTHORIZE ALL COMMANDS AT LEVELS 0, 1 AND 15 VIA TACACS SERVER, NO AUTHORIZATION IF IT IS UNREACHABLE
aaa authorization config-commands
aaa authorization commands 0 default group tacacs+ none
aaa authorization commands 1 default group tacacs+ none
aaa authorization commands 15 default group tacacs+ none
! LOG ALL LEVEL 15 COMMANDS TO TACACS SERVER
aaa accounting exec default start-stop group tacacs+
aaa accounting commands 15 default start-stop group tacacs+
Setup TACACS Server Details
! ADD TACACS SERVER
tacacs-server host 172.16.4.50 key ciscokey
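As an added example (not part of the original page), a small Python audit that checks a running-config fragment for the fail-safe posture this page describes: TACACS+ first with a local or none fallback, a hashed-secret backup account, and level 15 command accounting. Both sample configs are constructed; the server address and shared key are placeholders.

```python
import re

# Constructed running-config fragment modelled on this page's config; the server
# address and shared key are placeholders, not real values.
GOOD_CONFIG = """\
aaa new-model
aaa authentication login default group tacacs+ local
aaa authentication enable default group tacacs+ enable
aaa authorization config-commands
aaa authorization commands 0 default group tacacs+ none
aaa authorization commands 1 default group tacacs+ none
aaa authorization commands 15 default group tacacs+ none
aaa accounting exec default start-stop group tacacs+
aaa accounting commands 15 default start-stop group tacacs+
username BackDoorAcc privilege 15 secret MyPass
tacacs-server host 192.0.2.10 key EXAMPLEKEY
"""

# Same config with the login and level 15 fallbacks stripped and a reversible
# 'password' used for the backup account (constructed weak variant).
WEAK_CONFIG = (GOOD_CONFIG.replace(" tacacs+ local", " tacacs+")
               .replace("commands 15 default group tacacs+ none",
                        "commands 15 default group tacacs+")
               .replace("privilege 15 secret MyPass", "privilege 15 password MyPass"))


def audit_aaa_config(config):
    """Return a list of findings; an empty list means the config matches the posture."""
    lines = [l.strip() for l in config.splitlines() if l.strip()]

    def has(pattern):
        return any(re.fullmatch(pattern, l) for l in lines)

    findings = []
    if "aaa new-model" not in lines:
        findings.append("aaa new-model missing: AAA method lists are ignored")
    if not has(r"aaa authentication login default group tacacs\+ local"):
        findings.append("login: no 'local' fallback, lockout if TACACS+ is unreachable")
    if not has(r"aaa authentication enable default group tacacs\+ enable"):
        findings.append("enable: no 'enable' fallback to the local enable secret")
    for lvl in (0, 1, 15):
        if not has(rf"aaa authorization commands {lvl} default group tacacs\+ (none|local)"):
            findings.append(f"commands {lvl}: no fallback, commands denied if TACACS+ is down")
    if not has(r"aaa accounting commands 15 default start-stop group tacacs\+"):
        findings.append("level 15 commands are not accounted to TACACS+")
    if not has(r"username \S+ privilege 15 secret .+"):
        findings.append("no local privilege-15 account with a hashed secret for fallback")
    for l in lines:  # a reversible 'password' defeats the point of the backup account
        if l.startswith("username ") and " password " in l:
            findings.append(f"{l.split()[1]}: uses reversible 'password', use 'secret'")
    if not has(r"tacacs-server host \S+ key \S+"):
        findings.append("no tacacs-server host with a shared key")
    return findings
```

Run it against `show running-config | section aaa|username|tacacs` output to confirm the device cannot lock you out when the TACACS+ server goes down.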
Hi, do you have any idea about adding vendor-specific attributes on the TACACS server?