Tacacs+ Configuration on Cisco Switch and Router

June 3, 2017

IT Network

, ,

1. Overview

 

Tacacs Plus is a protocols for security with AAA services which are , authentication, authorization, accounting. It is used as a centralized authentication to network devices. It also can provide a specific authorization with centralized access to particular user to work with network devices. With accounting, it gives a mandatory audit logs by logging all actions executed by privileged users.

In this document will show how to configure Tacacs Plus protocols security on Cisco router and , actually, the same configuration also apply to Cisco switch.

2. Prerequisites

 

In this article of how to configure Tacacs+ protocols security on Cisco router , it is presumed that:

a. You had already installed a tacacs server. If you don’t please kindly check one of the following links.

1. Configuring Tacacs Plus with Tacacs Plus User Authentication on RHEL/CentOS 7
2. Configuring Tacacs Plus with Linux Systems Users Authentication on RHEL/CentOS 7
3. Configuring Tacacs Plus with Active Directory User Authentication on RHEL/CentOS 7

b. You had already configured SSH remote management on your Cisco switch or router. You would probably like to check this link SSH Configuration on Cisco Switch and Router.

3. Configure Tacacs Plus Server

 

Base on the image IOS version that is running on your switch or router, there are two possible way to configure Tacacs Plush server. The following are the commands to configure Tacacs Plus protocols security server if you device is running with IOS version 12.x.

# tacacs-server host 192.168.171.13
# tacacs-server timeout 10
# tacacs-server key TS@123

The following are the commands to configure Tacacs Plus server if you device is running with IOS version 15.x.

# tacacs server TS-AAA
     address ipv4 192.168.171.13
     key TS@123
     timeout 10

Next, let test if we can authenticate with Tacacs Plush server by executing the following command.

# test aaa group tacacs+ tom 4444 legacy

4. Configure Authentication

 

Now it is time to tell the Cisco router or switch to authenticate again user with Tacacs Plus server. The option local instructs the router or switch to fail over to local user accounts if Tacacs Plus centralized access server is not reachable.

# aaa authentication login default group tacacs+ local

Attempting authentication test to server-group tacacs+ using tacacs+
User was successfully authenticated.

5. Configure Authorization

 

When a router or a switch is applied with the authorization commands, the user who is able to login can only execute the amount of a specific commands that are allowed on Tacacs Plus protocols security server.  The option if-authenticated is very important because in case that the router or switch can not reach Tacacs Plus server, You will not be able to execute any commands even from console. Having the option if-authenticated  applied, we will still be able to work with router or switch if the  Tacacs Plus centralized access server is not reachable.

# aaa authorization exec default group tacacs+ local if-authenticated
# aaa authorization commands 0 default group tacacs+ local if-authenticated
# aaa authorization commands 15 default group tacacs+ local if-authenticated
# aaa authorization console

6. Configure Accounting

 

When we apply accounting command on a router or switch, it will start to log all executed command by a particular user to Tacacs Plus server. So, we can know who doing on our network devices.

# aaa accounting exec default start-stop group tacacs+
# aaa accounting commands 0 default start-stop group tacacs+
# aaa accounting commands 15 default start-stop group tacacs+

7. Testing

 

It is strongly recommend to test Tacacs Plus configuration. There are three thing to test as the following.

  1. Test login to your Cisco router or switch using a full privilege account from Tacacs Plus user databases.
  2. Test login to your Cisco router or switch using a limited privilege account from Tacacs Plus user databases and make sure that this account can only execute the commands that are allowed on Tacacs Plus server only.
  3. Test disconnect your switch or router from Tacacs Plus server and make sure that you still be able to work with your switch or router via SSH or direct console using local user database. This is extremely important because in case Tacacs Plus server is unavailable, we still be able to manage our network devices.

8. Conclusion

 

You should be able to configure Tacacs Plus on Cisco router or switch now. Tacacs+ is the only security protocols used to provide centralized access into networks. Hopefully, you can find this article informative. If you have any questions or suggestions you can always leave your comments below. I will try all of my best to review and reply them.

Comments

comments

Related posts:

Tacacs Configuration on Cisco ASA 9.x Troubleshooting Tacacs Authorization Command Issue on Cisco ASA 9.x SSH Configuration on Cisco ASA 9.x Configuring Cisco AnyConnect Remote Access VPN on ASA 9.x