Configuring TACACS: Step by Step

TACACS+ is a protocol used for the AAA (Authentication, Authorisation and Accounting) process. If you are unfamiliar with AAA, a brief explanation is given in a separate post.

This post will go through the configuration of TACACS+ on a Cisco IOS device so that it authenticates against an AAA server (Cisco ISE, for example), and explains what each part of the configuration means.

Here’s a summary of the steps:

  1. Enable AAA
  2. Add Servers
  3. Add Servers to Server Group
  4. Add Server Group to Method List
    • Authentication – Check Login with ISE
    • Authentication – Check Login with ISE (with Local Fallback!)
    • Authorization – EXEC Session (with Local Fallback!)
    • Accounting – Log all Commands
  5. Apply Login Method Lists to Terminal Lines

1. Enabling AAA on the Device

A single command in global configuration mode enables AAA on the device.

aaa new-model

This unlocks the rest of the AAA commands we use below. Be aware that as soon as aaa new-model is entered, the line passwords stop being used and every login on every line is governed by an AAA method list, so make sure a local username with privilege 15 exists before you log out of your current session, or you can lock yourself out.

2. Add Servers

We will need to add the servers that we are using for AAA (in our case, Cisco ISE) to our device in order for it to communicate with it.

tacacs server [NAME 1]
     address [IP PROTOCOL] [IP ADDRESS 1]
     key [SHARED KEY 1]

tacacs server [NAME 2]
     address [IP PROTOCOL] [IP ADDRESS 2]
     key [SHARED KEY 2]

tacacs server [NAME 3]
     address [IP PROTOCOL] [IP ADDRESS 3]
     key [SHARED KEY 3]

The shared key is the TACACS shared secret you set on this device's entry in Cisco ISE's network device list. ISE keeps one secret per network device and uses it on every ISE node, so in practice all three servers above get the same key.

3. Add Servers to Server Group

Next, we need to add each of the individual ISE servers into a group.

The benefit of a group is failover: if one server is unreachable for whatever reason, the next server in the group is tried, in the order listed, until one responds.

aaa group server tacacs+ [GROUP NAME]
     server name [NAME 1]
     server name [NAME 2]
     server name [NAME 3]

You can see that instead of the IP address, we reference the name we gave each server in the previous step.

As always, remember to give the group a logical name!

4. Add Server Group to Method List

Now we want to define when the ISE servers are contacted and for what. These definitions are called Method Lists: an ordered list of methods (a server group, the local database, and so on) that are tried in sequence. The next method is only tried when the previous one returns an error, for example because no server in the group answered; an explicit reject from ISE ends the attempt and does not fall through to the next method.

We can configure any combination of Authentication, Authorisation and Accounting.

Authentication – Check Login with ISE

If we want to configure authentication to use our ISE Server Group, we can use the below method list. Because it is named default, it applies to every line that has no other login list applied:

aaa authentication login default group [GROUP NAME]

Authentication – Check Login with ISE (with Local Fallback!)

The above command is valid, but it means that if for any reason all of your ISE servers are unreachable, you won't be able to log in to your device!

For this reason it is best practice to add local account fallback, so that if all the ISE servers in the group are exhausted, you are prompted to log in with a pre-configured local account.

aaa authentication login [GROUP NAME 2] group [GROUP NAME] local

Note that, despite the placeholder, [GROUP NAME 2] is not a server group: it is the name of this new method list, which contains our server group followed by the local database. Unlike default, a named list does nothing until it is applied to a line (step 5). Two caveats: the local method only runs when no ISE server responds, not when ISE rejects the credentials, and it only helps if a local username exists (for example username [USER] privilege 15 secret [PASSWORD]).

Since it is better practice, we can use this instead of the previous Authentication Method List above.

Authorization – EXEC Session (with Local Fallback!)

We can also add a method list so that a user's EXEC session is authorised by ISE, which is how ISE hands back the privilege level the user should land in.

aaa authorization exec default group [GROUP NAME] local

We have added local account fallback too. Note that exec authorisation only covers starting the shell; authorising individual commands against ISE command sets needs separate aaa authorization commands [LEVEL] method lists.

Accounting – Log all Commands

As part of Accounting, we can make sure to log all commands entered on the device.

aaa accounting commands 0 default start-stop group [GROUP NAME]
aaa accounting commands 1 default start-stop group [GROUP NAME]
aaa accounting commands 15 default start-stop group [GROUP NAME]

What we have said here is that we want a start-stop accounting record sent to our TACACS server group for every level 0, 1 and 15 command.

To remind ourselves:

Level   Privilege
0       disable, enable, exit, help, and logout
1       User EXEC mode (Device>)
15      Privileged EXEC mode (Device#)

Note that level 15 also covers commands entered in configuration mode.

Method List Summary

After all our configuration above, our Method Lists look like this:

aaa authentication login [GROUP NAME 2] group [GROUP NAME] local
aaa authorization exec default group [GROUP NAME] local
aaa accounting commands 0 default start-stop group [GROUP NAME]
aaa accounting commands 1 default start-stop group [GROUP NAME]
aaa accounting commands 15 default start-stop group [GROUP NAME]

Now we just need to apply our login method to work when someone connects.

5. Apply Login Method Lists to Terminal Lines

Our named Authentication method list does not take effect until it is applied to the lines. Apply it to the VTY lines (and to the console line as well, if you want ISE to authenticate console logins):

line vty 0 15
     login authentication [GROUP NAME 2]

Any line without a login authentication command keeps using the default list.
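Putting steps 1 to 5 together as one complete, ordered configuration with verification commands at the end. This is an added worked example, not configuration from the original post: the server names ISE-PSN1 and ISE-PSN2, the addresses 10.10.10.11 and 10.10.10.12, the group name ISE-TACACS, the list name ISE-LOGIN, Loopback0 and the local user breakglass are all assumed placeholders. It goes a little beyond the post by adding per-command authorisation, console authorisation, enable authentication and EXEC accounting.

```cisco
! Added worked example; not from the original post. All names, addresses and
! secrets below are assumed placeholders.
!
! 0. Local privilege-15 account FIRST, so the "local" fallback can actually
!    log you in when ISE is unreachable. Without it, fallback hits an empty
!    user database and you are locked out.
username breakglass privilege 15 secret <strong-local-password>
!
! 1. Enable AAA
aaa new-model
!
! 2. Define the ISE policy service nodes. ISE keeps one shared secret per
!    network device, so both servers get the same key.
tacacs server ISE-PSN1
 address ipv4 10.10.10.11
 key <shared-secret>
 timeout 5
tacacs server ISE-PSN2
 address ipv4 10.10.10.12
 key <shared-secret>
 timeout 5
!
! Source TACACS+ traffic from a stable address; ISE matches the network
! device entry on the source IP of the request.
ip tacacs source-interface Loopback0
!
! 3. Group the servers; tried in the listed order, next one on timeout.
aaa group server tacacs+ ISE-TACACS
 server name ISE-PSN1
 server name ISE-PSN2
!
! 4. Method lists.
! Login: ask ISE, fall back to local only when no server answers
! (a reject from ISE is final and does NOT fall through to local).
aaa authentication login ISE-LOGIN group ISE-TACACS local
! A default list too, so any line you forget to apply ISE-LOGIN to still
! behaves the same way.
aaa authentication login default group ISE-TACACS local
! "enable" via ISE, falling back to the local enable secret.
aaa authentication enable default group ISE-TACACS enable
!
! EXEC authorisation: ISE returns the privilege level for the session.
aaa authorization exec default group ISE-TACACS local
! Per-command authorisation against ISE command sets, which "exec" alone
! does not give you; if-authenticated lets an already-authenticated user
! continue when ISE is unreachable.
aaa authorization commands 1 default group ISE-TACACS if-authenticated
aaa authorization commands 15 default group ISE-TACACS if-authenticated
! Authorisation is not applied to the console unless you ask for it.
aaa authorization console
!
! Accounting: session start/stop plus every command at each level.
aaa accounting exec default start-stop group ISE-TACACS
aaa accounting commands 0 default start-stop group ISE-TACACS
aaa accounting commands 1 default start-stop group ISE-TACACS
aaa accounting commands 15 default start-stop group ISE-TACACS
!
! 5. Apply the named login list to the lines.
line con 0
 login authentication ISE-LOGIN
line vty 0 15
 login authentication ISE-LOGIN
 transport input ssh
!
! Verification, run from privileged EXEC in your EXISTING session before
! you open a new one:
!   test aaa group ISE-TACACS breakglass <password> legacy
!     (reports whether ISE accepted or rejected the user)
!   show aaa servers      (per-server state and request counters)
!   show tacacs           (socket state and packet counters per server)
```

Keep the existing session open while you test: if the key or the ISE network device entry is wrong, test aaa group shows a reject or no response, and you can fix it before a new SSH session is ever refused.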

Finish

Done! Now when we log on to our device:

  • We are authenticated against our ISE server group
    • If no ISE server responds, we can authenticate with the local account
  • Our EXEC session is authorised by ISE, which sets our privilege level
    • If no ISE server responds, exec authorisation falls back to the local database
  • Every level 0, 1 and 15 command is sent to ISE as an accounting record
