Configure Cisco Hardware for TACACS


wildweaselmi

I'm having trouble configuring TACACS+ on a Cisco 2948 switch. We have added the following config, but when logging in to the switch, you are still prompted with the Username: prompt. If this login fails it will then go to TACACS. Any ideas what I am missing?

#tacacs+
# servers are tried in order; the one marked primary is tried first
set tacacs server x.x.x.x primary
set tacacs server y.y.y.y
set tacacs server z.z.z.z
# shared secret, must match the TACACS+ server
set tacacs key xxxxxxx
!
#authentication
# login and enable authentication, TACACS+ first, for each access method
set authentication login tacacs enable console primary
set authentication login tacacs enable telnet primary
set authentication login tacacs enable http primary
set authentication enable tacacs enable console primary
set authentication enable tacacs enable telnet primary
set authentication enable tacacs enable http primary



Here is how you configure TACACS+ for a Cisco IOS device:

!!!!TACACS_IOS
!
!--- Enable AAA on the device. Until this is set the aaa commands below are
!--- rejected; once it is set, any line without an applied list uses "default".
aaa new-model
!
!--- Named server group. The method lists below use the built-in "tacacs+"
!--- group, which contains every "tacacs-server host", so this group only
!--- matters if you reference it by name (e.g. "group tacacs_acs").
aaa group server tacacs+ tacacs_acs
 server 10.43.208.11
 server 10.47.208.11
!
!--- Login lists: TACACS+ first, local users only if no server answers.
aaa authentication login linecon group tacacs+ local
aaa authentication login linevty group tacacs+ local
!
!--- Exec and command authorization lists (applied per line further down).
aaa authorization exec default local
aaa authorization exec execauthnone none
aaa authorization exec execauth group tacacs+
aaa authorization commands 15 commandauthnone none
aaa authorization commands 15 commandauth group tacacs+
!
!--- Accounting.
aaa accounting exec default start-stop group tacacs+
aaa accounting send stop-record authentication failure
aaa accounting update newinfo
aaa accounting commands 0 default start-stop group tacacs+
aaa accounting commands 1 default start-stop group tacacs+
aaa accounting commands 7 default start-stop group tacacs+
aaa accounting commands 15 default start-stop group tacacs+
aaa accounting network default start-stop group tacacs+
aaa accounting network 15 start-stop group tacacs+
aaa accounting connection default start-stop group tacacs+
aaa accounting connection 15 start-stop group tacacs+
aaa accounting system default start-stop group tacacs+
aaa session-id common
!
!--- The TACACS+ servers and the shared key. The key is stored in cleartext
!--- as written; "service password-encryption" only turns it into reversible
!--- type 7, so treat config backups as secrets.
tacacs-server host 10.43.208.11
tacacs-server host 10.47.208.11
tacacs-server directed-request
tacacs-server key DPSWy1qpokXT
!
!--- The named lists above do nothing until a line references them. The
!--- mapping below is the one the list names imply (no authorization on the
!--- console, TACACS+ authorization on vty); adjust to taste.
line con 0
 login authentication linecon
 authorization exec execauthnone
 authorization commands 15 commandauthnone
line vty 0 4
 login authentication linevty
 authorization exec execauth
 authorization commands 15 commandauth


Here is how you configure TACACS+ for a Cisco Nexus (NX-OS) device:
!!!!TACACS_NX-OS
!
!--- Enable TACACS+ on the device.
feature tacacs+
!
!--- The servers and the shared key. A server group may only reference
!--- addresses defined here, so the same two addresses appear in both places.
tacacs-server host 10.43.208.11 key 7 DPSWy1qpokXT
tacacs-server host 10.47.208.11 key 7 DPSWy1qpokXT
tacacs-server directed-request
!
!--- Server group named after your ACS deployment. The "server" lines are
!--- sub-commands of the group. If the servers are reached over mgmt0, add
!--- "use-vrf management" inside the group as well (depends on your topology).
aaa group server tacacs+ ACS
  server 10.43.208.11
  server 10.47.208.11
!
!--- Telnet and ssh sessions.
aaa authentication login default group ACS local
!
!--- Console sessions.
aaa authentication login console group ACS local
!
!--- Accounting.
aaa accounting default group ACS


NOTE: The Nexus operating system does not use the concept of privilege levels; instead it uses roles. By default you are placed in the network-operator role. If you want a user to have full permissions, you must place them in the network-admin role, and you must configure the TACACS+ server to push down an attribute when the user logs in. For TACACS+, you pass back a custom attribute with a value of roles="roleA".



For a full-access user, you use:

cisco-av-pair*shell:roles="network-admin"

(The * makes it optional.) That is, the attribute value is:

shell:roles="network-admin"


