|
|
This chapter describes the Terminal Access Controller Access Control System Plus (TACACS+), a Cisco proprietary version of TACACS.
TACACS+ provides the means to manage network security (authentication, authorization, and accounting [AAA]) from a server. This section describes how TACACS+ works and how you can configure it. For complete syntax and usage information for the commands described in this chapter, refer to the Cisco IOS Desktop Switching Command Reference or to the "Security" chapter of the Cisco IOS 11.3 Command Summary.
These sections describe how to configure TACACS+:
In large enterprise networks, the task of administering passwords on each device can be simplified by doing the user authentication centrally on a server. TACACS+ is an access-control protocol that allows a switch to authenticate all login attempts through a central authentication server. The network administrator configures the switch with the address of the TACACS+ server, and the switch and the server exchange messages to authenticate each user before allowing access to the management console.
TACACS+ consists of three services: authentication, authorization, and accounting. Authentication is the action of determining who the user is and whether he or she is allowed access to the switch. Authorization is the action of determining what the user is allowed to do on the system. Accounting is the action of collecting data related to resource usage.
The following sections describe how to configure the primary features of AAA/TACACS+:
Use the aaa new-model command to enable AAA/TACACS+. Enter the following commands in global configuration mode:
| Task | Command |
|---|---|
Enable AAA/TACACS+. |
Using the aaa authentication login command and the following keywords, you create one or more lists of authentication methods that are tried at login. The lists are used with the login authentication line configuration command.
Enter the following command in global configuration mode to enable authentication for login:
Switch# aaa authentication login {default | list-name} method1 [...[method3]]
The keyword list-name is any character string used to name the list you are creating. The method keyword refers to the actual method the authentication algorithm tries, in the sequence entered. You can enter up to three methods:
| Keyword | Description |
|---|---|
line | Uses the line password for authentication. |
local | Uses the local username database for authentication. |
tacacs+ | Uses TACACS+ authentication. |
To create a default list that is used if no list is specified in the login authentication command, use the default argument followed by the methods you want used in default situations.
The additional methods of authentication are used only if the previous method returns an error, not if it fails. To specify that the authentication succeed even if all methods return an error, specify none as the final method in the command line.
You can use the aaa authorization command with the tacacs+ keyword to set parameters that restrict a user's network access to Cisco IOS privilege mode (EXEC access) and to network services such as Serial Line Internet Protocol (SLIP), Point to Point Protocol (PPP) with Network Control Protocols (NCPs), and AppleTalk Remote Access (ARA).
The aaa authorization exec tacacs+ local command sets the following authorization parameters:
To specify TACACS+ authorization for EXEC access and network services, perform the following tasks in global configuration mode:
| Task | Command |
|---|---|
User TACACS+ authorization for all network-related service requests, including SLIP, PPP NCPs, and ARA protocol. | aaa authorization network tacacs+ |
User TACACS+ authorization to determine if the user is allowed EXEC access. This keyword might return user profile information (such as autocommand information). | aaa authorization exec tacacs+ |
You use the aaa accounting command with the tacacs+ keyword to turn on TACACS+ accounting for each Cisco IOS privilege level and for network services.
To use TACACS+ accounting to send a start-record accounting notice at the beginning of an EXEC process and a stop-record at the end, enter the following command in global configuration mode:
Switch# aaa accounting exec start-stop tacacs+
To use TACACS+ to account for all network-related service requests, including SLIP, PPP, and PPP NCPs, perform the following task in global configuration mode:
Switch# aaa accounting network start-stop tacacs+
Use the tacacs-server host command to specify the names of the IP host or hosts maintaining a AAA/TACACS+ server. On TACACS+ servers, you can configure the following additional options:
You can use the tacacs-server retransmit command to change the number of times the system software searches the list of TACACS servers (the default is two) and the interval it waits for a reply (the default is 5 seconds).
Perform the following tasks in global configuration mode:
| Task | Command |
|---|---|
Step 1 Define a TACACS+ host. Entering the timeout and key parameters with this command overrides the global values that you can enter with the tacacs-server timeout (Step 3) and the tacacs-server key commands (Step 5). | |
Step 2 Enter the number of times the server searches the list of TACACS+ servers before stopping. | |
Step 3 Set the interval the server waits for a TACACS+ server host to reply. | |
Step 4 Set the number of login attempts that can be made on the line. | tacacs-server attempts count |
Step 5 Define a set of encryption keys for all TACACS+ and communication between the access server and the TACACS daemon. (Repeat the command for each encryption key.) | tacacs-server key key |
Step 6 Return to privileged EXEC mode. | exit |
Step 7 Confirm the TACACS+ server information and display statistics in privileged EXEC mode. | show tacacs |
You can configure AAA to operate without a server by setting the switch to implement AAA in local mode. Authentication and authorization are then handled by the switch. No accounting is available in this configuration.
Perform the following tasks in global configuration mode:
| Task | Command |
|---|---|
Step 1 Enable AAA. | |
Step 2 Set login authorization to default to local. | |
Step 3 User AAA authorization for all network-related service requests, including SLIP, PPP NCPs, and ARA protocol. | aaa authorization exec local |
Step 4 User AAA authorization to determine if the user is allowed to run an EXEC shell. | aaa authorization network local |
Step 5 Enter the local database. (Repeat the command for each user.) | username name password password privilege level (0 to 15) |
Posted: Wed May 26 12:01:32 PDT 1999
Copyright 1989-1999©Cisco Systems Inc.