TACACS+, Part 3: Network device config

In this final post about TACACS+, I’ll go into detail about the router/switch configuration, including an ASA and Dell PowerConnect switches. In case you missed the previous two posts, you can find them here:

TACACS+ Part 1 – Choosing the Version

TACACS+ Part 2 – tac_plus install and config

For routers and switches, there are three important config components; aaa new-model, tacacs-server and line configuration. The config snippet below configures all three, and also sets up TACACS+ for use on the console port as well. In the ‘aaa authentication’ section, the router is set to call the TACACS+ server first, and if no valid usernames are found, check local usernames.

Although, I discovered some interesting behavior: the router will always attempt to contact the TACACS+ server, even if its unreachable. And the only time the local usernames will work is when the TACACS+ server can’t be reached.

So far, this snippet has worked on IOS 12.2, 12.4 and 15.0.

aaa new-model
aaa authentication login tac_plus1 group tacacs+ local
aaa authorization console
aaa authorization exec tac_plus2 group tacacs+ local
tacacs-server host
tacacs-server host
tacacs-server key **password_goes_here**
line con 0
 authorization exec tac_plus2
 login authentication tac_plus1
line vty 0 4
 authorization exec tac_plus2
 login authentication tac_plus1
 transport input telnet ssh

On Dell PowerConnect switches, the configuration is a little easier, save for specifying the TACACS+ port number, and including a source address for the traffic.

aaa authentication login tac_plus1 tacacs local
tacacs host port-number 49 priority 10
tacacs host port-number 49 priority 20
tacacs key **password_goes_here**
tacacs source **mgmt_ip_address**
line telnet
login authen tac_plus1
line ssh
login authen tac_plus1
line con
login authen tac_plus1

And finally, directions for the ASA. No doubt security blue bloods will decry me for using the ASDM (“Real pros use cli…”), but I find it easier to visualize the rules sets in ASDM versus cli. These directions won’t elevate your login permission to level 15 though, so you’ll still have to enter the enable secret on the cli. If you figure out how to elevate the login permission, let me know!

1. Create a AAA_Server Group for the tac_plus servers
2. Go to AAA_Access and set the Server Group for
   ASDM,https and serial access under the Authentication tab.

6 thoughts on “TACACS+, Part 3: Network device config

  1. Pingback: TACACS+, Part 2: tac_plus install and config « GatesTec

  2. Kemal

    Hello… The configuration for the tacacs on the switch works good.. the only issue that I am having is that it wont authenticate the enable password from the tacacs, instead it is using the local enable password that is configured on the local database

  3. Chad Gates Post author

    Kemal, you could have a couple problems. First log onto your tac_plus server and tail your syslog (tail /var/log/syslog) to see if your switch is even trying to authenticate against your tac_plus server. If it isn’t, you probably have a connectivity or switch config error. If you CAN authenticate against your tac_plus server, then explore the error message in the log. It could be a misconfig in the tac_plus.cfg file, or possibly an Acitve Directory error, if you are using AD as a backend.

    1. Kemal

      Hi Chad,

      I am able to authenticate using my tacacs server, (the initial log in) but once I’m in the switch and type in enable its not asking for the enable password from the tacacs server, instead its asking for the local enable password. I can bypass that by using this command:

      aaa authentication enable default none

      what is the command to enforce the tacacs enable password. it works on the cisco switch but I never worked on a dell switch before.


      1. Kemal

        This command should let me authenticate the enable password using the tacacs server
        aaa authentication enable default tacacs enable

        but this is not working on the dell switch. It is asking me for the local enable password. any thoughts?

  4. Chad Gates Post author

    This is a great question, but I don’t have a direct answer because you’ve gone further than I did. It didn’t occur to me to use a tacacs-provided enable password. Instead, I used elevated login permissions (level 15) for the admin-class logins, and for technician-class logins (level 5), I used the local enable password. If you find an answer, please let me know!


Leave a Reply

Fill in your details below or click an icon to log in:

WordPress.com Logo

You are commenting using your WordPress.com account. Log Out /  Change )

Google+ photo

You are commenting using your Google+ account. Log Out /  Change )

Twitter picture

You are commenting using your Twitter account. Log Out /  Change )

Facebook photo

You are commenting using your Facebook account. Log Out /  Change )


Connecting to %s