In this final post about TACACS+, I’ll go into detail about the router/switch configuration, including an ASA and Dell PowerConnect switches. In case you missed the previous two posts, you can find them here:
TACACS+ Part 1 – Choosing the Version
TACACS+ Part 2 – tac_plus install and config
For routers and switches, there are three important config components: aaa new-model, tacacs-server and line configuration. The config snippet below configures all three, and also sets up TACACS+ for use on the console port. In the ‘aaa authentication’ section, the router is set to call the TACACS+ server first, and if no valid usernames are found, to check local usernames.
Although, I discovered some interesting behavior: the router will always attempt to contact the TACACS+ server, even if it's unreachable. And the only time the local usernames will work is when the TACACS+ server can’t be reached.
So far, this snippet has worked on IOS 12.2, 12.4 and 15.0.
aaa new-model
!
aaa authentication login tac_plus1 group tacacs+ local
aaa authorization console
aaa authorization exec tac_plus2 group tacacs+ local
!
tacacs-server host 192.168.1.1
tacacs-server host 192.168.1.2
tacacs-server key **password_goes_here**
!
line con 0
 authorization exec tac_plus2
 login authentication tac_plus1
line vty 0 4
 authorization exec tac_plus2
 login authentication tac_plus1
 transport input telnet ssh
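As an added example (not from the original post), here is a small audit script that reads an IOS config like the one above and checks the point made earlier: every line should use a login method list that tries TACACS+ first and keeps local usernames only as the fallback for an unreachable server. The sample config is constructed, with the console line deliberately left without a login list so the audit has something to flag.

```python
import re
# Constructed sample: the post's IOS snippet trimmed to its AAA pieces, with the
# console line deliberately missing its login method so the audit has something to flag.
SAMPLE_CONFIG = """\
aaa new-model
aaa authentication login tac_plus1 group tacacs+ local
tacacs-server host 192.168.1.1
tacacs-server key REDACTED
line con 0
 authorization exec tac_plus2
line vty 0 4
 login authentication tac_plus1
 transport input telnet ssh
"""

def parse_ios(text):
    # Split an IOS config into global commands and per-"line" sub-command blocks.
    global_cmds, line_blocks, current = [], {}, None
    for raw in text.splitlines():
        if raw.startswith(" ") and current is not None:
            line_blocks[current].append(raw.strip())
        elif raw.startswith("line "):
            current = raw.strip()
            line_blocks[current] = []
        elif raw.strip() and raw.strip() != "!":
            current = None
            global_cmds.append(raw.strip())
    return global_cmds, line_blocks

def audit_aaa(text):
    # Flag lines whose login list does not try TACACS+ first with local as the fallback.
    global_cmds, line_blocks = parse_ios(text)
    findings = []
    if "aaa new-model" not in global_cmds:
        findings.append("aaa new-model missing: named method lists are not applied")
    lists = {}  # list name -> ordered methods, e.g. ['group tacacs+', 'local']
    for cmd in global_cmds:
        m = re.match(r"aaa authentication login (\S+) (.+)", cmd)
        if m:
            lists[m.group(1)] = re.findall(r"group \S+|local|enable|none", m.group(2))
    for name, subs in line_blocks.items():
        login = [s.split()[-1] for s in subs if s.startswith("login authentication")]
        methods = lists.get(login[0], []) if login else None
        if methods is None:
            findings.append(f"{name}: no login authentication list, so the default list applies")
        elif not methods or methods[0] != "group tacacs+":
            findings.append(f"{name}: list {login[0]} is undefined or does not try TACACS+ first")
        elif "local" not in methods:
            findings.append(f"{name}: list {login[0]} has no local fallback for an unreachable server")
    return findings
```

Run it against `show running-config` output saved to a file to confirm that con and vty lines all point at the TACACS+-first list before cutting over.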
On Dell PowerConnect switches, the configuration is a little easier, save for specifying the TACACS+ port number, and including a source address for the traffic.
conf
!
aaa authentication login tac_plus1 tacacs local
tacacs host 192.168.1.1 port-number 49 priority 10
tacacs host 192.168.1.2 port-number 49 priority 20
tacacs key **password_goes_here**
!
tacacs source **mgmt_ip_address**
!
line telnet
 login authen tac_plus1
line ssh
 login authen tac_plus1
line con
 login authen tac_plus1
And finally, directions for the ASA. No doubt security blue bloods will decry me for using the ASDM (“Real pros use the CLI…”), but I find it easier to visualize the rule sets in ASDM versus the CLI. These directions won’t elevate your login permission to level 15 though, so you’ll still have to enter the enable secret on the CLI. If you figure out how to elevate the login permission, let me know!
1. Create an AAA_Server Group for the tac_plus servers.
2. Go to AAA_Access and set the Server Group for ASDM/HTTPS and serial access under the Authentication tab.