This document provides step-by-step instructions in order to configure
the Cisco VPN 3000 Series Concentrators to support the TACACS+ Authentication
for Management Accounts.
As soon as a TACACS+ server is configured on the VPN 3000 Concentrator,
the locally configured account names and passwords such as admin, config, isp,
and so forth, are no longer used. All logins to the VPN 3000 Concentrator are
sent to the configured external TACACS+ server for user and password
The definition of a privilege level for each user on the TACACS+ server
determines the permissions on the VPN 3000 Concentrator for each TACACS+
username. Then, match that up with the AAA Access Level defined under the
locally configured username on the VPN 3000 Concentrator. This is an important
point because as soon as a TACACS+ server is defined, the locally configured
usernames on the VPN 3000 Concentrator are no longer valid. But, they are still
used only in order to match up the returned privilege level from the TACACS+
server, with the AAA Access Level under that local user. The TACACS+ username
is then assigned the privileges that the locally configured VPN 3000
Concentrator user has defined under their profile.
For example, described in detail in the configuration sections, a
TACACS+ user/group is configured to return a TACACS+ Privilege Level of 15.
Under the Administrators section of the VPN 3000 Concentrator, the admin user
has its AAA Access Level also set to 15. This user is allowed to modify the
configuration under all sections, and to read/write files. Because TACACS+
Privilege Level and AAA Access Level match, the TACACS+ user is given those
permissions on the VPN 3000 Concentrator.
As an example, if you decide that a user needs to be able to modify the
configuration, but not read/write files, assign them a
privilege level of 12 on the TACACS+ server. You can pick any number between
one and 15. Then, on the VPN 3000 Concentrator, pick one of the other locally
configured administrators. Next, set its AAA Access Level to 12, and set the
permissions on this user in order to be able to modify the configuration, but
not to read/write files. Because of the matching privilege/access level, the
user gets those permissions when they login.
The locally configured usernames on the VPN 3000 Concentrator are no
longer used. But, the Access Rights and AAA Access Levels under each of those
users are used in order to define the privileges a particular TACACS+ user gets
when you login.
Ensure that you meet these requirements before you attempt this
Ensure that you have IP connectivity to the TACACS+ server from the
VPN 3000 Concentrator. If your TACACS+ server is towards the public interface,
do not forget to open the TACACS+ (TCP port 49) on the public filter
Ensure backup access via the console is operational. It is easy to
accidentally lock all users out of the configuration when you first set this
up. The only way to recover access is via the console, which still uses the
locally configured usernames and passwords.
The information in this document is based on these software and
Cisco VPN 3000 Concentrator Software Release 4.7.2.B (Alternatively,
any release of 3.0 or later OS software works.)
Cisco Secure Access Control Server for Windows Servers Release 4.0
(Alternately, any release of 2.4 or later software works.)
The information in this document was created from the devices in a
specific lab environment. All of the devices used in this document started with
a cleared (default) configuration. If your network is live, make sure that you
understand the potential impact of any command.
Technical Tips Conventions for more information on document
Complete these steps in order to add an entry for the VPN 3000
Concentrator in the TACACS+ server.
Click Network Configuration in the left panel.
Under AAA Clients, click Add Entry.
On the next window, fill out the form to add the VPN Concentrator
as the TACACS+ client. This example uses:
AAA Client Hostname = VPN3000
AAA Client IP Address =
Key = csacs123
Authenticate using = TACACS+ (Cisco
Click Submit + Restart.
Complete these steps in order to add a user account in the TACACS+
Create a user account in the TACACS+ server that can be later used
for TACACS+ authentication. Click User Setup in the left
panel, add user "johnsmith" and click Add/Edit in order to do
Add a password for this user, and assign the user to an ACS group
that contains the other VPN 3000 Concentrator administrators.
Note: This example defines the privilege level under this particular
user ACS group profile. If this is to be done on a per-user basis, choose
Interface Configuration > TACACS+ (Cisco IOS) and check the
User box for the Shell (exec) service. Only then are the
TACACS+ options described in this document available under each user
Complete these steps to edit the group on the TACACS+
Click Group Setup in the left
From the drop-down menu, choose the group the user was added to in
the Add a User Account in the TACACS+ Server
section, which is Group 1 in this example, and click Edit
On the next window, make sure that these attributes are selected
under TACACS+ Settings:
Privilege level = 15
Once done, click Submit + Restart.
Complete these steps in order to add an entry for the TACACS+ server in
the VPN 3000 Concentrator.
Choose Administration > Access Rights > AAA Servers
> Authentication in the navigation tree in the left panel, and then
click Add in the right panel.
As soon as you click Add in order to add this
server, locally configured username/passwords on the VPN 3000 Concentrator are
no longer used. Ensure backup access via the console works in case of a
On the next window, fill out the form as seen here:
Complete these steps to modify the admin account on the VPN
Concentrator for TACACS+ authentication.
Click Modify for the user admin in order to modify
the properties of this user.
Choose the AAA Access Level as
This value can be any number between one and 15. Note that it must
match the TACACS+ Privilege Level defined under the user/group profile on the
TACACS+ server. The TACACS+ user then picks up the permissions defined under
this VPN 3000 Concentrator user for the modification of the configuration,
reading/writing files, and so forth.
There is currently no verification procedure available for this
Complete the steps in these instructions in order to troubleshoot your
In order to test the authentication:
For TACACS+ Servers
Choose Administration > Access Rights > AAA Servers
Select your server, and then click Test.
Note: When the TACACS+ server is configured on the Administration
tab, there is no way to set up the user to authenticate on the VPN 3000 local
database. You can only fallback using another external database or TACACS
Enter the TACACS+ username and password and click
A successful authentication appears.
If it fails, there is either a configuration problem or an IP
connectivity issue. Check the Failed Attempts Log on the ACS server for
messages related to the failure.
If no messages appear in this log then there is probably an IP
connectivity issue. The TACACS+ request does not reach the TACACS+ server.
Verify the filters applied to the appropriate VPN 3000 Concentrator interface
allows TACACS+ (TCP port 49) packets in and out.
If the failure displays as service denied in the log, then the
Shell (exec) service has not been correctly enabled under the user or group
profile on the TACACS+ server.
If the test authentication is successful, but logins to the VPN
3000 Concentrator continue to fail, check the Filterable Event Log via the
If you see a similar message:
65 02/09/2005 13:14:40.150 SEV=5 AUTH/32 RPT=2
User [ johnsmith ] Protocol [ HTTP ] attempted ADMIN logon.
Status: <REFUSED> authorization failure. NO Admin Rights
This message indicates the privilege level assigned on the TACACS+
server has no matching AAA access level under any of the VPN 3000 Concentrator
users. For example, user johnsmith has a TACACS+ privilege level of 7 on the
TACACS+ server, but none of the five VPN 3000 Concentrator administrators have
an AAA access level of 7.