The documentation set for this product strives to use bias-free language. For the purposes of this documentation set, bias-free is defined as language that does not imply discrimination based on age, disability, gender, racial identity, ethnic identity, sexual orientation, socioeconomic status, and intersectionality. Exceptions may be present in the documentation due to language that is hardcoded in the user interfaces of the product software, language used based on RFP documentation, or language that is used by a referenced third-party product. Learn more about how Cisco is using Inclusive Language.
This chapter describes how to configure the Terminal Access Controller Access Control System Plus (TACACS+) protocol on the Cisco 1000 Series Connected Grid Routers (hereafter referred to as
Cisco CG-OS router).
The TACACS+ security protocol provides centralized validation of users attempting to gain access to the Cisco CG-OS router. TACACS+ services are maintained in a database on a TACACS+ daemon running, typically, on a UNIX or Windows NT workstation. You must have access to and must configure a TACACS+ server before you can configure and employ the TACACS+ features on your
Cisco CG-OS router.
TACACS+ provides for separate authentication, authorization, and accounting facilities. TACACS+ allows for a single access control server (the TACACS+ daemon) to provide each service—authentication, authorization, and accounting—independently. Each service can be tied into its own database to take advantage of other services available on that server or on the network, depending on the capabilities of the daemon.
The TACACS+ client/server protocol uses TCP (TCP port 49) for transport requirements.
The Cisco CG-OS router provides centralized authentication using the TACACS+ protocol.
This section includes the following topics:
TACACS+ has the following advantages over RADIUS authentication:
When a user attempts a Password Authentication Protocol (PAP) login to a Cisco CG-OS router using TACACS+, the following actions occur:
1. When the Cisco CG-OS router establishes a connection, it contacts the TACACS+ daemon to obtain the username and password.
Note TACACS+ allows an arbitrary conversation between the daemon and the user until the daemon receives enough information to authenticate the user. This action is usually done by prompting for a username and password combination, but may include prompts for other items, such as the maiden name of your mother.
2. The Cisco CG-OS router will eventually receive one of the following responses from the TACACS+ daemon:
a. ACCEPT—User authentication succeeds and service begins. When the Cisco CG-OS router requires user authorization, authorization begins.
b. REJECT—User authentication fails. The TACACS+ daemon either denies further access to the user or prompts the user to retry the login sequence.
c. ERROR—An error occurs at some time during authentication either at the daemon or in the network connection between the daemon and the Cisco CG-OS router. When the
Cisco CG-OS router receives an ERROR response, the Cisco CG-OS router tries to use an alternative method for authenticating the user.
After authentication, the user also undergoes an additional authorization phase when authorization is enabled on the Cisco CG-OS router. Users must first successfully complete TACACS+ authentication before proceeding to TACACS+ authorization.
3. If TACACS+ authorization is required, the Cisco CG-OS router again contacts the TACACS+ daemon and it returns an ACCEPT or REJECT authorization response. An ACCEPT response contains attributes that are used to direct the EXEC or NETWORK session for that user and determines the services that the user can access.
You must configure the TACACS+ secret key to authenticate the Cisco CG-OS router to the TACACS+ server. A secret key is a secret text string shared between the Cisco CG-OS router and the TACACS+ server host. The length of the key is restricted to 63 characters and can include any printable ASCII characters (white spaces are not allowed). You can configure a global secret key for all TACACS+ server configurations on the Cisco CG-OS router to use.
You can override the global secret key assignment by explicitly using the key option when configuring an individual TACACS+ server.
An unresponsive TACACS+ server can delay the processing of AAA requests.
A Cisco CG-OS router periodically monitors a TACACS+ server to check whether it is responding (or alive) to save time in processing AAA requests. The router marks an unresponsive TACACS+ server as dead and does not continue to send AAA requests to that dead TACACS+ server.
A Cisco CG-OS router periodically monitors dead TACACS+ servers and brings them to the alive state once they are responding. Continual monitoring ensures that a TACACS+ server is in a working state before it receives real AAA requests. Whenever an TACACS+ server changes to the dead or alive state, a Simple Network Management Protocol (SNMP) trap is generated and the Cisco CG-OS router displays an error message that a failure is taking place before it can impact performance. (See Figure 3-1.)
Figure 3-1 TACACS+ Server States
Note The Cisco CG-OS router initiates TACACS+ server monitoring by sending a test authentication request to the TACACS+ server.
The Internet Engineering Task Force (IETF) draft standard specifies a method for communicating vendor-specific attributes (VSAs) between the network access server and the TACACS+ server. The IETF uses attribute 26. VSAs allow vendors to support their own extended attributes that are not suitable for general use.
The Cisco TACACS+ implementation supports one vendor-specific option using the format recommended in the IETF specification. The Cisco vendor ID is 9, and the supported option is vendor type 1, which is named cisco-av-pair. The value is a string with the following format:
The protocol is a Cisco attribute for a particular type of authorization, separator is an equal sign (=) for mandatory attributes, and an asterisk (
*
) indicates optional attributes.
When you use TACACS+ servers for authentication on a Cisco CG-OS router, the TACACS+ protocol directs the TACACS+ server to return user attributes, such as authorization information, along with authentication results. This authorization information is specified through VSAs.
The Cisco CG-OS software supports the following VSA protocol options:
The Cisco CG-OS software supports the following attributes:
Note When you specify a VSA as shell:roles*“network-operator vdc-admin”, this VSA is flagged as an optional attribute and other Cisco devices ignore this attribute.
TACACS+ servers support privilege levels for specifying the permissions that users have when logging onto a Cisco CG-OS router. For the maximum privilege level 15, the Cisco CG-OS software applies the network-admin role in the default VDC or the vdc-admin role for non-default VDCs. All other privilege levels are translated to the vdc-operator role. For more information on user roles, see Chapter7, “Configuring User Accounts and RBAC”
Note When you specify a user role in the cisco-av-pair, that takes precedence over the privilege level.
Note Although references to a default VDC might be seen in CLI displays, the Cisco CG-OS router does not support the configuration of more than one VDC. The Cisco CG-OS router only supports a default VDC.
Obtain the IPv4 or IPv6 addresses or hostnames for the TACACS+ servers.
Obtain the secret keys from the TACACS+ servers, if any.
Ensure that the Cisco CG-OS router is recognized as a TACACS+ client on the AAA servers.
Configure a maximum of 64 TACACS+ servers on the Cisco CG-OS router.
When you have a user account configured on the local Cisco CG-OS router that has the same name as a remote user account on an AAA server, the Cisco CG-OS software applies the user roles for the local user account to the remote user, not the user roles configured on the AAA server.
Table 3-1 lists the default settings for TACACS+ parameters.
This section includes the following topics:
To configure TACACS+ servers, follow these steps:
Step 2 Establish the TACACS+ server connections to the Cisco CG-OS router. (See Configuring TACACS+ Server Hosts.)
Step 3 Configure the secret keys for the TACACS+ servers. (See Configuring Global TACACS+ Keys and Configuring a Key for a Specific TACACS+ Server.)
Step 4 When needed, configure TACACS+ server groups with subsets of the TACACS+ servers for AAA authentication methods. (See Configuring TACACS+ Server Groups and Configuring AAA.)
Step 5 When needed, configure any of the following optional parameters:
Step 6 When needed, configure periodic TACACS+ server monitoring. (See Configuring Periodic TACACS+ Server Monitoring.)
By default, the TACACS+ feature is disabled on the Cisco CG-OS router. You must enable the TACACS+ feature to access the configuration and verification commands for authentication.
This example shows how to enable the TACACS+ feature on the Cisco CG-OS router before configuring commands that support authentication.
To access a remote TACACS+ server, you must configure the IP address or the hostname for the TACACS+ server on the Cisco CG-OS router. You can configure up to 64 TACACS+ servers.
Note By default, when you configure a TACACS+ server IP address or hostname on the Cisco CG-OS router, the TACACS+ server is added to the default TACACS+ server group. You can also add the TACACS+ server to another TACACS+ server group. For information about creating TACACS+ server groups, see Configuring TACACS+ Server Groups).
Enable TACACS+. (See Enabling TACACS+.)
Obtain the IPv4 or IPv6 addresses or the hostnames for the remote TACACS+ servers.
This example shows how to configure an IP address for the TACACS+ server on the
Cisco CG-OS router.
You can configure secret TACACS+ keys at the global level for all servers used by the Cisco CG-OS router. A secret key is a secret text string shared between the Cisco CG-OS router and the TACACS+ server hosts.
Enable TACACS+. (See Enabling TACACS+.)
Obtain the secret key values for the remote TACACS+ servers.
You can configure secret keys for a TACACS+ server. A secret key is a shared secret text string between the Cisco CG-OS router and the TACACS+ server host to allow secure communication.
Enable TACACS+. (See Enabling TACACS+.)
Obtain the secret key values for the remote TACACS+ servers.
You can specify one or more remote AAA servers to authenticate users using server groups. All members of a group must use the TACACS+ protocol. The Cisco CG-OS router attempts access to the servers in the same order in which you configure them.
You can configure these server groups at any time but they only take effect when you apply them to an AAA service. For information on AAA services, see Remote AAA Services.
Enable TACACS+. (See Enabling TACACS+.)
Creates a TACACS+ server group and enters the TACACS+ server group configuration mode for that group. |
||
Configures the TACACS+ server as a member of the TACACS+ server group. |
||
Configures the monitoring dead time. The range is from 1 through 1440. The default is 0 minutes. Note The recommended value is one (1) minute. Note When the dead-time interval for a TACACS+ server group is greater than zero (0), that value takes precedence over the global dead-time value. (See Configuring the Dead-Time Interval.) |
||
(Optional) Configures a source interface to access the TACACS+ servers in the server group. You can use Ethernet interfaces, loopback interfaces, or the management interface (mgmt 0). The default is the global source interface. |
||
(Optional) Copies the running configuration to the startup configuration. |
You can configure a global source interface for TACACS+ server groups to use when accessing TACACS+ servers. To configure a different source interface for a specific TACACS+ server group, see Configuring TACACS+ Server Groups. By default, the Cisco CG-OS software uses any available interface.
Enable TACACS+. (See Enabling TACACS+.)
You can set a global timeout interval for all TACACS+ servers. The timeout interval determines how long the Cisco CG-OS router waits for responses from TACACS+ servers before declaring a timeout failure.
Enable TACACS+. (See Enabling TACACS+.)
This example shows how to configure a global TACACS+ timeout interval for the Cisco CG-OS router.
The timeout interval determines how long the Cisco CG-OS router waits for responses from a TACACS+ server before declaring a timeout failure.
Enable TACACS+. (See Enabling TACACS+.)
You can configure another TCP port for the TACACS+ servers if there are conflicts with another application. By default, the Cisco CG-OS router uses port 49 for all TACACS+ requests.
Enable TACACS+. (See Enabling TACACS+.)
You can monitor the availability of TACACS+ servers. The monitoring parameters include the username and password to use for the server and an idle timer. The idle timer specifies the interval in which a TACACS+ server receives no requests before the Cisco CG-OS router sends out a test packet. You can configure this option to test servers periodically, or you can run a one-time only test.
Note To protect network security, Cisco recommends that you use a username that is not the same as an existing username in the TACACS+ database.
Note The default idle timer value is 0 minutes. When the idle time interval is 0 minutes, the Cisco CG-OS router does not perform periodic TACACS+ server monitoring.
Enable TACACS+. (See Enabling TACACS+.)
This example shows how to configure a dead time interval to monitor the availability of a TACACS+ server and how to configure a unique monitoring username and password.
You can configure a global dead-time interval for all TACACS+ servers. The dead-time interval specifies the time that the Cisco CG-OS router waits, after declaring a TACACS+ server is dead, before sending out a test packet to determine if the server is now alive.
Note When the dead timer interval is 0 minutes, TACACS+ servers are not marked as dead even if they are not responding. You can configure the dead-timer per server group. (See Configuring TACACS+ Server Groups.)
Enable TACACS+. (See Enabling TACACS+.)
This example shows how to deliver a global deadtime interval that applies to all TACACS+ servers.
You can enable ASCII authentication on the TACACS+ server.
Note Only TACACS+ servers support ASCII authentication.
Enable TACACS+. (See Enabling TACACS+.)
You can manually issue a test message to a TACACS+ server or to a server group.
Enable TACACS+. (See Enabling TACACS+.)
This example shows how to configure a command to send a manual test of a TACACS+ server.
This example shows how to configure a command to send a manual test of a TACACS+ server group.
Ensure that an alternate TACACS+ server resource is available for those devices that are authenticated by the server before it is taken out of service.
You can display the statistics that the Cisco CG-OS router maintains for TACACS+ activity by using the command in the table below.
Enable TACACS+. (See Enabling TACACS+.)
To display TACACS+ configuration information, enter any or all of the following commands:
You can now configure AAA authentication methods to include the TACACS+ server groups. (See Chapter 4, “Configuring AAA”.)