The documentation set for this product strives to use bias-free language. For the purposes of this documentation set, bias-free is defined as language that does not imply discrimination based on age, disability, gender, racial identity, ethnic identity, sexual orientation, socioeconomic status, and intersectionality. Exceptions may be present in the documentation due to language that is hardcoded in the user interfaces of the product software, language used based on RFP documentation, or language that is used by a referenced third-party product. Learn more about how Cisco is using Inclusive Language.
This chapter describes how to configure TACACS+ servers used in AAA and includes the following sections:
The ASA supports TACACS+ server authentication with the following protocols: ASCII, PAP, CHAP, and MS-CHAPv1.
The ASA provides support for TACACS+ attributes. TACACS+ attributes separate the functions of authentication, authorization, and accounting. The protocol supports two types of attributes: mandatory and optional. Both the server and client must understand a mandatory attribute, and the mandatory attribute must be applied to the user. An optional attribute may or may not be understood or used.
Note To use TACACS+ attributes, make sure that you have enabled AAA services on the NAS.
Table 36-1 lists supported TACACS+ authorization response attributes for cut-through-proxy connections. Table 36-2 lists supported TACACS+ accounting attributes.
|
|
---|---|
This section includes the guidelines and limitations for this feature.
Supported in single and multiple context mode.
Supported in routed and transparent firewall mode.
This section includes the following topics:
Step 1 Add a TACACS+ server group. See Configuring TACACS+ Server Groups.
Step 2 For a server group, add a server to the group. See Adding a TACACS+ Server to a Group.
Step 3 (Optional) Specify text to display to the user during the AAA authentication challenge process. See Adding an Authentication Prompt.
If you want to use a TACACS+ server for authentication, authorization, or accounting, you must first create at least one TACACS+ server group and add one or more servers to each group. You identify TACACS+ server groups by name.
Step 1 Choose Configuration > Device Management > Users/AAA > AAA Server Groups.
Step 2 In the AAA Server Groups area, click Add.
The Add AAA Server Group dialog box appears.
Step 3 In the Server Group field, enter a name for the group.
Step 4 From the Protocol drop-down list, choose the TACACS+ server type:
Step 5 In the Accounting Mode field, click Simultaneous or Single.
In Single mode, the ASA sends accounting data to only one server.
In Simultaneous mode, the ASA sends accounting data to all servers in the group.
Step 6 In the Reactivation Mode field, click Depletion or Timed.
In Depletion mode, failed servers are reactivated only after all of the servers in the group are inactive.
In Timed mode, failed servers are reactivated after 30 seconds of down time.
Step 7 If you chose the Depletion reactivation mode, enter a time interval in the Dead Time field.
The Dead Time is the duration of time, in minutes, that elapses between the disabling of the last server in a group and the subsequent re-enabling of all servers.
Step 8 In the Max Failed Attempts field, add the number of failed attempts allowed.
This option sets the number of failed connection attempts allowed before declaring a nonresponsive server to be inactive.
The Add AAA Server Group dialog box closes, and the new server group is added to the AAA Server Groups table.
Step 10 In the AAA Server Groups dialog box, click Apply to save the changes to the running configuration.
To add a TACACS+ server to a group, perform the following steps:
Step 1 Choose Configuration > Device Management > Users/AAA > AAA Server Groups, and in the AAA Server Groups area, click the server group to which you want to add a server.
The row is highlighted in the table.
Step 2 In the Servers in the Selected Group area (lower pane), click Add.
The Add AAA Server Group dialog box appears for the server group.
Step 3 From the Interface Name drop-down list, choose the interface name on which the authentication server resides.
Step 4 In the Server Name or IP Address field, add either a server name or IP address for the server that you are adding to the group.
Step 5 In the Timeout field, either add a timeout value or keep the default. The timeout is the duration of time, in seconds, that the ASA waits for a response from the primary server before sending the request to the backup server.
Step 6 Specify the server port. The server port is either port number 139, or the TCP port number used by the ASA to communicate with the TACACS+ server.
Step 7 Specify the server secret key. The shared secret key used to authenticate the TACACS+ server to the ASA. The server secret that you configure here should match the one that is configured on the TACACS+ server. If you do not know the server secret, ask the TACACS+ server administrator. The maximum field length is 64 characters.
The Add AAA Server Group dialog box closes, and the AAA server is added to the AAA server group.
Step 9 In the AAA Server Groups pane, click Apply to save the changes to the running configuration.
You can specify text to display to the user during the AAA authentication challenge process. You can specify the AAA challenge text for HTTP, FTP, and Telnet access through the ASA when requiring user authentication from TACACS+ servers. This text is primarily for cosmetic purposes and appears above the username and password prompts that users see when they log in.
If you do not specify an authentication prompt, users see the following when authenticating with a TACACS+ server:
|
|
---|---|
To add an authentication prompt, perform the following steps:
Step 1 Choose Configuration > Device Management > Users/AAA > Authentication Prompt.
Step 2 Enter text in the Prompt field to add as a message to appear above the username and password prompts that users see when they log in.
The following table shows the allowed character limits for authentication prompts:
|
|
---|---|
Step 3 In the Messages area, add messages in the User accepted message and User rejected message fields.
If the user authentication occurs from Telnet, you can use the User accepted message and User rejected message options to display different status prompts to indicate that the authentication attempt is accepted or rejected by the AAA server.
If the AAA server authenticates the user, the ASA displays the User accepted message text, if specified, to the user; otherwise, the ASA displays the User rejected message text, if specified. Authentication of HTTP and FTP sessions displays only the challenge text at the prompt. The User accepted message and User rejected message text are not displayed.
Step 4 Click Apply to save the changes to the running configuration.
To determine whether the ASA can contact a TACACS+ server and authenticate or authorize a user, perform the following steps:
Step 1 From the Configuration > Device Management > Users/AAA > AAA Server Groups > AAA Server Groups table, click the server group in which the server resides.
The row is highlighted in the table.
Step 2 From the Servers in the Selected Group table, click the server that you want to test.
The row is highlighted in the table.
The Test AAA Server dialog box appears for the selected server.
Step 4 Click the type of test that you want to perform— Authentication or Authorization.
Step 5 In the Username field, enter a username.
Step 6 If you are testing authentication, in the Password field, enter the password for the username.
The ASA sends an authentication or authorization test message to the server. If the test fails, ASDM displays an error message.
To monitor TACACS+ servers, see the following panes:
|
|
Table 36-3 lists each feature change and the platform release in which it was implemented. ASDM is backwards-compatible with multiple platform releases, so the specific ASDM release in which support was added is not listed.