![]() |
Contents
- Configuring TACACS+
- Information About TACACS+
- TACACS+ Operation for User Login
- Default TACACS+ Server Encryption Type and Preshared Key
- TACACS+ Server Monitoring
- Vendor-Specific Attributes
- Cisco VSA Format
- Prerequisites for TACACS+
- Guidelines and Limitations for TACACS+
- Default Settings for TACACS+
- Configuring TACACS+
- Enabling or Disabling TACACS+
- Configuring Shared Keys
- Configuring a TACACS+ Server Host
- Configuring a TACACS+ Server Group
- Enabling TACACS+ Server Directed Requests
- Setting the TACACS+ Global Timeout Interval
- Setting a Timeout Interval for an Individual TACACS+ Host
- Configuring the TCP Port for a TACACS+ Host
- Configuring Monitoring for a TACACS+ Host
- Configuring the TACACS+ Global Dead-Time Interval
- Displaying Statistics for a TACACS+ Host
- Configuration Example for TACACS+
- Feature History for TACACS+
Configuring TACACS+
This chapter contains the following sections:
- Information About TACACS+
- Prerequisites for TACACS+
- Guidelines and Limitations for TACACS+
- Default Settings for TACACS+
- Configuring TACACS+
- Displaying Statistics for a TACACS+ Host
- Configuration Example for TACACS+
- Feature History for TACACS+
Information About TACACS+
The TACACS+ security protocol provides centralized validation of users who are attempting to gain access to a device. TACACS+ services are maintained in a database on a TACACS+ daemon that is running, typically, on a UNIX or Windows NT workstation. You must have access to and must configure a TACACS+ server before the configured TACACS+ features on your device are available.
TACACS+ provides for separate authentication, authorization, and accounting services. The TACACS+ daemon provides each service independently. Each service can be tied into its own database to take advantage of other services available on that server or on the network, depending on the capabilities of the daemon.
The TACACS+ client/server protocol uses TCP (TCP port 49) for transport requirements. Centralized authentication is provided using the TACACS+ protocol.
- TACACS+ Operation for User Login
- Default TACACS+ Server Encryption Type and Preshared Key
- TACACS+ Server Monitoring
- Vendor-Specific Attributes
TACACS+ Operation for User Login
The following sequence of events take place when you attempt to log in to a TACACS+ server using the Password Authentication Protocol (PAP):
- When a connection is established, the TACACS+ daemon is contacted to obtain the username and password.
Note
TACACS+ allows an arbitrary conversation between the daemon and the user until the daemon receives enough information to authenticate the user. This action is usually done by prompting for a username and password combination, but might include prompts for additional information, such as your mother’s maiden name.- The TACACS+ daemon provides one of the following responses:
If further authorization is required after authentication, the user also undergoes an additional authorization phase. Users must first successfully complete TACACS+ authentication before proceeding to TACACS+ authorization.
- ACCEPT—User authentication succeeds and service begins. If user authorization is needed, authorization begins.
- REJECT—User authentication failed. The TACACS+ daemon either denies further access to the user or prompts the user to retry the login sequence.
- ERROR—An error occurred at some time during authentication either at the daemon or in the network connection. If an ERROR response is received, the device tries to use an alternative method for authenticating the user.
- If TACACS+ authorization is required, the TACACS+ daemon is contacted and it returns an ACCEPT or REJECT authorization response. An ACCEPT response contains attributes that are used to direct the EXEC or NETWORK session for that user and determines the services that the user can access. Services include the following:
Default TACACS+ Server Encryption Type and Preshared Key
You must configure the TACACS+ preshared key to authenticate to the TACACS+ server. A preshared key is a secret text string shared between the device and the TACACS+ server host. The length of the key is restricted to 63 characters and can include any printable ASCII characters (white spaces are not allowed). You can configure a global preshared secret key for all TACACS+ server configurations.
You can override the global preshared key assignment by explicitly using the key option when configuring an individual TACACS+ server.
TACACS+ Server Monitoring
Unresponsive TACACS+ servers are marked as dead and are not sent AAA requests. Dead TACACS+ servers are periodically monitored and brought back alive once they respond. This process confirms that a TACACS+ server is in a working state before real AAA requests are sent its way. The following figure shows how a TACACS+ server state change generates a Simple Network Management Protocol (SNMP) trap and an error message showing the failure before it impacts performance.
NoteThe monitoring interval for alive servers and dead servers are different and can be configured by the user. The TACACS+ server monitoring is performed by sending a test authentication request to the TACACS+ server.
Vendor-Specific Attributes
The Internet Engineering Task Force (IETF) draft standard specifies a method for communicating vendor-specific attributes (VSAs) between the network access server and the TACACS+ server. The IETF uses attribute 26. VSAs allow vendors to support their own extended attributes that are not suitable for general use.
Cisco VSA Format
The Cisco TACACS+ implementation supports one vendor-specific option using the format recommended in the IETF specification. The Cisco vendor ID is 9, and the supported option is vendor type 1, which is named cisco-av-pair. The value is a string with the following format:
protocol : attribute separator value *The protocol is a Cisco attribute for a particular type of authorization. The separator is = (equal sign) for mandatory attributes, and * (asterisk) indicates optional attributes.
When you use TACACS+ servers for authentication, the TACACS+ protocol directs the TACACS+ server to return user attributes, such as authorization information, with authentication results. This authorization information is specified through VSAs.
The following VSA protocol options are supported:
- Shell—Protocol used in access-accept packets to provide user profile information.
- Accounting—Protocol used in accounting-request packets. If a value contains any white spaces, you should enclose the value within double quotation marks.
The following attributes are other supported:
- roles—Lists all the roles to which the user belongs. The value consists of a string that lists the role names delimited by white space. This subattribute, which the TACACS+ server sends in the VSA portion of the Access-Accept frames, can only be used with the shell protocol value.
- accountinginfo—Stores accounting information in addition to the attributes covered by a standard TACACS+ accounting protocol. This attribute is sent only in the VSA portion of the Account-Request frames from the TACACS+ client on the switch. It can be used only with the accounting protocol data units (PDUs).
Configuring TACACS+
- Enabling or Disabling TACACS+
- Configuring Shared Keys
- Configuring a TACACS+ Server Host
- Configuring a TACACS+ Server Group
- Enabling TACACS+ Server Directed Requests
- Setting the TACACS+ Global Timeout Interval
- Setting a Timeout Interval for an Individual TACACS+ Host
- Configuring the TCP Port for a TACACS+ Host
- Configuring Monitoring for a TACACS+ Host
- Configuring the TACACS+ Global Dead-Time Interval
Enabling or Disabling TACACS+
ProcedureBy default, TACACS+ is disabled. You must explicitly enable the TACACS+ feature to access the configuration and verification commands that support TACACS+ authentication.
Caution
When you disable TACACS+, all related configurations are automatically discarded.
Configuring Shared Keys
ProcedureThe following example configures shared keys:
switch# configure terminal switch(config)# tacacs-server key 0 QsEFtkI# switch(config)# exit switch# show tacacs-server Global TACACS+ shared secret:******** timeout value:5 deadtime value:0 total number of servers:1 following TACACS+ servers are configured: 10.10.2.2: available on port:49 switch# copy running-config startup-configConfiguring a TACACS+ Server Host
Procedure
Command or Action Purpose
Step 1 switch# configure terminal Enters global configuration mode.
Step 2 switch(config)# tacacs-server host {ipv4-address | host-name} Configures the server IP address or hostname as a TACACS+ server host.
ipv4-address—The IP address for the TACACS+ server.
hostname—The hostname for the TACACS+ server. The hostname is alphanumeric, case sensitive, and has a maximum of 256 characters.
Step 3 switch(config)# exit Exits global configuration mode and returns you to EXEC mode.
Step 4 switch(config)# show tacacs-server (Optional) Displays the TACACS+ server configuration.
Step 5 switch(config)# copy running-config startup-config (Optional) Copies the running configuration to the startup configuration
The following example configures a TACACS+ server host:
switch# configure terminal switch(config)# tacacs-server host 10.10.2.2 switch(config)# exit switch# show tacacs-server timeout value:5 deadtime value:0 total number of servers:1 following TACACS+ servers are configured: 10.10.2.2: available on port:49 switch# copy running-config startup-configConfiguring a TACACS+ Server Group
ProcedureYou can configure a TACACS+ server group whose member servers share authentication functions.
After you configure the TACACS+ server group, the server members are tried in the same order in which you configured them.
A TACACS+ server group can provide a failover if one server fails to respond. If the first server in the group fails, the next server in the group is tried until a server responds. Multiple server groups can provide failovers for each other in this same way.
Command or Action Purpose
Step 1 switch# configure terminal Enters global configuration mode.
Step 2 switch(config)# aaa group server tacacs+ group-name Creates a TACACS+ server group with the specified name and places you into the TACACS+ configuration mode for that group.
group-name—The name of the TACACS+ server group.
Step 3 switch(config-tacacs+)# server {ipv4-address | hostname} Configures the TACACS+ server hostname or IP address as a member of the TACACS+ server group.
ipv4-address—The IP address for the TACACS+ server.
hostname—The hostname for the TACACS+ server. The hostname is alphanumeric, case sensitive, and has a maximum of 256 characters.
Note If the specified TACACS+ server is not found, configure it using the tacacs-server host command and retry this command.
Step 4 switch(config-tacacs+)# deadtime minutes (Optional) Configures the monitoring dead time for this TACACS+ group.
minutes—The dead time, in minutes. The range is from 0 to 1440 minutes. The default value is 0 minutes.
Note If the dead time interval for a TACACS+ server group is greater than zero (0), that value takes precedence over the global dead-time value.
Step 5 switch(config-tacacs+)# use-vrf vrf-name (Optional) Specifies the virtual routing and forwarding (VRF) instance to use to contact this server group.
vrf-name—The name of the VRF instance.
Step 6 switch(config-tacacs+)# source-interface {interface-type} {interface-number} (Optional) Specifies a source interface to be used to reach the TACACS+ server.
Step 7 switch(config-tacacs+)# show tacacs-server groups (Optional) Displays the TACACS+ server group configuration.
Step 8 switch(config-tacacs+)# copy running-config startup-config (Optional) Copies the running configuration to the startup configuration.
The following example configures a TACACS+ server group:
switch# configure terminal switch(config)# aaa group server tacacs+ TacServer switch(config-tacacs+)# server 10.10.2.2 switch(config-tacacs+)# deadtime 30 switch(config-tacacs+)# use-vrf management switch(config-tacacs+)# source-interface mgmt0 switch(config-tacacs+)# show tacacs-server groups total number of groups:1 following TACACS+ server groups are configured: group TacServer: server 10.10.2.2 on port 49 deadtime is 30 vrf is management switch# copy running-config startup-configEnabling TACACS+ Server Directed Requests
ProcedureYou can designate the TACACS+ server to receive authentication requests. This is called a directed-request.
When directed requests are enabled, the user can log in as username@vrfname:hostname, where vrfname is the VRF to use and hostname is the name of a configured TACACS+ server.
Note
User-specified logins are supported only for Telnet sessions.
Command or Action Purpose
Step 1 switch# configure terminal Enters global configuration mode.
Step 2 switch(config)# tacacs-server directed-request Enables use of directed requests for specifying the TACACS+ server to send an authentication request to when logging in. The default is disabled.
Step 3 switch(config)# exit Exits the global configuration mode and returns you to EXEC mode.
Step 4 switch(config)# show tacacs-server directed-request (Optional) Displays the TACACS+ directed request configuration.
Step 5 switch(config)# copy running-config startup-config Copies the running configuration to the startup configuration.
Setting the TACACS+ Global Timeout Interval
ProcedureYou can set the interval in seconds that the Cisco Nexus 1000V waits for a response from any TACACS+ server before declaring a timeout.
The timeout specified for an individual TACACS+ server overrides the global timeout interval.
Command or Action Purpose
Step 1 switch# configure terminal Enters global configuration mode.
Step 2 switch(config)# tacacs-server timeout seconds Specifies the interval in seconds that the Cisco Nexus 1000V waits for a response from a server.
seconds—The timeout interval, in seconds. The range is from 1 to 60 seconds. The default value is 5 seconds.
Step 3 switch(confi)# exit Exits global configuration mode and returns you to EXEC mode.
Step 4 switch(config)# show tacacs-server (Optional) Displays the TACACS+ server configuration.
Step 5 switch(confi)# copy running-config startup-config (Optional) Copies the running configuration to the startup configuration.
The following example sets the TACACS+ global timeout interval:
switch# configure terminal switch(config)# tacacs-server timeout 10 switch(config)# exit switch# n1000v# show tacacs-server Global TACACS+ shared secret:******** timeout value:10 deadtime value:0 total number of servers:1 following TACACS+ servers are configured: 10.10.2.2: available on port:49 switch# copy running-config startup-configSetting a Timeout Interval for an Individual TACACS+ Host
ProcedureYou can set the interval in seconds that the Cisco Nexus 1000V waits for a response from a specific TACACS+ server before declaring a timeout. This setting is configured per TACACS+ host.
The timeout setting for an individual TACACS+ server overrides the global timeout interval.
Command or Action Purpose
Step 1 switch# configure terminal Enters global configuration mode.
Step 2 switch(config)# tacacs-server host {ipv4-address | hostname} timeout seconds Specifies the timeout interval for a specific server.
ipv4-address—The IP address for the TACACS+ server.
hostname—The hostname for the TACACS+ server. The hostname is alphanumeric, case sensitive, and has a maximum of 256 characters.
seconds—The timeout interval, in seconds. The range is from 1 to 60 seconds. The default value is the global timeout interval.
Step 3 switch(config)# exit Exits global configuration mode and returns you to EXEC mode.
Step 4 switch(config)# show tacacs-server (Optional) Displays the TACACS+ server configuration.
Step 5 switch(config)# copy running-config startup-config (Optional) Copies the running configuration to the startup configuration.
The following example sets a timeout interval for an individual TACACS+ host:
switch# config terminal switch(config)# tacacs-server host 10.10.2.2 timeout 10 switch(config)# exit switch# n1000v# show tacacs-server Global TACACS+ shared secret:******** timeout value:10 deadtime value:0 total number of servers:1 following TACACS+ servers are configured: 10.10.2.2: available on port:49 timeout:10 switch# copy running-config startup-configConfiguring the TCP Port for a TACACS+ Host
Procedure
Command or Action Purpose
Step 1 switch# configure terminal Enters global configuration mode.
Step 2 switch(config)# tacacs-server host {ipv4-address | host-name} port tcp-port Specifies the TCP port to use.
ipv4-address—The IP address for the TACACS+ server.
hostname—The hostname for the TACACS+ server. The hostname is alphanumeric, case sensitive, and has a maximum of 256 characters.
tcp-port—The TCP port. The range is from 1 to 65535. The default value is 49.
Step 3 switch(config)# exit Exits global configuration mode and returns you to EXEC mode.
Step 4 switch(config)# show tacacs-server (Optional) Displays the TACACS+ server configuration.
Step 5 switch(config)# copy running-config startup-config (Optional) Copies the running configuration to the startup configuration.
The following example configures the TCP port for a TACACS+ host:
switch# configure terminal switch(config)# tacacs-server host 10.10.2.2 port 2 switch(config)# exit switch# show tacacs-server Global TACACS+ shared secret:******** timeout value:10 deadtime value:0 total number of servers:1 following TACACS+ servers are configured: 10.10.2.2: available on port:2 timeout:10 switch# copy running-config startup-configConfiguring Monitoring for a TACACS+ Host
Before You BeginProcedure
- Log in to the CLI in EXEC mode.
- Enable TACACS+ for authentication.
- Configure the TACACS+ server.
- Know that the idle timer specifies how long a TACACS+ server should remain idle (receiving no requests) before sending it a test packet.
- Know that the default idle timer value is 0 minutes. When the idle time interval is 0 minutes, periodic TACACS+ server monitoring is not done.
Command or Action Purpose
Step 1 switch# configure terminal Enters global configuration mode.
Step 2 switch(config)# tacacs-server host {ipv4-address | host-name} test {idle-time minutes | password password [idle-time minutes] | username name [password password [idle-time minutes] ] } Configures server monitoring.
ipv4-address—The IP address for the TACACS+ server.
hostname—The hostname for the TACACS+ server. The hostname is alphanumeric, case sensitive, and has a maximum of 256 characters.
minutes—The idle time interval, in minutes. The range is from 0 to 1440 minutes. The default value is 0 minutes. For periodic TACACS+ server monitoring, the idle timer value must be greater than 0.
password—The user's password. The default value is test.
name—The username to use when connecting to the TACACS+ server. The default value is test. To protect network security, we recommend that you assign a username that is not already in the TACACS+ database.
Step 3 switch(config)# tacacs-server dead-time minutes Specifies the duration of time in minutes before checking a TACACS+ server that was previously unresponsive.
minutes—The dead time interval, in minutes. The range is from 0 to 1440 minutes. The default value is 0 minutes.
Step 4 switch(config)# exit Exits global configuration mode and returns you to EXEC mode.
Step 5 switch(config)# show tacacs-server (Optional) Displays the TACACS+ server configuration.
Step 6 switch(config)# copy running-config startup-config (Optional) Copies the running configuration to the startup configuration.
The following example configures monitoring for a TACACS+ host:
switch# configure terminal switch(config)# tacacs-server host 10.10.2.2 test username pvk2 password a3z9yjqz7 idle-time 3 switch(config)# tacacs-server dead-time 5 switch(config)# exit switch# show tacacs-server Global TACACS+ shared secret:******** timeout value:10 deadtime value:5 total number of servers:1 following TACACS+ servers are configured: 10.10.2.2: available on port:2 timeout:10 switch# copy running-config startup-configConfiguring the TACACS+ Global Dead-Time Interval
ProcedureYou can configure the interval to wait before sending a test packet to a previously unresponsive server.
When the dead-timer interval is 0 minutes, TACACS+ servers are not marked as dead even if they are not responding. You can configure the dead time per group.
Command or Action Purpose
Step 1 switch# configure terminal Enters global configuration mode.
Step 2 switch(config)# tacacs-server deadtime minutes Configures the global dead-time interval.
minutes—The dead-time interval, in minutes. The range is from 0 to 1440 minutes. The default value is 0 minutes.
Step 3 switch(config)# exit Exits global configuration mode and returns you to EXEC mode.
Step 4 switch(config)# show tacacs-server (Optional) Displays the TACACS+ server configuration.
Step 5 switch(config)# copy running-config startup-config (Optional) Copies the running configuration to the startup configuration.
The following example configures the TACACS+ global dead-time interval:
switch# configure terminal switch(config)# tacacs-server deadtime 5 switch(config)# exit switch# show tacacs-server Global TACACS+ shared secret:******** timeout value:10 deadtime value:5 total number of servers:1 following TACACS+ servers are configured: 10.10.2.2: available on port:2 timeout:10 switch# copy running-config startup-configDisplaying Statistics for a TACACS+ Host
Use the following command to display statistics for a TACACS+ host:
Command
Description
show tacacs-server statistics {hostname | ipv4-address}
Displays the statistics for a TACACS+ host.
hostname—The hostname for the TACACS+ server. The hostname is alphanumeric, case sensitive, and has a maximum of 256 characters.
ipv4-address—The IP address for the TACACS+ server.
Configuration Example for TACACS+
The following example configures a TACACS+ server:
switch# configure terminal switch(config)# feature tacacs+ switch(config-tacacs+)# tacacs-server key 7 "ToIkLhPpG" switch(config-tacacs+)# tacacs-server host 10.10.2.2 key 7 "ShMoMhTl" switch(config-tacacs+)# aaa group server tacacs+ TacServer server 10.10.2.2