Table Of Contents
Enabling Authentication for Login
Specifying TACACS+ Authorization for EXEC Access and Network Services
Establishing the TACACS+ Server Host
Configuring a Switch for Local AAA Configuration
Configuring TACACS+
This chapter describes the Terminal Access Controller Access Control System Plus (TACACS+), a Cisco proprietary version of TACACS.
Note
STP UplinkFast has also been added for this release, and it is documented in the "Enabling STP UplinkFast" section.
TACACS+ provides the means to manage network security (authentication, authorization, and accounting [AAA]) from a server. This section describes how TACACS+ works and how you can configure it. For complete syntax and usage information for the commands described in this chapter, refer to the Cisco IOS Desktop Switching Command Reference or to the "Security" chapter of the Cisco IOS 11.3 Command Summary.
These sections describe how to configure TACACS+:
•
How TACACS+ Works
In large enterprise networks, the task of administering passwords on each device can be simplified by doing the user authentication centrally on a server. TACACS+ is an access-control protocol that allows a switch to authenticate all login attempts through a central authentication server. The network administrator configures the switch with the address of the TACACS+ server, and the switch and the server exchange messages to authenticate each user before allowing access to the management console.
TACACS+ consists of three services: authentication, authorization, and accounting. Authentication is the action of determining who the user is and whether he or she is allowed access to the switch. Authorization is the action of determining what the user is allowed to do on the system. Accounting is the action of collecting data related to resource usage.
Configuring TACACS+
The TACACS+ feature is disabled by default. However, you can enable and configure it using the command-line interface (CLI). You can access the CLI through the console port or via Telnet. In order to prevent a lapse in security, you cannot configure TACACS+ through a network-management application. When enabled, TACACS+ can authenticate users accessing the switch through either the console or Telnet.
The following sections describe how to configure the primary features of AAA/TACACS+:
•
•
•
•
Note
Enabling AAA/TACACS+
Use the aaa new-model command to enable AAA/TACACS+. Enter the following commands in global configuration mode:
Enabling Authentication for Login
Using the aaa authentication login command and the following keywords, you create one or more lists of authentication methods that are tried at login. The lists are used with the login authentication line configuration command.
Enter the following command in global configuration mode to enable authentication for login:
Switch# aaa authentication login {default | list-name} method1 [...[method3]]The keyword list-name is any character string used to name the list you are creating. The method keyword refers to the actual method the authentication algorithm tries, in the sequence entered. You can enter up to three methods:
line
Uses the line password for authentication.
local
Uses the local username database for authentication.
tacacs+
Uses TACACS+ authentication.
To create a default list that is used if no list is specified in the login authentication command, use the default argument followed by the methods you want used in default situations.
The additional methods of authentication are used only if the previous method returns an error, not if it fails. To specify that the authentication succeed even if all methods return an error, specify none as the final method in the command line.
Specifying TACACS+ Authorization for EXEC Access and Network Services
You can use the aaa authorization command with the tacacs+ keyword to set parameters that restrict a user's network access to Cisco IOS privilege mode (EXEC access) and to network services such as Serial Line Internet Protocol (SLIP), Point to Point Protocol (PPP) with Network Control Protocols (NCPs), and AppleTalk Remote Access (ARA).
The aaa authorization exec tacacs+ local command sets the following authorization parameters:
•
•
Note
To specify TACACS+ authorization for EXEC access and network services, perform the following tasks in global configuration mode:
Starting TACACS+ Accounting
You use the aaa accounting command with the tacacs+ keyword to turn on TACACS+ accounting for each Cisco IOS privilege level and for network services.
To use TACACS+ accounting to send a start-record accounting notice at the beginning of an EXEC process and a stop-record at the end, enter the following command in global configuration mode:
Switch# aaa accounting exec start-stop tacacs+To use TACACS+ to account for all network-related service requests, including SLIP, PPP, and PPP NCPs, perform the following task in global configuration mode:
Switch# aaa accounting network start-stop tacacs+
Note
Establishing the TACACS+ Server Host
Use the tacacs-server host command to specify the names of the IP host or hosts maintaining a AAA/TACACS+ server. On TACACS+ servers, you can configure the following additional options:
•
•
•
You can use the tacacs-server retransmit command to change the number of times the system software searches the list of TACACS servers (the default is two) and the interval it waits for a reply (the default is 5 seconds).
Perform the following tasks in global configuration mode:
Configuring a Switch for Local AAA Configuration
You can configure AAA to operate without a server by setting the switch to implement AAA in local mode. Authentication and authorization are then handled by the switch. No accounting is available in this configuration.
Perform the following tasks in global configuration mode:
