How to add TACACS+ to your Cisco logins
In the interest of fairness, since I recently blogged about RADIUS authentication, I thought it would be a good idea to talk about TACACS+ as well. You will find that the configuration steps are quite similar, but the resulting functionality with TACACS+ exceeds the capabilities offered by RADIUS. The objective of this blog is not to show all the features that TACACS+ provides, but just to give a few screenshots on basic TACACS+ authentication.
For instructor-led Cisco CCNA Certification training, see our course schedule.
My topology is shown in figure 1:
Here the Cisco device fulfills the role of the client, while I have a Server 2003 box as the authenticating server. Yes I could have built a newer server than 2003, but just to have screen shots of basic authentication did not seem justification enough, since I already had this one.
Let’s see the config on the Cisco device which will cause it to forward authentication attempts:
You will notice that much like the aaa authentication …radius command, I have added the keyword ‘local’ to the end of the command. This important step will allow an authorized user to access the device even if the authenticating server should be unreachable.
Figure 2 shows the minimum aaa commands required to make this function. Now for the tacacs-specific commands:
Figure 3 shows that I have identified the source interface for the TACACS+ requests, and I have identified the destination and key for the requests as well. Figure 1 shows that the 10.5.1.100 address belongs to my authenticating server.
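Since figures 2 and 3 are screenshots, the commands they contain are not reproduced on this page. The following configuration is an added example, not the author's own, reconstructed from the description above. The server address 10.5.1.100 comes from the post; the shared key, the source interface (GigabitEthernet0/0), the local username and the vty line range are placeholders that I have assumed.

```cisco
! Added example configuration, not from the original post.
! Enables AAA; until this is entered the aaa commands below are not accepted.
aaa new-model
!
! Local fallback account. Use 'secret', not 'password', so the hash is not reversible.
! 'PLACEHOLDER-local-pw' is an assumed placeholder value.
username admin privilege 15 secret PLACEHOLDER-local-pw
!
! Login authentication: try every configured TACACS+ server first, then the local
! database. The 'local' keyword is consulted only when no server responds; a
! reject returned by a reachable server is final.
aaa authentication login default group tacacs+ local
!
! Source all TACACS+ requests from one interface so the server sees a stable
! client address (assumed interface name).
ip tacacs source-interface GigabitEthernet0/0
!
! Server 2003 box at 10.5.1.100 (address from figure 1). Legacy one-line form that
! matches the IOS generation used in the post. 'PLACEHOLDER-shared-key' is assumed.
tacacs-server host 10.5.1.100 key PLACEHOLDER-shared-key
!
! Equivalent newer IOS syntax (use one form or the other, not both):
! tacacs server SRV2003
!  address ipv4 10.5.1.100
!  key PLACEHOLDER-shared-key
!
! Apply the default method list to the remote-access lines.
line vty 0 4
 login authentication default
 transport input ssh
!
! Verification commands used after the config is in place:
! show tacacs                         -> socket state and request/timeout counters
! test aaa group tacacs+ admin PLACEHOLDER-local-pw legacy   -> exercises the server path
! debug tacacs authentication         -> the per-attempt trace shown later in the post
```

Two points worth checking on a live device: the `group tacacs+` method fails over to `local` only on a timeout, so the "known bad credentials" test later in the post will be rejected by the server rather than retried locally, and the fallback test only works if the local username exists before the server is taken offline.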
Now to test this. I will attempt to log in to the Cisco device from my Windows 7 client using a valid username/password combination and a reachable authenticating server:
Voila! I have authenticated successfully using TACACS+. Another test that would assuage a network admin’s nerves regarding security is to test authentication with known bad credentials to verify failure. Let’s check:
Failed as expected. The last verification step I will show today is that of using what should be good credentials but the TACACS+ authenticator is unreachable. In that case, the device should fail back to the locally configured user database. Let’s verify this as well. I will disable the network card on my Server 2003 box to cause the TACACS+ requests to be ignored. Watch what happens:
Figure 6 shows successful access to the device, but how do I know that the authenticating server did not provide this access? I ran debug tacacs authentication on my router. Let’s examine the output:
Notice in figure 7 that the client attempted to contact the authenticating server, but the request timed out. Since I had a locally configured username and password that matched my attempt, access was granted.
As mentioned, there is far more that TACACS+ can do for you, right down to controlling a user’s experience by permitting or denying individual commands. That is far deeper than one needs to delve when seeking the CCNA R&S certification, but it never hurts to at least familiarize oneself with the overall concepts.
If you have questions or comments, please feel free to post them!
Until next time….