
Tuesday 8 February 2011

Tacacs Authentication and Authorization

A breakdown of what is required for TACACS+ user authentication and authorization on an AAP.

aaa new-model

aaa authentication login LOGIN group tac_users local
aaa authentication enable default group tac_users enable
aaa authorization exec LOGIN group tac_users local

(LOGIN was used in this case as there was a requirement to use a non-default auth list)

aaa group server tacacs+ tac_users
 server 10.10.210.5

tacacs-server host 10.10.210.5 key 7 08285C4B1109000506

ip http authentication aaa login-authentication LOGIN
ip http authentication aaa exec-authorization LOGIN
(define HTTP authentication lists)

line vty 0 4
 authorization exec LOGIN
 login authentication LOGIN
 transport input ssh
(define VTY line attributes)
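As an added example (not code from the post), a small Python audit that checks a saved IOS-style configuration for the pieces listed above: aaa new-model, the LOGIN lists with a local fallback, the tac_users server group with a keyed host entry, and the VTY line settings. SAMPLE_CONFIG is constructed from the post's lines with the key string replaced by a placeholder; parse_blocks and audit_aaa are hypothetical helper names.

```python
# Added example (not the post's code); SAMPLE_CONFIG is constructed from the post's lines.
SAMPLE_CONFIG = """\
aaa new-model
aaa authentication login LOGIN group tac_users local
aaa authorization exec LOGIN group tac_users local
aaa group server tacacs+ tac_users
 server 10.10.210.5
tacacs-server host 10.10.210.5 key 7 <TYPE7-STRING>
line vty 0 4
 authorization exec LOGIN
 login authentication LOGIN
 transport input ssh
"""
def parse_blocks(config):
    """Group an IOS-style config into (header, [indented children]) pairs."""
    blocks = []
    for raw in (l for l in config.splitlines() if l.strip() and not l.startswith("!")):
        if raw.startswith(" ") and blocks:
            blocks[-1][1].append(raw.strip())
        else:
            blocks.append((raw.strip(), []))
    return blocks

def audit_aaa(config, list_name="LOGIN", group="tac_users"):
    """Return findings; an empty list means every expected piece is present."""
    blocks = parse_blocks(config)
    top = [h for h, _ in blocks]
    found = []
    if "aaa new-model" not in top:
        found.append("aaa new-model missing; named AAA lists are not applied without it")
    for kind in ("authentication login", "authorization exec"):
        line = next((h for h in top if h.startswith(f"aaa {kind} {list_name} ")), "")
        if f"group {group}" not in line or not line.endswith(" local"):
            found.append(f"'aaa {kind} {list_name}' must use group {group} with local fallback")
    servers = [k.split()[1] for h, kids in blocks
               if h == f"aaa group server tacacs+ {group}" for k in kids if k.startswith("server ")]
    if not servers:
        found.append(f"server group {group} defines no servers")
    for ip in servers:
        host = next((h for h in top if h.startswith(f"tacacs-server host {ip}")), "")
        if " key " not in host:
            found.append(f"tacacs-server host {ip} missing or has no per-host key")
        elif " key 7 " in host:
            found.append(f"key for {ip} is type 7 (reversible encoding, not a hash)")
    for h, kids in blocks:
        if h.startswith("line vty"):
            for need in (f"login authentication {list_name}", f"authorization exec {list_name}", "transport input ssh"):
                if need not in kids:
                    found.append(f"'{h}' lacks '{need}'")
    return found
```

Run it against `show running-config` output saved to a file; the only finding on the post's own config is the type 7 key, which is a reminder that the shared secret is recoverable from the config text.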

ACS

Configure NAS
Interface Configuration - Advanced options
Select user options if required
Edit TACACS+, add shell and advanced options
Under User or Group, set Max privilege to 15; use CiscoSecure PAP password under enable

Set per-user command authorization
Permit unmatched if no specific commands are required
