Sunday, February 8, 2015

Basic Cisco Tacacs+ Configuration With Free Tacacs+ Software for Windows - Part 1

Both RADIUS and TACACS+ provides centralized validation of users attempting to gain access to a both protocols supported network devices, which provides Authentication, Authorization, and Accounting (AAA) services on network devices.

RADIUS stands for Remote Access Dial-In User Service, and TACACS+ stands for Terminal Access Controller Access Control Service Plus. The primary functional difference between RADIUS and TACACS+ is that TACACS+ separates out the Authorization functionality, where RADIUS combines both Authentication and Authorization. RADIUS was designed for subscriber AAA, and TACACS+ is designed for administrator AAA. RADIUS can still be used for small network administrator AAA, but only if authorization is not required, or if it is a homogeneous network (all one vendor). In any scenario where there is a heterogeneous environment or authorization policies are required for network devices, TACACS+ is the best option.

The following figure and table show their difference more instinctively:

This post and next one will show the basic Tacacs+ configuration steps on a cisco 2960 switch to work with Free Tacacs+ Software for Windows from tacacs.net:


1. Software Installation and Verify Configuration

1.1 Download Software

Please download Version 1.3.2, which is from their website http://www.tacacs.net/

1.2 Installation

Double click downloaded file TACACSSetup_v1.3.2.zip and simply click next to follow the wizard to complete the installation.


After installation, TACACS.net service will automatically start. Localhost (127.0.0.1) and RFC 1918 IP address ranges (172.16.0.0/12, 192.168.0.0/16, 10.0.0.0/8) are already added as clients by default. Any user in the Administrators group on the local machine will be authorized as the fallback method.

1.3 Configuration Tacacs+ server

The wizard will install the configuration and log files to different locations depending on your OS. Start Menu TACACS.net program group has a configuration shortcut to point to the configuration folder. In my case, all configuration files was installed at this directory: C:\ProgramData\TACACS.net\config

Check tacplus.xml to make sure server ip is not 127.0.0.1.

You do not need to restart/reload the server when you modify the configuration files. The server
monitors for changes to the configuration files and reloads them automatically.

1.4 Verify Tacacs service

telnet 127.0.0.1 49
tactest -s 10.94.200.14 -u test1 -p test1
(test1 is the local administrator account in my Tacacs windows server)

2. Configure Cisco Switch to Use Tacacs server

Router(config)# aaa new-model
Router(config)# tacacs-server host 10.94.200.14 key mysharedsecret
Router(config)# aaa authentication login default group tacacs+ local
Router(config)# aaa authorization exec default group tacacs+ local
Router(config)# line console 0
Router(config-line)# login authentication default
Router(config)# line vty 0 15
Router(config-line)# login authentication default
Based on above configuration steps 1 and step 2, the switch will be authenticated with Tacacs server's account in the local administrators group.

Notes:

Fallback group includes all local administrators on the server. It should be commented out before it is deployed in production.


Reference:






No comments:

Post a Comment