Let’s connect our Cisco switch with our Debian 8 tacacs+ server
The first step is to connect to the ASA device and gain privilege exec access.
Th global configuration mode is needed and can be obtained using “configure terminal”.
From global configuration mode the rest of the commands to setup TACACS+ will be issued.
# configure terminal
Create a backup account to gain access to the device in the event that the TACACS+ system is unavailable.
# username backup.account privilege 15 password secret_password_here
The next step is to specify all of the server information and key.
tacacs-server host <server_ip>
tacacs-server key secret_TACACS+_key_here
Setup the AAA information that the TACACS+ server will handle.
Below is a list of the commands:
# aaa new-model
# aaa authentication login default group tacacs+ local none
# aaa authorization exec default group tacacs+ local none
# aaa authorization commands 0 default group tacacs+ local none
# aaa authorization commands 15 default group tacacs+ local none
# aaa accounting exec default start-stop group tacacs+
# aaa accounting commands 0 default start-stop group tacacs+
# aaa accounting commands 15 default start-stop group tacacs+
Explanation about the commands used above:
- The first stanza creates a AAA model.
- The second line is used to tell the switch/router that it should check all login attempts against the TACACS+ server first and if the server isn’t available check the locally configured user database.
- The authorization lines tell the network device to contact the TACACS+ server to determine if the user is allowed to run particular commands at that particular privilege level.
- The accounting lines tell the network device to log activity to the TACACS+ server.
Now you should be able to configure your network device for SSH access, using the following commands:
# ip domain-name <some.domain.name>
# crypto key generate rsa - This will prompt the user for the key size, set this to a number larger than 2048
# line vty 0 15
# transport input ssh
Depending of your CISCO machine (it could be one of those without SSH support), you may use different instructions for connecting that device to a TACACS+ server.
To test it log completely out of the switch and then attempt to SSH into the switch using the username configured earlier on the TACACS+ server.
On Linux systems, this can be done via the command:
# ssh <tacacs_username>@<server_ip>
If access is granted to the switch/router, congratulations!
Your TACACS+ server is working just fine.
- You should read the full documentation on tac_plus and fine tune the setup, the password, the encryption method … etc.
- Keep in mind this is a simple setup. You can do much more if the system is correctly understood.