The first step is to connect to the ASA device and gain privileged EXEC access.
Global configuration mode is needed and can be entered with “configure terminal”.
The rest of the commands to set up TACACS+ are issued from global configuration mode.
# configure terminal
Create a backup account to gain access to the device in the event that the TACACS+ system is unavailable.
# username backup.account privilege 15 password secret_password_here
The next step is to specify all of the server information and key.
# tacacs-server host <server_ip>
# tacacs-server key secret_TACACS+_key_here
Set up the AAA information that the TACACS+ server will handle.
Below is a list of the commands:
# aaa new-model
# aaa authentication login default group tacacs+ local none
# aaa authorization exec default group tacacs+ local none
# aaa authorization commands 0 default group tacacs+ local none
# aaa authorization commands 15 default group tacacs+ local none
# aaa accounting exec default start-stop group tacacs+
# aaa accounting commands 0 default start-stop group tacacs+
# aaa accounting commands 15 default start-stop group tacacs+
Explanation about the commands used above:
Now you can configure your network device for SSH access, using the following commands:
# ip domain-name <some.domain.name>
# crypto key generate rsa
(This will prompt the user for the key size; set this to a number larger than 2048.)
# line vty 0 15
# transport input ssh
Depending on your Cisco device (some models lack SSH support), you may need different instructions for connecting that device to a TACACS+ server.
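The commands above are easy to mistype or leave half-applied, so a practitioner usually wants a way to audit a saved running-config against this checklist. The script below is an added example, not part of the original how-to and not a Cisco tool: it parses IOS-style configuration text (the syntax assumed here), reports which of the commands from this page are missing, and warns about the “none” method at the end of the AAA lists, which admits a user with no authentication when every earlier method errors out (for example TACACS+ unreachable and the username absent from the local database). The sample configuration, hostname, and server address are constructed for the example.

```python
import re

# Constructed sample running-config excerpt built from the commands in this
# how-to (not captured from a real device); hostname and server IP are made up.
SAMPLE_CONFIG = """\
hostname edge-sw1
username backup.account privilege 15 password secret_password_here
aaa new-model
aaa authentication login default group tacacs+ local none
aaa authorization exec default group tacacs+ local none
aaa authorization commands 15 default group tacacs+ local none
aaa accounting exec default start-stop group tacacs+
aaa accounting commands 15 default start-stop group tacacs+
tacacs-server host 192.0.2.10
tacacs-server key secret_TACACS+_key_here
ip domain-name example.test
line vty 0 15
 transport input ssh
"""

# Each required top-level command from the how-to, as a regex keyed by a label.
REQUIRED = {
    "aaa new-model": r"^aaa new-model$",
    "tacacs host": r"^tacacs-server host \S+",
    "tacacs key": r"^tacacs-server key \S+",
    "local backup account (privilege 15)": r"^username \S+ privilege 15 ",
    "login authentication via tacacs+": r"^aaa authentication login default group tacacs\+",
    "exec authorization via tacacs+": r"^aaa authorization exec default group tacacs\+",
    "exec accounting via tacacs+": r"^aaa accounting exec default start-stop group tacacs\+",
    "ip domain-name (needed for the RSA key)": r"^ip domain-name \S+",
}


def parse_config(text):
    """Split config text into top-level lines and the indented body of 'line vty'."""
    lines = [ln.rstrip() for ln in text.splitlines() if ln.strip()]
    top = [ln for ln in lines if not ln.startswith(" ")]
    vty_body = []
    in_vty = False
    for ln in lines:
        if ln.startswith("line vty"):
            in_vty = True
            continue
        if in_vty:
            if ln.startswith(" "):
                vty_body.append(ln.strip())
            else:
                in_vty = False  # left the vty section
    return top, vty_body


def audit(text):
    """Return {'missing': [labels], 'warnings': [messages]} for a config text."""
    top, vty_body = parse_config(text)
    missing = [label for label, pat in REQUIRED.items()
               if not any(re.match(pat, ln) for ln in top)]
    if "transport input ssh" not in vty_body:
        missing.append("vty transport restricted to ssh")

    warnings = []
    for ln in top:
        # Covers both 'aaa authentication' and 'aaa authorization' method lists.
        if ln.startswith("aaa auth") and ln.split()[-1] == "none":
            warnings.append(
                "'none' as the last method admits the session with no "
                "authentication/authorization once earlier methods error out: " + ln)
    return {"missing": missing, "warnings": warnings}


if __name__ == "__main__":
    report = audit(SAMPLE_CONFIG)
    print("missing:", report["missing"] or "nothing")
    for w in report["warnings"]:
        print("warning:", w)
```

Feed it the output of “show running-config” saved to a file; an empty “missing” list means every command from this page is present, and each warning points at a method list whose trailing “none” you should consciously accept or remove.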
To test it, log completely out of the switch and then attempt to SSH into the switch using the username configured earlier on the TACACS+ server.
On Linux systems, this can be done via the command:
# ssh <tacacs_username>@<server_ip>
If access is granted to the switch/router, congratulations!
Your TACACS+ server is working just fine.