Cisco AP – tacacs+ configuration
October 13, 2015
This post contains my notes on configuring a Cisco AP to work with tacacs+ services.
AP configuration – telnet authentication
Configure the AP to authenticate telnet users with tacacs+:
ap(config)#aaa new-model
ap(config)#aaa authentication login aaaList1 group tacacs+ local // define authentication methods list
ap(config)#tacacs-server host 192.168.0.205 key sharedKey
ap(config)#line vty 0 15
ap(config-line)#transport input telnet
ap(config-line)#login authentication aaaList1 // bind the list to vty console
- Define the AP (allowed device):
- Define the username and password:
Try to log in to the AP with telnet. You can also validate tacacs+ on your AP:
ap#show tacacs
Tacacs+ Server : 192.168.0.201/49
Socket opens: 4
Socket closes: 4
Socket aborts: 0
Socket errors: 0
Socket Timeouts: 0
Failed Connect Attempts: 0
Total Packets Sent: 10
Total Packets Recv: 9
ap#
We will configure tacacs+ to put the user into privileged mode automatically after login.
- Define a Policy Element on your ACS. A Policy Element defines a kind of permission (authorization level) but does not bind it to any specific user or device. Go to Shell Profiles and define your Policy Element so that it grants privilege level 15 (the maximum level):
- Bind your Policy Element to the specific user:
With this configuration the Policy Element “PrivilegeMode” (created in step 1.) is bound to the user lukas. When the user logs in, he is put into privileged mode automatically.
- The last step – configure your AP to use tacacs+ for exec authorization of telnet/ssh users:
ap(config)#
ap(config)#aaa authorization exec authList1 group tacacs+ local // create auth. list
ap(config)#line vty 0 15
ap(config-line)#authorization exec authList1 // bind auth. list with the console
ap(config-line)#
These commands set the following authorization parameters:
- Use TACACS+ for privileged EXEC access authorization if authentication was performed by using TACACS+
- Use the local database if authentication was not performed by using TACACS+
In this example I will turn on accounting for user login and for user commands in privileged mode.
- Configure your AP:
ap(config)#
ap(config)#aaa accounting exec AccntList start-stop tacacs+ // define account. list for starting exec session
ap(config)#aaa accounting commands 15 AccntList start-stop group tacacs+ // define account list for privileged commands
ap(config)#line vty 0 15
ap(config-line)#accounting exec AccntList // bind the list with vty console
ap(config-line)#accounting commands 15 AccntList // bind the list with vty console
ap(config-line)#
- You don’t have to configure anything on your ACS. Navigate to Monitoring and Reports and open the TACACS Accounting report:
You can see when the user has logged on (and his privilege level) and also which privileged commands he has executed.
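The three AP configuration blocks in this post (authentication, authorization, accounting) only take effect if every method list defined globally is actually bound to the vty lines. The following Python script is an added example, not part of the original post or any Cisco tool: it parses a running-config text and reports vty lines where a list is missing or refers to an undefined name. The sample config is constructed from the commands above (list names aaaList1, authList1 and AccntList are the ones used in this post).

```python
import re

# Constructed sample running-config modelled on the commands in this post (not captured from a real AP).
SAMPLE_CONFIG = """\
aaa new-model
aaa authentication login aaaList1 group tacacs+ local
aaa authorization exec authList1 group tacacs+ local
aaa accounting exec AccntList start-stop group tacacs+
aaa accounting commands 15 AccntList start-stop group tacacs+
line vty 0 15
 transport input telnet
 login authentication aaaList1
 authorization exec authList1
 accounting exec AccntList
 accounting commands 15 AccntList
"""
# vty sub-command -> pattern capturing the list name from its global definition
LIST_DEFS = {"login authentication": r"aaa authentication login (\S+) ",
             "authorization exec": r"aaa authorization exec (\S+) ",
             "accounting exec": r"aaa accounting exec (\S+) ",
             "accounting commands 15": r"aaa accounting commands 15 (\S+) "}

def parse_config(text):
    """Split an IOS config into global commands and per-'line' sub-commands."""
    global_cmds, sections, current = [], {}, None
    for raw in filter(str.strip, text.splitlines()):  # skip empty lines
        if raw.startswith(" ") and current:  # indented: belongs to the open line block
            sections[current].append(raw.strip())
        elif raw.startswith("line "):
            sections[(current := raw.strip())] = []
        else:
            current = None
            global_cmds.append(raw.strip())
    return global_cmds, sections

def audit_vty_aaa(text):
    """Return findings for every 'line vty' block; an empty list means clean."""
    global_cmds, sections = parse_config(text)
    findings = [] if "aaa new-model" in global_cmds else ["aaa new-model missing; lists ignored"]
    defined = {k: {m.group(1) for c in global_cmds if (m := re.match(p, c))}
               for k, p in LIST_DEFS.items()}
    for name, cmds in sections.items():
        if not name.startswith("line vty"):
            continue
        for key, names in defined.items():  # every AAA list must be bound and defined
            bound = [c.split()[-1] for c in cmds if c.startswith(key + " ")]
            if not bound or bound[0] not in names:
                findings.append(f"{name}: '{key}' is not bound to a defined list")
        if "transport input telnet" in cmds:
            findings.append(f"{name}: telnet enabled, credentials cross the network in cleartext")
    return findings
```

Run it against the output of `show running-config` copied into a file; for the sample above the only finding is the telnet transport.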