Cisco AP – tacacs+ configuration

This post contains notes on configuring a Cisco AP to authenticate, authorize and account for management users against a tacacs+ server (Cisco ACS).

AP configuration – telnet authentication

Configure the AP to authenticate telnet users with tacacs+, falling back to the local user database:

ap(config)#aaa new-model
ap(config)#aaa authentication login aaaList1 group tacacs+ local // define authentication methods list
ap(config)#tacacs-server host 192.168.0.205 key sharedKey
ap(config)#line vty 0 15
ap(config-line)#transport input telnet
ap(config-line)#login authentication aaaList1 // bind the list to vty console 

tacacs+ configuration

  1. Define the AP as an allowed device (AAA client):
    [screenshot: tacacs_1]
  2. Define the username and password:
    [screenshot: tacacs_2]

Verification

Try to log in to the AP with telnet. You can also check the tacacs+ statistics on the AP:

ap#show tacacs

Tacacs+ Server            : 192.168.0.201/49
              Socket opens:          4
             Socket closes:          4
             Socket aborts:          0
             Socket errors:          0
           Socket Timeouts:          0
   Failed Connect Attempts:          0
        Total Packets Sent:         10
        Total Packets Recv:          9

ap#

Configure Authorization

We will configure tacacs+ to put the user into privileged mode automatically after login.

  1. Define a Policy Element on your ACS. A Policy Element defines a kind of permission (authorization level) but does not bind it to any specific user or device. Go to Shell Profiles and define a Policy Element which grants privilege level 15 (the maximum level):

    [screenshot: tacacs_3]

  2. Bind your Policy Element to the specific user:
    [screenshot: tacacs_4]

    With this configuration the Policy Element “PrivilegeMode” (created in step 1) is bound to the user lukas. When the user logs in, he is put into privileged mode automatically.

  3. The last step – configure your AP to use tacacs+ as the exec authorization method for telnet/ssh users:
    ap(config)#aaa authorization exec authList1 group tacacs+ local // create authorization list
    ap(config)#line vty 0 15
    ap(config-line)#authorization exec authList1 // bind the authorization list to the vty lines
    

    These commands set these authorization parameters:

    • Use TACACS+ for privileged EXEC access authorization if authentication was performed by using TACACS+
    • Use the local database if authentication was not performed by using TACACS+

Configure accounting

In this example I will turn on accounting for user logins and for the commands users run in privileged mode.

  1. Configure your AP:
    ap(config)#aaa accounting exec AccntList start-stop tacacs+ // define accounting list for starting an exec session
    ap(config)#aaa accounting commands 15 AccntList start-stop group tacacs+ // define accounting list for privileged commands
    ap(config)#line vty 0 15
    ap(config-line)#accounting exec AccntList // bind the exec accounting list to the vty lines
    ap(config-line)#accounting commands 15 AccntList // bind the command accounting list to the vty lines
    
  2. You don’t have to configure anything on your ACS. Navigate to Monitoring and Reports and open the TACACS Accounting report:
    [screenshot: tacacs_5]
  3. You can see when the user logged on (and his privilege level) and also which privileged commands he executed.
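As an added example (not part of this post or of Cisco's tooling), the Python audit below checks a running-config for the three pieces configured above: every AAA list bound under the vty lines must be defined, authentication and authorization lists must keep the local fallback, and both accounting lists must be bound. The config text is constructed from this post's commands; the audit function and its messages are my own.

```python
import re

# Constructed sample (not a real device): the lines this post adds to the AP.
SAMPLE_CONFIG = """\
aaa new-model
aaa authentication login aaaList1 group tacacs+ local
aaa authorization exec authList1 group tacacs+ local
aaa accounting exec AccntList start-stop group tacacs+
aaa accounting commands 15 AccntList start-stop group tacacs+
line vty 0 15
 login authentication aaaList1
 authorization exec authList1
 accounting exec AccntList
 accounting commands 15 AccntList
"""

# The four AAA list kinds this post configures, in global 'aaa ...' wording.
KINDS = ("authentication login", "authorization exec", "accounting exec", "accounting commands 15")
GLOBAL_RE = re.compile(r"aaa (%s) (\S+) (?:start-stop |stop-only )?(.+)$" % "|".join(KINDS))
VTY_RE = re.compile(r" (login authentication|%s) (\S+)$" % "|".join(KINDS[1:]))  # vty reverses the first

def parse_aaa(config):
    """Return ({(kind, list name): methods}, {kind: list name bound on the vty lines})."""
    lists, bound, in_vty = {}, {}, False
    for line in config.splitlines():
        if not line.startswith(" "):                   # global command
            in_vty = line.startswith("line vty")
            if m := GLOBAL_RE.match(line):
                lists[(m.group(1), m.group(2))] = m.group(3).split()
        elif in_vty and (m := VTY_RE.match(line)):     # sub-command under 'line vty'
            kind = "authentication login" if m.group(1) == "login authentication" else m.group(1)
            bound[kind] = m.group(2)
    return lists, bound

def audit(config):
    """Return findings; an empty list means every AAA list is defined, bound and has a fallback."""
    lists, bound = parse_aaa(config)
    findings = [] if "aaa new-model" in config.splitlines() else ["aaa new-model missing: lists are ignored"]
    for kind in KINDS:
        name = bound.get(kind)
        if name is None:
            findings.append(f"vty lines have no {kind} list bound")
        elif (kind, name) not in lists:
            findings.append(f"vty binds undefined {kind} list {name}")
        # authentication/authorization need 'local' after tacacs+, or the AP locks
        # everyone out while the ACS is unreachable; accounting has no fallback method
        elif not kind.startswith("accounting") and "local" not in lists[(kind, name)]:
            findings.append(f"{kind} list {name} has no local fallback")
    return findings
```

Feed it the output of `show running-config` to spot a mistyped list name or a missing `local` before the AP is deployed.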
