LiveAction Application Note
Using LiveAction with Cisco Secure ACS (TACACS+ Server)
September

Table of Contents
1. Introduction
2. Cisco Router Configuration
3. Cisco ACS TACACS+ Configuration
   Cisco Secure ACS Network Device Configuration
   Define User Privileges for Administration and Monitor Level Access
   Create Users
4. Verify LiveAction Connectivity and Operation
Appendix

Introduction

As networks grow in size, maintaining user credentials on every device in the network becomes an overwhelming problem. Network designers and administrators quickly recognized the need for a centralized user management system for these network devices. Two primary protocols are used in Cisco networking devices to enable this capability:
   Remote Authentication Dial-In User Service (RADIUS)
   Terminal Access Controller Access-Control System Plus (TACACS+)

RADIUS and TACACS+ both have unique capabilities and benefits as authentication protocols. TACACS+ runs over TCP and tends to be more reliable, while RADIUS runs over UDP and is less chatty. TACACS+ also encrypts the whole packet body (RADIUS obfuscates only the password) and carries authorization as a separate exchange, which is what makes the per-command authorization used below possible. Refer to the Cisco document TACACS+ and RADIUS Comparison for more details on the differences between these two protocols.

Discussed below are the procedures and methods required for setting up the Cisco Secure ACS TACACS+ feature to interoperate with network devices being controlled or monitored with LiveAction.

LiveAction logs into Cisco devices using the username and password credentials provided by the user. Because these credentials can map to different permission levels on the TACACS+ server, it is important to understand what is and is not required. Both administration-level and monitor-only authorization setups are covered below.

This application note covers the following topics:
1. Cisco router configuration to support authentication with a Cisco Secure ACS TACACS+ server.
2. Cisco Secure ACS TACACS+ configuration.
3. Verifying operation in LiveAction.

Cisco Router Configuration

Cisco devices require individual configuration to support TACACS+ for user authentication. While this configuration is required on each device in the network, it only needs to be set up once per device; it then applies to every user who logs into that device in the future. AAA refers to Authentication, Authorization and Accounting; the configuration uses the aaa command set. The sample configuration below provides the following functions:
1. Default authentication uses the TACACS+ server for all forms of connection (console, telnet/ssh, and terminal lines).
2. If the TACACS+ server is unavailable for any reason, the router falls back to its locally configured settings so that login is still possible. This is useful if the network connection to the TACACS+ server is lost or the server itself goes down.

Cisco IOS Command
    Description

aaa new-model
    Instructs the router to use the newer AAA command set.

aaa authentication login vtymethod group tacacs+ enable
aaa authentication login conmethod group tacacs+ enable
    Specifies that TACACS+ should be used for Telnet/SSH (vtymethod) and console (conmethod) logins. The trailing "enable" method is consulted only if the TACACS+ server cannot be reached; it accepts the enable password, not local username accounts (those would require the "local" method).

aaa authorization commands 1 default group tacacs+ none
aaa authorization commands 15 default group tacacs+ none
    Sends each privilege-level 1 and privilege-level 15 command to TACACS+ for authorization. The trailing "none" means that if the server cannot be reached, commands are permitted without authorization; this is what allows access to continue when the TACACS+ server is not available.

aaa session-id common
    Uses one session ID for all AAA records belonging to a session, which keeps the accounting records for a login easy to correlate.

tacacs-server host
tacacs-server directed-request
tacacs-server key
    Specify the TACACS+ server IP address and the shared secret key (the values are not shown here). The key must match the value configured in Cisco ACS. "directed-request" permits a user to name a specific server at login with the user@server form.

line con 0
 exec-timeout 0 0
 password
 logging synchronous
 login authentication conmethod
line vty 0 4
 exec-timeout 0 0
 privilege level 15
 password
 login authentication vtymethod
 terminal-type monitor
 transport input telnet ssh
!
end
    Assigns the conmethod and vtymethod authentication lists to console connections and vty (remote) sessions respectively.

A few points about this fallback behaviour are worth checking before relying on it. IOS moves to the next method in a list only when the previous method returns an error (the server could not be reached); a reject from TACACS+ is final, so a wrong password is not retried against the enable password. The "none" authorization method therefore makes command authorization fail open only while the server is unreachable, which is the intended behaviour here, but it also means that anyone who can disrupt the path between the router and ACS removes the per-command restrictions at the same time. Note also that "privilege level 15" on the vty lines places every authenticated remote session at level 15, so with this configuration a monitor-only user is constrained solely by the per-command authorization answers returned from ACS; if you want ACS to assign the privilege level itself, add an "aaa authorization exec" method list as well. Finally, "transport input telnet ssh" permits Telnet, which carries the credentials checked by TACACS+ in cleartext across the network; restrict it to ssh wherever LiveAction can use SSH.

Cisco ACS TACACS+ Configuration

There are many TACACS+ servers available to authenticate logins from the router. The most commonly used server, and the one covered in this document, is the Cisco Secure ACS server. This server can also perform many additional user-management tasks such as Active Directory and LDAP synchronization.
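The following script is an added example, not part of the LiveAction application note and not Cisco or LiveAction tooling. It parses a running-config text modelled on the router configuration table above (a constructed sample with a placeholder address and key, since the note omits both) and checks the relationships the note relies on: that the console and vty lines apply login lists that actually consult TACACS+, that a server and shared key are configured, and that command authorization exists for privilege levels 1 and 15, reporting the intentional fail-open fallbacks separately as notes. It also walks a method list the way IOS does, so the difference between a TACACS+ reject (final) and a TACACS+ error (falls through to "enable" or "none") is visible. The function names parse_config, audit and resolve are the example's own.

```python
import re

# Constructed sample modelled on the configuration table above. The note
# omits the server address, shared key and line passwords; 192.0.2.10 and
# ExampleSharedSecret are placeholders for this example, not from the note.
SAMPLE_CONFIG = """\
aaa new-model
aaa authentication login vtymethod group tacacs+ enable
aaa authentication login conmethod group tacacs+ enable
aaa authorization commands 1 default group tacacs+ none
aaa authorization commands 15 default group tacacs+ none
aaa session-id common
tacacs-server host 192.0.2.10
tacacs-server key ExampleSharedSecret
line con 0
 login authentication conmethod
line vty 0 4
 privilege level 15
 login authentication vtymethod
 transport input telnet ssh
"""


def tokenize_methods(spec):
    """'group tacacs+ enable' -> ['group tacacs+', 'enable']."""
    tokens, methods, i = spec.split(), [], 0
    while i < len(tokens):
        if tokens[i] == "group" and i + 1 < len(tokens):
            methods.append("group " + tokens[i + 1])
            i += 2
        else:
            methods.append(tokens[i])
            i += 1
    return methods


def parse_config(text):
    """Pull the AAA, TACACS+ server and line settings out of a running-config."""
    cfg = {"aaa_new_model": False, "login_lists": {}, "cmd_authz": {},
           "line_auth": {}, "tacacs_hosts": [], "tacacs_key": False}
    current_line = None
    for raw in text.splitlines():
        if not raw.startswith(" "):  # any top-level command ends a line block
            current_line = None
        s = raw.strip()
        if s == "aaa new-model":
            cfg["aaa_new_model"] = True
        elif (m := re.match(r"aaa authentication login (\S+) (.+)", s)):
            cfg["login_lists"][m[1]] = tokenize_methods(m[2])
        elif (m := re.match(r"aaa authorization commands (\d+) \S+ (.+)", s)):
            cfg["cmd_authz"][int(m[1])] = tokenize_methods(m[2])
        elif (m := re.match(r"tacacs-server host (\S+)", s)):
            cfg["tacacs_hosts"].append(m[1])
        elif s.startswith("tacacs-server key "):
            cfg["tacacs_key"] = True
        elif (m := re.match(r"line (con|vty|aux) (.+)", s)):
            current_line = m[1] + " " + m[2]
        elif current_line and (m := re.match(r"login authentication (\S+)", s)):
            cfg["line_auth"][current_line] = m[1]
    return cfg


def audit(cfg):
    """Return (errors, notes): errors break the setup described in the note,
    notes are the intentional fail-open fallbacks the operator should know."""
    errors, notes = [], []
    if not cfg["aaa_new_model"]:
        errors.append("aaa new-model missing: the method lists have no effect")
    if not cfg["tacacs_hosts"]:
        errors.append("no tacacs-server host configured")
    if not cfg["tacacs_key"]:
        errors.append("no tacacs-server key: it must match the key set in Cisco ACS")
    for line in ("con 0", "vty 0 4"):
        name = cfg["line_auth"].get(line)
        methods = cfg["login_lists"].get(name) if name else None
        if name is None:
            errors.append(f"line {line}: no login authentication list applied")
        elif methods is None:
            errors.append(f"line {line}: login list '{name}' is not defined")
        elif "group tacacs+" not in methods:
            errors.append(f"line {line}: login list '{name}' never consults TACACS+")
        elif methods[-1] != "group tacacs+":
            notes.append(f"line {line}: login falls back to '{methods[-1]}' "
                         "only if the TACACS+ server is unreachable")
    for level in (1, 15):
        methods = cfg["cmd_authz"].get(level)
        if methods is None:
            errors.append(f"no command authorization for privilege level {level}")
        elif methods[-1] == "none":
            notes.append(f"privilege {level} commands run unchecked if the server is unreachable")
    return errors, notes


def resolve(methods, outcomes):
    """Walk a method list the way IOS does: move to the next method only when
    the previous one returns an error (server unreachable); a reject is final.
    outcomes maps method -> 'pass' | 'fail' | 'error'; 'none' always passes."""
    for method in methods:
        result = "pass" if method == "none" else outcomes.get(method, "fail")
        if result != "error":
            return result, method
    return "error", None
```

Run audit(parse_config(text)) against the output of "show running-config" before pointing LiveAction at a device: an empty error list with the four expected fallback notes means the device matches the configuration described above, while a device whose vty lines reference an undefined or TACACS+-free list shows up as an error rather than silently accepting local logins. The resolve walk reproduces the point made about fallback: a "fail" from TACACS+ stops at that method, while only an "error" reaches "enable" or "none".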