Saturday, December 30, 2017

Configuring AAA on Cisco Routers / Switches for TACACS Users

Before reading this, you may need to know how to configure a Cisco ACS server. If so, click here and come back.

Steps:-

1. Enable AAA new model
This unlocks the AAA configuration commands.

R1(config)#aaa new-model

2. Define the TACACS server group name and parameters
The key must be the same key entered as the shared secret in the authentication options on the Cisco ACS server.

R1(config)#tacacs server TACACS
R1(config-server-tacacs)#address ipv4 10.1.1.200
R1(config-server-tacacs)#key C1sc0#adm


3. Create a default AAA Authentication Method List
The following default method list specifies TACACS+ as the first authentication method. If TACACS+ authentication fails, the local user database is used.
A custom method list can also be configured.

R1(config)#aaa authentication login default group tacacs+ local 

4. Create a default Authorization Method List
I am creating this for Shell Privilege and for Privilege Level 15 commands.

R1(config)#aaa authorization exec default group tacacs+
R1(config)#aaa authorization commands 15 default group tacacs+
R1(config)#aaa authorization config-commands


5. Create an Accounting Method List using TACACS+

R1(config)#aaa accounting commands 15 default start-stop group tacacs+

6. Apply the AAA authentication method list "default" to line vty
This command may not be required because the method list is the default one. If a custom method list was created, this command should be used with the custom method list name.

R1(config)#line vty 0 4
R1(config-line)#login authentication default


If you want to know how to configure ssh access for a router please click here.

Now the user mst_roshan will log in at privilege level 15, and commands are authorized using the TACACS+ protocol. The AAA accounting entries can be viewed in ACS at Monitoring and Reports > Reports > Catalog > AAA Protocol.
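A check worth running before relying on this configuration, added here as an example that is not part of the original post: a small Python audit over the commands from steps 1 to 6 that reports which method lists stop working when no TACACS+ server answers. The helper names audit_aaa and split_methods are hypothetical, and the sample configuration is constructed from the steps above with prompts stripped and the key line left out.

```python
import re

# Constructed sample: commands from steps 1-6, prompts stripped, key line omitted.
SAMPLE_CONFIG = """\
aaa new-model
tacacs server TACACS
 address ipv4 10.1.1.200
aaa authentication login default group tacacs+ local
aaa authorization exec default group tacacs+
aaa authorization commands 15 default group tacacs+
aaa authorization config-commands
aaa accounting commands 15 default start-stop group tacacs+
line vty 0 4
 login authentication default
"""

# aaa <authentication|authorization> <service> <list-name> <method> [<method> ...]
METHOD_LIST = re.compile(
    r"^aaa (authentication|authorization) (login|exec|commands \d+) (\S+) (.+)$")

def split_methods(text):
    """Split 'group tacacs+ local' into ['group tacacs+', 'local']."""
    tokens, methods = text.split(), []
    while tokens:
        take = 2 if tokens[0] == "group" and len(tokens) > 1 else 1
        methods.append(" ".join(tokens[:take]))
        tokens = tokens[take:]
    return methods

def audit_aaa(config):
    """Return (method list, issue) pairs for lists that break with no server."""
    # IOS moves to the next method only when the previous one gets no
    # response (server unreachable), not when the server rejects the request.
    lines = [line.strip() for line in config.splitlines()]
    has_local_user = any(line.startswith("username ") for line in lines)
    findings = []
    for match in filter(None, map(METHOD_LIST.match, lines)):
        kind, service, name, methods = match.groups()
        label = f"{kind} {service} {name}"
        # Methods that need no AAA server: local, if-authenticated, none, ...
        offline = [m for m in split_methods(methods) if not m.startswith("group ")]
        if not offline:
            findings.append((label, "server-only"))
        elif "local" in offline and not has_local_user:
            findings.append((label, "local-without-user"))
    return findings

if __name__ == "__main__":
    for label, issue in audit_aaa(SAMPLE_CONFIG):
        print(f"{label}: {issue}")
```

On the sample, the login list is flagged because no local username is defined for its local fallback, and both authorization lists are flagged because TACACS+ is their only method, so a login that falls back to the local database would still be refused a shell while the server is down.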

