Tacacs Configuration Task List
To configure your router to support Tacacs+, you must perform the following tasks:
Step 1 Use the aaa new-model global configuration command to enable AAA.
Warning: The aaa new-model command immediately applies local authentication to all lines and interfaces (except the console line, line con 0). If a telnet session is opened to the router after enabling this command (or if a connection times out and has to reconnect), the user has to be authenticated against the local database of the router. To avoid being locked out of the router, we recommend that you define a username and password on the access server before starting the AAA configuration. Do this as follows:
username xxx password yyy
Step 2 Use the tacacs-server host command to specify the IP address of one or more Tacacs servers. The command syntax is as follows:
tacacs-server host hostname [single-connection] [port integer] [timeout integer] [key string]
Here is a practical example:
tacacs-server host 192.168.1.1
tacacs-server host 192.168.1.2
Note: You can define multiple Tacacs servers by entering the tacacs-server host command once for each server. You see this a lot with service providers, who use it for redundancy in case the first server becomes unavailable. If the first server does not respond within the timeout period (default 5 seconds), the next server is queried, and so on. A good strategy is to use geographically diverse Tacacs servers such as Cisco Secure ACS, and keep their databases in sync.
Step 3 Use the tacacs-server key command to specify an encryption key to encrypt the Tacacs session between the networking device and the Tacacs server. This same key must also be configured on the Tacacs server. The global command is as follows:
tacacs-server key key
Here is an example:
tacacs-server key TheBirdIsSinging
Step 4 Use the aaa authentication global configuration command to define method lists that use Tacacs for authentication.
Step 5 Use line and interface commands to apply the defined method lists to various interfaces.
Here is an example:
Step 6 To enable authorization, use the aaa authorization global command to configure authorization method lists. Unlike authentication, which can be configured per line or per interface, authorization is configured globally for the entire NAS.
Step 7 To enable accounting for Tacacs connections, use the aaa accounting command to configure accounting method lists.
Note: You can define multiple Tacacs servers by defining the servers with the IOS command tacacs-server host <ip address of server>. This is often used for redundancy in case the first server becomes unavailable. If the first server does not respond within a timeout period (default 5 seconds), the next server is queried, and so forth. For example, to define three servers you would use the IOS configuration:
!
tacacs-server host 1.1.1.1
!
tacacs-server host 2.2.2.2
!
tacacs-server host 3.3.3.3
tacacs-server key TheBirdIsSinging
Note: One thing to look out for when configuring Tacacs is to make sure you define the Tacacs servers first. We do this because if you make a mistake configuring the method lists and do not allow local fallback, you can lock yourself out of the router if the Tacacs server is not defined. This will require a password recovery procedure to fix.
Here is the safe way to configure Tacacs on IOS devices and not lock yourself out.
1. Verify that the router has a route to the Tacacs server(s).
2. Verify that the router is able to ping the Tacacs server. Verify that TCP port 49 is open all the way from the router to the Tacacs servers.
3. Verify that the IP of the router is configured as an AAA client in the CiscoSecure ACS server, with the correct key.
4. Telnet to the CiscoSecure ACS server on port 49. Remember that you may need extra control-shift-6 characters if you are running through multiple forward or reverse telnet sessions. Do not proceed unless you can make a connection. Hit a couple of carriage returns to close the connection.
router> telnet 172.16.1.1 49
Trying 172.16.1.1, 49 ... Open
5. Backup the current router configuration to a tftp server.
6. Open 2 simultaneous sessions to the router: 1 via console and 1 via telnet. If you run into any issues, back out the changes via the console session.
7. Enter the following commands on the console session in the same order. Keep the telnet session open. In this example, the Tacacs server is 172.16.1.1.
tacacs-server host 172.16.1.1
tacacs-server key <key>
aaa new-model
aaa authentication login default group tacacs+ local
aaa accounting exec default stop-only group tacacs+
aaa accounting commands 15 default stop-only group tacacs+
!
! For termservers, disable authentication for reverse telnet.
!
aaa authentication login 1 none
line 33 64
 login authentication 1
!
! Specify source interface if required.
!
ip tacacs source-interface <int>
8. Log out of the telnet session.
9. Telnet back in. The router should now prompt for a username. Test Tacacs authentication by logging back in with a valid Tacacs account.
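As an added example that is not part of the original guide, the following Python script checks an IOS configuration snippet for the lockout risks the notes above describe: the Tacacs server and key defined before aaa new-model, a local username present, and a local fallback in the default login method list. The two sample configs and the placeholder key and password are constructed for this example.

```python
import re

# Constructed sample configs (not from a real device). The first follows the
# guide's safe order; the second is the lockout-prone variant it warns about.
SAFE_CONFIG = """\
username admin secret EXAMPLE-PASSWORD-PLACEHOLDER
tacacs-server host 172.16.1.1
tacacs-server key EXAMPLE-KEY-PLACEHOLDER
aaa new-model
aaa authentication login default group tacacs+ local
aaa accounting exec default stop-only group tacacs+
aaa accounting commands 15 default stop-only group tacacs+
"""

UNSAFE_CONFIG = """\
aaa new-model
aaa authentication login default group tacacs+
tacacs-server host 172.16.1.1
"""

def _first_match(lines, pattern):
    """Index of the first config line matching pattern, or None."""
    for i, line in enumerate(lines):
        if re.match(pattern, line):
            return i
    return None

def audit_ios_tacacs(config):
    """Return a list of lockout risks found in an IOS config snippet."""
    lines = [l.strip() for l in config.splitlines() if l.strip()]
    host = _first_match(lines, r"tacacs-server host \S+")
    key = _first_match(lines, r"tacacs-server key \S+")
    user = _first_match(lines, r"username \S+ .*(password|secret) ")
    new_model = _first_match(lines, r"aaa new-model$")
    login = _first_match(lines, r"aaa authentication login default ")
    findings = []
    if host is None:
        findings.append("no tacacs-server host defined")
    if key is None:
        findings.append("no tacacs-server key defined")
    if new_model is not None and user is None:
        findings.append("aaa new-model enabled without a local username")
    if new_model is not None and host is not None and host > new_model:
        findings.append("tacacs-server host defined after aaa new-model")
    if login is not None:
        methods = lines[login].split()[4:]  # method keywords after 'default'
        if "group" in methods and "local" not in methods:
            findings.append("default login method list has no local fallback")
    return findings
```

Run it against the output of show running-config before pasting a new AAA block; an empty list means the ordering and fallback checks from the guide all pass.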
Here is the safe way to configure Tacacs on CatOS switches.
1. Verify that the switch has a route to the Tacacs server.
2. Verify that the switch is able to ping the CiscoSecure ACS server. Verify that TCP port 49 is open between the switch and the Tacacs server(s).
3. Verify that the IP of the switch is configured as an AAA client in the CiscoSecure ACS server, with the correct key.
4. Telnet to the CiscoSecure ACS server on port 49. Do not proceed unless you can make a connection.
switch (enable) telnet 172.16.1.1 49
Trying 172.16.1.1...
Connected to 172.16.1.1.
Escape character is '^]'.
5. Backup the current config to a tftp server.
6. Open 2 simultaneous sessions to the switch: 1 via console and 1 via telnet from the loghost. If you run into any issues, back out the changes via the console session.
7. Enter the following commands on the console session in the same order. Keep the telnet session open.
set tacacs server 172.16.1.1
set tacacs key <key>
set authentication login tacacs enable console primary
set authentication login tacacs enable telnet primary
set accounting commands enable all stop-only tacacs+
8. Log out of the telnet session.
9. Telnet back in. The switch should now prompt for a username. Test Tacacs authentication by logging back in with a valid Tacacs account.
This section describes how to implement authentication and authorization for traffic through the PIX Firewall, using a Tacacs server. The commands used for this purpose are in addition to the basic firewall configuration required, which is described in the previous section, "Basic Configuration." Note that the PIX only supports authentication and authorization. It does not support accounting.
The aaa-server command specifies the IP address of the Tacacs authentication server. The aaa authentication command statement specifies that users on network 192.168.3.0 starting FTP, HTTP, and Telnet connections from the inside interface be prompted for their usernames and passwords before being permitted to access the servers on other interfaces. The aaa authorization command statement lets the users on 192.168.3.0 access FTP, HTTP, or Telnet, and any TCP connections to anywhere as authorized by the AAA server. Even though it appears that the aaa commands let the PIX Firewall set security policy, the authentication server actually does the work of deciding which users are authenticated and what services they can access when authentication is permitted.
Example 3-3 shows the command listing for configuring access to services for the network illustrated in Figure 3-2.
Example 3-3 Authentication and Authorization Commands
aaa-server Tacacs+ (inside) host 10.1.1.12 1q2w3e
aaa authentication include ftp inside 192.168.3.0 255.255.255.0 0 0 Tacacs+
aaa authorization include ftp inside 192.168.3.0 255.255.255.0 0 0
aaa authentication include http inside 192.168.3.0 255.255.255.0 0 0 Tacacs+
aaa authorization include http inside 192.168.3.0 255.255.255.0 0 0
aaa authentication include telnet inside 192.168.3.0 255.255.255.0 0 0 Tacacs+
aaa authorization include telnet inside 192.168.3.0 255.255.255.0 0 0
This is the safe way to configure Tacacs on PIX firewalls.
1. Verify that the PIX has a route to the Tacacs server.
2. Verify that the PIX is able to ping the Tacacs server.
3. Verify that the IP of the PIX is configured as an AAA client in the CiscoSecure ACS server, with the correct key.
4. Backup the current config to a TFTP server.
5. When configuring an HA pair of PIXes, console in to both. Test authentication on the secondary PIX and keep the console session to the primary open. If you run into any issues, back out the changes via the session on the primary PIX.
6. When configuring a single PIX, temporarily enable telnet or ssh. Open 2 simultaneous connections: 1 via console and 1 via telnet or ssh. If you run into any issues, back out the changes via the console session.
7. Enter the following commands on the console session in the same order. Keep the telnet session open.
aaa-server tacacs01 protocol tacacs+
aaa-server tacacs01 (interface) host 172.16.1.1 <key> timeout 10
aaa authentication serial console tacacs01
aaa authentication telnet console tacacs01
8. Log out of the secondary PIX or the telnet/ssh session.
9. The PIX should now prompt for a username. Test Tacacs authentication by logging back in with a valid Tacacs account.
10. Disable telnet or ssh if enabled in step 6.
Because the VPN concentrator primarily uses a GUI, I don't usually configure it for Tacacs. You can configure the VPN concentrator to use Tacacs to authenticate management accounts. There are several problems with this, however. One problem is that there is no way to track commands entered via the GUI, i.e. accounting. The second problem is that, unlike with IOS, there is no way to configure local authentication in the event that the Tacacs server is unreachable. I found that if the Tacacs server is unreachable, then you cannot log in to the VPN concentrator until the Tacacs server is reachable again.
[IE-AAA-WP1-D04_CT]
[2004-01-27-01]