Cisco ASA and TACACS+

How to use TACACS+ on Cisco ASA for shell and web authentication

Assume the TACACS+ servers are:

Cisco ACS Server 1 10.120.10.11
Cisco ACS Server 2 10.120.10.12

[sourcecode gutter="false" autolinks="false"]
aaa-server AAA-TACACS+ protocol tacacs+
!
aaa-server AAA-TACACS+ (Management) host 10.120.10.11
key YYYYXXXYYY
!
aaa-server AAA-TACACS+ (Management) host 10.120.10.12
key YYYYXXXYYY
!
! Delete the old local only configuration
no aaa authentication http console LOCAL
no aaa authentication ssh console LOCAL
!
aaa authentication http console AAA-TACACS+ LOCAL
aaa authentication ssh console AAA-TACACS+ LOCAL
aaa authentication enable console AAA-TACACS+ LOCAL
aaa authorization command AAA-TACACS+ LOCAL
!
[/sourcecode]
If you have already configured AAA for SSH, you might see something like:

[sourcecode autolinks="false" gutter="false" highlight="2"]
asa1(config)# aaa authentication ssh console AAA-TACACS+ LOCAL
Range already exists.
[/sourcecode]
Then you must first remove the existing aaa authentication line and then add the new settings:
[sourcecode autolinks="false" gutter="false"]
no aaa authentication ssh console LOCAL
aaa authentication ssh console AAA-TACACS+ LOCAL
[/sourcecode]
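As an added example (not from the original post), a small Python audit that checks an ASA running-config excerpt for the pattern configured above: a tacacs+ server group with two keyed hosts, and http/ssh/enable console authentication pointing at that group with LOCAL kept as the fallback method. The sample config, the placeholder keys and the policy it is checked against are constructed for this example.

```python
import re

# Constructed sample config modelled on the post; the enable line deliberately
# lacks the LOCAL fallback so the audit has something to report.
SAMPLE_CONFIG = """\
aaa-server AAA-TACACS+ protocol tacacs+
aaa-server AAA-TACACS+ (Management) host 10.120.10.11
 key YYYYXXXYYY
aaa-server AAA-TACACS+ (Management) host 10.120.10.12
 key YYYYXXXYYY
aaa authentication http console AAA-TACACS+ LOCAL
aaa authentication ssh console AAA-TACACS+ LOCAL
aaa authentication enable console AAA-TACACS+
aaa authorization command AAA-TACACS+ LOCAL
"""

def parse_server_groups(config):
    """Return {group: {"protocol": str|None, "hosts": {ip: key|None}}}."""
    groups, current = {}, None
    for line in config.splitlines():
        if m := re.match(r"aaa-server (\S+) protocol (\S+)", line):
            groups[m[1]] = {"protocol": m[2], "hosts": {}}
        elif m := re.match(r"aaa-server (\S+) \(\S+\) host (\S+)", line):
            groups.setdefault(m[1], {"protocol": None, "hosts": {}})
            groups[m[1]]["hosts"][m[2]] = None   # key filled in by the next line
            current = (m[1], m[2])
        elif (m := re.match(r"\s*key (\S+)", line)) and current:
            groups[current[0]]["hosts"][current[1]] = m[1]
    return groups

def audit_aaa(config):
    """Return a list of findings; an empty list means the excerpt passes."""
    groups, findings = parse_server_groups(config), []
    for name, g in groups.items():
        if len(g["hosts"]) < 2:
            findings.append(f"{name}: fewer than two servers, no redundancy")
        for ip, key in g["hosts"].items():
            if key is None:
                findings.append(f"{name}: host {ip} has no shared key")
    # Each console service must use a known group and keep LOCAL as fallback,
    # so admins are not locked out when both TACACS+ servers are unreachable.
    for m in re.finditer(r"^aaa authentication (\S+) console (.+)$", config, re.M):
        svc, methods = m[1], m[2].split()
        if methods == ["LOCAL"]:
            findings.append(f"{svc}: LOCAL-only, TACACS+ not used")
        elif methods[0] not in groups:
            findings.append(f"{svc}: unknown server group {methods[0]}")
        elif "LOCAL" not in methods:
            findings.append(f"{svc}: no LOCAL fallback if TACACS+ is unreachable")
    return findings
```

Run `audit_aaa(SAMPLE_CONFIG)` against a `show running-config aaa` excerpt; the sample above reports only the missing LOCAL fallback on the enable line.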

If you feel this helps a bit, or maybe not, please leave a comment.
