Category Archives: Tacacs+

Cisco ASA and Tacacs+

How to use Tacacs+ on Cisco ASA for Shell and Web Authentication

Assume the Tacacs+ Servers are:

Cisco ACS Server 1 10.120.10.11
Cisco ACS Server 2 10.120.10.12

[sourcecode gutter="false" autolinks="false"]
aaa-server AAA-TACACS+ protocol tacacs+
!
aaa-server AAA-TACACS+ (Management) host 10.120.10.11
key YYYYXXXYYY
!
aaa-server AAA-TACACS+ (Management) host 10.120.10.12
key YYYYXXXYYY
!
! Delete the old local only configuration
no aaa authentication http console LOCAL
no aaa authentication ssh console LOCAL
!
aaa authentication http console AAA-TACACS+ LOCAL
aaa authentication ssh console AAA-TACACS+ LOCAL
aaa authentication enable console AAA-TACACS+ LOCAL
aaa authorization command AAA-TACACS+ LOCAL
!
[/sourcecode]
If you have already configured aaa for SSH you might see something like:

[sourcecode autolinks="false" gutter="false" highlight="2"]
asa1(config)# aaa authentication ssh console AAA-TACACS+ LOCAL
Range already exists.
[/sourcecode]
Then you must first disable the existing aaa authentication and then add the new settings.
[sourcecode autolinks="false" gutter="false"]
no aaa authentication ssh console LOCAL
aaa authentication ssh console AAA-TACACS+ LOCAL
[/sourcecode]

If you feel this helps a bit, or maybe not? Please leave a comment.

Cisco MDS 9222i with ACS

If you want to configure tacacs+ on the Cisco MDS 9222i series you have to enable the feature first.
[sourcecode autolinks="false" gutter="false"]
feature tacacs+
[/sourcecode]

After this the commands to configure the Tacacs+ are available.
[sourcecode autolinks="false" gutter="false"]
feature tacacs+
!
tacacs+ distribute
tacacs-server timeout 10
tacacs-server host 10.0.243.247 key 0 secretkey
tacacs-server host 10.0.243.248 key 0 secretkey
tacacs+ commit
!
aaa group server tacacs+ AAA-Servers
server 10.0.243.247
server 10.0.243.248
deadtime 5
!
aaa authentication login default group AAA-Servers
aaa authentication login console local
aaa authentication login error-enable
!
ip route 10.0.243.247 255.255.255.255 10.0.160.1 interface mgmt0
ip route 10.0.243.248 255.255.255.255 10.0.160.1 interface mgmt0
!
interface mgmt0
ip address 10.0.160.99 255.255.255.0
switchport description Management
switchport speed 100
[/sourcecode]
On the ACS side you have to configure the shell profile with the following role:
[sourcecode autolinks="false" gutter="false"]
shell:roles="network-admin"
[/sourcecode]
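Both the ASA and the MDS configurations above share the same lockout risk: if the TACACS+ servers are unreachable and the method lists have no local fallback, or a server host is referenced without a key, you can lose management access to the box. The following Python script is an added example (not code from the original posts or from Cisco) that reads the two config styles from plain text and reports those mistakes before the config is applied. The sample configs are constructed, modelled on the snippets in the posts, and each contains one deliberate error so the checks have something to report; the checks for NX-OS infer group membership from line order rather than indentation, so the unindented listing in the post parses as well.

```python
import re

# Constructed sample configs, modelled on the ASA and MDS snippets in the posts;
# each has a deliberate mistake so the checks have something to report.
ASA_CONFIG = """\
aaa-server AAA-TACACS+ protocol tacacs+
aaa-server AAA-TACACS+ (Management) host 10.120.10.11
 key YYYYXXXYYY
aaa-server AAA-TACACS+ (Management) host 10.120.10.12
aaa authentication http console AAA-TACACS+ LOCAL
aaa authentication ssh console AAA-TACACS+
aaa authentication enable console AAA-TACACS+ LOCAL
aaa authorization command AAA-TACACS+ LOCAL
"""

MDS_CONFIG = """\
feature tacacs+
tacacs-server host 10.0.243.247 key 0 secretkey
aaa group server tacacs+ AAA-Servers
  server 10.0.243.247
  server 10.0.243.248
  deadtime 5
aaa authentication login default group AAA-Servers
aaa authentication login error-enable
"""


def check_asa(cfg):
    """Findings for an ASA-style AAA config: every TACACS+ host needs a key,
    and every method list that uses a TACACS+ group needs a LOCAL fallback."""
    findings = []
    groups = set()
    hosts = {}      # (group, ip) -> True once a 'key' line follows the host
    current = None  # host that a following 'key' line belongs to
    for raw in cfg.splitlines():
        s = raw.strip()
        if s.startswith("key ") and current:
            hosts[current] = True
            continue
        current = None
        m = re.match(r"aaa-server (\S+) protocol tacacs\+$", s)
        if m:
            groups.add(m.group(1))
            continue
        m = re.match(r"aaa-server (\S+) \(\S+\) host (\S+)$", s)
        if m:
            current = (m.group(1), m.group(2))
            hosts[current] = False
            continue
        m = re.match(r"aaa (authentication \S+ console|authorization command) (.+)$", s)
        if m:
            methods = m.group(2).split()
            for name in methods:
                if name != "LOCAL" and name not in groups:
                    findings.append(f"aaa {m.group(1)}: unknown server group {name}")
            if any(n in groups for n in methods) and "LOCAL" not in methods:
                findings.append(f"aaa {m.group(1)}: no LOCAL fallback")
    for (group, ip), has_key in hosts.items():
        if not has_key:
            findings.append(f"aaa-server {group} host {ip}: no key configured")
    return findings


def check_mds(cfg):
    """Findings for an MDS/NX-OS style config: the feature must be enabled,
    every server in an aaa group needs a tacacs-server host entry, the default
    login list must name a defined group, and console login should be local."""
    findings = []
    feature = False
    defined = set()       # IPs that have a 'tacacs-server host' entry
    groups = {}           # group name -> list of server IPs
    default_groups = []
    console_local = False
    current = None        # group that following 'server' lines belong to
    for raw in cfg.splitlines():
        s = raw.strip()
        if s == "feature tacacs+":
            feature = True
        elif s.startswith("tacacs-server host "):
            defined.add(s.split()[2])
        elif s.startswith("aaa group server tacacs+ "):
            current = s.split()[4]
            groups[current] = []
        elif s.startswith("server ") and current:
            groups[current].append(s.split()[1])
        elif s.startswith("aaa authentication login default group "):
            default_groups = s.split()[5:]
        elif s == "aaa authentication login console local":
            console_local = True
    if not feature:
        findings.append("feature tacacs+ is not enabled")
    for name, servers in groups.items():
        for ip in servers:
            if ip not in defined:
                findings.append(f"aaa group server {name}: server {ip} has no tacacs-server host entry")
    for name in default_groups:
        if name not in groups:
            findings.append(f"aaa authentication login default: unknown group {name}")
    if not console_local:
        findings.append("aaa authentication login console is not set to local")
    return findings


if __name__ == "__main__":
    for label, result in (("ASA", check_asa(ASA_CONFIG)), ("MDS", check_mds(MDS_CONFIG))):
        print(label, "findings:", *result, sep="\n  ")
```

Run it against a copy of the running config before you paste the new aaa lines: an empty list for both functions means the method lists all fall back to the local database and every referenced server is fully defined.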
If you feel this helps a bit, or maybe not? Please leave a comment.

Cisco WAAS and Tacacs+

How to use Tacacs+ with Cisco WAAS for authentication.

Configuration with the Central Manager

Tacacs+ is configured in the Device Context at Configure > Security > AAA > TACACS+.
Then go to Configure > Security > AAA > Authentication Methods.
Then go to Configure > Security > AAA > Command Authorization.
On the Accelerator CLI:
[sourcecode autolinks="false" gutter="false"]
tacacs key ****
tacacs host 10.0.243.247 primary
tacacs host 10.0.243.248
tacacs key ****
authentication login local enable secondary
authentication login tacacs enable primary
authentication configuration local enable secondary
authentication configuration tacacs enable primary
authentication fail-over server-unreachable
aaa authorization commands 15 default tacacs+
[/sourcecode]

On the ACS you have to add the following attribute to the profile:
For the Central Manager to work as well, you have to create a group "admin" and assign it the role admin under Admin > AAA > User Groups.
If you feel this helps a bit, or maybe not? Please leave a comment.