TACACS Server Authentication

IPv4 Address Configuration

This section shows how a TACACS+ server is configured with an IPv4 address. The device sends authentication messages to the TACACS+ server over IPv4.

Topology

Figure 5 shows the sample configuration of the TACACS+ server.

Figure 5. TACACS Server Host Configuration

Authenticating Client

#configure terminal

Enter configure mode.

(config)#feature tacacs+ vrf management

Enable the TACACS+ feature for the management VRF.

(config)#feature tacacs+

Enable the TACACS+ feature for the default VRF.

(config)#tacacs-server login key 0 testing101 vrf management

Specify the global key for TACACS+ servers in the management VRF that are not configured with their own keys. This key must match the one in the TACACS+ server's configuration file.

(config)#tacacs-server login key 0 testing101

Specify the global key for TACACS+ servers in the default VRF that are not configured with their own keys. This key must match the one in the TACACS+ server's configuration file.

(config)#tacacs-server login host 10.16.19.2 vrf management seq-num 1 key 0 testing123

Specify the TACACS+ server IPv4 address with its shared key for the management VRF. The same key must be present in the server's configuration file.

(config)#tacacs-server login host 10.16.19.2 seq-num 3 key 0 testing123

Specify the TACACS+ server IPv4 address with its shared (per-host) key for the default VRF. The same key must be present in the server's configuration file.

(config)#tacacs-server login host 10.12.30.86 vrf management seq-num 4 port 1045

Specify the TACACS+ server IPv4 address with a sequence number and port number for the management VRF. The TACACS+ server must be started on the same port number.

(config)#tacacs-server login host 10.12.30.86 seq-num 2 port 1045

Specify the TACACS+ server IPv4 address with a sequence number and port number for the default VRF. The TACACS+ server must be started on the same port number.

(config)#tacacs-server login host 10.12.17.11 vrf management seq-num 8 key 7 65535 port 65535

Specify the TACACS+ server IPv4 address with a sequence number, key and port number for the management VRF. The TACACS+ server must be started on the same port number.

(config)#tacacs-server login host 10.12.17.11 seq-num 8 key 7 65535 port 65535

Specify the TACACS+ server IPv4 address with a sequence number, key and port number for the default VRF. The TACACS+ server must be started on the same port number.

(config)#tacacs-server login host Tacacs-Server-1 vrf management seq-num 7 key 7 65535 port 65535

Specify the TACACS+ server by host name, with a sequence number, key and port number, for the management VRF. The TACACS+ server must be started on the same port number.

(config)#tacacs-server login host Tacacs-Server-1 seq-num 7 key 7 65535 port 65535

Specify the TACACS+ server by host name, with a sequence number, key and port number, for the default VRF. The TACACS+ server must be started on the same port number.

(config)#aaa authentication login default vrf management group tacacs+

Enable login authentication against the TACACS+ servers configured for the management VRF. Authorization is also enabled by default.

(config)#aaa authentication login default group tacacs+

Enable login authentication against the TACACS+ servers configured for the default VRF. Authorization is also enabled by default.

(config)#aaa authentication login default vrf management group tacacs+ local

Enable login authentication against TACACS+ with fallback to the local user database, for the management VRF. Authorization is also enabled by default.

(config)#aaa authentication login default vrf management group tacacs+ local none

Enable login authentication against TACACS+ with fallback to the local user database and then to none, for the management VRF. Authorization is also enabled by default.

(config)#aaa authentication login default vrf management group tacacs+ none

Enable login authentication against TACACS+ with fallback to none, for the management VRF. Authorization is also enabled by default.

(config)#aaa authentication login default group tacacs+ none

Enable login authentication against TACACS+ with fallback to none, for the default VRF. Authorization is also enabled by default.

(config)#aaa group server tacacs+ G1 vrf management

Create AAA server group G1 for the management VRF.

(config-tacacs)#server 10.12.30.86 vrf management

Make the TACACS+ server 10.12.30.86 a member of group G1 for the management VRF.

(config-tacacs)#server Tacacs-Server-1

Make the TACACS+ server Tacacs-Server-1 a member of group G1 for the management VRF.

(config-tacacs)#exit

Exit TACACS+ configuration mode.

(config)#commit

Commit the configuration

(config)#aaa group server tacacs+ G1

Create AAA server group G1 for the default VRF.

(config-tacacs)#server 10.12.30.86

Make the TACACS+ server 10.12.30.86 a member of group G1 for the default VRF.

(config-tacacs)#server Tacacs-Server-1

Make the TACACS+ server Tacacs-Server-1 a member of group G1 for the default VRF.

(config-tacacs)#exit

Exit TACACS+ configuration mode.

(config)#commit

Commit the configuration

(config)#aaa authentication login default vrf management group G1

Use TACACS+ group G1 as the AAA login authentication method for the management VRF.

(config)#aaa authentication login default group G1

Use TACACS+ group G1 as the AAA login authentication method for the default VRF.

(config)#commit

Commit the configuration
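The commands above leave two things for an operator to verify by hand: which key a given server actually ends up using (a per-host key overrides the global key of its VRF, and a server with neither has no shared secret at all), and whether a login method list falls back to none, which lets a login succeed with no authentication once the servers are unreachable. The following audit, written as an added example for this page and not part of the vendor's own tooling, reads tacacs-server and aaa lines in the form shown above and reports both conditions. The sample configuration is constructed from this section's commands with the default-VRF global key deliberately omitted so that one host is reported.

```python
# Constructed sample in running-config form, taken from the commands in this
# section. The default-VRF global key ("tacacs-server login key 0 ...") is
# deliberately left out so that the audit has a host to report.
SAMPLE_CONFIG = """\
tacacs-server login key 0 testing101 vrf management
tacacs-server login host 10.16.19.2 vrf management seq-num 1 key 0 testing123
tacacs-server login host 10.12.30.86 vrf management seq-num 4 port 1045
tacacs-server login host 10.12.30.86 seq-num 2 port 1045
tacacs-server login host 10.12.17.11 seq-num 8 key 7 65535 port 65535
aaa authentication login default vrf management group tacacs+ local
aaa authentication login default group tacacs+ none
"""


def parse_host(tokens):
    """tokens are the words after 'tacacs-server login host'."""
    entry = {"host": tokens[0], "vrf": "default", "seq": None,
             "key": None, "port": 49}  # 49 is the standard TACACS+ port
    i = 1
    while i < len(tokens):
        word = tokens[i]
        if word == "vrf":
            entry["vrf"] = tokens[i + 1]; i += 2
        elif word == "seq-num":
            entry["seq"] = int(tokens[i + 1]); i += 2
        elif word == "port":
            entry["port"] = int(tokens[i + 1]); i += 2
        elif word == "key":                  # key <0|7> <value>
            entry["key"] = tokens[i + 2]; i += 3
        else:
            i += 1
    return entry


def audit(config_text):
    """Return findings: hosts with no effective key, method lists with 'none'."""
    global_keys, hosts, findings = {}, [], []
    for line in config_text.splitlines():
        tok = line.split()
        if tok[:3] == ["tacacs-server", "login", "key"]:
            vrf = tok[tok.index("vrf") + 1] if "vrf" in tok else "default"
            global_keys[vrf] = tok[4]
        elif tok[:3] == ["tacacs-server", "login", "host"]:
            hosts.append(parse_host(tok[3:]))
        elif tok[:4] == ["aaa", "authentication", "login", "default"]:
            vrf = tok[tok.index("vrf") + 1] if "vrf" in tok else "default"
            methods = tok[tok.index("group") + 1:]   # group name, then fallbacks
            if "none" in methods:
                findings.append(f"{vrf}: login method list {methods} includes "
                                "'none' (login without authentication if servers are down)")
    for h in hosts:
        key = h["key"] or global_keys.get(h["vrf"])   # per-host key wins
        if key is None:
            findings.append(f"{h['vrf']}: host {h['host']} (seq {h['seq']}, port "
                            f"{h['port']}) has no per-host key and no global key")
    return findings
```

Running audit(SAMPLE_CONFIG) reports the default-VRF entry for 10.12.30.86 and the default-VRF method list that ends in none; the management-VRF entries pass because the global management key covers them.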

Users are mapped as shown in Table 9:

Table 9. Role/privilege level mapping

Role                    Privilege level
Network administrator   15
Network engineer        14
Network operator        1 to 12
RBAC-customized-role    13
Network user            0 or any other value (>15, negative, or any character)

Validation

Leaf1#show tacacs-server vrf management
        VRF: management
total number of servers:4
 
Tacacs+ Server                 : 10.16.19.2/49
           Sequence Number     : 1
      Failed Auth Attempts     : 0
     Success Auth Attempts     : 0
   Failed Connect Attempts     : 0
 Last Successful authentication:
 
Tacacs+ Server                 : 10.12.30.86/1045
           Sequence Number     : 2
      Failed Auth Attempts     : 0
     Success Auth Attempts     : 0
   Failed Connect Attempts     : 0
 Last Successful authentication:
 
Tacacs+ Server                 : Tacacs-Server-1/65535
           Sequence Number     : 7
      Failed Auth Attempts     : 0
     Success Auth Attempts     : 0
   Failed Connect Attempts     : 0
 Last Successful authentication:
 
Tacacs+ Server                 : 10.12.17.11/65535
           Sequence Number     : 8
      Failed Auth Attempts     : 0
     Success Auth Attempts     : 0
   Failed Connect Attempts     : 0
 Last Successful authentication:
 
Leaf1#show tacacs-server
        VRF: default
total number of servers:4
 
Tacacs+ Server                 : 10.16.19.2/49
           Sequence Number     : 1
      Failed Auth Attempts     : 0
     Success Auth Attempts     : 0
   Failed Connect Attempts     : 0
 Last Successful authentication:
 
Tacacs+ Server                 : 10.12.30.86/1045
           Sequence Number     : 2
      Failed Auth Attempts     : 0
     Success Auth Attempts     : 0
   Failed Connect Attempts     : 0
 Last Successful authentication:
 
Tacacs+ Server                 : Tacacs-Server-1/65535
           Sequence Number     : 7
      Failed Auth Attempts     : 0
     Success Auth Attempts     : 0
   Failed Connect Attempts     : 0
 Last Successful authentication:
 
Tacacs+ Server                 : 10.12.17.11/65535
           Sequence Number     : 8
      Failed Auth Attempts     : 0
     Success Auth Attempts     : 0
   Failed Connect Attempts     : 0
 Last Successful authentication:
 
(*) indicates last active.
 
#show tacacs-server vrf all
        VRF: management
total number of servers:2
Tacacs+ Server                 : Tacacs-Server-1/65535(*)
           Sequence Number     : 7
      Failed Auth Attempts     : 0
     Success Auth Attempts     : 1
   Failed Connect Attempts     : 0
 Last Successful authentication: 2018 October 30, 10:10:22
 
Tacacs+ Server                 : 10.12.17.11/65535
           Sequence Number     : 8
      Failed Auth Attempts     : 0
     Success Auth Attempts     : 0
   Failed Connect Attempts     : 0
 Last Successful authentication:
 
 
        VRF: default
total number of servers:2
 
Tacacs+ Server                 : Tacacs-Server-1/2222
           Sequence Number     : 7
      Failed Auth Attempts     : 0
     Success Auth Attempts     : 0
   Failed Connect Attempts     : 0
 Last Successful authentication:
 
Tacacs+ Server                 : 100.0.0.1/2222
           Sequence Number     : 8
      Failed Auth Attempts     : 0
     Success Auth Attempts     : 0
   Failed Connect Attempts     : 0
 Last Successful authentication:
 
 
(*) indicates last active.
 
#show tacacs-server
        VRF: default
total number of servers:2
 
Tacacs+ Server                 : Tacacs-Server-1/2222
           Sequence Number     : 7
      Failed Auth Attempts     : 0
     Success Auth Attempts     : 0
   Failed Connect Attempts     : 0
 Last Successful authentication:
 
Tacacs+ Server                 : 100.0.0.1/2222
           Sequence Number     : 8
      Failed Auth Attempts     : 0
     Success Auth Attempts     : 0
   Failed Connect Attempts     : 0
 Last Successful authentication:
 
(*) indicates last active.
 
#show tacacs-server vrf management groups G1
        VRF: management
 
        group G1:
                server Tacacs-Server-1:
                seq-num 7
                port is 65535
                key is ********
 
                server 10.12.17.11:
                seq-num 8
                port is 65535
                key is ********
 
#show tacacs-server vrf all groups G1
        VRF: management
 
        group G1:
                server Tacacs-Server-1:
                seq-num 7
                port is 65535
                key is ********
 
                server 10.12.17.11:
                seq-num 8
                port is 65535
                key is ********
 
 
        VRF: default
 
        group G1:
                server Tacacs-Server-1:
                seq-num 7
                port is 2222
                key is ********
 
                server 100.0.0.1:
                seq-num 8
                port is 2222
                key is ********
 
#show tacacs-server groups G1
        VRF: default
group G1:
                server Tacacs-Server-1:
                seq-num 7
                port is 2222
                key is ********
 
                server 100.0.0.1:
                seq-num 8
                port is 2222
                key is ********
#show tacacs vrf management
        VRF: management
total number of servers:2
 
Tacacs+ Server                 : Tacacs-Server-1/65535(*)
           Sequence Number     : 7
      Failed Auth Attempts     : 0
     Success Auth Attempts     : 1
   Failed Connect Attempts     : 0
 Last Successful authentication: 2018 October 30, 10:10:22
 
Tacacs+ Server                 : 10.12.17.11/65535
           Sequence Number     : 8
      Failed Auth Attempts     : 0
     Success Auth Attempts     : 0
   Failed Connect Attempts     : 0
 Last Successful authentication:
 
(*) indicates last active.
 
#show tacacs vrf all
        VRF: management
total number of servers:2
 
Tacacs+ Server                 : Tacacs-Server-1/65535(*)
           Sequence Number     : 7
      Failed Auth Attempts     : 0
     Success Auth Attempts     : 1
   Failed Connect Attempts     : 0
 Last Successful authentication: 2018 October 30, 10:10:22
 
Tacacs+ Server                 : 10.12.17.11/65535
           Sequence Number     : 8
      Failed Auth Attempts     : 0
     Success Auth Attempts     : 0
   Failed Connect Attempts     : 0
 Last Successful authentication:
 
 
        VRF: default
total number of servers:2
 
Tacacs+ Server                 : Tacacs-Server-1/2222(*)
           Sequence Number     : 7
      Failed Auth Attempts     : 0
     Success Auth Attempts     : 1
   Failed Connect Attempts     : 0
 Last Successful authentication: 2018 October 30, 10:32:52
 
Tacacs+ Server                 : 100.0.0.1/2222
           Sequence Number     : 8
      Failed Auth Attempts     : 0
     Success Auth Attempts     : 0
   Failed Connect Attempts     : 0
 Last Successful authentication:
 
 
(*) indicates last active.
 
#show tacacs
        VRF: default
total number of servers:2
 
Tacacs+ Server                 : Tacacs-Server-1/2222(*)
           Sequence Number     : 7
      Failed Auth Attempts     : 0
     Success Auth Attempts     : 1
   Failed Connect Attempts     : 0
 Last Successful authentication: 2018 October 30, 10:32:52
 
Tacacs+ Server                 : 100.0.0.1/2222
           Sequence Number     : 8
      Failed Auth Attempts     : 0
     Success Auth Attempts     : 0
   Failed Connect Attempts     : 0
 Last Successful authentication:
 
(*) indicates last active.
 
#show aaa authentication vrf management
                VRF: management
  default: group G1
  console: local
 
#show aaa authentication vrf all
                VRF: management
  default: group G1
  console: local
 
                VRF: default
  default: group tacacs+
  console: local
 
#show aaa authentication
                VRF: default
  default: group tacacs+
  console: local
 
# show aaa groups vrf management
                VRF: management
radius
tacacs+
G1
 
# show aaa groups vrf all
                VRF: management
radius
tacacs+
G1
 
                VRF: default
radius
tacacs+
G1
 
#show aaa groups
                VRF: default
radius
tacacs+
G1
 
#show running-config tacacs+
feature tacacs+ vrf management
tacacs-server login host Tacacs-Server-1 vrf management seq-num 7 key 7 65535 port 65535
tacacs-server login host 10.12.17.11 vrf management seq-num 8 key 7 65535 port 65535
 
feature tacacs+
tacacs-server login host Tacacs-Server-1 seq-num 7 key 7 65535 port 2222
tacacs-server login host 100.0.0.1 seq-num 8 key 7 65535 port 2222
 
#show running-config aaa
aaa authentication login default vrf management group G1
aaa group server tacacs+ G1 vrf management
    server Tacacs-Server-1 vrf management
    server 10.12.17.11 vrf management
 
aaa authentication login default group tacacs+
aaa group server tacacs+ G1
    server Tacacs-Server-1
    server 100.0.0.1
 
#show running-config aaa all
aaa authentication login default vrf management group G1
aaa authentication login console local
aaa accounting default vrf management local
no aaa authentication login default fallback error local vrf management
no aaa authentication login console fallback error local
no aaa authentication login error-enable vrf management
aaa local authentication attempts max-fail 3
aaa local authentication unlock-timeout 1200
aaa group server tacacs+ G1 vrf management
    server Tacacs-Server-1 vrf management
    server 10.12.17.11 vrf management
 
aaa authentication login default group tacacs+
aaa authentication login console local
aaa accounting default local
no aaa authentication login default fallback error local
no aaa authentication login console fallback error local
no aaa authentication login error-enable
aaa local authentication attempts max-fail 3
aaa local authentication unlock-timeout 1200
aaa group server tacacs+ G1
    server Tacacs-Server-1
    server 100.0.0.1
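The show tacacs-server / show tacacs output in the Validation section above is what an operator reads to tell whether a server is reachable and whether the shared key works: Failed Connect Attempts grows when the port or address is wrong, Failed Auth Attempts with no successes points at a key mismatch, and (*) marks the server that handled the last login. The parser below, an added example for this page rather than vendor code, turns that output into per-VRF records and flags those conditions. The sample is constructed from the output above, with the second server's counters changed so that the check has something to report.

```python
import re

# Constructed sample modelled on the "show tacacs vrf all" output above; the
# second server's counters were changed (3 failed auths, 2 failed connects).
SAMPLE_OUTPUT = """\
        VRF: management
total number of servers:2
Tacacs+ Server                 : Tacacs-Server-1/65535(*)
           Sequence Number     : 7
      Failed Auth Attempts     : 0
     Success Auth Attempts     : 1
   Failed Connect Attempts     : 0
 Last Successful authentication: 2018 October 30, 10:10:22
Tacacs+ Server                 : 10.12.17.11/65535
           Sequence Number     : 8
      Failed Auth Attempts     : 3
     Success Auth Attempts     : 0
   Failed Connect Attempts     : 2
 Last Successful authentication:
"""

SERVER_RE = re.compile(r"^Tacacs\+ Server\s*:\s*(\S+?)/(\d+)(\(\*\))?$")


def parse_show_tacacs(text):
    """Return {vrf: [server dicts]} from 'show tacacs[-server] [vrf ...]' output."""
    result, vrf, cur = {}, None, None
    for raw in text.splitlines():
        line = raw.strip()
        if line.startswith("VRF:"):                 # new VRF section
            vrf, cur = line.split(":", 1)[1].strip(), None
            result[vrf] = []
        elif (m := SERVER_RE.match(line)):          # new server block
            cur = {"server": m.group(1), "port": int(m.group(2)), "active": m.group(3) is not None}
            result[vrf].append(cur)
        elif ":" in line and cur is not None:       # counter or timestamp line
            label, value = (p.strip() for p in line.split(":", 1))
            cur[label] = int(value) if value.isdigit() else (value or None)
    return result


def health(parsed):
    """Flag VRFs with no active server and servers with connect/auth failures."""
    out = []
    for vrf, servers in parsed.items():
        if not any(s["active"] for s in servers):
            out.append(f"{vrf}: no server has handled a login yet")
        for s in servers:
            name = f"{vrf}: {s['server']}/{s['port']}"
            if s["Failed Connect Attempts"]:
                out.append(f"{name} unreachable {s['Failed Connect Attempts']} times (check address/port)")
            if s["Failed Auth Attempts"] and not s["Success Auth Attempts"]:
                out.append(f"{name} has only failed authentications (check shared key)")
    return out
```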