
TACACS+ and Cisco ACS 1


nix45 (MIS) | Joined: Nov 21, 2002 | Messages: 478 | Location: US
I'm running Cisco ACS v3.1 on a Win2K Server. We have about 50 routers here ranging from 1700s to 3700s. I've never used TACACS+ before, but I hear that you can use it to have the routers authenticate against the ACS server when you're entering the telnet and enable passwords. The reason we want to use this is so that we can change all of the passwords on all of the routers at once. Are there any docs on setting this up with ACS Server?

So far, all I've done is create an AAA client on the ACS server for a single router to test it out. I assigned it TACACS+ for authentication and gave it a key (shared secret).

Thanks,
Chris
 
ACS is strictly for authentication. You cannot (from my knowledge) use ACS to change the passwords on your routers. You'd need Cisco Works for that.

"I can picture a world without war. A world without hate. A world without fear. And I can picture us attacking that world, because they'd never expect it."
- Jack Handey, Deep Thoughts
 
Authentication is what I'm looking for. When you telnet to a router, I want it to pass the request off to the TACACS+ (Cisco ACS) server for authentication.

When I said that I want to be able to change the passwords on the routers at once, I meant that I can change the admin password on the ACS server, which would effectively change the password that all of the routers use since all requests are sent to the TACACS+ server. Sorry for the confusion.

Chris
 
TACACS+ uses "user groups" and "users" and when logging into your routers/switches, if configured properly they will query the ACS server and allow "users" who have been set up on the ACS server to log into these devices. Changing the admin password on the ACS server will not change the passwords on the routers/switches.

It would only change the password for the admin who has to administer the server. Now you can configure the server to force users to change their passwords when they log into the routers/switches. If you want to keep up with a security profile or something.

I just wanted to make sure that you're getting what you want.

 
"TACACS+ uses "user groups" and "users" and when logging into your routers/switches, if configured properly they will query the ACS server and allow "users" who have been set up on the ACS server to log into these devices." --> this was what I was trying to say in the last post. How do you set this up on the routers and the ACS server?

Thanks,
Chris
 
...I followed the instructions in this doc...


We have an ACS Server and a VPN Concentrator 3000 already in place, so I used the VPN Concentrator just to test the settings on the ACS server and it worked okay. All I need now is the commands to get TACACS+ working on our routers and switches.

Thanks,
Chris
 
You need to point your routers to the TACACS+ server first:

config t
tacacs-server host 10.X.X.X (primary ACS server)
tacacs-server host 10.X.X.X (secondary ACS server)
tacacs-server key (your key here)
!
aaa new-model
aaa authentication login default group tacacs+ local
aaa authorization exec default group tacacs+ local if-authenticated
aaa authorization commands 1 default group tacacs+ if-authenticated
aaa authorization commands 5 default if-authenticated
aaa authorization commands 15 default group tacacs+ if-authenticated
aaa authorization network default group tacacs+
aaa accounting exec default start-stop group tacacs+
aaa accounting network default start-stop group tacacs+

This is the configuration we use on our routers. As you can see we have different privilege levels. If it's set up right, you won't be able to save your configuration until you log out of the router and then back in with your TACACS+ login.

I'll post the switches next



 
All Cat OS Switches must contain the following commands:

set tacacs server 10.X.X.X primary
set tacacs server 10.X.X.X
set tacacs key (enter your key here)

set authentication login tacacs enable console primary
set authentication login tacacs enable telnet primary
set authorization commands enable all tacacs+ if-authenticated console
set authorization commands enable all tacacs+ if-authenticated telnet
set authorization exec enable tacacs+ none console
set authorization exec enable tacacs+ none telnet

This should allow you to use TACACS+ on all your CatOS based switches. Your IOS switches should be set up like the routers of course.

You should check this before applying these commands over the wire. Nothing's worse than applying these commands and getting locked out of your own equipment. Make sure your CatOS can support TACACS+ commands too. I know that 6-2-2 and higher are good.

 
Thanks. It's prompting me for the username/pw when I telnet to the router (like it should), but I can't authenticate with the username/pw that I set up in the ACS server. Are you using ACS?

Also, let's say that the ACS server goes down. Can I make the console password not use TACACS+ so that I have a backdoor in?

Thanks,
Chris
 
Ok, 2nd question first. You need to set up a username and password to get into the routers. On the switches, it doesn't matter, you can use any username and then use the local password and it will let you in. Here is the command for the routers:

config t
username (your username) password (your password)
end

That's it, all one line.

Now the 1st question. If you have ACS running and configured properly, you should be able to use the command outputs that I posted above. You have to set up a group that has level 15 privileges on the server. Make sure it's set up correctly and you should be off and running.

 
If I supply a username/password on the router itself, what is the point in using TACACS+? I thought the whole point was so that you can use an external database of usernames that aren't on the router?

Chris
 
fyi, adding the "username user password pass" on the router did allow me to telnet in, but I'm looking for a way to use the username on the TACACS+ server for this. What if I removed the "local" here...

aaa authentication login default group tacacs+ local

Thanks,
Chris
 
The username and password that are on the router shouldn't be used if the TACACS+ server is up and ACS is running...and you have the router AAA commands & key in the configuration.

Ok what I'm saying is this. When configured for TACACS+ the router will not allow the username and password stored locally to be used. You should only be able to use those if your access to the TACACS server is unavailable from the router. (Router can see ACS server, you can then use the local username and password)

I think that if you're having an issue, it's on the server side.

Tell me how your group settings for the username you're using on ACS are set up.

 
In ACS...

I have a user called "ciscoadmin" and a password of "cisco". The ciscoadmin user is in a group called "TACACS". The TACACS group, under "TACACS+ Settings", has "Shell (exec)" and "Privilege Level 15" checked off.

Under "Network Configuration"...

I added an AAA Client called "cisco1710" with...

IP address = 192.0.31.1
Shared secret = cisco
Authenticate Using = TACACS+ (Cisco IOS)

I also have an AAA Server called "myserver"...

IP address = 192.0.1.47
shared secret = cisco
AAA Server Type = CiscoSecure ACS
Traffic Type = inbound/outbound


Thanks,
Chris
 
Looks good so far...

You are getting prompted for the username & pass, but they don't work right?

Let me see if I can find a link that will give you the information you need. I'll get back to you.

 
Only the local username/pass that I entered on the router work.

Thanks,
Chris
 
Can you post the configuration of your 1700?

 
Here's a "show conf" and a "show version"...

Using 1365 out of 29688 bytes
!
version 12.2
service timestamps debug uptime
service timestamps log uptime
no service password-encryption
!
hostname cis1710ny1
!
aaa new-model
!
!
aaa authentication login default group tacacs+ local
aaa authorization exec default group tacacs+ local if-authenticated
aaa authorization commands 15 default group tacacs+ if-authenticated
aaa authorization network default group tacacs+
aaa accounting exec default start-stop group tacacs+
aaa accounting network default start-stop group tacacs+
aaa session-id common
enable secret 5 $1$pP0H$Y8SgTogGmDIDkSuJOyfSO.
enable password cisco
!
username cisco password 0 cisco
memory-size iomem 25
ip subnet-zero
!
!
!
ip audit notify log
ip audit po max-events 100
ip ssh time-out 120
ip ssh authentication-retries 3
!
!
!
!
interface Ethernet0
description Ghosting Network
ip address 192.0.31.1 255.255.255.0
full-duplex
!
interface FastEthernet0
description LAN
ip address 192.0.1.43 255.255.255.0
speed auto
full-duplex
!
router eigrp 1
network 192.0.1.0
network 192.0.31.0
auto-summary
no eigrp log-neighbor-changes
!
ip classless
ip route 0.0.0.0 0.0.0.0 192.0.1.21
no ip http server
ip pim bidir-enable
!
!
!
tacacs-server host 192.0.1.47
tacacs-server key letmein
!
line con 0
exec-timeout 0 0
line aux 0
line vty 0 4
exec-timeout 0 0
password letmein
line vty 5 15
exec-timeout 0 0
!
no scheduler allocate
end





cis1710ny1#show version
Cisco Internetwork Operating System Software
IOS (tm) C1700 Software (C1710-K9O3SY-M), Version 12.2(4)YA2, EARLY DEPLOYMENT RELEASE SOFTWARE (fc1)
Synched to technology version 12.2(5.4)T
TAC Support: Copyright (c) 1986-2002 by cisco Systems, Inc.
Compiled Thu 11-Apr-02 22:18 by ealyon
Image text-base: 0x80008124, data-base: 0x80BED550

ROM: System Bootstrap, Version 12.2(1r)XE1, RELEASE SOFTWARE (fc1)
ROM: C1700 Software (C1710-K9O3SY-M), Version 12.2(4)YA2, EARLY DEPLOYMENT RELEASE SOFTWARE (fc1)

cis1710ny1 uptime is 2 days, 18 hours, 29 minutes
System returned to ROM by power-on
System image file is "flash:c1710-k9o3sy-mz.122-4.YA2.bin"

cisco 1710 (MPC855T) processor (revision 0x200) with 49152K/16384K bytes of memory.
Processor board ID JAD064204UB (2637304223), with hardware revision 0000
MPC855T processor: part number 5, mask 2
Bridging software.
X.25 software, Version 3.0.0.
1 Ethernet/IEEE 802.3 interface(s)
1 FastEthernet/IEEE 802.3 interface(s)
1 Virtual Private Network (VPN) Module(s)
32K bytes of non-volatile configuration memory.
16384K bytes of processor board System flash (Read/Write)

Configuration register is 0x2102
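One thing worth comparing in the output above against the ACS entries posted earlier: the router has `tacacs-server key letmein`, while the AAA client "cisco1710" in ACS was entered with `Shared secret = cisco`. TACACS+ does not send the key; each side XORs the packet body with an MD5 keystream derived from the key (RFC 8907, section 4.5), so a mismatch simply produces an undecodable body on the receiving side. The added example below, written for this thread and not taken from Cisco or ACS code, implements that obfuscation and the sanity check a receiver can apply to an authentication START body to tell a matching key from a non-matching one. The session id, port name and remote address are constructed values.

```python
"""TACACS+ body obfuscation (RFC 8907 section 4.5) and a shared-key
consistency check. Added example for this thread; not Cisco or ACS code.
The session id, port and remote address below are constructed."""
import hashlib
import struct

VERSION = 0xC0           # major version 0xC, minor 0 (ASCII login)
TYPE_AUTHEN = 0x01       # TAC_PLUS_AUTHEN
FLAG_UNENCRYPTED = 0x01  # TAC_PLUS_UNENCRYPTED_FLAG
HEADER = struct.Struct("!4BII")  # version, type, seq_no, flags, session_id, length


def pseudo_pad(session_id, key, version, seq_no, length):
    """Chained MD5 keystream: MD5_n = MD5(session_id + key + version + seq_no + MD5_{n-1})."""
    prefix = struct.pack("!I", session_id) + key.encode() + bytes([version, seq_no])
    pad, prev = b"", b""
    while len(pad) < length:
        prev = hashlib.md5(prefix + prev).digest()
        pad += prev
    return pad[:length]


def xor_body(body, session_id, key, version, seq_no):
    """Obfuscate or de-obfuscate a body (XOR is its own inverse)."""
    pad = pseudo_pad(session_id, key, version, seq_no, len(body))
    return bytes(b ^ p for b, p in zip(body, pad))


def build_authen_start(user, port, rem_addr, data=b"",
                       action=1, priv_lvl=1, authen_type=1, service=1):
    """Authentication START body: 8 fixed bytes, then user, port, rem_addr, data."""
    u, p, r = user.encode(), port.encode(), rem_addr.encode()
    fixed = struct.pack("!8B", action, priv_lvl, authen_type, service,
                        len(u), len(p), len(r), len(data))
    return fixed + u + p + r + data


def parse_authen_start(body):
    """Return the START fields, or None when the bytes are not a sane START body."""
    if len(body) < 8:
        return None
    action, priv_lvl, authen_type, service, ul, pl, rl, dl = struct.unpack("!8B", body[:8])
    if 8 + ul + pl + rl + dl != len(body):
        return None
    if action not in (1, 2, 3) or priv_lvl > 15 or not 1 <= authen_type <= 6 or service > 9:
        return None
    off = 8
    user, off = body[off:off + ul], off + ul
    port, off = body[off:off + pl], off + pl
    rem, off = body[off:off + rl], off + rl
    try:
        return {"action": action, "priv_lvl": priv_lvl, "authen_type": authen_type,
                "service": service, "user": user.decode("ascii"),
                "port": port.decode("ascii"), "rem_addr": rem.decode("ascii"),
                "data": body[off:]}
    except UnicodeDecodeError:
        return None


def build_packet(body, session_id, key, seq_no=1):
    """Header in the clear, body obfuscated under `key`."""
    header = HEADER.pack(VERSION, TYPE_AUTHEN, seq_no, 0, session_id, len(body))
    return header + xor_body(body, session_id, key, VERSION, seq_no)


def decode_packet(packet, key):
    """Recover the body with `key`; wrong key gives random-looking bytes, not an error."""
    version, _ptype, seq_no, flags, session_id, length = HEADER.unpack(packet[:HEADER.size])
    body = packet[HEADER.size:HEADER.size + length]
    if flags & FLAG_UNENCRYPTED:
        return body
    return xor_body(body, session_id, key, version, seq_no)


def key_matches(packet, key):
    """True when `key` turns the body back into a parsable START body."""
    return parse_authen_start(decode_packet(packet, key)) is not None


# Constructed sample: the router's key versus the ACS client entry's shared secret
ROUTER_KEY, ACS_KEY = "letmein", "cisco"
SESSION_ID = 0x2A6F1B3C                       # constructed session id
START_BODY = build_authen_start("ciscoadmin", "tty66", "192.0.31.5")
PACKET = build_packet(START_BODY, SESSION_ID, ROUTER_KEY)

if __name__ == "__main__":
    for k in (ROUTER_KEY, ACS_KEY):
        print(f"key {k!r}: {'decodes' if key_matches(PACKET, k) else 'garbage'}")
```

Because the protocol gives no explicit "bad key" signal, the only visible symptoms of a mismatch are the server-side log entry and the router falling through to its next method, which is exactly the pattern of "only the local username works" described earlier in the thread. Checking that the `tacacs-server key` on every device matches the shared secret stored for that AAA client in ACS is the first thing to verify.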
 
Try adding this command:

aaa authorization commands 1 default tacacs+ if-authenticated

Other than that, it looks good. Can you ping your TACACS server?

 
Yes, I can ping the ACS server. I opened a TAC case with Cisco to see if they can figure it out. I'll post the results if it's resolved.

Thanks for all your help,
Chris
 