Configuring TACACS+ Globally

17 Mar

Immediate Solutions

The process for configuring a Cisco router to support the TACACS+ protocol is fairly uniform. The basic configuration to enable TACACS+ always includes the same steps, but they can be carried out in two different ways. The first method configures TACACS+ globally on the network access server. It is generally used in environments with a single TACACS+ server, or where every TACACS+ server in the network shares the same key and connection parameters. This method is outlined in the following steps:

1. Use the aaa new-model global configuration command to enable AAA. This command establishes a new AAA configuration and is required before any TACACS+ command takes effect.

2. Use the tacacs-server host <ip address> command to specify the IP address of one or more TACACS+ servers. Servers are tried in the order they are configured.

3. Set the shared key with the tacacs-server key <key> command. The key never crosses the network; both ends use it to derive the keystream that encrypts (obfuscates) the body of every TACACS+ packet, so the key string configured on the network access server must match the key string configured on the TACACS+ server or every exchange between the devices will fail.

The preceding steps are the basic commands needed to enable TACACS+ globally on the network access server. Figure 2.8 illustrates how to configure the network access server named Seminole to authenticate user James through TACACS+. James is an administrator who must access Seminole remotely and perform administrative functions. Seminole is configured to communicate with the Cisco Secure ACS server at IP address 192.168.10.4.

Figure 2.8: Single TACACS+ server.
The following configuration commands are needed to configure the router based on the requirements:

Seminole#config t
Enter configuration commands, one per line. End with CNTL/Z.
Seminole(config)#aaa new-model
Seminole(config)#tacacs-server host 192.168.10.4
Seminole(config)#tacacs-server key 1Cisco9

In this configuration, 1Cisco9 is the key shared between router Seminole and the Cisco Secure server at IP address 192.168.10.4. Keep it secret: the key itself is never transmitted, but it is what encrypts every TACACS+ packet body, so anyone who learns it can decode captured sessions, passwords included. By default the key is stored in cleartext in the running and startup configuration, and service password-encryption only applies the reversible type 7 encoding, so treat any copy of the configuration as sensitive and choose a long, random key rather than a short one like the example. Issuing the show running-config command lets you see the result of the preceding configuration:

Seminole#show running-config
!
hostname Seminole
!
aaa new-model
tacacs-server host 192.168.10.4
tacacs-server key 1Cisco9
!

The show running-config command lets you review the changes made to the local device, but it says nothing about whether the network access server and the TACACS+ server are actually communicating. Once the configuration looks correct, issue the show tacacs command: it reports the server address and port, connection counters and the state of the current connection, which is what verifies that Seminole in Figure 2.8 can talk to the TACACS+ server.

Seminole#sh tacacs
Server: 192.168.10.4/49: opens=215 closes=214 aborts=79 errors=4
packets in=1637 packets out=1930 expected replies=0
connection 62524500 state=ESTAB

The output of the show tacacs command first lists the TACACS+ server's IP address and the TCP port the router uses to reach it; 49 is the default, and it is changed only when the TACACS+ server has been configured to listen on a different port (tacacs-server host <ip address> port <number>). The opens and closes counters are the number of times the router opened or closed a session with the TACACS+ server; aborts and errors count sessions that did not complete normally, so a steadily climbing errors value is worth attention even when the state looks healthy. The most important field is the state of the connection. In the preceding example the state is ESTAB, that is, established. If the router and TACACS+ server could not communicate, the output would look like this instead:

Server: 192.168.10.4/49: opens=0 closes=0 aborts=0 errors=227
packets in=0 packets out=0 expected replies=0
no connection

Notice the high number of errors. It is high because every attempt to open a TCP session to 192.168.10.4 on port 49 has failed, and no connection confirms that nothing is currently established. Check IP reachability, the server's listening port and any filtering between the two devices first; a mismatched key does not stop the TCP connection from opening, so it shows up as failed requests on an established connection rather than as no connection. Once show tacacs reports an established connection, the debug tacacs events command shows the individual session: the opening and closing of TCP connections to the TACACS+ server and the bytes written and read for each request. As with any debug, enable it only while troubleshooting and with care on a busy device. This output can be seen in Listing 2.1.

Listing 2.1: Debugging TACACS+ events output.

Seminole#debug tacacs events
TACACS+ events debugging is on
Seminole#

TAC+: Opening TCP/IP to 192.168.10.4/49 timeout=5
TAC+: Opened TCP/IP handle 0x47B76A to 192.168.10.4/49
TAC+: req=6257CD64 Qd id=3392702625 ver=192 handle=0x0 (NONE) expire=4 AUTHEN/START/LOGIN/ASCII processed
TAC+: periodic timer stopped (queue empty)
TAC+: periodic timer started
TAC+: 192.168.10.4 req=6257CD64 Qd id=3392702625 ver=192 handle=0x0 (NONE) expire=5 AUTHEN/START/LOGIN/ASCII queued
TAC+: 192.168.10.4 ESTAB id=3392702625 wrote 37 of 37 bytes
TAC+: 192.168.10.4 req=6257CD64 Qd id=3392702625 ver=192 handle=0x0 (NONE) expire=4 AUTHEN/START/LOGIN/ASCII sent
TAC+: 192.168.10.4 ESTAB read=12 wanted=12 alloc=55 got=12
TAC+: 192.168.10.4 ESTAB read=28 wanted=28 alloc=55 got=16
TAC+: 192.168.10.4 received 28 byte reply for 6257CD64 id=3392702625
TAC+: req=6257CD64 Tx id=3392702625 ver=192 handle=0x0 (NONE) expire=4 AUTHEN/START/LOGIN/ASCII processed
TAC+: periodic timer stopped (queue empty)
TAC+: periodic timer started
TAC+: 192.168.10.4 req=6252CD78 Qd id=3392702625 ver=192 handle=0x0 (NONE) expire=5 AUTHEN/CONT queued
TAC+: 192.168.10.4 ESTAB id=3392702625 wrote 24 of 24 bytes
TAC+: 192.168.10.4 req=6252CD78 Qd id=3392702625 ver=192 handle=0x0 (NONE) expire=4 AUTHEN/CONT sent
TAC+: 192.168.10.4 ESTAB read=12 wanted=12 alloc=55 got=12
TAC+: 192.168.10.4 ESTAB read=28 wanted=28 alloc=55 got=16
TAC+: 192.168.10.4 received 28 byte reply for 6252CD78 id=3392702625
TAC+: req=6252CD78 Tx id=3392702625 ver=192 handle=0x0 (NONE) expire=4 AUTHEN/CONT processed
TAC+: periodic timer stopped (queue empty)
TAC+: periodic timer started
TAC+: 192.168.10.4 req=6257CD64 Qd id=3392702625 ver=192 handle=0x0 (NONE) expire=5 AUTHEN/CONT queued
TAC+: 192.168.10.4 ESTAB id=3392702625 wrote 27 of 27 bytes
TAC+: 192.168.10.4 req=6257CD64 Qd id=3392702625 ver=192 handle=0x0 (NONE) expire=4 AUTHEN/CONT sent
TAC+: 192.168.10.4 ESTAB read=12 wanted=12 alloc=55 got=12
TAC+: 192.168.10.4 ESTAB read=18 wanted=18 alloc=55 got=6
TAC+: 192.168.10.4 received 18 byte reply for 6257CD64 id=3392702625
TAC+: req=6257CD64 Tx id=3392702625 ver=192 handle=0x0 (NONE) expire=3 AUTHEN/CONT processed
TAC+: periodic timer stopped (queue empty)
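To make concrete what the shared key set with tacacs-server key actually protects, and what the byte counts in Listing 2.1 correspond to, the following is an added example written for this page; it is not code from the original text, from Cisco or from Cisco Secure ACS. It implements the TACACS+ packet header and the RFC 8907 body obfuscation (a chained MD5 keystream derived from the session id, the key, the version and the sequence number, XORed over the body) and drives an ASCII login between an in-process network access server and a toy server: START, GETUSER, CONT, GETPASS, CONT, PASS, the same three-round shape as the listing. The 12-byte header is the read=12 wanted=12 in the debug output, and its length field says how many body bytes follow; the 37-, 28-, 27- and 18-byte packets come out the same size as in the listing because the fixed parts of START, REPLY and CONT are 8, 6 and 5 bytes. The session id, tty, remote address, prompts, user table and james's password are constructed values; the key 1Cisco9 is the page's. Running the exchange with a server key that differs from the NAS key shows the failure mode the configuration steps warn about: the server decodes garbage and the session fails even though the key itself never crossed the wire.

```python
"""TACACS+ framing and body obfuscation (RFC 8907), written as an illustration for
this page; not code from the original article or from Cisco. Sample values
(session id, tty, remote address, prompts, users, password) are constructed."""
import hashlib
import struct

HDR = struct.Struct("!BBBBII")      # version, type, seq_no, flags, session_id, body length
VER = 0xC0                          # major 12, minor 0: the ver=192 seen in the debug output
TYPE_AUTHEN, FLAG_UNENCRYPTED = 1, 0x01   # flag: body in cleartext (a hardened server never sets it)
ACTION_LOGIN = AUTHEN_ASCII = SVC_LOGIN = 1
STATUS_PASS, STATUS_FAIL, STATUS_GETUSER, STATUS_GETPASS = 1, 2, 4, 5
STATUS_NAMES = {1: "PASS", 2: "FAIL", 4: "GETUSER", 5: "GETPASS"}

def pseudo_pad(session_id, key, version, seq_no, length):
    """RFC 8907 s4.5 keystream: chained MD5 over session_id, key, version, seq_no."""
    prefix = struct.pack("!I", session_id) + key + bytes([version, seq_no])
    pad, last = b"", b""
    while len(pad) < length:
        last = hashlib.md5(prefix + last).digest()
        pad += last
    return pad[:length]

def obfuscate(body, session_id, key, version, seq_no):
    """XOR the body with the pad; the same call both encrypts and decrypts."""
    pad = pseudo_pad(session_id, key, version, seq_no, len(body))
    return bytes(b ^ p for b, p in zip(body, pad))

def build_packet(seq_no, session_id, body, key):
    header = HDR.pack(VER, TYPE_AUTHEN, seq_no, 0, session_id, len(body))
    return header + obfuscate(body, session_id, key, VER, seq_no)

def parse_packet(packet, key):
    """Header fields plus decoded body. The 12-byte header is the 'read=12 wanted=12'
    in the debug output; its length field says how many body bytes follow."""
    if len(packet) < HDR.size:
        raise ValueError("short header")
    version, ptype, seq_no, flags, session_id, length = HDR.unpack_from(packet)
    body = packet[HDR.size:HDR.size + length]
    if len(body) != length:
        raise ValueError("truncated body: wanted %d, got %d" % (length, len(body)))
    if not flags & FLAG_UNENCRYPTED:
        body = obfuscate(body, session_id, key, version, seq_no)
    return dict(version=version, type=ptype, seq_no=seq_no, session_id=session_id), body

# AUTHEN bodies (RFC 8907 s5.1-5.3): START has 8 fixed bytes, REPLY 6, CONT 5.
def authen_start(user, port, rem_addr, data=b""):
    u, p, r = user.encode(), port.encode(), rem_addr.encode()
    fixed = bytes([ACTION_LOGIN, 1, AUTHEN_ASCII, SVC_LOGIN, len(u), len(p), len(r), len(data)])
    return fixed + u + p + r + data

def authen_reply(status, server_msg=""):
    msg = server_msg.encode()
    return struct.pack("!BBHH", status, 0, len(msg), 0) + msg
def parse_reply(body):
    status, _flags, msg_len, _data_len = struct.unpack_from("!BBHH", body)
    return status, body[6:6 + msg_len].decode()
def authen_cont(user_msg):
    msg = user_msg.encode()
    return struct.pack("!HHB", len(msg), 0, 0) + msg
def parse_cont(body):
    msg_len, _data_len, _flags = struct.unpack_from("!HHB", body)
    return body[5:5 + msg_len].decode()

def server_handle(packet, key, users, state):
    """Toy TACACS+ daemon for one ASCII login session; returns the REPLY packet."""
    hdr, body = parse_packet(packet, key)
    if hdr["seq_no"] == 1:
        # START: fixed fields must make sense after decoding; if not, the NAS used another key
        action, _priv, atype, _svc, ul, pl, rl, dl = body[:8]
        if (action, atype) != (ACTION_LOGIN, AUTHEN_ASCII) or 8 + ul + pl + rl + dl != len(body):
            raise ValueError("START body does not decode: shared key mismatch?")
        state["user"] = body[8:8 + ul].decode()
        status, msg = (STATUS_GETPASS, "Password: ") if state["user"] else (STATUS_GETUSER, "Username: ")
    elif not state["user"]:
        state["user"] = parse_cont(body)
        status, msg = STATUS_GETPASS, "Password: "
    else:
        ok = users.get(state["user"]) == parse_cont(body)
        status, msg = (STATUS_PASS if ok else STATUS_FAIL), ""
    return build_packet(hdr["seq_no"] + 1, hdr["session_id"], authen_reply(status, msg), key)

def login_exchange(user, password, nas_key, server_key, users, session_id=0xCA3B5F61):
    """ASCII login between an in-process NAS and server: START, GETUSER, CONT, GETPASS,
    CONT, PASS/FAIL. Returns (final status name, wire length of every packet)."""
    state, wire, seq = {}, [], 1                     # NAS sends odd seq numbers, server even
    pkt = build_packet(seq, session_id, authen_start("", "tty2", "192.168.10.22"), nas_key)
    while True:
        wire.append(len(pkt))
        try:
            reply_pkt = server_handle(pkt, server_key, users, state)
        except ValueError:
            return "KEY_MISMATCH", wire                # server could not decode the START
        wire.append(len(reply_pkt))
        status, _prompt = parse_reply(parse_packet(reply_pkt, nas_key)[1])
        if status in (STATUS_PASS, STATUS_FAIL):
            return STATUS_NAMES[status], wire
        seq, answer = seq + 2, (user if status == STATUS_GETUSER else password)
        pkt = build_packet(seq, session_id, authen_cont(answer), nas_key)
```

Note that obfuscate is its own inverse: whoever holds the key and a capture of the TCP session recovers every username and password in it with the same few lines, which is why the key deserves the same handling as a privileged password and why TACACS+ traffic belongs on a management network rather than the user-facing one.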

