
How to configure AAA on Cisco router/switches

10/01/2011 By Andrew Roderos Leave a Comment


I talked about tac_plus here, in a post covering how to build and configure a TACACS+ server. In this blog post, I will cover how to configure AAA on Cisco routers and switches so that they work in conjunction with the tac_plus setup covered in that post.

Backup Local Account

I think the first important step before enabling AAA on Cisco routers and switches is to create a backup local account, so you can still log in if the TACACS+ servers are unreachable. One could also configure the device to fall back to just the enable secret as a way to log in, but I personally prefer the local account.

username backup password strongpassword

Pointing Cisco device to TACACS+ server

Once the local user account is configured, you also need to point your networking devices to the TACACS+ servers.

tacacs-server host 192.168.10.100
tacacs-server host 192.168.10.101
!
tacacs-server directed-request
tacacs-server key tacacskey123

Configuring AAA

Now you're going to configure AAA on the networking devices. Start by enabling AAA in global configuration mode:

aaa new-model

These two lines enable the authentication part and tell our networking devices to try TACACS+ first, before the local account. Should both of your TACACS+ servers go down, the local user account (and, for enable, the enable secret) is allowed as the fallback.

aaa authentication login default group tacacs+ local
aaa authentication enable default group tacacs+ enable

These commands enable command authorization for the user or group. In some TACACS+ implementations you do not need aaa authorization commands 0 default group tacacs+ none, but for our implementation we're going to include it.

aaa authorization commands 0 default group tacacs+ none
aaa authorization commands 15 default group tacacs+ none
aaa authorization config-commands

These commands will start recording what commands are being issued on our networking devices. If you do not have a tool for tracking configuration changes like RANCID, then this can be a valuable way to see what was done. However, reading the accounting log on the TACACS+ server is messy. I suggest you implement RANCID if the organization does not have tools like AlterPoint Network Authority or Solarwinds Network Configuration Manager.

aaa accounting update newinfo periodic 5
aaa accounting exec default start-stop group tacacs+
aaa accounting commands 0 default start-stop group tacacs+
aaa accounting commands 15 default start-stop group tacacs+
aaa accounting send stop-record authentication failure
aaa accounting network default start-stop group tacacs+
aaa session-id common

Now we need to pick the source interface the device uses to talk to our TACACS+ server. There are scenarios where our routers and/or multilayer switches have two or more links going to our data center, so using a loopback is always a good idea (the server then sees one stable source address no matter which link is up). For layer two switches, the management VLAN interface will be just fine.

ip tacacs source-interface loopback0
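To check that a device actually carries the whole baseline above (AAA enabled, TACACS+ servers and key, login and enable fallbacks, command authorization and accounting, source interface, and a local backup account), here is an added example audit script, not part of the original post or of any Cisco tooling. It runs over a constructed running-config text assembled from the commands in this post, with the source-interface line deliberately left out so one gap is reported.

```python
import re

# Constructed sample running-config built from this post's commands; the
# "ip tacacs source-interface" line is deliberately omitted.
SAMPLE_CONFIG = """\
aaa new-model
username backup password strongpassword
tacacs-server host 192.168.10.100
tacacs-server key tacacskey123
aaa authentication login default group tacacs+ local
aaa authentication enable default group tacacs+ enable
aaa authorization commands 15 default group tacacs+ none
aaa accounting commands 15 default start-stop group tacacs+
"""

# Each check: (finding reported when absent, regex that must match a line).
REQUIRED = [
    ("AAA not enabled (aaa new-model missing)", r"^aaa new-model$"),
    ("no TACACS+ server defined", r"^tacacs-server host \S+"),
    ("no TACACS+ shared key", r"^tacacs-server key \S+"),
    ("login method list does not try TACACS+ first with local fallback",
     r"^aaa authentication login default group tacacs\+ local$"),
    ("enable method list does not fall back to the enable secret",
     r"^aaa authentication enable default group tacacs\+ enable$"),
    ("no command authorization for privilege 15",
     r"^aaa authorization commands 15 default group tacacs\+"),
    ("no command accounting for privilege 15",
     r"^aaa accounting commands 15 default start-stop group tacacs\+"),
    ("no source interface pinned for TACACS+ traffic",
     r"^ip tacacs source-interface \S+"),
]


def audit_aaa(config: str) -> list[str]:
    """Return the hardening gaps found in a running-config text."""
    lines = [ln.strip() for ln in config.splitlines()]
    findings = []
    for finding, pattern in REQUIRED:
        if not any(re.match(pattern, ln) for ln in lines):
            findings.append(finding)
    # The "local" fallback only helps if a local account really exists.
    if not any(ln.startswith("username ") for ln in lines):
        findings.append("no local backup account for a TACACS+ outage")
    return findings


if __name__ == "__main__":
    for gap in audit_aaa(SAMPLE_CONFIG):
        print("MISSING:", gap)
```

Feed it the output of "show running-config" from a real device to get a per-device list of gaps against this baseline.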

Congratulations, you just accomplished one part of hardening your organization’s networking devices!


Filed Under: Security Tagged With: AAA, Cisco, IOS, Network Security, tac_plus, TACACS+

About Andrew Roderos

I am a network security engineer with a passion for networking and security. Follow me on Twitter, LinkedIn, and Instagram.

Copyright © 2011–2023 · NetworkJutsu · All Rights Reserved · Privacy Policy · Terms of Use