I wrote about tac_plus here, covering how to build and configure a TACACS+ server. In this blog post, I will cover how to configure AAA on Cisco IOS routers and switches so that they work with the tac_plus setup from that previous post.
Backup Local Account
The first and most important step before enabling AAA on Cisco routers and switches is to create a backup local account. The reason is simple: once aaa new-model is entered, logins are subject to the AAA method lists, and if the TACACS+ servers are unreachable (or you make a typo in the server key) the local account is the only thing standing between you and a console trip. One could instead rely on the enable secret alone as the fallback, but I prefer a dedicated local account. Use secret rather than password so the credential is stored as a hash; password stores it in plaintext, or in the trivially reversible Type 7 form if service password-encryption is on. Give it privilege 15 so the fallback is actually useful when the servers are down.
username backup privilege 15 secret strongpassword
Pointing the Cisco device to the TACACS+ server
Once the local user account is configured, point the networking device at the TACACS+ servers. The key must match the key defined for this device in tac_plus.conf, otherwise every request fails with an authentication error even though the server is reachable. The tacacs-server host syntax below is the classic form; newer IOS and IOS-XE releases replace it with named tacacs server entries grouped under aaa group server tacacs+, and will rewrite the legacy commands into that form.
tacacs-server host 192.168.10.100
tacacs-server host 192.168.10.101
!
tacacs-server directed-request
tacacs-server key tacacskey123
Now configure AAA on the networking device. Start by enabling AAA in global configuration mode with aaa new-model. Do this from a session you can afford to lose, and keep it open until you have verified the TACACS+ login from a second session.
These two lines define the authentication method lists. The methods are tried in order: the device asks TACACS+ first and only falls back to the local user database (for login) or the enable secret (for enable) if no TACACS+ server responds. A reject from the server is a final answer and does not fall through to the local account, so the backup account only comes into play when both servers are down or unreachable. Make sure an enable secret is actually configured, or the enable fallback has nothing to land on.
aaa authentication login default group tacacs+ local
aaa authentication enable default group tacacs+ enable
These commands enable command authorization: every command a user enters at privilege level 0 or 15 is sent to the TACACS+ server, which permits or denies it based on the user or group definition in tac_plus.conf. The trailing none means that if all TACACS+ servers are unreachable, commands are permitted without a server decision; that is fail-open by design so the backup account is not locked out of its own shell. In some TACACS+ implementations you do not need aaa authorization commands 0 default group tacacs+ none, but for our implementation we are going to include it. Note that authorization is not applied to the console line unless aaa authorization console is also configured.
aaa authorization commands 0 default group tacacs+ none
aaa authorization commands 15 default group tacacs+ none
aaa authorization config-commands
These commands start recording exec sessions and every command issued on the device, tagged with the username from the TACACS+ login. If you do not have a tool for tracking configuration changes like RANCID, this is a valuable record of who did what and when. However, reading the raw accounting log on the TACACS+ server is messy, and accounting records are simply lost while the servers are unreachable, so it complements rather than replaces configuration tracking. I suggest implementing RANCID if the organization does not have a tool like AlterPoint Network Authority or SolarWinds Network Configuration Manager.
aaa accounting update newinfo periodic 5
aaa accounting exec default start-stop group tacacs+
aaa accounting commands 0 default start-stop group tacacs+
aaa accounting commands 15 default start-stop group tacacs+
aaa accounting send stop-record authentication failure
aaa accounting network default start-stop group tacacs+
aaa session-id common
Now we need to pick the source interface the device uses to talk to the TACACS+ servers. This matters because the server identifies the device by source address: tac_plus matches it against the host entries (and any per-host keys) in tac_plus.conf, and firewalls between the device and the data center filter on it. Where routers or multilayer switches have two or more links toward the data center, a loopback gives one stable, predictable source address regardless of which link is up. For layer two switches, the management VLAN interface will be just fine.
ip tacacs source-interface loopback0
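Pulling the steps above together, here is the whole configuration in one lockout-safe order. This is an added example, not a fragment from the original post: it uses the named tacacs server and aaa group server tacacs+ syntax that current IOS and IOS-XE releases use in place of tacacs-server host, and it adds two things the post does not show, an enable secret for the enable fallback to land on and exec authorization so the privilege level tac_plus returns is honored. The server names TAC1 and TAC2, the group name TACACS-SRV, the placeholder secrets and the test user are assumptions; the addresses, shared key and Loopback0 are the ones used in this post. Network accounting (for PPP and similar sessions) is left out since it does not apply to management logins.

```cisco
! Added example (not from the original post). Names TAC1, TAC2, TACACS-SRV,
! EnableSecretHere, tacuser/tacpass are assumed placeholders.

! 1. Fallback credentials first. 'secret' is stored as a hash; 'password'
!    would be stored reversibly. Privilege 15 so the fallback is useful.
enable secret EnableSecretHere
username backup privilege 15 secret strongpassword

! 2. Define the servers and a named group (replaces tacacs-server host).
tacacs server TAC1
 address ipv4 192.168.10.100
 key tacacskey123
 timeout 5
tacacs server TAC2
 address ipv4 192.168.10.101
 key tacacskey123
 timeout 5
aaa group server tacacs+ TACACS-SRV
 server name TAC1
 server name TAC2
! Source all TACACS+ traffic from the loopback so the server always sees the
! same address; it must match the host entry for this device in tac_plus.conf.
ip tacacs source-interface Loopback0

! 3. Only now turn on AAA. From this point vty logins follow the method lists.
aaa new-model
aaa session-id common

! 4. Authentication: TACACS+ first; local/enable only if no server answers.
!    A reject from the server is final and does NOT fall through to 'local'.
aaa authentication login default group TACACS-SRV local
aaa authentication enable default group TACACS-SRV enable

! 5. Authorization. exec authorization applies the priv-lvl tac_plus returns.
!    'none' as the last method means commands are permitted without a server
!    decision when every server is unreachable (fail-open, by design).
aaa authorization exec default group TACACS-SRV local
aaa authorization commands 0 default group TACACS-SRV none
aaa authorization commands 15 default group TACACS-SRV none
aaa authorization config-commands

! 6. Accounting: exec sessions plus every command at level 0 and 15.
aaa accounting update newinfo periodic 5
aaa accounting send stop-record authentication failure
aaa accounting exec default start-stop group TACACS-SRV
aaa accounting commands 0 default start-stop group TACACS-SRV
aaa accounting commands 15 default start-stop group TACACS-SRV

! 7. Verify from exec mode BEFORE closing the session you configured from,
!    then log in from a second session with a TACACS+ user.
! test aaa group TACACS-SRV tacuser tacpass legacy
! show tacacs
```

The order is the point: credentials and servers are in place before aaa new-model so that the first AAA-governed login already has somewhere to fall back to, and the test aaa command confirms the key and reachability before you trust the configuration with your only session.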
Congratulations, you just accomplished one part of hardening your organization’s networking devices!
You might also like to read
How to configure tac_plus (TACACS+ daemon) on Ubuntu Server
TACACS+ (tac_plus daemon) ACL
Adding two-factor authentication (2FA) to TACACS+