Example: Configuring the switch for Remote AAA with TACACS+

Prerequisites
  • TACACS+ servers configured as described in Remote AAA TACACS+ server configuration requirements. The exact settings appropriate to your environment will vary.

  • Logged in to the switch with Administrator privilege and in the config context.

Procedure
  1. Configure the global TACACS+ passkey (shared secret) as "xjkW74932qX3j_$". The same secret must be configured on every TACACS+ server the switch will contact; the plaintext keyword means the key is typed in the clear on the command line.
    switch(config)# tacacs-server key plaintext xjkW74932qX3j_$
    switch(config)#
  2. Add these configuration details for two remote TACACS+ servers:
    • Server 1 with IPv4 address 10.0.0.2, on the management interface (belonging to VRF “mgmt”), using the default PAP protocol.

    • Server 2 with IPv4 address 4.0.0.2, on the data interface 1/1/4 (belonging to VRF “default”), using the CHAP protocol.

    switch(config)# tacacs-server host 10.0.0.2 vrf mgmt
    switch(config)# tacacs-server host 4.0.0.2 auth-type chap
    switch(config)#
  3. Create a TACACS+ group named tac_grp1, assign TACACS+ server 10.0.0.2 to the group, show the group information.
    NOTE:

    The default TACACS+ group named tacacs includes every TACACS+ server regardless of whether any TACACS+ servers are also assigned to a user-defined TACACS+ group.

    switch(config)# aaa group server tacacs tac_grp1
    switch(config-sg)# server 10.0.0.2 vrf mgmt
    switch(config-sg)# exit
    switch(config)#
    switch(config)# do show aaa server-groups tacacs
    
    ******* AAA Mechanism TACACS+ *******
    --------------------------------------------------------------------------------
    GROUP NAME       | SERVER NAME                       | PORT | VRF     | PRIORITY
    --------------------------------------------------------------------------------
    tac_grp1         | 10.0.0.2                          | 49   | mgmt    | 1
    --------------------------------------------------------------------------------
    tacacs (default) | 10.0.0.2                          | 49   | mgmt    | 1
    tacacs (default) | 4.0.0.2                           | 49   | default | 2
    --------------------------------------------------------------------------------
    switch(config)# 
    
  4. Define the authentication sequence list so that the new TACACS+ group is first, the default TACACS+ group is second, and local is third. Show the authentication sequence.
    switch(config)# aaa authentication login default group tac_grp1 tacacs local
    switch(config)#
    switch(config)# do show aaa authentication
    AAA Authentication:
      Fail-through                          : Disabled
    
    Default Authentication for All Channels:
    ---------------------------------------------------------------------------------
    GROUP NAME                       | GROUP PRIORITY
    ---------------------------------------------------------------------------------
    tac_grp1                         | 0
    tacacs                           | 1
    local                            | 2
    ---------------------------------------------------------------------------------
    switch(config)#
    
  5. Define the authorization sequence list with two TACACS+ server groups plus local RBAC (the none keyword, which means local role-based authorization is used when no TACACS+ group answers). Show the authorization sequence.
    switch(config)# aaa authorization commands default group tac_grp1 tacacs none
    switch(config)#
    switch(config)# do show aaa authorization
    
    Default command Authorization for All Channels:
    ---------------------------------------------------------------------------------
    GROUP NAME                       | GROUP PRIORITY
    ---------------------------------------------------------------------------------
    tac_grp1                         | 0
    tacacs                           | 1
    none                             | 2
    ---------------------------------------------------------------------------------
    switch(config)#
    
  6. Define the accounting sequence list with two TACACS+ server groups. Show the accounting sequence.
    switch(config)# aaa accounting all default start-stop group tac_grp1 tacacs
    switch(config)#
    switch(config)# do show aaa accounting
    AAA Accounting:
      Accounting Type                               : all
      Accounting Mode                               : start-stop
    
    Default Accounting for All Channels:
    ---------------------------------------------------------------------------------
    GROUP NAME                       | GROUP PRIORITY
    ---------------------------------------------------------------------------------
    tac_grp1                         | 0
    tacacs                           | 1
    ---------------------------------------------------------------------------------
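Verifying the result. The show commands above are the evidence that the AAA policy is what the procedure intended: the right method order, a local fallback kept last, every group in the list actually defined, and fail-through still disabled. The following script is an added example, not vendor code, that parses those tables offline and audits them. It assumes only the output layout shown in this procedure (the sample text below is copied from the show commands above and is constructed input, not a live capture); the function names are this example's own.

```python
"""Offline audit of the 'show aaa ...' output produced by the TACACS+ procedure above.

Added example (not vendor code): parses the pipe-separated CLI tables the switch
prints and checks that the resulting AAA policy matches what the procedure intended.
SERVER_GROUPS and AUTHENTICATION are constructed samples copied from the procedure.
"""
import re

SERVER_GROUPS = """\
******* AAA Mechanism TACACS+ *******
--------------------------------------------------------------------------------
GROUP NAME       | SERVER NAME                       | PORT | VRF     | PRIORITY
--------------------------------------------------------------------------------
tac_grp1         | 10.0.0.2                          | 49   | mgmt    | 1
--------------------------------------------------------------------------------
tacacs (default) | 10.0.0.2                          | 49   | mgmt    | 1
tacacs (default) | 4.0.0.2                           | 49   | default | 2
--------------------------------------------------------------------------------
"""

AUTHENTICATION = """\
AAA Authentication:
  Fail-through                          : Disabled

Default Authentication for All Channels:
---------------------------------------------------------------------------------
GROUP NAME                       | GROUP PRIORITY
---------------------------------------------------------------------------------
tac_grp1                         | 0
tacacs                           | 1
local                            | 2
---------------------------------------------------------------------------------
"""


def parse_table(text, columns):
    """Rows of a '|'-separated CLI table as dicts; header, rules and titles are skipped."""
    rows = []
    for line in text.splitlines():
        cells = [c.strip() for c in line.split("|")]
        if len(cells) != len(columns) or cells[0] == "GROUP NAME":
            continue
        rows.append(dict(zip(columns, cells)))
    return rows


def server_groups(text):
    """Every (group, server) membership, with ' (default)' stripped off the group name."""
    rows = parse_table(text, ["group", "server", "port", "vrf", "priority"])
    for r in rows:
        r["group"] = r["group"].replace(" (default)", "")
        r["port"] = int(r["port"])
        r["priority"] = int(r["priority"])
    return rows


def method_sequence(text):
    """Method list in the order the switch tries it (lowest GROUP PRIORITY first)."""
    rows = parse_table(text, ["group", "priority"])
    return [r["group"] for r in sorted(rows, key=lambda r: int(r["priority"]))]


def fail_through(text):
    """Value of the Fail-through line ('Enabled'/'Disabled'), or None if absent."""
    m = re.search(r"Fail-through\s*:\s*(\w+)", text)
    return m.group(1) if m else None


def audit(groups_text, auth_text, expected):
    """Return a list of findings; an empty list means the login policy is as intended."""
    findings = []
    groups = server_groups(groups_text)
    defined = {g["group"] for g in groups}
    seq = method_sequence(auth_text)

    if seq != expected:
        findings.append(f"login sequence {seq} differs from intended {expected}")
    # Every remote method in the list must name a server group that exists.
    for name in seq:
        if name not in ("local", "none") and name not in defined:
            findings.append(f"method '{name}' is not a configured TACACS+ server group")
    # Keep a local fallback, and keep it last so the TACACS+ groups are tried first.
    if "local" not in seq:
        findings.append("no local fallback: lockout if every TACACS+ server is unreachable")
    elif seq[-1] != "local":
        findings.append("local is not the last method; the TACACS+ groups should come first")
    # A user-defined group may only contain servers that exist in the default group,
    # and the server's VRF and port must match the tacacs-server host definition.
    default = {(g["server"], g["vrf"], g["port"]) for g in groups if g["group"] == "tacacs"}
    for g in groups:
        if g["group"] != "tacacs" and (g["server"], g["vrf"], g["port"]) not in default:
            findings.append(f"{g['group']}: server {g['server']} (vrf {g['vrf']}, "
                            f"port {g['port']}) is not a defined tacacs-server host")
    if fail_through(auth_text) != "Disabled":
        findings.append("fail-through is not Disabled (the procedure leaves it Disabled)")
    return findings


if __name__ == "__main__":
    for f in audit(SERVER_GROUPS, AUTHENTICATION, ["tac_grp1", "tacacs", "local"]) or ["OK"]:
        print(f)
```

Run it against pasted output from your own switch in place of the two sample strings; the audit returns an empty list for the configuration built in this procedure and one finding per deviation, so it can be dropped into a post-change check without any network access to the switch.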