In today’s post I will showw how you can do a basic configuration of a TACACS+ Linux server and how to enable the AAA on the networking device.
To start with AAA, stands for Authentication, Authorization and Accounting. The authentication is related to the login process: users and their passwords, authorization describes what each of the users is allowed to do on the device and the accounting part logs what commands the users have issued on the device. All these are implemented as a set of attributes stored in a database that can be located locally on the device or hosted remotely on a TACACS+ or RADIUS server.
Installing TACACS+ Server:
I am using Debian Squeeze as OS. TACACS+ comes in Squeeze repositories so installing it is as simple as :
Its config file is located at /etc/tacacs+/tac_plus.conf. In order to start, stop, restart it you can use the init scripts.
Let’s do a basic configuration and add 2 users on the database: admin with full privileges and user having restricted access:
Now let’s get to the client side - the Cisco router. We first have to tell the router that it should use TACACS for authentication and the IP address of the server with the authentication key to the server.
Next we will configure the authentication methods:
Now let’s get to the authorization part. We will set it for both privilege level 1 and 15 commands
In order to have accouting in place you also need to set the accounting log file location on the server:
Troubleshooting AAA issues can be done using the debug aaa command. Below is an example of the authorization debug for user when trying to enter configuration mode - which is not allowed and when issuing the show ip int brief command allowed: