Most enteprise companies authenticate network users via TACACS+ to a Cisco ACS Server. This is useful for single sign-on, management and tracking. This lab will discuss and demonstrate the configuration of a TACACS+ AAA Authentication List.
No network engineer wants to spend countless hours of time maintaining local user accounts on hundreds of Cisco devices. This issue was foreseen many many years ago and resolved with AAA. With AAA you can configure the Cisco device rather it be a router or switch to authentication to a centralized user authentication database. Cisco sells a solution called the Cisco Secure Access Server which is commonly used in networks larger then 50 nodes to provide centralized authentication, authorization and accounting services for network devices.
Please note that the contents found in this lab are not part of the CCNA (640-802) Exam objectives, however this material can be found on the new CCNA Security certification; (Exam: 840-553 – IINS). This lab was created to provide you a basic understanding of AAA; that of which is commonly used in production networks for authentication, authorization and accounting.
Step 1. – First you need to configure the TACACS server host address and key, this is done by executing the tacacs-server host x.x.x.x key keygoeshere as shown below;
Router con0 is now available Press RETURN to get started. Router>enable Router#configure terminal Router(config)#tacacs-server host 10.1.1.20 key P@s$W0rD!
Step 2. – Now configure the AAA login authentication list name CONSOLE_AUTH to authenticate to the tacacs server first and fail back to the local user database in the event of a server failure. As previously shown in Lab 3-2 the authtype was just local. The AAA login authentication list follows the authtype in order from first to last in the syntax. To configure the list to authenticate to the tacacs server, add group tacacs+ prior to local
To complete the 2nd objective; authenticate to the tacacs server then failback to the local database when the server fails, execute the Lab 3-2; login authentication CONSOLE_AUTH with group tacacs local appended to it as shown below;
Router(config)#line con 0 Router(config-line)#login authentication CONSOLE_AUTH group tacacs local
Router con0 is now available Press RETURN to get started. User Access Verification Username: john Password: Router>