A reader question about TACACS+
Joe the Network Admin (not the plumber) asks about The Quick and Dirty, Cut and Paste TACACS+ install:
I am in the process of setting up TACACS+ across our network. Could you please explain the “default group” part of the TACACS commands. I set up a group in ACS called network admins which is mapped to an active directory group. I want to permit only the users in this group to be able to login to our network infrastructure. Would I replace the “default group” part of the command with my network admin group name. Any tips you could give, would be great. Thanks…..Great website!!!
Well Joe, let's see if we can't get you an answer. Configuring AAA on Cisco devices is always a pain in my ass, and I feel your pain in setting it up across your network, but it will be for the best.
You are a little mistaken about the command structure for AAA, so I'll try to break it down. After you have enabled AAA globally, you need to define the authentication method lists and apply them. There are 5 authentication methods: local, group TACACS+, group RADIUS, line, or enable authentication. So "login default group tacacs+ local" actually breaks down to "login", "default", "group tacacs+", "local". Let me break down the command "aaa authentication login default group tacacs+ local".
aaa authentication login
- default: Creates a default method list that is automatically applied to all lines and interfaces, specifying the method or sequence of methods used for authentication.
- group group-name: Specifies the use of an AAA server group. The "group radius" and "group tacacs+" methods refer to previously defined RADIUS or TACACS+ servers; a group-name string refers to a predefined named group of RADIUS or TACACS+ servers used for authentication.
- local: The local username and password database is used.
To put it simply, you're telling the device that the default way to log in is to use TACACS+ first and, if the TACACS+ server isn't available, to fall back to the local database. The same structure applies to all of the other aaa commands. There is no "default group"; rather, you're telling the device that the "default" method list is to use "group tacacs+".
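To make the breakdown concrete, here is a small parser I've added for this post (not Cisco code, and not an IOS API) that splits an "aaa authentication" line into its list name and the ordered methods the device will try, then flags the weak shapes a reviewer would care about: a "none" method, no server group at all, or a server group with no fallback behind it. Method names such as "local-case", "enable", "line", "none" and "krb5" are real IOS keywords; the review wording is my own.

```python
from dataclasses import dataclass

# IOS methods that are a single keyword; "group" always takes a following name.
SINGLE_WORD_METHODS = {"local", "local-case", "enable", "line", "none", "krb5", "krb5-telnet"}


@dataclass
class MethodList:
    service: str      # e.g. "login", "enable", "ppp"
    name: str         # "default" or a named list applied with "login authentication <name>"
    methods: list     # ordered: IOS tries the next one only if the previous is unreachable


def parse_aaa_authentication(line: str) -> MethodList:
    """Split 'aaa authentication <service> <list-name> <method...>' into its parts."""
    tokens = line.split()
    if tokens[:2] != ["aaa", "authentication"]:
        raise ValueError("not an 'aaa authentication' command: %r" % line)
    if len(tokens) < 5:
        raise ValueError("need a service, a list name and at least one method")
    service, name = tokens[2], tokens[3]
    methods = []
    i = 4
    while i < len(tokens):
        tok = tokens[i]
        if tok == "group":
            # "group" consumes the next token: tacacs+, radius, or a named server group.
            if i + 1 >= len(tokens):
                raise ValueError("'group' needs tacacs+, radius or a server-group name")
            methods.append("group " + tokens[i + 1])
            i += 2
        elif tok in SINGLE_WORD_METHODS:
            methods.append(tok)
            i += 1
        else:
            raise ValueError("unknown authentication method %r" % tok)
    return MethodList(service, name, methods)


def review(ml: MethodList) -> list:
    """Return the findings a reviewer would raise on this method list (hypothetical checks)."""
    findings = []
    if "none" in ml.methods:
        findings.append("'none' present: authentication is skipped if that method is reached")
    if not any(m.startswith("group ") for m in ml.methods):
        findings.append("no AAA server in list: all authentication is on-box only")
    elif ml.methods[-1].startswith("group "):
        # Fallback only happens when a server is unreachable, never on a rejected login.
        findings.append("last method is a server group: no fallback if the server is unreachable")
    return findings
```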
I hope that clears it up for you!
Oh, and I almost forgot. If you only want to allow your admins access to your devices, you do that through the Cisco Secure ACS administration tool (the web admin page), not on the devices themselves.
One last tidbit... TACACS+ uses TCP port 49.
And don't forget, if you have any questions that you want answered, don't hesitate to shoot an email to Greg@GregLedet.net or leave a comment on the post you have questions about! This goes for everyone!
Facts in this post were double checked in "Chapter 4 - Configuring AAA" of the CCNA Security Official Exam Certification Guide.