
AAA TACACS+ and RADIUS Tutorial

October 18th, 2018

AAA Configuration

The following steps are required to configure AAA:

1. Enable the “new model” of AAA.
2. Configure the server(s) to be used for AAA (e.g. TACACS+ or RADIUS servers).
3. Define authentication and authorization method lists.
4. Enforce AAA authentication on the relevant lines (e.g. console and VTY lines).

Example:

In this example we configure authentication so that users are authenticated when they telnet to the device:

1. Globally enable AAA on the device:

Switch(config)#aaa new-model

2. Configure the server to be used for AAA together with the shared key; the key must be identical to the one configured on the RADIUS server.

Switch(config)#radius-server host 192.168.1.2 key MySecretP@ssword

In the above command we don’t specify the ports used for RADIUS authentication and accounting, so the default values of 1645 and 1646, respectively, are used (or we can specify them explicitly with the “radius-server host 192.168.1.2 auth-port 1645 acct-port 1646 key MySecretP@ssword” command). The full syntax of the above command is:

Switch(config)# radius-server host { hostname | ip-address } [ auth-port port-number ] [ acct-port port-number ] [ timeout seconds ] [ retransmit retries ] [ key string] [alias {hostname | ip address}]

3. Activate authentication for logins to the device and specify RADIUS as the preferred method, with the local user database as a fallback if RADIUS becomes unavailable. Note that the local database is consulted only when the RADIUS server is offline: if the server is reachable and the user does not exist there, the login simply fails and no fallback occurs.

Switch(config)#aaa authentication login default group radius local

This command is broken down as follows:

+ The ‘aaa authentication’ part simply states that we want to configure authentication settings.
+ The ‘login’ keyword states that we want to prompt for a username/password when a connection is made to the device.
+ The ‘default’ keyword means the method list applies to all login connections (tty, vty, console and aux). With this keyword we don’t need to configure anything else under the tty, vty and aux lines. Without it, we must specify which line(s) the authentication applies to; an example without the ‘default’ keyword is shown in step 4 below.
+ The ‘group radius local’ part means all users are authenticated against the RADIUS servers (the first method). If the RADIUS servers don’t respond (are unreachable), the router’s local database is used (the second method). Notice that if the RADIUS server is reachable but the user is not configured on it, the router will not fall back and search the local database; it will display a “% Authentication failed” message instead.

Note: Without the ‘local’ keyword (i.e. only the ‘aaa authentication login default group radius’ command), authentication fails whenever the AAA server does not reply to the authentication request, because there is no fallback authentication method.

For local authentication to work we need to create a local user. To create a new user, with password stored in plain text:

Switch(config)#username User1 password CCNA_cisco

But having passwords in plain text isn’t a good idea! The command below is better: it creates a new user whose password is stored in encrypted form:

Switch(config)#username test2 secret Pa55w0rd
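To make the fallback rule above concrete, here is an added Python model (not Cisco code) of how a method list such as ‘group radius local’ is evaluated: a method is skipped only when the server times out, while an Access-Reject from a reachable server ends the login with a failure. The RadiusServer, LocalDatabase and Verdict names, the retransmit count and the salted-hash storage of the local ‘secret’ are all assumptions of this model.

```python
"""Model of Cisco IOS login method-list evaluation, e.g.
'aaa authentication login default group radius local'.
Added example, not Cisco code: server behaviour and the local
database are constructed here to show the fallback rule."""
import hashlib
import os
from enum import Enum


class Verdict(Enum):
    ACCEPT = "accept"    # Access-Accept from the server
    REJECT = "reject"    # Access-Reject: server reachable, user unknown or bad password
    TIMEOUT = "timeout"  # no reply within the configured timeout


class RadiusServer:
    """Simulated RADIUS server (constructed). 'users' maps name -> password;
    online=False models a host that never answers."""
    def __init__(self, users, online=True, retransmit=3):
        self.users, self.online, self.retransmit = users, online, retransmit
        self.requests_sent = 0

    def authenticate(self, user, password):
        # IOS retransmits up to 'retransmit' times before declaring the server dead
        for _ in range(1 + self.retransmit):
            self.requests_sent += 1
            if self.online:
                ok = self.users.get(user) == password
                return Verdict.ACCEPT if ok else Verdict.REJECT
        return Verdict.TIMEOUT


class LocalDatabase:
    """Models 'username <name> secret <pw>': only a salted hash is kept (assumption)."""
    def __init__(self):
        self.entries = {}

    def add(self, user, password):
        salt = os.urandom(8)
        self.entries[user] = (salt, hashlib.sha256(salt + password.encode()).digest())

    def authenticate(self, user, password):
        if user not in self.entries:
            return Verdict.REJECT
        salt, digest = self.entries[user]
        match = hashlib.sha256(salt + password.encode()).digest() == digest
        return Verdict.ACCEPT if match else Verdict.REJECT


def login(methods, user, password):
    """Walk the method list in order. Only TIMEOUT moves on to the next method;
    REJECT ends evaluation, so a user missing from RADIUS is never looked up locally."""
    for method in methods:
        verdict = method.authenticate(user, password)
        if verdict is not Verdict.TIMEOUT:
            return verdict
    return Verdict.REJECT  # every method timed out and no 'local' fallback remains
```

Running login() with a reachable server that rejects the user, and again with an unreachable one, reproduces the two behaviours described in step 3.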


4. In step 3, if we use a named method list instead of the ‘default’ one, for example:

Switch(config)#aaa authentication login MY_AUTHEN_GROUP group radius local

Then we have to apply the same list (MY_AUTHEN_GROUP in this case) to the specific line(s) with the “login authentication list_name” line command. For example, to apply it to the VTY lines (for telnet):

Switch(config)#line vty 0 4
Switch(config-line)#login authentication MY_AUTHEN_GROUP

Note:
+ We can configure different usernames/passwords on the local device and on the remote AAA server, but for normal users we should configure the same usernames/passwords on both so that the transition (in case the remote AAA server fails) is transparent to them.
+ Use the aaa authentication global configuration command to define method lists for RADIUS authentication
+ Use the aaa authorization global command to authorize specific user functions
+ Use the aaa accounting command to enable accounting for RADIUS connections

So in conclusion this is all the config we need for a simple authentication using AAA:

Switch(config)#username test2 secret Pa55w0rd
Switch(config)#aaa new-model
Switch(config)#radius-server host 192.168.1.2 key MySecretP@ssword
Switch(config)#aaa authentication login MY_AUTHEN_GROUP group radius local
Switch(config)#line vty 0 4
Switch(config-line)#login authentication MY_AUTHEN_GROUP

A simple TACACS+ configuration for authentication would be:

aaa new-model
aaa authentication login default group tacacs+ local
tacacs-server host 10.10.10.1
tacacs-server key login@pass!

With this configured, the password supplied at login is verified by the TACACS+ server before access is granted. If the server is unavailable or unreachable, the switch falls back to the local authentication database.

In the next part we will see some examples of configuring AAA.
