Cisco R/S Configuration: prepare a Cisco device for TACACS+ and test it

Add Cisco Router/Switch to TacacsGUI. IOS 12.x Configuration

Cisco Device Configuration

Prepare the device: give it an IP address and, if TacacsGUI lives in another network, a route to reach it. Text after ;! in the listings on this page is an annotation for the reader, not part of the command.

conf t
interface Ethernet0/0
  ip address <interface ip address> <network mask>
  no shutdown
  exit
ip route 0.0.0.0 0.0.0.0 <default gateway> ;!only needed if TacacsGUI is in another network
exit

Test connectivity to the TACACS+ server (10.6.20.10 in this example) before touching AAA.

ping 10.6.20.10

Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 10.6.20.10, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 1/2/4 ms

TACACS+ Server Configuration

conf t
aaa new-model
tacacs-server host <tacacsgui ip address> key <preshared key>
aaa authentication login tacgui group tacacs+ local
aaa authentication enable default group tacacs+ enable
!aaa authorization exec default group tacacs+ local ;!be careful: you can lock yourself out
!aaa authorization commands 0 default group tacacs+ local ;!be careful: you can lock yourself out
!aaa authorization commands 15 default group tacacs+ local ;!be careful: you can lock yourself out
aaa accounting exec default
  action-type start-stop
  group tacacs+
aaa accounting commands 0 default
  action-type start-stop
  group tacacs+
aaa accounting commands 15 default
  action-type start-stop
  group tacacs+

The three authorization lines are deliberately commented out. Enable them only after the authentication test below succeeds, and keep the local fallback: the local method only helps if a local username actually exists on the device. Command authorization (the command-set restrictions shown at the end of this page) does not take effect until the aaa authorization commands lines are active.

line vty 0 4
  login authentication tacgui
  transport input ssh
  exit

The named list tacgui is applied to the vty lines only; the console keeps its default login method, which is what saves you if the TACACS+ server is unreachable. If the device has more vty lines (for example line vty 0 15), apply the list to all of them, otherwise the extra lines keep authenticating with the default list.

Test AAA Settings

Run the test from the device, once with the correct password and once with a wrong one, to confirm both that the server answers and that it rejects bad credentials.

router_12#test aaa group tacacs+ user12 123123 legacy ;!correct user
Attempting authentication test to server-group tacacs+ using tacacs+
User was successfully authenticated.

router_12#test aaa group tacacs+ user12 cisco123 legacy ;!user with wrong password
Attempting authentication test to server-group tacacs+ using tacacs+
Authentication request returned status: 5
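
The same check can be run from a workstation without involving the router, which separates "is the user and key right on the server" from "is the device configured right". The script below is an added example, not TacacsGUI code and not from this page: a minimal TACACS+ client that implements the 12-byte header and the chained-MD5 pseudo-pad obfuscation from RFC 8907, sends one PAP login START and parses the REPLY. The server address 10.6.20.10 and the user12/123123 credentials are the ones used on this page; the pre-shared key, the port name, the remote address and the constructed FAIL reply in the offline demo are assumptions.

```python
"""Minimal TACACS+ (RFC 8907) client for a one-shot PAP login test.
Added example; not TacacsGUI code. The key, port name and remote address
are assumptions; 10.6.20.10 and user12/123123 come from this page."""
import hashlib
import os
import socket
import struct

TACACS_PORT = 49
VERSION_PAP = 0xC1          # major 0xc, minor 1: required for PAP START packets
TYPE_AUTHEN = 1
FLAG_UNENCRYPTED = 0x01     # header flag: body sent in clear (never use in production)
ACTION_LOGIN, PRIV_USER, AUTHEN_PAP, SVC_LOGIN = 1, 1, 2, 1
STATUS_NAMES = {1: "PASS", 2: "FAIL", 3: "GETDATA", 4: "GETUSER",
                5: "GETPASS", 6: "RESTART", 7: "ERROR", 0x21: "FOLLOW"}
HDR = struct.Struct("!BBBBII")   # version, type, seq_no, flags, session_id, length


def pseudo_pad(session_id, key, version, seq_no, length):
    """Keystream: MD5(session_id|key|version|seq_no|previous_digest), chained."""
    prefix = struct.pack("!I", session_id) + key + bytes([version, seq_no])
    pad, prev = b"", b""
    while len(pad) < length:
        prev = hashlib.md5(prefix + prev).digest()
        pad += prev
    return pad[:length]


def obfuscate(body, session_id, key, version, seq_no):
    """XOR the body with the pseudo-pad; applying it twice restores the body."""
    pad = pseudo_pad(session_id, key, version, seq_no, len(body))
    return bytes(a ^ b for a, b in zip(body, pad))


def build_packet(ptype, seq_no, session_id, key, body, version=VERSION_PAP):
    header = HDR.pack(version, ptype, seq_no, 0, session_id, len(body))
    return header + obfuscate(body, session_id, key, version, seq_no)


def authen_start_pap(user, password, port=b"tty0", rem_addr=b"127.0.0.1"):
    """START body for a PAP login; the password rides in the data field."""
    user_b, data = user.encode(), password.encode()
    fixed = bytes([ACTION_LOGIN, PRIV_USER, AUTHEN_PAP, SVC_LOGIN,
                   len(user_b), len(port), len(rem_addr), len(data)])
    return fixed + user_b + port + rem_addr + data


def decode_start(packet, key):
    """What the server does with our packet: strip header, de-obfuscate, read fields."""
    version, ptype, seq_no, _flags, session_id, length = HDR.unpack(packet[:HDR.size])
    body = obfuscate(packet[HDR.size:HDR.size + length], session_id, key, version, seq_no)
    user_len, port_len, rem_len, data_len = body[4:8]
    user = body[8:8 + user_len]
    data_off = 8 + user_len + port_len + rem_len
    return ptype, seq_no, user.decode(), body[data_off:data_off + data_len].decode()


def parse_reply(body):
    """Authentication REPLY: status, flags, server_msg_len, data_len, server_msg, data."""
    status, _flags, msg_len, _data_len = struct.unpack("!BBHH", body[:6])
    server_msg = body[6:6 + msg_len].decode(errors="replace")
    return status, STATUS_NAMES.get(status, "UNKNOWN"), server_msg


def recv_exact(sock, n):
    buf = b""
    while len(buf) < n:
        chunk = sock.recv(n - len(buf))
        if not chunk:
            raise ConnectionError("server closed the connection mid-reply")
        buf += chunk
    return buf


def authenticate(host, key, user, password, port=TACACS_PORT, timeout=5):
    """Send one PAP START to the server and return (status, status_name, server_msg)."""
    session_id = struct.unpack("!I", os.urandom(4))[0]
    pkt = build_packet(TYPE_AUTHEN, 1, session_id, key, authen_start_pap(user, password))
    with socket.create_connection((host, port), timeout=timeout) as s:
        s.sendall(pkt)
        r_ver, r_type, r_seq, r_flags, r_sid, r_len = HDR.unpack(recv_exact(s, HDR.size))
        enc = recv_exact(s, r_len)
    if r_type != TYPE_AUTHEN or r_sid != session_id or r_seq != 2:
        raise ValueError("reply does not belong to our session")
    body = enc if r_flags & FLAG_UNENCRYPTED else obfuscate(enc, r_sid, key, r_ver, r_seq)
    return parse_reply(body)


if __name__ == "__main__":
    # Offline demonstration with an assumed key and a constructed FAIL reply.
    key = b"preshared_key"
    pkt = build_packet(TYPE_AUTHEN, 1, 0x1234ABCD, key, authen_start_pap("user12", "123123"))
    print("decoded by server:", decode_start(pkt, key))
    print("constructed reply:", parse_reply(bytes([2, 0, 0, 13, 0, 0]) + b"Bad password."))
    # Live test against the page's server (uncomment and set the real key):
    # print(authenticate("10.6.20.10", key, "user12", "123123"))
</```

A wrong pre-shared key does not produce a clean error: the server de-obfuscates garbage, so expect a FAIL or ERROR status (or a dropped connection) rather than a "bad key" message, which is the same symptom you get on the router. The status name is printed so that a server answering GETPASS (it wants an ASCII dialogue rather than PAP) is visible as such instead of looking like a failure.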

Log in with a TACACS+ user

In the example below the user can execute any command except show crypto isakmp sa and show crypto ipsec sa. The restriction comes from the command set assigned to the user in TacacsGUI, and the deny message is configured there too; on the device side it only takes effect when aaa authorization commands is enabled for the privilege level in question.

login as: user12
Using keyboard-interactive authentication.
Welcome Home! ;!Welcome message, preconfigured in the device group
Password:
Using keyboard-interactive authentication.
MOTD! ;!Message of the Day, preconfigured in the device group

router_12#sh ver
Cisco IOS Software, Linux Software (), Experimental Version 12.4()
Copyright (c) 1986-2009 by Cisco Systems, Inc.
Compiled Wed 08-Apr-09 02:09 by yuiu
...

router_12#sh crypto isakmp sa ;!command restricted by the Command Set
Bad Command ;!preconfigured message for deny

router_12#sh crypto ipsec sa
Bad Command ;!preconfigured message for deny

router_12#sh crypto key mypubkey rsa ;!command not restricted
% Key pair was generated at: 19:11:19 UTC Dec 14 2017
Key name: router_12.tacacsgui.com
 Storage Device: private-config
 Usage: General Purpose Key
 Key is not exportable.
...
Author: Alexey Mochalin; Created at: 2018-12-06 19:43:52; Updated at: 2018-12-07 20:53:55