Cisco R/S Configuration: prepare a Cisco device (IOS 15.x) for TACACS+ and test it

Add Cisco Router/Switch to TacacsGUI. IOS 15.x Configuration

Cisco Device Configuration

Prepare the device: give the interface facing TacacsGUI an address and, if TacacsGUI sits in another network, a route towards it. Placeholders are in angle brackets; the interface name depends on the platform (Ethernet0/0 here, GigabitEthernet0/0 on most hardware).

conf t
interface Ethernet0/0
  ip address <interface-ip> <netmask>
  no shutdown
  exit
! only needed if TacacsGUI is in another network
ip route 0.0.0.0 0.0.0.0 <default-gateway>
exit

Test connectivity to the TACACS+ server (10.6.20.10 in this example) before touching AAA.

ping 10.6.20.10

Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 10.6.20.10, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 1/2/4 ms

TACACS+ Server Configuration

Keep the current session open and verify the login from a second session before closing it. The `local` fallback in the method lists is used only when no TACACS+ server answers, not when the server rejects the user, so a wrong shared key or a missing local user can lock you out. Placeholders are in angle brackets.

conf t
! local account and enable secret that still work when TACACS+ is unreachable
username <rescue-user> privilege 15 secret <strong-password>
enable secret <enable-password>
aaa new-model
tacacs server tacgui
 address ipv4 <tacacsgui-ip>
 key <shared-key>
aaa authentication login tacgui group tacacs+ local
aaa authentication enable default group tacacs+ enable
! Authorization is optional and left disabled here. Enable it only after
! authentication has been tested: without the trailing "local" you lose
! access as soon as the server is unreachable, and "config-commands" has
! no effect unless a "commands 15" list is active.
!aaa authorization config-commands
!aaa authorization exec default group tacacs+ local
!aaa authorization commands 0 default group tacacs+ local
!aaa authorization commands 15 default group tacacs+ local
aaa accounting exec default start-stop group tacacs+
aaa accounting commands 0 default start-stop group tacacs+
aaa accounting commands 15 default start-stop group tacacs+
line vty 0 4
  login authentication tacgui
  ! telnet sends the TACACS+ password in clear text; allow SSH only
  ! (hostname, ip domain-name and an RSA key must already exist, as in the session below)
  transport input ssh
  exit
exit

Test AAA Settings

Run the test from the device. The first attempt uses the correct password, the second a wrong one; the second must be rejected, otherwise the server is not answering the way you expect.

test aaa group tacacs+ user15 123123 legacy ;!correct user
Attempting authentication test to server-group tacacs+ using tacacs+
User was successfully authenticated.

test aaa group tacacs+ user15 cisco123 legacy ;!wrong password
Attempting authentication test to server-group tacacs+ using tacacs+
Authentication request returned status: 5
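
To see what the `test aaa` command above actually puts on the wire, here is an added example (not IOS or TacacsGUI code) that builds a TACACS+ PAP authentication START packet as the device would, obfuscates the body with the shared key the way RFC 8907 section 4.5 specifies, decodes it again as the server does and answers with a REPLY. The key, the user table and the session id are constructed for the example; the constant names follow the RFC. It also shows why the `key` line matters: a server holding a different key decodes the body to garbage, and the obfuscation is an MD5 keystream rather than authenticated encryption, which is the reason to keep TACACS+ traffic on a management network.

```python
"""Minimal TACACS+ authentication START/REPLY codec per RFC 8907 (added example, not IOS/TacacsGUI code)."""
import hashlib
import hmac
import struct

# Constants named as in RFC 8907 (values are the RFC's, not from the page).
TAC_PLUS_MAJOR_VER = 0xC
TAC_PLUS_MINOR_VER_ONE = 0x1          # PAP requires minor version 1
TAC_PLUS_AUTHEN = 0x01                # header type: authentication
TAC_PLUS_UNENCRYPTED_FLAG = 0x01      # header flag: body sent in clear text
TAC_PLUS_AUTHEN_LOGIN = 0x01          # START action
TAC_PLUS_AUTHEN_TYPE_PAP = 0x02
TAC_PLUS_AUTHEN_SVC_LOGIN = 0x01
TAC_PLUS_AUTHEN_STATUS_PASS = 0x01
TAC_PLUS_AUTHEN_STATUS_FAIL = 0x02

HEADER = struct.Struct("!BBBBII")    # version, type, seq_no, flags, session_id, body length
START = struct.Struct("!BBBBBBBB")   # action, priv_lvl, authen_type, service, 4 field lengths
REPLY = struct.Struct("!BBHH")       # status, flags, server_msg_len, data_len


def pseudo_pad(session_id, key, version, seq_no, length):
    """RFC 8907 section 4.5: MD5 chain over session_id | key | version | seq_no [| previous digest]."""
    prefix = struct.pack("!I", session_id) + key + bytes([version, seq_no])
    pad, prev = b"", b""
    while len(pad) < length:
        prev = hashlib.md5(prefix + prev).digest()
        pad += prev
    return pad[:length]


def obfuscate(body, session_id, key, version, seq_no):
    """XOR the body with the pseudo-pad; the same call reverses it."""
    pad = pseudo_pad(session_id, key, version, seq_no, len(body))
    return bytes(b ^ p for b, p in zip(body, pad))


def build_authen_start(user, password, key, session_id, port="tty0", rem_addr=""):
    """Device side: PAP authentication START (seq_no 1), body obfuscated with the shared key."""
    u, p, r, d = user.encode(), port.encode(), rem_addr.encode(), password.encode()
    body = START.pack(TAC_PLUS_AUTHEN_LOGIN, 1, TAC_PLUS_AUTHEN_TYPE_PAP,
                      TAC_PLUS_AUTHEN_SVC_LOGIN, len(u), len(p), len(r), len(d)) + u + p + r + d
    version = (TAC_PLUS_MAJOR_VER << 4) | TAC_PLUS_MINOR_VER_ONE
    header = HEADER.pack(version, TAC_PLUS_AUTHEN, 1, 0, session_id, len(body))
    return header + obfuscate(body, session_id, key, version, 1)


def parse_authen_start(packet, key):
    """Server side: de-obfuscate with the server's key and split the START body into fields."""
    version, ptype, seq_no, flags, session_id, length = HEADER.unpack(packet[:HEADER.size])
    body = packet[HEADER.size:HEADER.size + length]
    if not flags & TAC_PLUS_UNENCRYPTED_FLAG:
        body = obfuscate(body, session_id, key, version, seq_no)
    _action, priv_lvl, authen_type, _svc, *lengths = START.unpack(body[:START.size])
    fields, off = [], START.size
    for n in lengths:                       # a wrong key gives garbage lengths, not an exception
        fields.append(body[off:off + n])
        off += n
    return {"type": ptype, "seq_no": seq_no, "session_id": session_id, "priv_lvl": priv_lvl,
            "authen_type": authen_type, "user": fields[0], "port": fields[1],
            "rem_addr": fields[2], "password": fields[3]}


def build_authen_reply(status, server_msg, key, session_id, version, seq_no=2):
    """Server side: REPLY carries the next (even) sequence number of the session."""
    msg = server_msg.encode()
    body = REPLY.pack(status, 0, len(msg), 0) + msg
    header = HEADER.pack(version, TAC_PLUS_AUTHEN, seq_no, 0, session_id, len(body))
    return header + obfuscate(body, session_id, key, version, seq_no)


def parse_authen_reply(packet, key):
    """Device side: read status and server_msg back out of a REPLY."""
    version, _t, seq_no, _f, session_id, length = HEADER.unpack(packet[:HEADER.size])
    body = obfuscate(packet[HEADER.size:HEADER.size + length], session_id, key, version, seq_no)
    status, _flags, msg_len, _data_len = REPLY.unpack(body[:REPLY.size])
    return {"status": status, "seq_no": seq_no, "server_msg": body[REPLY.size:REPLY.size + msg_len]}


def authenticate(packet, key, users):
    """Toy server decision for a PAP START: PASS only when user and password match the table."""
    req = parse_authen_start(packet, key)
    stored = users.get(req["user"])
    ok = stored is not None and hmac.compare_digest(stored, req["password"])
    return TAC_PLUS_AUTHEN_STATUS_PASS if ok else TAC_PLUS_AUTHEN_STATUS_FAIL


if __name__ == "__main__":
    KEY = b"preshared-key"                 # constructed; stands for the device's `key` value
    USERS = {b"user15": b"123123"}         # constructed user table
    start = build_authen_start("user15", "123123", KEY, session_id=0x1234ABCD)
    status = authenticate(start, KEY, USERS)
    reply = build_authen_reply(status, "ok", KEY, 0x1234ABCD, start[0])
    print("START header:", start[:12].hex(), "-> reply status", parse_authen_reply(reply, KEY)["status"])
    print("same packet decoded with the wrong key:", parse_authen_start(start, b"other-key")["user"])
```

The interesting failure mode is the key mismatch: nothing in the header tells the server the key is wrong, it simply reads a body that does not parse into a plausible user, which is why a mistyped `key` shows up as a rejected `test aaa` rather than an explicit error.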

Log in with a TACACS+ user

In the session below, user15 may run any command except show crypto isakmp sa and show crypto ipsec sa, which the Command Set assigned in TacacsGUI denies. The per-command deny is enforced by the device only when command authorization is enabled (the aaa authorization commands lines, which are commented out in the configuration above); without it the device accepts every command locally and TacacsGUI only receives the accounting records.

login as: user15
Using keyboard-interactive authentication.
Welcome  Home! ;!login banner configured in the TacacsGUI device group
Password:
Using keyboard-interactive authentication.
MOTD! ;!message of the day configured in the TacacsGUI device group

router_15#sh ver
Cisco IOS Software, Linux Software (), Version 15.4(2)T4
Technical Support: http://www.cisco.com/techsupport
Copyright (c) 1986-2015 by Cisco Systems, Inc.
...

router_15#sh crypto isakmp sa ;!denied by the Command Set
Bad Command ;!deny message configured in TacacsGUI

router_15#sh crypto ipsec sa ;!denied by the Command Set
Bad Command ;!deny message configured in TacacsGUI

router_15#sh crypto key mypubkey rsa ;!not restricted, so it runs
% Key pair was generated at: 22:29:30 UTC Nov 28 2018
Key name: router_15.tacacsgui.local
Key type: RSA KEYS
 Storage Device: private-config
...
Author: Alexey Mochalin; Created at: 2018-12-06 19:48:16; Updated at: 2018-12-07 21:24:56