Cisco (Routers, Switches, ASA, Nexus, WLC)

Cisco Router

Router with IOS 12.4 and below

! 10.6.20.10 is used as an example address
tacacs-server host 10.6.20.10
tacacs-server key TACACS_KEY
aaa new-model
aaa authentication login tacGUI group tacacs+ local
aaa authentication enable default group tacacs+ enable
aaa authorization exec default group tacacs+ local
aaa authorization commands 0 default group tacacs+ local
aaa authorization commands 15 default group tacacs+ local
aaa accounting exec default start-stop group tacacs+
aaa accounting commands 0 default start-stop group tacacs+
aaa accounting commands 15 default start-stop group tacacs+

line vty 0 4
 login authentication tacGUI
 transport input ssh

Router with IOS 15.x and higher

tacacs server tacGui
 ! 10.6.20.10 is used as an example address
 address ipv4 10.6.20.10
 key TACACS_KEY
aaa new-model
aaa authentication login tacGUI group tacacs+ local
aaa authentication enable default group tacacs+ enable
aaa authorization exec default group tacacs+ local
aaa authorization commands 0 default group tacacs+ local
aaa authorization commands 15 default group tacacs+ local
aaa accounting exec default start-stop group tacacs+
aaa accounting commands 0 default start-stop group tacacs+
aaa accounting commands 15 default start-stop group tacacs+

line vty 0 4
 login authentication tacGUI
 transport input ssh

Cisco Switch

Switch with IOS 12.4 and below

! 10.6.20.10 is used as an example address
tacacs-server host 10.6.20.10
tacacs-server directed-request
tacacs-server key TACACS_KEY
aaa new-model
aaa authentication login tacGUI group tacacs+ local
aaa authentication enable default group tacacs+ enable
aaa authorization exec default group tacacs+ local
aaa authorization commands 0 default group tacacs+ local
aaa authorization commands 15 default group tacacs+ local
aaa accounting exec default start-stop group tacacs+
aaa accounting commands 0 default start-stop group tacacs+
aaa accounting commands 15 default start-stop group tacacs+

line vty 0 4
 login authentication tacGUI
 transport input ssh
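The IOS snippets above all follow the same pattern: every authentication and authorization method list ends in local (so a TACACS+ outage does not lock administrators out), the server has a shared key, the VTY lines accept SSH only, and privilege-15 commands are accounted. The following Python script is an added example, not code from this page or from TACACSGUI; it lints a pasted IOS AAA configuration for exactly those properties before it is pushed to a device. The two embedded configurations are constructed samples: the first mirrors the IOS 15.x snippet, the second is a deliberately weakened variant so the checks can be seen firing.

```python
import re
from typing import List

# Constructed sample inputs (not taken from any real device).
IOS_OK = """\
tacacs server tacGui
 address ipv4 10.6.20.10
 key TACACS_KEY
aaa new-model
aaa authentication login tacGUI group tacacs+ local
aaa authentication enable default group tacacs+ enable
aaa authorization exec default group tacacs+ local
aaa authorization commands 0 default group tacacs+ local
aaa authorization commands 15 default group tacacs+ local
aaa accounting exec default start-stop group tacacs+
aaa accounting commands 0 default start-stop group tacacs+
aaa accounting commands 15 default start-stop group tacacs+
line vty 0 4
 login authentication tacGUI
 transport input ssh
"""

# Weakened variant: no key, no local fallback, telnet allowed, undefined list,
# no privilege-15 accounting.
IOS_WEAK = """\
tacacs server tacGui
 address ipv4 10.6.20.10
aaa new-model
aaa authentication login tacGUI group tacacs+
aaa authorization exec default group tacacs+ local
line vty 0 4
 login authentication tacGUI
 transport input telnet ssh
line vty 5 15
 login authentication noSuchList
"""


def _blocks(config: str):
    """Split an IOS config into (top-level line, [indented child lines]) pairs.
    Blank lines and '!' comment lines are ignored."""
    blocks = []
    for raw in config.splitlines():
        if not raw.strip() or raw.lstrip().startswith("!"):
            continue
        if raw[0].isspace():
            if blocks:
                blocks[-1][1].append(raw.strip())
        else:
            blocks.append((raw.strip(), []))
    return blocks


def lint_ios_aaa(config: str) -> List[str]:
    """Return a list of findings; an empty list means the config passed."""
    findings = []
    blocks = _blocks(config)
    top = [parent for parent, _ in blocks]

    if "aaa new-model" not in top:
        findings.append("aaa new-model missing: AAA method lists will not take effect")

    # 1. Login and authorization method lists must end with a local fallback,
    #    otherwise an unreachable TACACS+ server locks every administrator out.
    login_lists = set()
    for line in top:
        m = re.match(r"aaa authentication login (\S+) (.+)", line)
        if m:
            login_lists.add(m.group(1))
            if m.group(2).split()[-1] != "local":
                findings.append(f"login list '{m.group(1)}' has no local fallback")
        m = re.match(r"aaa authorization (exec|commands \d+) (\S+) (.+)", line)
        if m and m.group(3).split()[-1] != "local":
            findings.append(
                f"authorization {m.group(1)} list '{m.group(2)}' has no local fallback")

    # 2. A TACACS+ server needs a shared key, either the legacy global
    #    'tacacs-server key' or a 'key' inside the 15.x 'tacacs server' block.
    has_legacy_key = any(line.startswith("tacacs-server key") for line in top)
    for parent, children in blocks:
        if parent.startswith("tacacs server ") and not has_legacy_key:
            if not any(child.startswith("key ") for child in children):
                findings.append(f"'{parent}' has no key configured")

    # 3. VTY lines: SSH only, and the referenced login list must actually exist.
    for parent, children in blocks:
        if not parent.startswith("line vty"):
            continue
        transport = next((c for c in children if c.startswith("transport input")), None)
        if transport != "transport input ssh":
            findings.append(f"'{parent}': transport input is not restricted to ssh")
        for child in children:
            m = re.match(r"login authentication (\S+)", child)
            if m and m.group(1) not in login_lists:
                findings.append(f"'{parent}' references undefined login list '{m.group(1)}'")

    # 4. Privilege-15 command accounting keeps an audit trail of admin actions.
    if not any(line.startswith("aaa accounting commands 15") for line in top):
        findings.append("no accounting for privilege-15 commands")

    return findings


if __name__ == "__main__":
    for name, cfg in (("IOS_OK", IOS_OK), ("IOS_WEAK", IOS_WEAK)):
        print(name, lint_ios_aaa(cfg) or "clean")
```

Run it against the output of show running-config | section aaa|tacacs|line vty before applying a new AAA template; the checks are deliberately strict (a list ending in none or if-authenticated is also reported), so treat a finding as a prompt to review rather than as an automatic failure.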

Searching for an example!

Do you have an example? Please share the instructions with us: developer@tacacsgui.com.


Cisco ASA and Tacacs

Cisco ASA and Tacacs configuration

! define the aaa-server group named tplus
aaa-server tplus protocol tacacs+
! set the interface (netmgmt) and the address of the TACACS+ server (10.6.20.10 is an example address)
aaa-server tplus (netmgmt) host 10.6.20.10
 ! the shared secret for this server
 key PSK
! keep the serial console on LOCAL authentication so a TACACS+ outage cannot lock you out
aaa authentication serial console LOCAL
aaa authentication ssh console tplus LOCAL
aaa authentication enable console tplus LOCAL
aaa accounting command tplus

Cisco Nexus (NX-OS) and Tacacs

Cisco Nexus (NX-OS) and Tacacs configuration

feature tacacs+
ip tacacs source-interface loopback 0

tacacs-server host 10.6.20.10 key PSK
aaa group server tacacs+ tplus
    server 10.6.20.10

aaa authentication login console local
aaa authentication login default group tplus local
aaa authorization config-commands default group tplus local
aaa authorization commands default group tplus local

Also make sure you have checked the "Clone the login password" parameter for the Tacacs User. You can find it on the Extra Options tab inside the user settings.

If it is checked, the user will have an additional parameter, pap, which clones the login parameter. In the configuration it will look like:

For a local user:

OR

If the user uses a MAVIS module (like OTP or SMS):


Cisco WLC and Tacacs

Cisco WLC and Tacacs configuration

config tacacs auth add 1 10.6.20.10 49 ascii TACACS_KEY
config tacacs auth add 2 10.6.20.10 49 ascii TACACS_KEY
config tacacs athr add 1 10.6.20.10 49 ascii TACACS_KEY
config tacacs athr add 2 10.6.20.10 49 ascii TACACS_KEY
config tacacs acct add 1 10.6.20.10 49 ascii TACACS_KEY
config tacacs acct add 2 10.6.20.10 49 ascii TACACS_KEY
config aaa auth mgmt tacacs local

You also have to add this service to the user (you can do that manually):

service = ciscowlc {
    set role1 = ALL
}

The user should look like this:

Created at: 2018-05-05 00:11:15
Updated at: 2018-10-10 17:47:45
Author: Aleksey Mochalin