How to Configure AAA on Cisco Router to Authenticate with TACACS+ Server

What is AAA on Cisco IOS?

Authentication, Authorization, and Accounting, also known as AAA, can be configured on a Cisco router to control user authentication, authorization, and accounting. AAA is usually used with external servers running the TACACS+, TACACS, or RADIUS protocol; in this example we are using an external server running the TACACS+ protocol. After AAA is implemented we no longer need separate passwords for Telnet, HTTP, HTTPS, SSH, console, etc. All login attempts are authenticated against the same credentials by the TACACS+ server, which also provides increased flexibility, control, scalability, and multiple backup systems.

AAA Configuration steps on Cisco Router to authenticate with external TACACS+ Server:

1. Turn on AAA on the router using the 'aaa new-model' command and specify the TACACS+ server and secret key

Cisco-Router(config)#aaa new-model
Cisco-Router(config)#tacacs-server host 10.9.0.67
Cisco-Router(config)#tacacs-server host 10.90.0.67
Cisco-Router(config)#tacacs-server key <tacacs-server-key>

Please note that the TACACS+ key must be the same as the secret key that you used when configuring the server. You can also configure a message banner to display when a user is trying to log in to the router.

2. Create local user accounts on the router as a fallback in case the TACACS+ server is down. The 'username ... password' form stores the password reversibly (clear text or type 7); the 'username ... secret' form stores a hash instead and is the better choice for a fallback account.

Cisco-Router(config)#username cisco privilege 15 password cisco@123
Cisco-Router(config)#username admin privilege 15 password cisco@123

3. Now we define how logins are authenticated. The default method list tries the TACACS+ group first and the local database second, so if the TACACS+ servers cannot be reached we fall back to the local user accounts created in the previous step. Note that the fallback applies only when no TACACS+ server responds; a login that the server rejects is not retried against the local database.

Cisco-Router(config)#aaa authentication login default group TACACS+ local

4. Now we define authentication for enable mode, again using the TACACS+ group by default, with the enable secret as the fallback. We don't use the local user database here, because a locally defined user already has the privilege level needed to get into enable mode.

Cisco-Router(config)#aaa authentication enable default group TACACS+ enable

5. Check authorization for all configuration-mode commands with TACACS+. With this command, the server decides which configuration commands the logged-in user is authorized to run. For example, after the user types 'config terminal', the server can allow the user to change the banner or interface descriptions while prohibiting other commands such as 'shutdown' or 'enable'.

Cisco-Router(config)#aaa authorization config-commands

6. In the command below, 'if-authenticated' is the last method in the list: a user who has already authenticated successfully is granted EXEC access even if neither the TACACS+ group nor the local database returns an authorization result, so an authenticated user is immediately dropped into exec mode.

Cisco-Router(config)#aaa authorization exec default group TACACS+ local if-authenticated

7. Cisco's recommended best practice is to configure authorization for each level of user access to network devices. In this command we are authorizing privilege level 1 users, which is the same as non-enable mode. A fallback method such as the local users from step 2 should be configured. This also requires the use of TACACS+.

Cisco-Router(config)#aaa authorization commands 1 default group TACACS+ if-authenticated

8. We also provide authorization for level 15 users against TACACS+. In case TACACS+ is not available, the local user accounts are used. If authenticated, the user immediately gets into exec (enable) mode.

Cisco-Router(config)#aaa authorization commands 15 default group TACACS+ local if-authenticated

9. For accountability of the use of privileged commands on the router, enable AAA accounting for each level of commands. This first command records the start and stop of every EXEC session.

Cisco-Router(config)#aaa accounting exec default start-stop group TACACS+

10. This command provides accountability (tracking of user activity) for privilege level 1 users, even if they have only logged in. It is optional; one may skip it.

Cisco-Router(config)#aaa accounting commands 1 default start-stop group TACACS+

11. This command provides accounting for users with privilege level 15.

Cisco-Router(config)#aaa accounting commands 15 default start-stop group TACACS+
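As an added check for the finished configuration (example code written for this article, not part of the original post or of Cisco IOS), the script below audits a pasted running-config for the settings built up in steps 1 to 11: it confirms 'aaa new-model', a TACACS+ server and key, a login list with local fallback, an enable list with the 'enable' fallback, exec authorization and exec accounting, and it flags fallback accounts created with 'password' instead of 'secret'. It assumes the legacy 'tacacs-server host' syntax used above; the sample config is constructed.

```python
import re

# Constructed sample config (not from the page): the fallback user uses 'password' rather
# than 'secret', and the enable method list lacks the final 'enable' fallback.
SAMPLE_CONFIG = """\
aaa new-model
tacacs-server host 10.9.0.67
tacacs-server key EXAMPLE-KEY-PLACEHOLDER
username cisco privilege 15 password cisco@123
aaa authentication login default group tacacs+ local
aaa authentication enable default group tacacs+
aaa authorization exec default group tacacs+ local if-authenticated
aaa authorization commands 15 default group tacacs+ local if-authenticated
aaa accounting exec default start-stop group tacacs+
aaa accounting commands 15 default start-stop group tacacs+
"""

# (finding, regex that must fully match at least one config line); keyword case is ignored
REQUIRED = [
    ("aaa new-model missing: the AAA method lists are not in effect", r"aaa new-model"),
    ("no TACACS+ server defined", r"tacacs-server host .+"),
    ("no shared TACACS+ key configured", r"tacacs-server key .+"),
    ("login list does not fall back to local accounts when TACACS+ is unreachable",
     r"aaa authentication login default .*group tacacs\+.* local"),
    ("enable list has no final 'enable' (enable secret) fallback",
     r"aaa authentication enable default .*group tacacs\+.* enable"),
    ("no exec authorization against TACACS+", r"aaa authorization exec default group tacacs\+.*"),
    ("no start-stop exec accounting to TACACS+ (no login audit trail)",
     r"aaa accounting exec default start-stop group tacacs\+.*"),
]

def audit_aaa(config: str) -> list[str]:
    """Return findings for a running-config; an empty list means every check passed."""
    lines = [ln.strip() for ln in config.splitlines() if ln.strip()]
    findings = [text for text, pat in REQUIRED
                if not any(re.fullmatch(pat, ln, re.IGNORECASE) for ln in lines)]
    users = [re.match(r"username (\S+)( .*)", ln, re.IGNORECASE) for ln in lines]
    users = [m for m in users if m]
    if not users:
        findings.append("no local fallback account (step 2)")
    for m in users:
        # 'username ... password' is stored reversibly (clear text or type 7);
        # 'username ... secret' is stored as a hash, which a fallback account should use
        if re.search(r"\bpassword\b", m.group(2), re.IGNORECASE):
            findings.append(f"local user {m.group(1)} uses 'password'; use 'secret' instead")
    return findings
```

Run it against the output of 'show running-config | include aaa|tacacs|username' and fix each finding before relying on the router's fallback path.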

Comments (2)

  1. Krish says:

    Thanks for detailed explanation about all the commands to configure AAA on Cisco Router to authenticate with Tacacs+ server.

    You can also configure customized messages like below:

    Cisco-Router#config t
    Cisco-Router(config)#aaa new-model
    Cisco-Router(config)#aaa authentication banner *your message*
    Cisco-Router(config)#aaa authentication fail-message *the fail message*

  2. Sagar says:

    Pleasure to read AAA configuration with Tacacs+ server on Cisco Router….

    Thanks
