
Configuring TACACS+

Cisco IOS software currently supports three versions of the Terminal Access Controller Access Control System (TACACS) security protocol, each of which is a separate and unique protocol:

    - TACACS, the original protocol
    - Extended TACACS
    - TACACS+

This chapter discusses how to enable and configure TACACS+. For information about the deprecated protocols TACACS or Extended TACACS, refer to the "Configuring TACACS and Extended TACACS" chapter.

For a complete description of the TACACS+ commands used in this chapter, refer to the "TACACS, Extended TACACS, and TACACS+ Commands" chapter. To locate documentation of other commands that appear in this chapter, use the command reference master index or search online.

TACACS+ Overview

TACACS+ is a security application that provides centralized validation of users attempting to gain access to a router or network access server. TACACS+ services are maintained in a database on a TACACS+ daemon running, typically, on a UNIX or Windows NT workstation. You must have access to and must configure a TACACS+ server before the configured TACACS+ features on your network access server are available.

TACACS+ provides for separate and modular authentication, authorization, and accounting facilities. TACACS+ allows for a single access control server (the TACACS+ daemon) to provide each service---authentication, authorization, and accounting---independently. Each service can be tied into its own database to take advantage of other services available on that server or on the network, depending on the capabilities of the daemon.

The goal of TACACS+ is to provide a methodology for managing multiple network access points from a single management service. The Cisco family of access servers and routers and the Cisco IOS user interface (for both routers and access servers) can be network access servers.

Network access points enable traditional "dumb" terminals, terminal emulators, workstations, personal computers (PCs), and routers in conjunction with suitable adapters (for example, modems or ISDN adapters) to communicate using protocols such as Point-to-Point Protocol (PPP), Serial Line Internet Protocol (SLIP), Compressed SLIP (CSLIP), or AppleTalk Remote Access (ARA) Protocol. In other words, a network access server provides connections to a single user, to a network or subnetwork, and to interconnected networks. The entities connected to the network through a network access server are called network access clients; for example, a PC running PPP over a voice-grade circuit is a network access client. TACACS+, administered through the AAA security services, can provide the following services:

    - Authentication: complete control of the login and password dialog, including challenge and response and messages sent to the user's screen.
    - Authorization: control over what the user may do for the duration of the session.
    - Accounting: collection of information about the session for auditing and billing.

The authentication facility provides the ability to conduct an arbitrary dialog with the user (for example, after a login and password are provided, to challenge a user with a number of questions, such as home address, mother's maiden name, service type, and social security number). In addition, the TACACS+ authentication service supports sending messages to user screens. For example, a message could notify users that their passwords must be changed because of the company's password aging policy.

The TACACS+ protocol provides authentication between the network access server and the TACACS+ daemon, and it provides confidentiality because the body of every packet exchanged between a network access server and a TACACS+ daemon is encrypted under the shared key configured with the tacacs-server key command. Only the 12-byte packet header travels in the clear, and the protocol carries no separate integrity check, so the confidentiality of the exchange rests entirely on the secrecy and strength of that key and on restricting which hosts can reach the daemon's TCP port (49 by default).

You need a system running TACACS+ daemon software to use the TACACS+ functionality on your network access server.

Cisco makes the TACACS+ protocol specification available as a draft RFC for those customers interested in developing their own TACACS+ software.


Note TACACS+, in conjunction with AAA, is a separate and distinct protocol from the earlier TACACS or extended TACACS, which are now deprecated. After AAA has been enabled, many of the original TACACS and extended TACACS commands can no longer be configured. For more information about TACACS or extended TACACS, refer to the "Configuring TACACS and Extended TACACS" chapter.

TACACS+ Operation

When a user attempts a simple ASCII login by authenticating to a network access server using TACACS+, the following process typically occurs:

    1. When the connection is established, the network access server contacts the TACACS+ daemon to obtain a username prompt, which is then displayed to the user. The user enters a username and the network access server then contacts the TACACS+ daemon to obtain a password prompt. The network access server displays the password prompt to the user, the user enters a password, and the password is then sent to the TACACS+ daemon.


Note TACACS+ allows an arbitrary conversation to be held between the daemon and the user until the daemon receives enough information to authenticate the user. This is usually done by prompting for a username and password combination, but may include other items, such as mother's maiden name, all under the control of the TACACS+ daemon.

    2. The network access server eventually receives one of the following responses from the TACACS+ daemon:

        - ACCEPT: The user is authenticated and service may begin. If the network access server is configured to require authorization, authorization begins at this time.
        - REJECT: The user failed to authenticate. The user may be denied further access or prompted to retry the login sequence, depending on the TACACS+ daemon.
        - ERROR: An error occurred at some time during authentication, either at the daemon or in the network connection between the daemon and the network access server. An undecodable reply (for example, because the two sides hold different keys) also counts as an error. If an ERROR response is received, the network access server typically tries the next method in the AAA method list to authenticate the user.
        - CONTINUE: The user is prompted for additional authentication information.

Note A PAP login is similar to an ASCII login, except that the username and password arrive at the network access server in a PAP protocol packet instead of being typed in by the user, so the user is not prompted. PPP CHAP logins are also similar in principle.

Following authentication, the user is also required to undergo an additional authorization phase, if authorization has been enabled on the network access server. Users must first successfully complete TACACS+ authentication before proceeding to TACACS+ authorization.

    3. If TACACS+ authorization is required, the TACACS+ daemon is again contacted and it returns an ACCEPT or REJECT authorization response. If an ACCEPT response is returned, the response contains data in the form of attributes that are used to direct the EXEC or NETWORK session for that user, determining the services that the user can access.

    Services include the following:

        - PPP, SLIP, ARA, or EXEC sessions
        - Connection parameters such as the host or client IP address, access lists (for example, the inacl entries in the daemon configuration example at the end of this chapter), and user timeouts

TACACS+ Configuration Task List

To configure your router to support TACACS+, you must perform the following tasks:

    1. Enable AAA globally with the aaa new-model command. AAA must be enabled before any of the TACACS+ method lists below can be configured.
    2. Identify the TACACS+ server host or hosts.
    3. Set the TACACS+ authentication and encryption key.
    4. Define method lists for TACACS+ authentication and, optionally, for TACACS+ authorization and accounting.

These tasks are described in the following sections:

    - Identify the TACACS+ Server Host
    - Set the TACACS+ Authentication Key
    - Specify TACACS+ Authentication
    - Specify TACACS+ Authorization
    - Specify TACACS+ Accounting

For TACACS+ configuration examples using the commands in this chapter, refer to the "TACACS+ Configuration Examples" section located at the end of the this chapter.

Identify the TACACS+ Server Host

The tacacs-server host command enables you to specify the names of the IP host or hosts maintaining a TACACS+ server. Because the TACACS+ software searches for the hosts in the order specified, this feature can be useful for setting up a list of preferred daemons.

To specify a TACACS+ host, use the following command in global configuration mode:

    Command:  tacacs-server host name [single-connection] [port integer] [timeout integer] [key string]
    Purpose:  Specify a TACACS+ host.

Using the tacacs-server host command, you can also configure the following options:

    - single-connection: Maintain a single open TCP connection to the daemon for all AAA requests, instead of opening and closing a connection for every session. This is more efficient because the daemon handles a higher number of requests over one connection.
    - port integer: Specify the TCP port on which the daemon listens. The default is port 49, the port assigned to TACACS+.
    - timeout integer: Specify the time, in seconds, that the network access server waits for the daemon to respond before declaring an error and moving on to the next host or method. The default is 5 seconds.
    - key string: Specify the encryption key used for this host.


Note The daemon must support single-connection mode for this to be effective, otherwise the connection between the network access server and the daemon will lock up or you will receive spurious errors.

Note Specifying the timeout value with the tacacs-server host command overrides the default timeout value set with the tacacs-server timeout command for this server only.

Note Specifying the encryption key with the tacacs-server host command overrides the default key set by the global configuration tacacs-server key command for this server only.

Because some of the parameters of the tacacs-server host command override global settings made by the tacacs-server timeout and tacacs-server key commands, you can use this command to enhance security on your network by uniquely configuring individual TACACS+ connections.

Set the TACACS+ Authentication Key

To set the key used to authenticate and encrypt all traffic between the network access server and the TACACS+ daemon, use the following command in global configuration mode:

    Command:  tacacs-server key key
    Purpose:  Set the encryption key to match that used on the TACACS+ daemon.


Note You must configure the same key on the TACACS+ daemon for encryption to be successful. A mismatched key is not reported as such: the daemon cannot decode the request and the network access server cannot decode the reply, so the request is treated as an ERROR and the AAA method list moves on to the next method (for example, local).
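The login dialog described in the "TACACS+ Operation" section, together with the effect of the key set by tacacs-server key, as an added example in Python. This is not Cisco's code and not part of the original chapter; it assumes a constructed daemon user table (alice with password s3cret), a fixed port name and remote address, and the packet layouts of the TACACS+ draft (later published as RFC 8907). Both sides of the exchange run in one process over an in-memory "wire", so it runs offline.

```python
"""Added example, not Cisco's code: the ASCII-login dialog from "TACACS+ Operation"
run over an in-memory wire, with the MD5 pseudo-pad that the key set by "tacacs-server
key" drives. Layouts follow the TACACS+ draft (later RFC 8907); users are constructed."""
import hashlib, hmac, os, struct

TAC_PLUS_VERSION, TYPE_AUTHEN = 0xC0, 0x01   # major version 0xc, minor 0; AUTHEN packet
ACTION_LOGIN = AUTHEN_TYPE_ASCII = SERVICE_LOGIN = 0x01
# REPLY status: the NAS acts on PASS/FAIL/ERROR and keeps prompting on GETUSER/GETPASS
PASS, FAIL, GETUSER, GETPASS, ERROR = 0x01, 0x02, 0x04, 0x05, 0x07
USERS = {b"alice": b"s3cret"}                # constructed daemon user table


def pseudo_pad(session_id, seq_no, key, length):
    """pad_1 = MD5(session_id|key|version|seq_no), pad_n = MD5(same|pad_n-1), joined."""
    seed = struct.pack("!I", session_id) + key + bytes([TAC_PLUS_VERSION, seq_no])
    pad = prev = b""
    while len(pad) < length:
        prev = hashlib.md5(seed + prev).digest()
        pad += prev
    return pad[:length]


def obfuscate(body, session_id, seq_no, key):
    """XOR with the pad; applying it twice under the same key restores the body."""
    return bytes(b ^ p for b, p in zip(body, pseudo_pad(session_id, seq_no, key, len(body))))


def pack(seq_no, session_id, body, key):
    """12-byte cleartext header (version, type, seq_no, flags, session_id, length) + body."""
    hdr = struct.pack("!BBBBII", TAC_PLUS_VERSION, TYPE_AUTHEN, seq_no, 0, session_id, len(body))
    return hdr + obfuscate(body, session_id, seq_no, key)


def unpack(packet, key):
    """Return (seq_no, body). Only the header can be checked here: the body carries no MAC."""
    version, ptype, seq_no, _flags, session_id, length = struct.unpack("!BBBBII", packet[:12])
    if version != TAC_PLUS_VERSION or ptype != TYPE_AUTHEN or len(packet) != 12 + length:
        raise ValueError("malformed TACACS+ header")
    return seq_no, obfuscate(packet[12:], session_id, seq_no, key)


def _checked(fmt, body, lens):
    """Unpack a fixed body prefix and verify that its length fields (fields[lens]) add up
    to the body length: with a wrong key the body is random bytes and this check fails."""
    fields = struct.unpack(fmt, body[:struct.calcsize(fmt)])
    if struct.calcsize(fmt) + sum(fields[lens]) != len(body):
        raise ValueError("length fields disagree with body (key mismatch?)")
    return fields


def authen_start(port=b"tty1", rem_addr=b"192.0.2.10"):
    # user and data are empty: the daemon is asked to drive the prompts
    return struct.pack("!8B", ACTION_LOGIN, 1, AUTHEN_TYPE_ASCII, SERVICE_LOGIN,
                       0, len(port), len(rem_addr), 0) + port + rem_addr


def authen_continue(user_msg):
    return struct.pack("!HHB", len(user_msg), 0, 0) + user_msg


def authen_reply(status, server_msg=b"", noecho=False):
    return struct.pack("!BBHH", status, int(noecho), len(server_msg), 0) + server_msg


def daemon_step(body, seq_no, state):
    """Daemon state machine: keep asking until it holds a username and a password."""
    try:
        if seq_no == 1:  # START: action, priv_lvl, authen_type, service, four length bytes
            atype = _checked("!8B", body, slice(4, 8))[2]
            if atype != AUTHEN_TYPE_ASCII:
                return authen_reply(ERROR, b"unsupported authen_type")
            return authen_reply(GETUSER, b"Username: ")
        ulen = _checked("!HHB", body, slice(0, 2))[0]  # CONTINUE: user_msg_len, data_len, flags
        msg = body[5:5 + ulen]
    except (struct.error, ValueError):
        return authen_reply(ERROR, b"cannot parse body")
    if "user" not in state:
        state["user"] = msg
        return authen_reply(GETPASS, b"Password: ", noecho=True)
    expected = USERS.get(state["user"])
    return authen_reply(PASS if expected and hmac.compare_digest(expected, msg) else FAIL)


def ascii_login(username, password, nas_key, daemon_key, session_id=None):
    """Run START, GETUSER, CONTINUE(user), GETPASS, CONTINUE(password), PASS/FAIL and
    return the status the NAS ends with. An undecodable reply counts as ERROR, which is
    what lets a method list such as "tacacs+ local" move on to the next method."""
    if session_id is None:
        session_id = struct.unpack("!I", os.urandom(4))[0]
    state, seq = {}, 1
    wire = pack(seq, session_id, authen_start(), nas_key)
    for answer in (username, password, None):
        reply = daemon_step(unpack(wire, daemon_key)[1], seq, state)
        wire = pack(seq + 1, session_id, reply, daemon_key)
        try:  # REPLY: status, flags, server_msg_len, data_len
            status = _checked("!BBHH", unpack(wire, nas_key)[1], slice(2, 4))[0]
        except (struct.error, ValueError):
            return ERROR
        if status not in (GETUSER, GETPASS) or answer is None:
            return status
        seq += 2
        wire = pack(seq, session_id, authen_continue(answer), nas_key)
```

ascii_login(b"alice", b"s3cret", b"goaway", b"goaway") returns PASS, a wrong password returns FAIL, and ascii_login(b"alice", b"s3cret", b"goaway", b"apple") returns ERROR: with different keys on the two sides neither can decode the other's body, and the only symptom is that the length fields no longer add up, which is exactly why a key mismatch looks like a dead server from the network access server's point of view.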

Specify TACACS+ Authentication

After you have identified the TACACS+ daemon and defined an associated TACACS+ encryption key, you need to define method lists for TACACS+ authentication. Because TACACS+ authentication is operated via AAA, you need to issue the aaa authentication command, specifying TACACS+ as the authentication method. For more information, refer to the "Configuring Authentication" chapter.

Specify TACACS+ Authorization

AAA authorization enables you to set parameters that restrict a user's network access. Authorization via TACACS+ may be applied to commands, network connections, and EXEC sessions. Because TACACS+ authorization is facilitated through AAA, you need to issue the aaa authorization command, specifying TACACS+ as the authorization method. For more information, refer to the "Configuring Authorization" chapter.

Specify TACACS+ Accounting

AAA accounting enables you to track the services users are accessing as well as the amount of network resources they are consuming. Because TACACS+ accounting is facilitated through AAA, you need to issue the aaa accounting command, specifying TACACS+ as the accounting method. For more information, refer to the "Configuring Accounting" chapter.

TACACS+ AV Pairs

The network access server implements TACACS+ authorization and accounting functions by transmitting and receiving TACACS+ attribute-value (AV) pairs for each user session. For a list of supported TACACS+ AV pairs, refer to the "TACACS+ Attribute-Value Pairs" appendix.

TACACS+ Configuration Examples

TACACS+ configuration examples in this section include the following:

    - TACACS+ Authentication Examples
    - TACACS+ Authorization Example
    - TACACS+ Accounting Example
    - TACACS+ Daemon Configuration Example

TACACS+ Authentication Examples

The following example configures TACACS+ as the security protocol to be used for PPP authentication.

aaa new-model
aaa authentication ppp test tacacs+ local
tacacs-server host 10.1.2.3
tacacs-server key goaway
interface serial 0
  ppp authentication chap pap test

In this example:

    - aaa new-model enables the AAA security services; it must precede every other AAA and TACACS+ command.
    - aaa authentication ppp test tacacs+ local defines a method list named "test" for PPP authentication: the TACACS+ daemon is consulted first, and the local username database is used only if the daemon returns an ERROR (for example, it cannot be reached), never when it rejects the user.
    - tacacs-server host 10.1.2.3 identifies the daemon, and tacacs-server key goaway sets the shared key, which must match the key configured on the daemon.
    - ppp authentication chap pap test applies the "test" list to interface serial 0, negotiating CHAP first and falling back to PAP if the peer refuses CHAP.

The following example configures TACACS+ as the security protocol to be used for PPP authentication, but uses the method list "default" instead of the method list "test":

aaa new-model
aaa authentication ppp default if-needed tacacs+ local
tacacs-server host 10.1.2.3
tacacs-server key goaway
interface serial 0
  ppp authentication chap pap default

In this example:

    - aaa authentication ppp default if-needed tacacs+ local defines the "default" method list, which applies to every interface that does not name its own list. The if-needed keyword skips authentication for users who have already been authenticated on a TTY line (for example, through an EXEC login before starting PPP).
    - ppp authentication chap pap default on interface serial 0 selects the default list explicitly; the same list would apply if no list name were given. The ppp authentication command always requires at least one protocol keyword (chap, pap, or both), so the list name alone is not accepted.

The following example creates the same authentication algorithm for PAP but calls the method list "MIS-access" instead of "default":

aaa new-model
aaa authentication ppp MIS-access if-needed tacacs+ local
tacacs-server host 10.1.2.3
tacacs-server key goaway
interface serial 0
  ppp authentication pap MIS-access

In this example:

    - aaa authentication ppp MIS-access if-needed tacacs+ local defines a named list, "MIS-access", with the same method sequence as the default list in the previous example. (The list is created with the ppp keyword; there is no separate pap keyword for the aaa authentication command, because PAP and CHAP are both PPP authentication protocols selected on the interface.)
    - ppp authentication pap MIS-access applies that list to interface serial 0 and restricts the interface to PAP. With PAP the peer's password crosses the link in the clear and reaches the daemon in the START packet rather than through a prompt dialog, so prefer CHAP wherever the peer supports it.

The following example configures the network access server to use a TACACS+ daemon with an IP address of 10.2.3.4 and an encryption key of "apple" for all logins:

aaa new-model
aaa authentication login default tacacs+ local
tacacs-server host 10.2.3.4
tacacs-server key apple

In this example:

    - aaa authentication login default tacacs+ local defines the default login method list, which applies to every line (console, auxiliary, and vty) that does not name its own list: the daemon is consulted first, and the local username database is used only if the daemon cannot be reached or returns an error.
    - tacacs-server host 10.2.3.4 and tacacs-server key apple identify the daemon and the shared key. Make sure a local username exists before relying on the local fallback, or loss of the daemon will lock administrators out.

TACACS+ Authorization Example

The following example configures TACACS+ as the security protocol to be used for PPP authentication using the default method list, and configures network authorization via TACACS+:

aaa new-model
aaa authentication ppp default if-needed tacacs+ local
aaa authorization network tacacs+
tacacs-server host 10.1.2.3
tacacs-server key goaway
interface serial 0
  ppp authentication chap pap default

In this example:

    - aaa authorization network tacacs+ requires authorization from the TACACS+ daemon for all network-related service requests (PPP, SLIP, and ARA). After a successful PPP authentication, the network access server sends the daemon an authorization request carrying AV pairs such as service=ppp and protocol=ip, and the daemon's ACCEPT reply returns the attributes (for example, input access lists) that govern the session.
    - The remaining commands are the same as in the PPP authentication example that uses the default method list.

TACACS+ Accounting Example

The following example configures TACACS+ as the security protocol to be used for PPP authentication using the default method list, and configures accounting via TACACS+:

aaa new-model
aaa authentication ppp default if-needed tacacs+ local
aaa accounting network stop-only tacacs+
tacacs-server host 10.1.2.3
tacacs-server key goaway
interface serial 0
  ppp authentication chap pap default

In this example:

    - aaa accounting network stop-only tacacs+ sends an accounting record to the TACACS+ daemon when each network session (PPP, SLIP, or ARA) ends. With stop-only no start record is sent, so the daemon logs only sessions that terminate; use start-stop when the accounting trail must also show sessions that were started but never cleanly ended.
    - The remaining commands are the same as in the PPP authentication example that uses the default method list.

TACACS+ Daemon Configuration Example

The following example shows a sample configuration of the TACACS+ daemon. The precise syntax used by your TACACS+ daemon may be different than that included in this example.

user = mci_customer1 {
    chap = cleartext "some chap password"
    service = ppp protocol = ip {
        inacl#1="permit ip any any precedence immediate"
        inacl#2="deny igrp 0.0.1.2 255.255.0.0 any"
    }
}
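How the AV pairs from a daemon stanza like the one above reach the network access server, as an added example in Python that also illustrates the "TACACS+ AV Pairs" section. This is not Cisco's code and not the daemon's own implementation; it encodes and parses the authorization REQUEST and RESPONSE bodies defined in the TACACS+ draft (later RFC 8907), leaves out the packet header and body obfuscation, and uses a constructed policy table that mirrors the mci_customer1 stanza. The port name Async1, the CHAP authen_type, and the handling of unrecognised mandatory attributes are assumptions of this example.

```python
"""Added example, not Cisco's or any daemon's code: how the AV pairs from the daemon
configuration above reach the network access server in a TACACS+ authorization
exchange. Bodies follow the TACACS+ draft (later RFC 8907); the packet header and
body obfuscation are omitted. The policy table mirrors the sample daemon stanza."""
import struct

AUTHEN_METH_TACACSPLUS, AUTHEN_TYPE_CHAP, SERVICE_PPP = 0x06, 0x03, 0x03
PASS_ADD, PASS_REPL, AUTHOR_FAIL = 0x01, 0x02, 0x10   # RESPONSE status values

# Constructed daemon policy mirroring "user = mci_customer1": (user, service, protocol)
# -> AV pairs returned on ACCEPT. The inacl#n entries are the AV pairs for input ACLs.
POLICY = {
    (b"mci_customer1", b"ppp", b"ip"): [
        b"inacl#1=permit ip any any precedence immediate",
        b"inacl#2=deny igrp 0.0.1.2 255.255.0.0 any",
    ],
}


def split_av(av):
    """'attr=value' is mandatory, 'attr*value' optional; the first separator wins."""
    for i, c in enumerate(av):
        if c in b"=*":
            return av[:i], av[i + 1:], c == ord("=")
    raise ValueError("AV pair without separator: %r" % av)


def author_request(user, args, port=b"Async1", rem_addr=b"", priv_lvl=1):
    """REQUEST body: 8 fixed bytes, one length byte per argument, then the strings."""
    if len(args) > 255 or any(len(a) > 255 for a in args):
        raise ValueError("too many or too long arguments")
    head = struct.pack("!8B", AUTHEN_METH_TACACSPLUS, priv_lvl, AUTHEN_TYPE_CHAP, SERVICE_PPP,
                       len(user), len(port), len(rem_addr), len(args))
    return head + bytes(len(a) for a in args) + user + port + rem_addr + b"".join(args)


def parse_request(body):
    _meth, _priv, _atype, _svc, ulen, plen, rlen, argc = struct.unpack("!8B", body[:8])
    arg_lens, off = list(body[8:8 + argc]), 8 + argc
    if off + ulen + plen + rlen + sum(arg_lens) != len(body):
        raise ValueError("REQUEST length fields disagree with body")
    user, off = body[off:off + ulen], off + ulen
    port, off = body[off:off + plen], off + plen
    rem_addr, off = body[off:off + rlen], off + rlen
    args = []
    for n in arg_lens:
        args.append(body[off:off + n])
        off += n
    return user, port, rem_addr, args


def author_response(status, args=(), server_msg=b""):
    """RESPONSE body: status, arg_cnt, server_msg_len, data_len, arg lengths, strings."""
    head = struct.pack("!BBHH", status, len(args), len(server_msg), 0)
    return head + bytes(len(a) for a in args) + server_msg + b"".join(args)


def parse_response(body):
    status, argc, slen, dlen = struct.unpack("!BBHH", body[:6])
    arg_lens, off = list(body[6:6 + argc]), 6 + argc
    if off + slen + dlen + sum(arg_lens) != len(body):
        raise ValueError("RESPONSE length fields disagree with body")
    server_msg, off = body[off:off + slen], off + slen + dlen
    args = []
    for n in arg_lens:
        args.append(body[off:off + n])
        off += n
    return status, server_msg, args


def daemon_authorize(request_body):
    """Daemon side: look the (user, service, protocol) triple up in POLICY."""
    user, _port, _rem, args = parse_request(request_body)
    attrs = {}
    for av in args:
        name, value, mandatory = split_av(av)
        if mandatory and name not in (b"service", b"protocol"):
            # refuse rather than silently ignore a mandatory attribute this policy cannot honour
            return author_response(AUTHOR_FAIL, server_msg=b"unsupported attribute " + name)
        attrs[name] = value
    key = (user, attrs.get(b"service"), attrs.get(b"protocol"))
    if key not in POLICY:
        return author_response(AUTHOR_FAIL, server_msg=b"service not permitted")
    # PASS_ADD: the NAS keeps what it asked for and adds the daemon's attributes
    return author_response(PASS_ADD, POLICY[key])


def nas_authorize(user, requested):
    """NAS side: send the REQUEST and merge the RESPONSE into the session attributes.
    Returns (authorized, attributes); on FAIL the session gets no network service."""
    status, _msg, args = parse_response(daemon_authorize(author_request(user, requested)))
    if status == PASS_ADD:
        return True, list(requested) + args
    if status == PASS_REPL:      # daemon replaced the whole attribute set
        return True, args
    return False, []
```

nas_authorize(b"mci_customer1", [b"service=ppp", b"protocol=ip"]) returns the two requested pairs followed by the two inacl entries, which is the data the network access server turns into the per-user input access list; a request for protocol=ipx, or one carrying a mandatory attribute the policy does not cover, fails.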


Copyright 1989-1998 © Cisco Systems Inc.