Tek-Tips is the largest IT community on the Internet today!

Members share and learn making Tek-Tips Forums the best source of peer-reviewed technical information on the Internet!

Register Log in
  • Congratulations Mike Lewis on being selected by the Tek-Tips community for having the most helpful posts in the forums last week. Way to Go!

Configuring TACACS server 1

Status
Not open for further replies.
Almin

Almin

Technical User
Mar 1, 2010
137
US
Hi All,

I was given a task at work to configure tacacs authentication server for our network devices (cisco routers and switches) but I have no idea where to start. I was given access to a 2008 Windows Server Enterprise edition R2 and told that I have to make it work. Does anyone have any documentation on how to do this on the box like this? I have the cisco stuff already pre-configured but there is no tacacs server in place to work with this.

Any help would be much appreciated

Thank you
 
Sort by date Sort by votes
You need to get a TACACS server.... CiscoSecure ACS is the actual software however there are alternative makers of TACACS server applications (google).
You say you already have the Cisco equipment configured for TACACS - however as you don't have a TACACS server how do you know this will work? It doesn't sound like you have done any testing?
TACACS can be very simple if you just want to use it for Authentication, however if you just want authentication then I would use the free RADIUS implementation in Windows Server (IAS or NPS depending on 2003/2008) as you already have that and it fits in easier with an AD network. TACACS offers much more so you should google what it does offer.

Andy
 
Upvote 0 Downvote
Andy,

Thanks for the reply. I have found a couple free versions of TACACS+ servers that might work. Since our budget is low for IT this year I probably would get turned down for requesting ACS. I have not applied any configuration changes on the cisco equipment but have it scripted out once I get a server in place. I am not a MS Server guy so I wont know anything about how to make this work with RADIUS and unfortinatly no one does know here.

Thanks again
 
Upvote 0 Downvote
Radius on MS (IAS or NPS) is easy. There are lots of guides out there and probably here on tek-tips. Its also free and part of the OS if you have windows server. There are some differences between Windows Standard & Enterprise in the amount of Radius clients you can have (Standard is limited to 50, Enterprise has no restrictions plus you can create a wildcard client so you don't have to add each router or switch).
I use IAS to authenticate Cisco Terminal Users (what you are looking for) as well as VPN users, 802.1x Wired & Wireless clients, CiscoWorks & some other Management apps that have a Radius authentication client.
The configuration on the Cisco kit is very similar to TACACS. The one big difference is Command Authorisation - with TACACS you can authorise each command and create lists of commands that users can/can't use (or at least you can with Cisco ACS). For this kind of behaviour with terminal access to IOS I assign a privilege level to the client on connection via a VSA, so SuperUsers get Privilege 15 and lesser users get 0. I do this using Windows Group membership and checking for this with the RADIUS policy.

Andy
 
Upvote 0 Downvote
Andy,

Im starting to thing that I should be looking into IAS as well. To be honest with you we currently only have half dozen people that are allowed to touch the network. Right now we are all using one username and password to meke any changes on any given cisco switch, router, firewall on about 300 + devices. We need something centralized so we have seperate usernames so we can tell who made the change to what device. I will look for some documentation how to set that up on the cisco devices and on the MS server. If you have any helpfull links that can help me could you please send me some. I will google to see i I can come up with anything.

Thank you
Almin
 
Upvote 0 Downvote
If you dont mind me asking how does your config look like for the cisco router. I wasnt able to find any documentation how that would be configured on the cisco side. Maybe I am not looking for the right thing.

Thank you very much!!!
 
Upvote 0 Downvote
This is the configuration from a 3560 switch - obviously I have changed the IP addresses and the keys:
Code: 
!
enable secret enable-secret
!
username admin password password
aaa new-model
!
radius-server attribute 32 include-in-access-req format %h
radius-server attribute 32 include-in-accounting-req format %h
radius-server dead-criteria tries 3
radius-server host 1.1.1.1 auth-port 1812 acct-port 1813 key RADIUS-KEY
radius-server host 1.1.1.2 auth-port 1812 acct-port 1813 key RADIUS-KEY
radius-server retry method reorder
!
aaa group server radius Radius-Servers
 server 1.1.1.1 auth-port 1812 acct-port 1813
 server 1.1.1.2 auth-port 1812 acct-port 1813
 ip radius source-interface Loopback0
!
aaa authentication login default group Radius-Servers local line
aaa authentication enable default group Radius-Servers enable
aaa authentication dot1x default group Radius-Servers
aaa authorization console
aaa authorization exec default group Radius-Servers if-authenticated
aaa authorization network default group Radius-Servers
aaa accounting dot1x default
 action-type start-stop
 group Radius-Servers
!
aaa accounting exec default
 action-type start-stop
 group Radius-Servers
!
aaa accounting network default
 action-type start-stop
 group Radius-Servers
!
aaa accounting system default
 action-type start-stop
 group Radius-Servers
!

On my VPN router I have some PPP Authentication & Network Authorisation stuff in there as well.

I have several policies on the IAS servers that check for different conditions to trigger the policy - i.e. NAS-Port-Type so I can differentiate between WiFi, wired 802.1x, VPN and Terminal access. For example my Wired 802.1x policy looks for NAS-Port-Type=Ethernet AND Service-Type=Framed AND Authentication-Type=EAP. My Cisco Terminal Access policy looks for Windows-Group=DOMAIN\Cisco Terminal User AND NAS-Port-Type=Async (modem) or Virtual AND Authentication-Type=PAP.
The policies also contain timeouts and AV pairs to get things like privilege levels pushed down (aaa authorisation exec).

HTH
Andy
 
Upvote 0 Downvote
Thanks for the base config!!!

So quick question... are your usernames and passwords configured on the IAS Server? Our version of Server does not have IAS but I heard it has been replaced with NSP. I just have to figure out where to start.
 
Upvote 0 Downvote
The usernames and passwords are in AD - IAS (or NPS - Network Policy Server, Windows 2008's RADIUS server) references the AD database. If it is a standalone server (i.e. not a domain member) then you can use local accounts, but they are just that - normal Windows User Accounts. My IAS server is a domain member so is configured to look in AD for users (well not actually configured it just does it by default).

Andy
 
Upvote 0 Downvote
Status
Not open for further replies.

Similar threads

MaioMaio
  • Locked
  • Question
Server Remote Desktop License
Replies
0
Views
233
MaioMaio
MaioMaio
Aquiles Vidal
  • Locked
  • Question
Web Browsers in Windows Server or Terminal Server
Replies
0
Views
290
Aquiles Vidal
Aquiles Vidal
rzammit82
  • Locked
  • Question
Windows Server 2016 - DNS/AD problem
Replies
1
Views
342
suncit
suncit
antonio_dsanchez
  • Locked
  • Question
post-installation WSUS windows server 2016
Replies
0
Views
240
antonio_dsanchez
antonio_dsanchez
jamescpp
  • Locked
  • Question
Windos OpenSSH server vulnerability
Replies
0
Views
277
jamescpp
jamescpp

Part and Inventory Search

Sponsor

Back
Top