Chapter 9 Configuring Switch-Based Authentication

Controlling Switch Access with TACACS+

•Configuring TACACS+ Authorization for Privileged EXEC Access and Network Services, page 9-16

•Starting TACACS+ Accounting, page 9-17

Default TACACS+ Configuration

TACACS+ and AAA are disabled by default.

To prevent a lapse in security, you cannot configure TACACS+ through a network management application. When enabled, TACACS+ can authenticate users accessing the switch through the CLI.

Note Although TACACS+ configuration is performed through the CLI, the TACACS+ server authenticates HTTP connections that have been configured with a privilege level of 15.

Identifying the TACACS+ Server Host and Setting the Authentication Key

You can configure the switch to use a single server or AAA server groups to group existing server hosts for authentication. You can group servers to select a subset of the configured server hosts and use them for a particular service. The server group is used with a global server-host list and contains the list of IP addresses of the selected server hosts.

Beginning in privileged EXEC mode, follow these steps to identify the IP host or host maintaining TACACS+ server and optionally set the encryption key:

 

 

Command

Purpose

 

 

Step 1

 

 

 

 

configure terminal

Enter global configuration mode.

 

 

Step 2

 

 

 

 

tacacs-server host hostname [port

Identify the IP host or hosts maintaining a TACACS+ server. Enter this

 

 

 

integer] [timeout integer] [key string]

command multiple times to create a list of preferred hosts. The software

 

 

 

 

searches for hosts in the order in which you specify them.

 

 

 

 

• For hostname, specify the name or IP address of the host.

 

 

 

 

• (Optional) For port integer, specify a server port number. The default

 

 

 

 

is port 49. The range is 1 to 65535.

 

 

 

 

• (Optional) For timeout integer, specify a time in seconds the switch

 

 

 

 

waits for a response from the daemon before it times out and declares

 

 

 

 

an error. The default is 5 seconds. The range is 1 to 1000 seconds.

 

 

 

 

• (Optional) For key string, specify the encryption key for encrypting

 

 

 

 

and decrypting all traffic between the switch and the TACACS+

 

 

 

 

daemon. You must configure the same key on the TACACS+ daemon

 

 

 

 

for encryption to be successful.

 

 

Step 3

 

 

 

 

aaa new-model

Enable AAA.

 

 

Step 4

 

 

 

 

aaa group server tacacs+ group-name

(Optional) Define the AAA server-group with a group name.

 

 

 

 

This command puts the switch in a server group subconfiguration mode.

 

 

Step 5

 

 

 

 

server ip-address

(Optional) Associate a particular TACACS+ server with the defined server

 

 

 

 

group. Repeat this step for each TACACS+ server in the AAA server

 

 

 

 

group.

 

 

 

 

Each server in the group must be previously defined in Step 2.

 

 

 

 

 

 

 

 

 

 

 

Catalyst 3750-E and 3560-E Switch Software Configuration Guide

 

 

 

 

 

 

 

 

 

 

 

 

 

 

 

OL-9775-02

 

 

9-13

 

 

 

 

 

Page 215
Image 215
Cisco Systems 3750E manual Default TACACS+ Configuration, Tacacs-server host hostname port, Aaa new-model