TACACS+ Authentication
10 Jul 2024

Notes:
To enable TACACS+ mode, in which user authentication is restricted to TACACS+ only, enter the following commands (c t is the abbreviated form of configure terminal):

c t 
tacacs-server host 192.168.1.109 auth-port 1812 timeout 10 retransmit 3 key testing123 
login authentication tacacs
end

To enable Strict TACACS+-Local mode, in which authentication is attempted through TACACS+ first and falls back to the local user database only if the TACACS+ server is no longer reachable, enter the following commands:

c t 
tacacs-server host 192.168.1.109 auth-port 1812 timeout 10 retransmit 3 key testing123 
login authentication tacacs local
end


Configuring TACACS+ Client for Remote Login Authentication

Configuration Guidelines

  1. Configure the TACACS+ server before configuring TACACS+ features on the NAS.
  2. To establish communication with the TACACS+ server, configure the server IP address and the secret key. The same secret key must be configured on both the client and the server; it is what allows the two to communicate.
  3. The authentication method must be explicitly specified as TACACS.


Note: To log in, enter your username (default is root) and password (default is admin123).

Default Configurations

Feature                        Default Setting
tacacs-server timeout          5 seconds
tacacs-server encryption key   Accedian
login authentication           Local

Configuration Steps

At NAS:

  1. Execute the following commands to configure the TACACS+ client with server-specific parameters such as host, timeout, and key.

Enter the Global Configuration mode.

Your Product# configure terminal

Configure the tacacs-server host.

Your Product(config)# tacacs-server host 13.0.0.20 timeout 6 key AccedianTacacs

Configure the router to use TACACS+ for authentication at the login prompt.

Your Product(config)# login authentication tacacs

Exit from the Global Configuration mode.

Your Product(config)# end

Configure the active server; this server is used for authentication, and any other configured servers act as backups. The second command below adds an IPv6 server that serves as a backup.

Your Product(config)# tacacs use-server address 13.0.0.20
Your Product(config)# tacacs-server host 2003::1 timeout 6 key Accedian

  2. View the server-specific configurations and TACACS+ statistics by executing the following show command.
Your Product# show tacacs

Server : 1
Server address : 13.0.0.20
Address Type : IPV4
Single Connection : no
TCP port : 49
Timeout : 6
Secret Key :
Server : 2
Server address : 2003::1
Address Type : IPV6
Single Connection : no
TCP port : 4949
Timeout : 6
Secret Key :
Active Server address: 13.0.0.20
Authen. Starts sent : 0
Authen. Continues sent : 0
Authen. Enables sent : 0
Authen. Aborts sent : 0
Authen. Pass rvcd. : 0
Authen. Fails rcvd. : 0
Authen. Get User rcvd. : 0
Authen. Get Pass rcvd. : 0
Authen. Get Data rcvd. : 0
Authen. Errors rcvd. : 0
Authen. Follows rcvd. : 0
Authen. Restart rcvd. : 0
Authen. Sess. timeouts : 0
Author. Requests sent : 0
Author. Pass Add rcvd. : 0
Author. Pass Repl rcvd : 0
Author. Fails rcvd. : 0
Author. Errors rcvd. : 0
Author Follows rcvd. : 0
Author. Sess. timeouts : 0
Acct. start reqs. sent : 0
Acct. WD reqs. sent : 0
Acct. Stop reqs. sent : 0
Acct. Success rcvd. : 0

Acct. Errors rcvd. : 0
Acct. Follows rcvd. : 0
Acct. Sess. timeouts : 0
Malformed Pkts. rcvd. : 0
Socket failures : 0
Connection failures : 0

  3. View the system information by executing the following command.
Your Product# show system information

Hardware Version : 5.2.4
Firmware Version : 5.0.0.0
Switch Name : ISS
System Contact : info@accedian.com
System Location : ACCEDIAN
Logging Option : Console Logging
Login Authentication Mode : Remote
Config Save Status : Not Initiated
Remote Save Status : Not Initiated
Config Restore Status : Not Initiated

At TACACS-Server:

Tac_plus is the TACACS+ daemon. Build tac_plus on the Linux machine onto which the TACACS+ source has been downloaded.

Tac_plus is configured through a single configuration file.

The following example illustrates a sample configuration of the TACACS+ daemon using the file usrcfg.

Include the following lines in the file usrcfg to allow a user named iss with the password admin123 and PAP as the authentication type. The key must match the one configured on the NAS with the tacacs-server host command.

key = AccedianTacacs
user = iss {
pap = cleartext "admin123"
}

Run the daemon as root to start the TACACS+ server.

# ./tac_plus -C usrcfg

At Host:

Telnet to the router from the host.

#telnet 20.0.0.1
Accedian Intelligent Switch Solution
ISS: login: iss
Password: admin123
Your Product>

The packet flow between the host, TACACS+ Client, and the TACACS+ Server is illustrated below.
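After the NAS has been configured, the show tacacs listing above is the place to verify the result. The following script is an added example, not Accedian's or Cisco's tooling: it parses that listing into per-server settings and global counters and flags what a reviewer would question (an active server that is not configured, a TCP port other than the TACACS+ default 49, or a non-zero transport or malformed-packet counter). The sample input is constructed in the article's layout, with the connection-failure counter set to a non-zero value so that the check has something to report.

```python
# Constructed sample in the layout of the article's 'show tacacs' listing;
# 'Connection failures' is set to 2 so that the check below flags something.
SAMPLE = """\
Server : 1
Server address : 13.0.0.20
TCP port : 49
Secret Key :
Server : 2
Server address : 2003::1
TCP port : 4949
Secret Key :
Active Server address: 13.0.0.20
Authen. Fails rcvd. : 1
Malformed Pkts. rcvd. : 0
Socket failures : 0
Connection failures : 2
"""

def parse_show_tacacs(text):
    """Return (servers, counters): one dict per 'Server : N' block plus the globals."""
    servers, counters, in_server = [], {}, False
    for line in text.splitlines():
        name, sep, value = line.partition(":")  # first colon only: keeps IPv6 intact
        if not sep:
            continue
        name, value = name.strip(), value.strip()
        if name == "Server":                    # start of a per-server block
            servers.append({})
            in_server = True
        elif name.startswith("Active Server"):  # first global line ends the blocks
            in_server = False
        if in_server and name != "Server":
            servers[-1][name] = value
        elif not in_server:
            counters[name] = int(value) if value.isdigit() else value
    return servers, counters

def check_tacacs(servers, counters, expected_port=49):
    """Findings: unknown active server, non-default TCP port, non-zero failure counters."""
    findings = []
    active = counters.get("Active Server address")
    if not any(s.get("Server address") == active for s in servers):
        findings.append("active server %s is not a configured server" % active)
    for s in servers:
        if s.get("TCP port") != str(expected_port):
            findings.append("%s: TCP port %s is not %d" % (s["Server address"], s["TCP port"], expected_port))
    for name in ("Connection failures", "Socket failures", "Malformed Pkts. rcvd."):
        if counters.get(name, 0) > 0:
            findings.append("%s = %d" % (name, counters[name]))
    return findings
```

Run check_tacacs(*parse_show_tacacs(SAMPLE)) to get the findings; on the sample it reports the 4949 port on the IPv6 server and the two connection failures.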

© 2024 Cisco and/or its affiliates. All rights reserved.