AAA: Working with TACACS+ and RADIUS

by Cyrus Lok on Sunday, December 13, 2009 at 8:43pm

I shall show you how to create a local user database within your router. It can be used as a backup in case TACACS+, RADIUS, or both are down and you are locked out of your router because there’s no other authentication method available.

cyrus(config)#username testaccount privilege ?
<0-15> User privilege level

0 is the user mode and 15 is the global configuration user mode; you gain full access to and control of a router if your username is created as a privilege 15 account.

1 – 14 are customizable user accounts.

If you want to get your SDM to work with your router, you need to create a user account of privilege 15.

cyrus(config)#username testaccount privilege 15 ?
aaa AAA directive
access-class Restrict access by access-class
autocommand Automatically issue a command after the user logs in
callback-dialstring Callback dialstring
callback-line Associate a specific line with this callback
callback-rotary Associate a rotary group with this callback
dnis Do not require password when obtained via DNIS
nocallback-verify Do not require authentication after callback
noescape Prevent the user from using an escape character
nohangup Do not disconnect after an automatic command
nopassword No password is required for the user to log in
one-time Specify that the username/password is valid for only one
password Specify the password for the user
privilege Set user privilege level
secret Specify the secret for the user
user-maxlinks Limit the user’s number of inbound links
view Set view name

You can use password to configure the password for the privilege 15 account, or you can use secret. If you use password, the password will be in clear text. If you use secret, your clear text password will be hashed with the MD5 algorithm.

cyrus(config)#username testaccount privilege 15 secret ?
0 Specifies an UNENCRYPTED secret will follow
5 Specifies a HIDDEN secret will follow
LINE The UNENCRYPTED (cleartext) user secret

You can explicitly define your secret as clear text (before hashing) by using 0, or you can supply an already hashed password (the result of MD5-hashing the password) by using 5. Do note that if you use secret 5, you need to provide the hashed password instead of the clear text password.
It is easier to just use this:

cyrus(config)#username testaccount privilege 15 secret test

TACACS+ is not free; you can download a 90 evaluation copy from Cisco using a CCO account.
Packet Tracer is able to simulate the basics of TACACS, but not all of it. Unlike RADIUS, TACACS has more control over authentication, authorisation and accounting: each of these aspects can be a different instance, whereas a RADIUS login is inclusive of authentication and authorisation. If you only need to authenticate, use RADIUS to save cost, as it is a free service.

RADIUS: udp 1645 (default) or udp 1812

Setting up a router to talk with TACACS+
In this example, my TACACS+ server host ip address is

cyrus(config)#tacacs-server host <cr>

Now I have told my router how to find the TACACS+ server.

I need to tell my router the secret (key) to use for the TACACS server.

In this example I will use “cisco” as my key.

The TACACS server (CiscoSecure ACS server software) should have a secret identical to my router's. Let’s assume my TACACS server has been set up with the secret “cisco”. Hence, in order for my router to talk to the TACACS+ server, my router will have to use “cisco” as its key.

cyrus(config)#tacacs-server key cisco

Now the router has the information on how to find the TACACS+ server as well as how to talk to it.

Now let’s move on to AAA to use TACACS+ as a primary authentication method.

From global configuration mode:

cyrus(config)#aaa new-model

Once this command is entered, all your old authentication methods become invalid, so do not happily copy run start and reload your router, or you will be locked out of the router!

We need to tell the router the method to use for authentication:

cyrus(config)#aaa authentication login ?
WORD Named authentication list.
default The default authentication list.

Now we have two ways of telling the router how to authenticate: the first is a user-defined method, the second is the default method used by my router.

cyrus(config)#aaa authentication login LOGIN_ACS ?
enable Use enable password for authentication.
group Use Server-group
line Use line password for authentication.
local Use local username authentication.
local-case Use case-sensitive local username authentication.
none NO authentication.
passwd-expiry enable the login list to provide password aging support

OK, I have created a user-defined method and named it LOGIN_ACS. In this method I will include TACACS+ as my primary authentication method and local as my secondary authentication method, in case the TACACS+ server is down due to some other reason (it could be a DDoS…omg….)

I can also define TACACS+ as my primary; if the TACACS+ server fails, it can fall back to RADIUS, and if RADIUS fails, it can fall back to the local username database.

cyrus(config)#aaa authentication login LOGIN_ACS group tacacs+ group radius local

This LOGIN_ACS method contains 3 authentication methods: it will look for TACACS+; if this fails, it looks for RADIUS; if this fails, it looks for the local username database as your last resort. There is another method, however; look at this:

cyrus(config)#aaa authentication login LOGIN_ACS group tacacs+ group radius ?
enable Use enable password for authentication.
group Use Server-group
line Use line password for authentication.
local Use local username authentication.
local-case Use case-sensitive local username authentication.
none NO authentication.

The none method allows you to log in to the router without AUTHENTICATION. Is this useful?

Some people use this as a method for the console port; their argument is that there is no need to authenticate the console port at all, as anyone can do a password recovery once they connect a computer to the router using a rollover cable.

Because the aaa new-model command has been entered, none of the old authentication methods can be used; you have to use aaa authentication commands to authenticate your console port and virtual terminal lines.

The above LOGIN_ACS method has only been created but not applied yet.

Let’s apply this method to our virtual terminal lines.

cyrus(config)#line vty 0 4

Because I have enabled aaa new-model, the old authentication method learned in CCNA cannot be used anymore.

% Incomplete command.

cyrus(config-line)#login ?
authentication Authentication parameters.
ctrlc-disable Disable CONTROL-C during login.

cyrus(config-line)#login authentication ?
WORD Use an authentication list with this name.
default Use the default authentication list.

I will apply LOGIN_ACS to my vty 0 4 lines:
cyrus(config-line)#login authentication LOGIN_ACS

I will create another method for no login; this will be applied to my console 0.

cyrus(config)#aaa authentication login NO_LOGIN none

cyrus(config)#line console 0
cyrus(config-line)#login authentication NO_LOGIN
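
An added example, not part of the original post: a small Python audit of a saved configuration that flags the login settings discussed above for review (a user stored with password instead of secret, a line whose method list uses none or has no local fallback, and a line that references a list that was never defined). The sample configuration is constructed from the post's commands; the user oldadmin and the list LOGIN_AUX are hypothetical and exist only to trigger findings.

```python
# Constructed sample: the commands from this post, plus two hypothetical
# entries (user "oldadmin", list "LOGIN_AUX") added to trigger findings.
SAMPLE_CONFIG = """\
username testaccount privilege 15 secret test
username oldadmin privilege 15 password test
aaa new-model
aaa authentication login LOGIN_ACS group tacacs+ group radius local
aaa authentication login NO_LOGIN none
line console 0
 login authentication NO_LOGIN
line vty 0 4
 login authentication LOGIN_ACS
line aux 0
 login authentication LOGIN_AUX
"""

def audit(config):
    """Return (subject, finding) tuples for AAA login settings."""
    findings, lists, applied = [], {}, []
    has_secret_user, line = False, None
    if "aaa new-model" not in map(str.strip, config.splitlines()):
        findings.append(("global", "aaa new-model is not enabled"))
    for words in (raw.split() for raw in config.splitlines()):
        if words[:1] == ["username"]:
            kind = next((w for w in words[2:] if w in ("secret", "password")), None)
            if kind == "secret":
                has_secret_user = True
            elif kind == "password":
                findings.append((words[1], "stored with password, not secret"))
        elif words[:3] == ["aaa", "authentication", "login"]:
            lists[words[3]] = [w for w in words[4:] if w != "group"]
        elif words[:1] == ["line"]:
            line = " ".join(words[1:])
        elif words[:2] == ["login", "authentication"] and line:
            applied.append((line, words[2]))
    for line, name in applied:  # evaluate once every list has been seen
        methods = lists.get(name)
        if methods is None:
            findings.append((line, f"method list {name} is not defined"))
        elif "none" in methods:
            findings.append((line, f"{name} allows login without authentication"))
        elif not {"local", "local-case"} & set(methods):
            findings.append((line, f"{name} has no local fallback"))
        elif not has_secret_user:
            findings.append((line, f"{name} uses local but no user has a secret"))
    return findings

for subject, finding in audit(SAMPLE_CONFIG):
    print(f"{subject}: {finding}")
```
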

