TACACS+ brief introduction
1. Utilizes TCP 49.
2. Encrypts the entire packet.
3. Separates authentication, authorization and accounting.
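To make point 2 concrete, here is an added worked example (not code from the original post) of how TACACS+ protects the packet body as specified in RFC 8907: the 12-byte header travels in the clear, while the body is XORed with a key stream derived from the session id, the shared secret, the version and the sequence number by chained MD5. The user name, port, remote address, password and session id below are constructed sample values; the shared secret "cisco" is the same key used in the ASA configuration later on this page. The example shows that the password inside a PAP START body is not visible on the wire, that only a peer holding the shared secret recovers the body, and that a packet carrying the deprecated unencrypted flag should be refused by default.

```python
"""Worked example of the TACACS+ body obfuscation from RFC 8907 (section 4.5).

Added illustration, not code from the original post. The header layout, the
chained-MD5 key stream and the XOR of the body follow the RFC; the user, port,
address, password and session id are constructed sample values, and the shared
secret "cisco" matches the key in the ASA config shown later on this page.
"""
import hashlib
import struct

HEADER_FMT = "!BBBBII"                      # version, type, seq_no, flags, session_id, length
HEADER_LEN = struct.calcsize(HEADER_FMT)    # 12 bytes, always sent in the clear
TAC_PLUS_AUTHEN = 0x01
TAC_PLUS_UNENCRYPTED_FLAG = 0x01
TAC_PLUS_VERSION = 0xC0                     # major version 0xC, minor version 0 (default)


def tacacs_pad(session_id: int, key: bytes, version: int, seq_no: int, length: int) -> bytes:
    """Key stream: MD5(session_id|key|version|seq_no), then MD5 of the same input
    followed by the previous digest, repeated until `length` bytes are available."""
    base = struct.pack("!I", session_id) + key + bytes([version, seq_no])
    pad, prev = b"", b""
    while len(pad) < length:
        prev = hashlib.md5(base + prev).digest()
        pad += prev
    return pad[:length]


def xor_body(body: bytes, session_id: int, key: bytes, version: int, seq_no: int) -> bytes:
    """Obfuscation and de-obfuscation are the same XOR with the key stream."""
    pad = tacacs_pad(session_id, key, version, seq_no, len(body))
    return bytes(b ^ p for b, p in zip(body, pad))


def authen_start_body(user: bytes, port: bytes, rem_addr: bytes, data: bytes,
                      action: int = 1, priv_lvl: int = 1,
                      authen_type: int = 2, service: int = 1) -> bytes:
    """Authentication START body (RFC 8907 section 5.1). Defaults: action LOGIN,
    authen_type PAP, service LOGIN. For PAP the data field carries the password,
    which is why the body must never travel unobfuscated."""
    fixed = bytes([action, priv_lvl, authen_type, service,
                   len(user), len(port), len(rem_addr), len(data)])
    return fixed + user + port + rem_addr + data


def build_packet(body: bytes, session_id: int, key: bytes, seq_no: int,
                 pkt_type: int = TAC_PLUS_AUTHEN) -> bytes:
    """Clear-text header followed by the obfuscated body."""
    header = struct.pack(HEADER_FMT, TAC_PLUS_VERSION, pkt_type, seq_no, 0, session_id, len(body))
    return header + xor_body(body, session_id, key, TAC_PLUS_VERSION, seq_no)


def decode_packet(packet: bytes, key: bytes, allow_unencrypted: bool = False) -> bytes:
    """Parse the clear-text header and recover the body with the shared secret."""
    version, _ptype, seq_no, flags, session_id, length = struct.unpack(HEADER_FMT, packet[:HEADER_LEN])
    body = packet[HEADER_LEN:HEADER_LEN + length]
    if len(body) != length:
        raise ValueError("truncated TACACS+ packet")
    if flags & TAC_PLUS_UNENCRYPTED_FLAG:
        # The RFC deprecates this flag; refuse such packets unless explicitly allowed.
        if not allow_unencrypted:
            raise ValueError("unencrypted TACACS+ packet refused")
        return body
    return xor_body(body, session_id, key, version, seq_no)


def demo() -> dict:
    """Round-trip a constructed PAP START packet with the right and a wrong secret."""
    secret = b"cisco"                       # same shared secret as the ASA config on this page
    session_id = 0x1A2B3C4D                 # constructed; real clients pick this at random
    body = authen_start_body(b"cyruslab", b"ssh", b"192.168.0.10", b"constructed-password")
    pkt = build_packet(body, session_id, secret, seq_no=1)
    return {
        "header_in_clear": pkt[:HEADER_LEN],
        "password_visible_on_wire": b"constructed-password" in pkt,
        "decoded_with_right_key": decode_packet(pkt, secret) == body,
        "decoded_with_wrong_key": decode_packet(pkt, b"wrong") == body,
    }


if __name__ == "__main__":
    for name, value in demo().items():
        print(f"{name}: {value!r}")
```

The design point worth noticing is that the key stream is MD5-based keyed obfuscation, not an authenticated cipher: the shared secret is the only thing standing between an on-path observer and the PAP password in the START body, so the secret should be long and unique per device, and the ACS-to-ASA path should itself be a trusted management network.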
Setting up Cisco ACS
The task here is to create a user group and a user account, and to set up the network configuration so the ASA can talk to the ACS.
The AAA Client IP address is actually the authenticator's address, which is the Cisco ASA I am using for this lab. The Cisco ASA is the authenticator that sends out the authentication request to the supplicant on behalf of Cisco ACS. The shared secret is the secret shared between ACS and the Cisco ASA.
There is a default group 0 whose settings you can modify. The Cisco ACS I am using is version 4.2, which is outdated and does not support the Cisco ASA software; it does support IOS, though.
The newer version of ACS 5.2 should be able to configure the authorization for Cisco ASA command sets.
I actually did not check the Separate checkbox and only supplied the Cisco Secure PAP password.
ciscoasa(config)# aaa-server group1 protocol tacacs+
ciscoasa(config-aaa-server-group)# accounting-mode single
ciscoasa(config-aaa-server-group)# max-failed-attempts 5
ciscoasa(config-aaa-server-group)# reactivation-mode depletion
ciscoasa(config-aaa-server-group)# exit
ciscoasa(config)# aaa-server group1 (management) host 192.168.0.5 timeout 15
ciscoasa(config-aaa-server-host)# key cisco
ciscoasa(config-aaa-server-host)# end
ciscoasa# wr
Building configuration...
Cryptochecksum: e4bbb77c 4eaaed40 50da38c5 f127760f
4260 bytes copied in 1.130 secs (4260 bytes/sec)
[OK]
ciscoasa#
Test AAA server before applying
ciscoasa# test aaa-server authentication group1 host 192.168.0.5
Username: cyruslab
Password: *********
INFO: Attempting Authentication test to IP address <192.168.0.5> (timeout: 17 seconds)
INFO: Authentication Successful
ciscoasa#
Apply the AAA group
I will test this on SSH authentication.
ciscoasa(config)# aaa authentication ssh console group1
ciscoasa(config)# wr
Building configuration...
Cryptochecksum: 419e8752 acf0a186 909b7a66 bba70548
4299 bytes copied in 1.130 secs (4299 bytes/sec)
[OK]
ciscoasa(config)#
Test the ssh
This test only covers authentication. Authorization and accounting can be applied as well; however, Cisco ACS 4.2 does not support authorization for the Cisco ASA software. According to the forum I checked, an evaluation is available for download; I downloaded the 90-day eval license, but I could not locate the Cisco Secure Access Control Server 5.2 software itself to download.