This chapter describes the commands used to configure TACACS+. TACACS+ provides detailed accounting information and flexible administrative control over authentication and authorization processes. TACACS+ is facilitated through AAA and can be enabled only through AAA commands.
Note Refer to the "Authentication Commands" chapter, the "Authorization Commands" chapter, and the "Accounting Commands" chapter for information about commands specific to AAA.
For information on how to configure TACACS+, refer to the "Configuring TACACS+" chapter in the Cisco IOS Security Configuration Guide. For configuration examples using the commands in this chapter, refer to the "TACACS+ Configuration Examples" section located at the end of the "Configuring TACACS+" chapter in the Cisco IOS Security Configuration Guide.
Note TACACS and Extended TACACS commands are included in Cisco IOS Release 12.1 software for backward compatibility with earlier Cisco IOS releases; however, these commands are no longer supported and are not documented for this release.
Cisco recommends using only the TACACS+ security protocol with Cisco IOS Release 12.1 software. For a description of TACACS and Extended TACACS commands, refer to the "TACACS, Extended TACACS, and TACACS+ Commands" chapter in Cisco IOS Release 12.0 Security Command Reference at Cisco Connection Online (CCO).
Table 13 identifies Cisco IOS software commands available to the different versions of TACACS. Although TACACS+ is enabled through AAA and uses commands specific to AAA, there are some commands that are common to TACACS, Extended TACACS, and TACACS+. TACACS and Extended TACACS commands that are not common to TACACS+ are not documented in this release.
| Cisco IOS Command | TACACS | Extended TACACS | TACACS+ |
|---|---|---|---|
| aaa accounting¹ | - | - | Yes |
| aaa authentication arap¹ | - | - | Yes |
| aaa authentication enable default¹ | - | - | Yes |
| aaa authentication login¹ | - | - | Yes |
| aaa authentication ppp¹ | - | - | Yes |
| aaa authorization¹ | - | - | Yes |
| aaa group server tacacs+ | - | - | Yes |
| aaa new-model¹ | - | - | Yes |
| arap authentication¹ | - | - | Yes |
| arap use-tacacs | Yes | Yes | - |
| enable last-resort | Yes | Yes | - |
| enable use-tacacs | Yes | Yes | - |
| ip tacacs source-interface | Yes | Yes | Yes |
| login authentication¹ | - | - | Yes |
| login tacacs | Yes | Yes | - |
| ppp authentication¹ | Yes | Yes | Yes |
| ppp use-tacacs¹ | Yes | Yes | Yes |
| server | - | - | Yes |
| tacacs-server attempts | Yes | - | - |
| tacacs-server authenticate | Yes | Yes | - |
| tacacs-server directed-request | Yes | Yes | Yes |
| tacacs-server extended | - | Yes | - |
| tacacs-server host | Yes | Yes | Yes |
| tacacs-server key | - | - | Yes |
| tacacs-server last-resort | Yes | Yes | - |
| tacacs-server notify | Yes | Yes | - |
| tacacs-server optional-passwords | Yes | Yes | - |
| tacacs-server retransmit | Yes | Yes | - |
| tacacs-server timeout | Yes | Yes | - |
To group different server hosts into distinct lists and distinct methods, use the aaa group server command in global configuration mode. To remove a server group from the configuration list, enter the no form of this command.
aaa group server tacacs+ group-name
Syntax Description
| Syntax | Description |
|---|---|
| tacacs+ | Use only the TACACS+ server hosts. |
| group-name | Character string used to name the group of servers. |
Defaults
No default behavior or values.
Command Modes
Global configuration
Command History
| Release | Modification |
|---|---|
| 12.0(5)T | This command was introduced. |
Usage Guidelines
A server group is a list of server hosts of a particular type. Currently supported server host types are RADIUS server hosts and TACACS+ server hosts. A server group is used in conjunction with a global server host list. The server group lists the IP addresses of the selected server hosts.
Examples
The following example shows the configuration of an AAA group server named tacgroup1 that comprises three member servers:
aaa group server tacacs+ tacgroup1
 server 1.1.1.1
 server 2.2.2.2
 server 3.3.3.3
Related Commands
| Command | Description |
|---|---|
| aaa accounting | Enables AAA accounting of requested services for billing or security. |
| aaa authentication login | Enables AAA accounting of requested services for billing or security purposes. |
| aaa authorization | Sets parameters that restrict network access to a user. |
| aaa new-model | Enables the AAA access control model. |
| tacacs-server host | Specifies a TACACS+ host. |
ip tacacs source-interface subinterface-name
Syntax Description
| Syntax | Description |
|---|---|
| subinterface-name | Name of the interface that TACACS+ uses for all of its outgoing packets. |
Defaults
No default behavior or values.
Command Modes
Global configuration
Command History
| Release | Modification |
|---|---|
| 10.0 | This command was introduced. |
Usage Guidelines
Use this command to set a subinterface's IP address for all outgoing TACACS+ packets. This address is used as long as the interface is in the up state. In this way, the TACACS+ server can use one IP address entry associated with the network access client instead of maintaining a list of all IP addresses.
This command is especially useful in cases where the router has many interfaces and you want to ensure that all TACACS+ packets from a particular router have the same IP address.
The specified interface must have an IP address associated with it. If the specified subinterface does not have an IP address or is in a down state, TACACS+ reverts to the default. To avoid this, add an IP address to the subinterface or bring the interface to the up state.
Examples
The following example makes TACACS+ use the IP address of subinterface s2 for all outgoing TACACS+ packets:
ip tacacs source-interface s2
Related Commands
| Command | Description |
|---|---|
| ip radius source-interface | Forces RADIUS to use the IP address of a specified interface for all outgoing RADIUS packets. |
| ip telnet source-interface | Allows a user to select an address of an interface as the source address for Telnet connections. |
| ip tftp source-interface | Allows a user to select the interface whose address will be used as the source address for TFTP connections. |
To configure the IP address of the TACACS+ server for the group server, use the server command in group server configuration mode. To remove the IP address of the TACACS+ server, enter the no form of this command.
server ip-address
Syntax Description
| Syntax | Description |
|---|---|
| ip-address | IP address of the selected server. |
Defaults
No default behavior or values.
Command Modes
TACACS+ group server configuration
Command History
| Release | Modification |
|---|---|
| 12.0(5)T | This command was introduced. |
Usage Guidelines
Enter the server command to specify the IP address of the TACACS+ server. Also configure a matching tacacs-server host entry in the global list. If there is no response from the first host entry, the next host entry is tried.
Examples
The following example shows server host entries configured for the TACACS+ server:
aaa new-model
aaa authentication ppp default group g1
aaa group server tacacs+ g1
 server 1.0.0.1
 server 2.0.0.1
tacacs-server host 1.0.0.1
tacacs-server host 2.0.0.1
Related Commands
| Command | Description |
|---|---|
| aaa new-model | Enables the AAA access control model. |
| aaa group server | Groups different server hosts into distinct lists and distinct methods. |
| tacacs-server host | Specifies a TACACS+ host. |
tacacs-server directed-request [restricted] [no-truncate]
Syntax Description
| Syntax | Description |
|---|---|
| restricted | (Optional) Restrict queries to directed request servers only. |
| no-truncate | (Optional) Do not truncate the @hostname from the username. |
Defaults
Enabled
Command Modes
Global configuration
Command History
| Release | Modification |
|---|---|
| 11.1 | This command was introduced. |
Usage Guidelines
This command sends only the portion of the username before the "@" symbol to the host specified after the "@" symbol. In other words, with the directed-request feature enabled, you can direct a request to any of the configured servers, and only the username is sent to the specified server.
Disabling tacacs-server directed-request causes the whole string, both before and after the "@" symbol, to be sent to the default TACACS+ server. When the directed-request feature is disabled, the router queries the list of servers, starting with the first one in the list, sending the whole string, and accepting the first response that it gets from the server. The tacacs-server directed-request command is useful for sites that have developed their own TACACS+ server software that parses the whole string and makes decisions based on it.
With tacacs-server directed-request enabled, only configured TACACS+ servers can be specified by the user after the "@" symbol. If the host name specified by the user does not match the IP address of a TACACS+ server configured by the administrator, the user input is rejected.
Use no tacacs-server directed-request to disable the ability of the user to choose between configured TACACS+ servers and to cause the entire string to be passed to the default server.
Examples
The following example disables tacacs-server directed-request so that the entire user input is passed to the default TACACS+ server:
no tacacs-server directed-request
To specify a TACACS+ host, use the tacacs-server host command in global configuration mode. Use the no form of this command to delete the specified name or address.
tacacs-server host hostname [single-connection] [port integer] [timeout integer] [key string]
Syntax Description
| Syntax | Description |
|---|---|
| hostname | Name or IP address of the host. |
| single-connection | (Optional) Specify that the router maintain a single open connection for confirmation from a AAA/TACACS+ server (CiscoSecure Release 1.0.1 or later). This command contains no autodetect and fails if the specified host is not running a CiscoSecure daemon. |
| port | (Optional) Specify a server port number. This option overrides the default, which is port 49. |
| integer | (Optional) Port number of the server. Valid port numbers range from 1 to 65535. |
| timeout | (Optional) Specify a timeout value. This overrides the global timeout value set with the tacacs-server timeout command for this server only. |
| integer | (Optional) Integer value, in seconds, of the timeout interval. |
| key | (Optional) Specify an authentication and encryption key. This must match the key used by the TACACS+ daemon. Specifying this key overrides the key set by the global command tacacs-server key for this server only. |
| string | (Optional) Character string specifying the authentication and encryption key. |
Defaults
No TACACS+ host is specified.
Command Modes
Global configuration
Command History
| Release | Modification |
|---|---|
| 10.0 | This command was introduced. |
Usage Guidelines
You can use multiple tacacs-server host commands to specify additional hosts. The Cisco IOS software searches for hosts in the order in which you specify them. Use the single-connection, port, timeout, and key options only when running a AAA/TACACS+ server.
Because some of the parameters of the tacacs-server host command override global settings made by the tacacs-server timeout and tacacs-server key commands, you can use this command to enhance security on your network by uniquely configuring individual routers.
Examples
The following example specifies a TACACS+ host named Sea_Change:
tacacs-server host Sea_Change
The following example specifies that, for AAA confirmation, the router consults the TACACS+ server host named Sea_Cure on port number 51. The timeout value for requests on this connection is three seconds; the encryption key is a_secret.
tacacs-server host Sea_Cure single-connection port 51 timeout 3 key a_secret
Related Commands
| Command | Description |
|---|---|
| ppp | Starts an asynchronous connection using PPP. |
| slip | Starts a serial connection to a remote host using SLIP. |
| tacacs-server key | Sets the authentication encryption key used for all TACACS+ communications between the access server and the TACACS+ daemon. |
tacacs-server key key
Syntax Description
| Syntax | Description |
|---|---|
| key | Key used to set authentication and encryption. This key must match the key used on the TACACS+ daemon. |
Defaults
No default behavior or values.
Command Modes
Global configuration
Command History
| Release | Modification |
|---|---|
| 11.1 | This command was introduced. |
Usage Guidelines
After enabling AAA with the aaa new-model command, you must set the authentication and encryption key using the tacacs-server key command.
The key entered must match the key used on the TACACS+ daemon. All leading spaces are ignored; spaces within and at the end of the key are not. If you use spaces in your key, do not enclose the key in quotation marks unless the quotation marks themselves are part of the key.
Examples
The following example sets the authentication and encryption key to "dare to go":
tacacs-server key dare to go
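The shared key set here is used on both ends to derive the MD5 pseudo-pad that TACACS+ XORs over every packet body (RFC 8907 section 4.5), which is why the router's key and the daemon's key must match byte for byte, trailing spaces included. The following added example, which is not part of this Cisco reference, implements that pseudo-pad and shows that a daemon whose key differs from "dare to go" only by a trailing space recovers garbage; the session id, header version, sequence number, user name and START body fields are constructed sample values.

```python
import hashlib
import struct

# Constructed sample values (not from the page): a session id, header version and
# sequence number as a router would use them for the first packet of one exchange.
SESSION_ID = 0x1A2B3C4D
VERSION = 0xC0   # major version 0xC, minor version 0
SEQ_NO = 1       # first packet of the session, client -> server


def pseudo_pad(session_id: int, key: bytes, version: int, seq_no: int, length: int) -> bytes:
    """MD5 pseudo-pad chain from RFC 8907 section 4.5:
    pad_1 = MD5(session_id || key || version || seq_no)
    pad_n = MD5(session_id || key || version || seq_no || pad_{n-1})
    The concatenated pad is truncated to the body length."""
    seed = struct.pack("!I", session_id) + key + bytes([version, seq_no])
    pad, prev = b"", b""
    while len(pad) < length:
        prev = hashlib.md5(seed + prev).digest()
        pad += prev
    return pad[:length]


def obfuscate(body: bytes, key: bytes, session_id: int = SESSION_ID,
              version: int = VERSION, seq_no: int = SEQ_NO) -> bytes:
    """XOR the body with the pseudo-pad. XOR is its own inverse, so the same
    call with the same key turns the on-wire body back into clear text."""
    pad = pseudo_pad(session_id, key, version, seq_no, len(body))
    return bytes(b ^ p for b, p in zip(body, pad))


def authen_start_body(user: bytes, port: bytes = b"tty1", rem_addr: bytes = b"") -> bytes:
    """Constructed authentication START body (RFC 8907 section 5.1): action=LOGIN(1),
    priv_lvl=1, authen_type=ASCII(1), service=LOGIN(1), four length octets, then
    the variable-length user, port, rem_addr and data fields."""
    data = b""
    fixed = bytes([1, 1, 1, 1, len(user), len(port), len(rem_addr), len(data)])
    return fixed + user + port + rem_addr + data


def peer_recovers_body(client_key: bytes, server_key: bytes, user: bytes = b"alice") -> bool:
    """Does a daemon holding server_key recover the body a client sent under client_key?"""
    body = authen_start_body(user)
    on_wire = obfuscate(body, client_key)
    return obfuscate(on_wire, server_key) == body


if __name__ == "__main__":
    # "dare to go" is the key from the page's example; the second key differs only by
    # a trailing space, which the page says is part of the key.
    print(peer_recovers_body(b"dare to go", b"dare to go"))   # True
    print(peer_recovers_body(b"dare to go", b"dare to go "))  # False
```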
Related Commands
| Command | Description |
|---|---|
| aaa new-model | Enables the AAA access control model. |
| tacacs-server host | Specifies a TACACS+ host. |
Posted: Wed Sep 13 15:54:22 PDT 2000
Copyright 1989-2000 © Cisco Systems Inc.