10.2 Basic Security
10.2.4 Using AAA and Cisco Secure
Although usernames and passwords can be configured directly on the network device, this configuration does not scale well. It is generally recommended that security be handled at a centralized location. This is commonly done using authentication, authorization, and accounting (AAA), which allows all facets of user security to be defined on a central server. The TACACS+ protocol provides detailed accounting information and administrative control over the authentication and authorization process. Cisco Secure provides both AAA and TACACS+ services for network devices as well as for remote access.

To configure basic authentication with TACACS+ on a switch, perform the following steps:

  1. Make sure there is a fallback (local) login into the switch in case the server is down by issuing the command: set authentication login local enable
  2. Enable TACACS+ authentication by issuing the command: set authentication login tacacs enable
  3. Define the server by issuing the command: set tacacs server 10.1.1.10
  4. Define the server key. This is optional with TACACS+; it causes the switch-to-server data to be encrypted. If used, it must match the key configured on the server: set tacacs key cisco4me
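Added example (not part of the course text or of Cisco Secure) showing what the shared key in step 4 does to the switch-to-server data: per RFC 8907, the TACACS+ packet body is XORed with a chained MD5 pseudo-pad built from the session id, the key, the version and the sequence number, so a capture of a keyed exchange no longer shows the login name, while an unkeyed exchange carries it in clear text. The session id, username and port are constructed values; the key is the one from step 4.

```python
import hashlib
import struct

# Header layout from RFC 8907 section 4.1: version, type, seq_no, flags, session_id, length.
TAC_PLUS_VERSION = 0xC0            # major version 0xC, minor version 0
TAC_PLUS_AUTHEN = 0x01             # packet type: authentication
TAC_PLUS_UNENCRYPTED_FLAG = 0x01   # set when the body is sent in the clear (no key configured)
HEADER_LEN = 12

def pseudo_pad(session_id: int, key: bytes, version: int, seq_no: int, length: int) -> bytes:
    """Chained MD5 pseudo-pad from RFC 8907 section 4.5; the shared key is one of its inputs."""
    seed = struct.pack("!I", session_id) + key + bytes([version, seq_no])
    pad, prev = b"", b""
    while len(pad) < length:
        prev = hashlib.md5(seed + prev).digest()
        pad += prev
    return pad[:length]

def obfuscate(body: bytes, session_id: int, key: bytes, seq_no: int = 1) -> bytes:
    """XOR the body with the pseudo-pad. XOR is symmetric, so the same call reverses it."""
    pad = pseudo_pad(session_id, key, TAC_PLUS_VERSION, seq_no, len(body))
    return bytes(b ^ p for b, p in zip(body, pad))

def authen_start_body(user: str, port: str, priv_lvl: int = 1) -> bytes:
    """Authentication START body for an ASCII login (RFC 8907 section 5.1), empty rem_addr and data."""
    action, authen_type, service = 0x01, 0x01, 0x01   # LOGIN action, ASCII type, LOGIN service
    u, p = user.encode(), port.encode()
    return bytes([action, priv_lvl, authen_type, service, len(u), len(p), 0, 0]) + u + p

def build_packet(body: bytes, session_id: int, key: bytes, seq_no: int = 1) -> bytes:
    """Prepend the header; with no key the body travels as-is and the unencrypted flag is set."""
    if key:
        flags, payload = 0, obfuscate(body, session_id, key, seq_no)
    else:
        flags, payload = TAC_PLUS_UNENCRYPTED_FLAG, body
    header = struct.pack("!BBBBII", TAC_PLUS_VERSION, TAC_PLUS_AUTHEN, seq_no, flags, session_id, len(payload))
    return header + payload

def username_visible(packet: bytes, user: str) -> bool:
    """Check a defender can run on a capture: does the login name appear as plain bytes in the body?"""
    return user.encode() in packet[HEADER_LEN:]

if __name__ == "__main__":
    sid = 0x1A2B3C4D                                # constructed session id
    body = authen_start_body("netadmin", "console") # constructed login attempt
    keyed = build_packet(body, sid, b"cisco4me")    # key from step 4 above
    clear = build_packet(body, sid, b"")            # no key configured
    print("keyed packet shows username:", username_visible(keyed, "netadmin"))
    print("unkeyed packet shows username:", username_visible(clear, "netadmin"))
```

RFC 8907 calls this mechanism obfuscation rather than encryption: the key keeps the body out of a casual capture, but it is not a substitute for protecting the management network the switch and the server sit on.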
Lab Activity
  In this lab activity, you will learn how to use Cisco Secure ACS security for controlled user access.