Configuring RADIUS and TACACS+ with CSACS
Enabling TACACS+

Globally Enable AAA
The first steps in configuring the router are to enable TACACS+, specify the list of Cisco Secure ACS servers that will provide AAA services for the router, and configure the encryption key that is used to encrypt the data transfer between the router and the Cisco Secure ACS server.

The aaa new-model command forces the router to override every other authentication method previously configured for the router lines. If an administrative Telnet or console session is lost while enabling AAA on a Cisco router, and no enable password is specified, the administrator may be locked out of the router.

NOTE:

When using the Cisco IOS aaa new-model command, always provide for an enable password login method. This guards against the risk of being locked out of the router should the administrative session fail while enabling AAA, or if the TACACS+ server becomes unavailable.

At a minimum the following commands should be entered in the order shown:

Router(config)#aaa new-model
Router(config)#aaa authentication login default group tacacs+ enable

Specifying the enable authentication method enables the administrator to re-establish a Telnet or console session and use the enable password to access the router. If this is not done, and the administrator is locked out of the router, physical access to the router is required, with a minimum of having to perform a password recovery sequence. At worst, the entire configuration saved in NVRAM can be lost.

TACACS+ Configuration Commands
To begin global configuration, enter the commands shown in Figure , using the correct IP address of the Cisco Secure ACS servers and your own encryption key. In the example shown in Figure , the 2bor!2b@? global key is the encryption key that is shared between the router and the two Cisco Secure ACS servers. The encryption key should be kept secret in order to protect the privacy of passwords that are sent between the Cisco Secure ACS servers and the router during the authentication process.

The tacacs-server key command is used when two or more TACACS+ servers share the same key. Multiple Cisco Secure ACS servers can be specified, each with its own key, by using a tacacs-server host command for each server as follows:

router(config)# tacacs-server host 10.1.2.4 key keyforTACACS1
router(config)# tacacs-server host 10.1.2.5 key keyforTACACS2

AAA Configuration Commands
After enabling AAA globally on the access server, define the authentication method lists, and apply them to lines and interfaces. These authentication method lists are security profiles that indicate the protocol (or login) being authenticated and the authentication methods to be used.

To define an authentication method list using the aaa authentication command, complete the following steps:

Step 1 Specify the dial-in protocol, such as ARAP, PPP, or NetWare Access Server Interface (NASI), or login authentication.
Step 2 Identify a list name or default. A list name can be any alphanumeric string. Different authentication methods can be assigned to different named lists. Only one dial-in protocol can be specified per authentication method list. However, multiple authentication method lists with each of these options can be created. Each list must have a different name.
Step 3 Specify the authentication method, such as TACACS+, followed by local in case a TACACS+ server is not available on the network. Up to four methods can be specified.

After defining these authentication method lists, apply them to one of the following:

  • Lines – tty lines or the console port for login, and, in most cases, asynchronous lines for ARA
  • Interfaces – Interfaces, either synchronous or asynchronous, that are configured for PPP

Use the aaa authentication command in global configuration mode to enable AAA authentication processes.

The syntax for the aaa authentication login command is shown in Figure .
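The following configuration fragment is an added worked example, not part of the original course text, that combines the TACACS+ server commands and the three method-list steps above into one complete router configuration. The server addresses, shared keys, the list name ADMIN, the local username and the placeholder secrets are constructed values.

```text
! Added example (not from the original text). Addresses, keys, the list
! name ADMIN and the username are constructed; replace the <...> placeholders.
!
! Fallback credentials first, so the enable and local methods have
! something to check against if every TACACS+ server is unreachable.
enable secret <choose-a-strong-enable-secret>
username netadmin secret <choose-a-strong-password>
!
! Turn on AAA. From here on the method lists below decide how every
! line authenticates; the old per-line passwords are no longer used.
aaa new-model
!
! Default list: try the TACACS+ servers, then fall back to the enable
! secret so the administrator cannot be locked out.
aaa authentication login default group tacacs+ enable
!
! Named list for remote administrators: TACACS+ first, then the local
! username database if no server answers.
aaa authentication login ADMIN group tacacs+ local
!
! Two Cisco Secure ACS servers, each with its own shared key (a per-host
! key takes precedence over a global tacacs-server key for that host).
tacacs-server host 10.1.2.4 key keyforTACACS1
tacacs-server host 10.1.2.5 key keyforTACACS2
!
! Apply the lists: the console uses the default list, the VTY lines
! use the named ADMIN list.
line con 0
 login authentication default
line vty 0 4
 login authentication ADMIN
```

Before closing the session that entered these commands, open a second Telnet or console session and confirm that login succeeds against TACACS+ and, with the servers unreachable, against the enable secret or local account.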