AAA Authentication

Cisco Docs: Securing User Services Configuration>Authentication Authorization and Accounting

This is pretty straight forward, because on CCIE R&S exam you wont have to configure an actual ACS server. For starters be sure that the "aaa new-model" is configured.

Turn the TACACS+ authentication ON, and set LOCAL DB as backup:
(config)#aaa authentication login MYTACACS group tacacs+ local enable
*MYTACACS is the authentication policy. If you put "default" instead of specifying the policy, there is no need to assign the policy to VTY line later, it's a default policy on a device, from where ever you try to authenticate. In case you have a default policy, you need to ALSO define a NO_AUTH policy to apply where you dont want TACACS, like AUX and CONSOLE ports maybe.

Define the TACACS+ as a server, and set the Shared Secret:
(config)#tacacs-server host key cisco

Define the source interface from which you will authenticate:
(config)#ip tacacs source-interface Loopback0

Apply the authentication settings to the VTY line:
(config-line)#login authentication MYTACACS

#test aaa group tacacs+ USERNAME PASSWORD legacy

No comments:

Post a Comment

Most Popular Posts