Cisco TACACS

Posted on 2012-03-29
Last Modified: 2012-04-04
Hi,

If I have a TACACS configuration on my router, and a local username and password are also configured.

Now I have two questions:

1) If TACACS is enabled, is it still possible for someone to log in through the console or with the local username and password, which will not be tracked on the TACACS?

2) I think there is a config type in TACACS where, if it is configured, no one is allowed to log in to the device until communication between the device and the TACACS fails.

Please correct me if my understanding is wrong.
Question by:network-guru


Author Comment

by:network-guru
With this, if someone has logged in to the device with the help of a Raritan console and made some changes, are those logs not tracked somewhere in Raritan itself?

In that case, what is the use of configuring the TACACS username and password when anyone can log in to the device using the Raritan and make the change with the local username and password?

Expert Comment

by:giltjr
--> 1) If TACACS is enabled, is it still possible for someone to log in through the console or with the local username and password, which will not be tracked on the TACACS?

Depends on what you mean by "TACACS is enabled."  Cisco devices typically have 3 sets of configuration parameters dealing with logging in.  They are:

line console
line vty 0 4
line vty 5 15

You set logon authentication for each of these individually and they do NOT need to be the same.  You could have "login authentication local" for 1 or 2 of the above and have TACACS for the other.

--> 2) I think there is a config type in TACACS where, if it is configured, no one is allowed to log in to the device until communication between the device and the TACACS fails.

Not 100% sure what you mean here, so I am guessing.  When you set up aaa authentication you can have multiple authentication methods.  Example:

     aaa authentication login UseTacacs group tacacs+ local

     line vty 0 4
     login authentication UseTacacs

If you try to telnet/ssh and you get assigned to vty 0-4, the device will first try to use one of the tacacs servers defined in the group tacacs+.  If it can NOT communicate with any of those servers, it will then use local security.

Does this help?

Author Comment

by:network-guru
Hi Giltjr,

Thanks for the above explanation, which is really very helpful.

Could you please explain the purpose of the config below, section by section between the separator lines:

----------------------------------------------------------------------------------
aaa new-model
!
!
aaa group server tacacs+ ABC-GRP
 server 10.1.1.1
 server 10.1.1.2
 ip tacacs source-interface Loopback0
!
aaa authentication login LOCAL local-case
aaa authentication login ABC-GRP group ABC-GRP local-case

----------------------------------------------------------------------------------
aaa authorization console
aaa authorization config-commands
aaa authorization exec LOCAL local
aaa authorization exec ABC-GRP group ABC-GRP local
aaa authorization commands 0 ABC-GRP group ABC-GRP local
aaa authorization commands 1 ABC-GRP group ABC-GRP local
aaa authorization commands 15 ABC-GRP group ABC-GRP local

----------------------------------------------------------------------------------

aaa accounting exec ABC-GRP start-stop broadcast group ABC-GRP
aaa accounting commands 0 ABC-GRP start-stop broadcast group ABC-GRP
aaa accounting commands 1 ABC-GRP start-stop broadcast group ABC-GRP
aaa accounting commands 15 ABC-GRP start-stop broadcast group ABC-GRP
aaa accounting connection ABC-GRP start-stop broadcast group ABC-GRP
aaa accounting system default start-stop broadcast group ABC-GRP

----------------------------------------------------------------------------------

line con 0
 authorization exec LOCAL
 logging synchronous
 login authentication LOCAL

----------------------------------------------------------------------------------

line vty 0 4
 access-class ACCESS in
 privilege level 15
 authorization exec ABC-GRP
 accounting commands 0 ABC-GRP
 accounting commands 1 ABC-GRP
 accounting commands 15 ABC-GRP
 accounting exec ABC-GRP
 logging synchronous
 login authentication ABC-GRP
 transport input ssh

----------------------------------------------------------------------------------

line vty 5 15
 access-class ACCESS in
 privilege level 15
 authorization exec ABC-GRP
 accounting commands 0 ABC-GRP
 accounting commands 1 ABC-GRP
 accounting commands 15 ABC-GRP
 accounting exec ABC-GRP
 logging synchronous
 login authentication ABC-GRP
 transport input ssh

----------------------------------------------------------------------------------

Expert Comment

by:giltjr
I think I got everything.  There are a lot of repeated things, so I only covered them once.  If I missed anything, just ask away.


This sets up group ABC-GRP for aaa services; it uses the protocol tacacs+ and you have two servers, 10.1.1.1 and .2.

     aaa group server tacacs+ ABC-GRP
     server 10.1.1.1
     server 10.1.1.2


This says that when using the local user-id database the user-id is case sensitive:

     aaa authentication login LOCAL local-case


Uses the aaa group ABC-GRP; if it can not contact the server(s) in that group then use the local user-id database, with the user-id being case sensitive:

     aaa authentication login ABC-GRP group ABC-GRP local-case

This says to use the group ABC-GRP to see if you are authorized to execute commands:

      authorization exec ABC-GRP

This says to do accounting for commands that are level # (0, 1 and 15) to the servers in group ABC-GRP.

     accounting commands # ABC-GRP


This says to use the local database for user-id/password validation:

     login authentication LOCAL

Author Comment

by:network-guru
Thanks a lot for your valuable inputs.
But what I think is that there are two groups created on the TACACS server.

aaa authentication login LOCAL local-case
aaa authentication login ABC-GRP group ABC-GRP local-case


One is LOCAL and the other is ABC-GRP.

If you have a look at the config pasted above for line console, line vty 0 4 and line vty 5 15,
the group ABC-GRP was given the right to login, but the console access was given to the group for those users in the TACACS who are members of the LOCAL group.

Please correct me if my understanding is wrong. Otherwise, what would be the reason for not calling the same group ABC-GRP in the line console as well?

Expert Comment

by:giltjr
Do you have any user-ids in the local database?  I would expect you to have them based on your aaa config.

You have "aaa authentication login LOCAL local-case". From the description below (taken from Cisco's doc), "LOCAL" is the list-name of the authentication methods to use.  You do not have the list LOCAL anyplace that I can see.  You also did not specify "group groupname".  You did specify "local-case", which means you are using the local user-id database with case sensitivity enabled.

Now in the case of "aaa authentication login ABC-GRP group ABC-GRP local-case", the two ABC-GRPs both refer back to your statement "aaa group server tacacs+ ABC-GRP".  If those servers can not be contacted then it will use "local-case".

I am fairly sure that is how it works.


From the Cisco description:


aaa authentication login

To set AAA authentication at login, enter the aaa authentication login global configuration command. To disable AAA authentication, enter the no form of this command.

aaa authentication login {default | list-name} group group-name

Syntax Description

default: Uses the listed authentication methods that follow this argument as the default list of methods when a user logs in.

list-name: Character string used to name the list of authentication methods activated when a user logs in.

method: AAA authentication method that uses at least one of the keywords described in .

group: Group of servers.

group-name: Character string used to name the group of servers for authentication when a user logs in.

Expert Comment

by:giltjr
Here is a link that does a better job of describing aaa setup than I can:

http://packetlife.net/blog/2010/sep/27/basic-aaa-configuration-ios/

Author Comment

by:network-guru
Thanks for the above reply.

Yes, there are local user IDs configured, but there is no local user ID with the name LOCAL. Actually it's not LOCAL; you could say it's XYZ_LOCAL, which is not configured as a local username and password.

If "XYZ_LOCAL local-case" means to use the locally configured username and password, and there is also no group of users named XYZ_LOCAL on the TACACS server, then it makes sense.

But I am very thankful to you for explaining it to me like this.

Author Comment

by:network-guru
But I am unable to understand what the requirement is for calling XYZ_LOCAL in the console config, since even if it is not called, the local user ID will work if the TACACS fails.

Accepted Solution

by:giltjr
-> there is no local user id with the name of LOCAL

That is not the name of the user-id; "LOCAL" just means to use the local user-id database for authentication.

line con 0
 authorization exec LOCAL
 logging synchronous
 login authentication LOCAL

Means that ONLY user-ids in the local database can logon via the console port.
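As an added example (not giltjr's code and not a Cisco tool), the script below parses a constructed excerpt of the config posted in this thread and reports, per line, the resolved login method order, whether a TACACS+ server group is ever consulted, and which accounting lists apply. On that excerpt it shows what the accepted answer states: "line con 0" under "login authentication LOCAL" never reaches ABC-GRP and carries no accounting list, so a console session leaves no TACACS+ record. The excerpt, the regexes and the function names are assumptions made here.

```python
import re

# Constructed excerpt mirroring the config posted in this thread (sample, not a real device).
SAMPLE_CONFIG = """\
aaa authentication login LOCAL local-case
aaa authentication login ABC-GRP group ABC-GRP local-case
aaa accounting commands 15 ABC-GRP start-stop broadcast group ABC-GRP
line con 0
 authorization exec LOCAL
 login authentication LOCAL
line vty 0 4
 accounting commands 15 ABC-GRP
 login authentication ABC-GRP
"""
LOGIN_RE = re.compile(r"aaa authentication login (\S+) (.+)")   # list-name, methods
LINE_RE = re.compile(r"line (con|vty) (.+)")                    # start of a line stanza

def parse_aaa(config):
    """Map each login list-name to its ordered methods, and each line stanza to the
    login list and accounting lists it applies (indented lines belong to the stanza)."""
    login_lists, lines, current = {}, {}, None
    for raw in config.splitlines():
        if m := LOGIN_RE.match(raw):
            toks, methods, i = m.group(2).split(), [], 0
            while i < len(toks):                  # 'group X' is one method, two tokens
                step = 2 if toks[i] == "group" else 1
                methods.append(" ".join(toks[i:i + step]))
                i += step
            login_lists[m.group(1)] = methods
        elif m := LINE_RE.match(raw):
            current = f"{m.group(1)} {m.group(2)}"
            lines[current] = {"login": "default", "accounting": set()}
        elif current and raw.startswith(" "):     # sub-command of the current line
            parts = raw.split()
            if parts[:2] == ["login", "authentication"]:
                lines[current]["login"] = parts[2]
            elif parts[0] == "accounting":
                lines[current]["accounting"].add(parts[-1])
    return login_lists, lines

def audit(config):
    """Per line: resolved login method order, whether a TACACS+ server group is ever
    consulted, and which accounting lists apply. An undefined list-name resolves to []."""
    login_lists, lines = parse_aaa(config)
    report = {}
    for name, cfg in lines.items():
        methods = login_lists.get(cfg["login"], [])
        report[name] = {"methods": methods, "accounting_lists": sorted(cfg["accounting"]),
                        "tacacs_login": any(x.startswith("group ") for x in methods)}
    return report
```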

Author Closing Comment

by:network-guru
The response which I received from GILTJR was great.