
THE FASCINATING WORLD OF NETWORKING
Part II: AAA using TACACS+ and GNS3 example
Starting the tacacs service
After installing the TACACS.net TACACS+ server, the service starts automatically. You can confirm that it is running in a few places:
1. Start > Control Panel > Administrative Tools > Services.
2. Using the context menu on the taskbar and selecting "Task Manager" or using the key combination Ctrl+Shift+Esc. You will find the executable ‘tacplus.exe’ under the Processes tab.
3. Running netstat from an elevated command prompt (the -b switch, which shows the owning executable, needs administrator rights). The server listens on TCP port 49:
C:\>netstat -ab
Active Connections
Proto Local Address Foreign Address State PID
...
TCP mypc:49 mypc:0 LISTENING 2860
Note: if the TACACS.net service fails to start, something is wrong in your configuration, so be patient and re-edit the files in the Configuration folder. The tacverify tool that ships with TACACS.net (tacacs.net/tacverify) checks the configuration files and reports what is wrong:

You do not need to restart the service after making a configuration change. The server will automatically re-read the configuration files when they are edited.
1. You can start and stop services from the Services Management Console by going to: Start > Control Panel > Administrative Tools > Services.
2. You can also start and stop services from the command line by using the net stop/net start commands.
C:\>net stop tacacs.net
The TACACS.net service is stopping.
The TACACS.net service was stopped successfully.
C:\>net start tacacs.net
The TACACS.net service is starting.
The TACACS.net service was started successfully.
GNS3 Example

NOTE: C1 is my computer, connected to GNS3 through a loopback interface. TACACS.net is installed and running on it.
AAA configuration on C_Core1
aaa new-model
!
aaa authentication login default group tacacs+ local
aaa authentication login BDLOCAL local
aaa authentication enable default group tacacs+ enable
aaa authorization console
aaa authorization exec default group tacacs+ local if-authenticated
aaa authorization commands 1 default group tacacs+ if-authenticated
aaa authorization commands 15 default group tacacs+ local if-authenticated
aaa accounting exec default start-stop group tacacs+
!
tacacs-server host 10.0.2.2
tacacs-server key juanma
! This is the shared secret you supplied during the TACACS.net installation; it must match on both sides.
!
username juanma privilege 15 secret juanma
! It is a Cisco best practice to keep a local administrator account in case the TACACS+ server is unreachable.
line con 0
! No "login authentication" command here, so the default list applies: TACACS+ first, local only if no server answers
!
line vty 0 4
login authentication BDLOCAL
! Authentication on the vty lines is local only
!
interface FastEthernet2/0
description TFTP_SYSLOG_DHCP_SERVER
ip address 10.0.2.1 255.255.255.252
no shutdown
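The shared secret in tacacs-server key does not give you an encrypted transport. TACACS+ (RFC 8907) XORs each packet body with an MD5 keystream derived from the session id, the key, the version byte and the sequence number; the 12-byte header travels in clear. The Python below is an added example, not code from this page, from TACACS.net or from Cisco: it builds the PAP authentication START that the router would send for the martin/troncoso test user under the key juanma, parses it back with the right key, and shows that a wordlist check against a single captured packet recovers a weak secret because a wrong key never produces a structurally valid body. The session id, port name and remote address are constructed values for the demo.

```python
"""TACACS+ (RFC 8907) PAP authentication START: build, parse, and key check.

Added example; not part of the original page, TACACS.net or Cisco IOS.
Shared secret "juanma" and user martin/troncoso come from the page; session id,
port and rem_addr below are constructed for the demo.
"""
import hashlib
import struct

HEADER_LEN = 12
TAC_PLUS_MAJOR_VER = 0xC
TAC_PLUS_MINOR_VER_ONE = 0x1        # PAP and CHAP require minor version 1
TAC_PLUS_AUTHEN = 0x01              # header type: authentication
TAC_PLUS_AUTHEN_LOGIN = 0x01        # START action
TAC_PLUS_AUTHEN_TYPE_PAP = 0x02
TAC_PLUS_AUTHEN_SVC_LOGIN = 0x01
TAC_PLUS_UNENCRYPTED_FLAG = 0x01


def pseudo_pad(session_id, key, version, seq_no, length):
    """RFC 8907 section 4.5: chained MD5 over session_id | key | version | seq_no."""
    sid = struct.pack("!I", session_id)
    pad, prev = b"", b""
    while len(pad) < length:
        prev = hashlib.md5(sid + key + bytes([version, seq_no]) + prev).digest()
        pad += prev
    return pad[:length]


def obfuscate(body, session_id, key, version, seq_no):
    """XOR the body with the pad; the same call de-obfuscates."""
    pad = pseudo_pad(session_id, key, version, seq_no, len(body))
    return bytes(b ^ p for b, p in zip(body, pad))


def build_pap_start(user, password, key, session_id, port="tty0", rem_addr="10.0.2.1"):
    """Authentication START (seq_no 1) as the NAS sends it; port/rem_addr are constructed."""
    version = (TAC_PLUS_MAJOR_VER << 4) | TAC_PLUS_MINOR_VER_ONE   # 0xC1
    u, p, r, d = (s.encode() for s in (user, port, rem_addr, password))
    body = struct.pack("!8B", TAC_PLUS_AUTHEN_LOGIN, 1, TAC_PLUS_AUTHEN_TYPE_PAP,
                       TAC_PLUS_AUTHEN_SVC_LOGIN, len(u), len(p), len(r), len(d))
    body += u + p + r + d                       # PAP carries the password in "data"
    flags = 0                                   # unencrypted flag clear: body is obfuscated
    header = struct.pack("!BBBBII", version, TAC_PLUS_AUTHEN, 1, flags, session_id, len(body))
    return header + obfuscate(body, session_id, key, version, 1)


def parse_pap_start(packet, key):
    """Recover the START fields; raises ValueError when the key does not fit the body."""
    version, ptype, seq_no, flags, session_id, length = struct.unpack("!BBBBII", packet[:HEADER_LEN])
    body = packet[HEADER_LEN:HEADER_LEN + length]
    if not flags & TAC_PLUS_UNENCRYPTED_FLAG:
        body = obfuscate(body, session_id, key, version, seq_no)
    action, priv, atype, svc, ul, pl, rl, dl = struct.unpack("!8B", body[:8])
    if ptype != TAC_PLUS_AUTHEN or action != TAC_PLUS_AUTHEN_LOGIN or 8 + ul + pl + rl + dl != len(body):
        raise ValueError("body does not decode as an authentication START (wrong key?)")
    fields, off = {}, 8
    for name, n in (("user", ul), ("port", pl), ("rem_addr", rl), ("data", dl)):
        fields[name] = body[off:off + n].decode("ascii", "replace")
        off += n
    fields.update(priv_lvl=priv, authen_type=atype, service=svc)
    return fields


def key_fits(packet, key):
    """True if the candidate key yields a structurally valid START body."""
    try:
        parse_pap_start(packet, key)
        return True
    except (ValueError, struct.error):
        return False


def guess_key(packet, candidates):
    """Offline wordlist check against one captured packet: the MD5 pad is the
    only protection, so a guessable shared secret falls to a short list."""
    for cand in candidates:
        if key_fits(packet, cand.encode()):
            return cand
    return None


if __name__ == "__main__":
    pkt = build_pap_start("martin", "troncoso", b"juanma", session_id=0x1A2B3C4D)
    print(pkt.hex())                            # header in clear, body XORed
    print(parse_pap_start(pkt, b"juanma"))
    print(guess_key(pkt, ["cisco", "secret", "tacacs", "juanma"]))
```

The practical consequences for the configuration above: pick a long random shared secret rather than a word that also appears as a username, and keep the TACACS+ session on a management network where captures are unlikely, because anyone who can sniff port 49 and guess the key reads every username, password and authorized command in clear.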
Now comes the moment of truth. Let's authenticate a user against our TACACS+ server.

Remember that we set up a test user with username martin and password troncoso earlier, inside the authentication file. Let's check that this user can authenticate, using the test aaa group tacacs+ <username> <password> legacy command:

If we log in with this user:
Username: martin
Password:
C_Core_1#sh privilege
Current privilege level is 7
Let's see if we can execute configure terminal. At privilege level 7 the parser does not even expose that command, so IOS rejects it locally before any authorization request is sent:
C_Core_1#conf t
^
% Invalid input detected at '^' marker.
A command that does exist at this level, such as ping, is sent to the server for authorization (the aaa authorization commands 1 list) and is denied by the authorization file:
C_Core_1#ping 1.1.1.1
The command 'ping 1.1.1.1 <cr>' is not authorized for user martin and client 10.0.2.1
In the authorization file, only telnet, show commands and enable are allowed for this user:
C_Core_1#telnet
Host:
% Unknown command or computer name, or unable to find computer address
C_Core_1#sh ?
aaa Show AAA values
aal2 Show commands for AAL2
access-expression List access expression
access-lists List access lists
adjacency Adjacent nodes
...
C_Core_1#enable
Password:
C_Core_1#sh privilege
Current privilege level is 15
C_Core_1#
Testing the local database
Finally, I am going to check that the local database can be used when the TACACS+ server is down. Shutting down the interface towards the server makes it unreachable:
C_Core_1(config)# interface FastEthernet2/0
C_Core_1(config-if)# shutdown
C_Core_1(config-if)# ^Z
C_Core_1# exit

C_Core_1#test aaa group tacacs+ juantron juantron legacy
Attempting authentication test to server-group tacacs+ using tacacs+
No authoritative response from any server.
C_Core_1#test aaa group tacacs+ martin troncoso legacy
Attempting authentication test to server-group tacacs+ using tacacs+
No authoritative response from any server.
With no server answering, the default login and exec lists (group tacacs+ local) fall through to the local database, so the juanma account defined above still gets in. Note that this fallback happens only when no server responds: a reject from a reachable server is final, and the local user is not consulted. The commands 1 list has no local method, so while the server is down the if-authenticated keyword lets any authenticated user run level-1 commands without a server decision.
NOTE For a better understanding of Privilege levels, see:
http://juantron.wix.com/my-networking-online#!privilege-levels-and-aaa/cvzw