Table of Contents
Advertisement
!
aaa authentication enable default tacacs+ enable
aaa authentication enable LOCAL enable tacacs+
aaa authentication login default tacacs+ local
aaa authentication login LOCAL local tacacs+
aaa authorization exec default tacacs+ none
aaa authorization commands 1 default tacacs+ none
aaa authorization commands 15 default tacacs+ none
aaa accounting exec default start-stop tacacs+
aaa accounting commands 1 default start-stop tacacs+
aaa accounting commands 15 default start-stop tacacs+
Dell(conf)#
Dell(conf)#do show run tacacs+
!
tacacs-server key 7 d05206c308f4d35b
tacacs-server host 10.10.10.10 timeout 1
Dell(conf)#tacacs-server key angeline
Dell(conf)#%SYSTEM-P:CP %SEC-5-LOGIN_SUCCESS: Login successful for user admin on
vty0 (10.11.9.209)
%SYSTEM-P:CP %SEC-3-AUTHENTICATION_ENABLE_SUCCESS: Enable password
authentication success on vty0 ( 10.11.9.209 )
%SYSTEM-P:CP %SEC-5-LOGOUT: Exec session is terminated for user admin on line
vty0 (10.11.9.209)
Dell(conf)#username angeline password angeline
Dell(conf)#%SYSTEM-P:CP %SEC-5-LOGIN_SUCCESS: Login successful for user angeline
on vty0 (10.11.9.209)
%SYSTEM-P:CP %SEC-3-AUTHENTICATION_ENABLE_SUCCESS: Enable password
authentication success on vty0 ( 10.11.9.209 )
Monitoring TACACS+
To view information on TACACS+ transactions, use the following command.
•
View TACACS+ transactions to troubleshoot problems.
EXEC Privilege mode
debug tacacs+
TACACS+ Remote Authentication and
Authorization
The system takes the access class from the TACACS+ server. Access class is the class of service that restricts
Telnet access and packet sizes.
If you have configured remote authorization, the system ignores the access class you have configured for the
VTY line and gets this access class information from the TACACS+ server. The system must know the
username and password of the incoming user before it can fetch the access class from the server. A user,
therefore, at least sees the login prompt. If the access class denies the connection, the system closes the
Telnet session immediately.
The following example demonstrates how to configure the access-class from a TACACS+ server. This
configuration ignores the configured access-class on the VTY line. If you have configured a deny10 ACL on
the TACACS+ server, the system downloads it and applies it. If the user is found to be coming from the
10.0.0.0 subnet, the system also immediately closes the Telnet connection. Note, that no matter where the
user is coming from, they see the login prompt.
Security
998
Advertisement
Table of Contents
Troubleshooting
