This document describes how to configure a Cisco router for dial authentication with the TACACS+ that runs on UNIX. TACACS+ does not offer as many features as the commercially available Cisco Secure ACS for Windows or Cisco Secure ACS for UNIX.
TACACS+ Software previously provided by Cisco Systems has been discontinued and is no longer supported by Cisco Systems.
Today, you can find many available TACACS+ freeware versions when you search for "TACACS+ freeware" on your favorite Internet search engine. Cisco does not specifically recommend any particular TACACS+ freeware implementation.
Cisco Secure Access Control Server (ACS) is available for purchase through regular Cisco sales and distribution channels worldwide. Cisco Secure ACS for Windows includes all the necessary components needed for an independent installation on a Microsoft Windows workstation. The Cisco Secure ACS Solution Engine is shipped with a pre-installed Cisco Secure ACS software license. Refer to the Cisco Secure ACS 4.0 Product Bulletin for product numbers. Visit the Cisco Ordering Home Page (registered customers only) to place an order.
Note: You need a CCO account with an associated Service Contract to get the 90-day trial version for Cisco Secure ACS for Windows (registered customers only) .
The router configuration in this document was developed on a router that runs Cisco IOS® Software Release 11.3.3. Cisco IOS Software Releases 12.0.5.T and later use group tacacs+ instead of tacacs+. Statements such as aaa authentication login default tacacs+ enable appear as aaa authentication login default group tacacs+ enable.
You can download the TACACS+ freeware and User's Guide by anonymous ftp to ftp-eng.cisco.com in the /pub/tacacs directory.
There are no specific requirements for this document.
This document is not restricted to specific software and hardware versions.
Refer to Cisco Technical Tips Conventions for more information on document conventions.
In this section, you are presented with the information to configure the features described in this document.
Note: Use the Command Lookup Tool (registered customers only) to find additional information on the commands used in this document.
This document uses these configurations:
Router Configuration |
---|
! aaa new-model aaa authentication login default tacacs+ enable aaa authentication ppp default if-needed tacacs+ aaa authorization exec default tacacs+ if-authenticated aaa authorization commands 1 default tacacs+ if-authenticated aaa authorization commands 15 default tacacs+ if-authenticated aaa authorization network default tacacs+ enable password ww ! chat-script default "" at&fls0=1&h1&r2&c1&d2&b1e0q2 OK ! interface Ethernet0 ip address 10.6.1.200 255.255.255.0 ! !--- Challenge Handshake Authentication Protocol !--- (CHAP/PPP) authentication user. interface Async1 ip unnumbered Ethernet0 encapsulation ppp async mode dedicated peer default ip address pool async no cdp enable ppp authentication chap ! !--- Password Authentication Protocol (PAP/PPP) authentication user. interface Async2 ip unnumbered Ethernet0 encapsulation ppp async mode dedicated peer default ip address pool async no cdp enable ppp authentication pap ! !--- Authentication user with autocommand PPP. interface Async3 ip unnumbered Ethernet0 encapsulation ppp async mode interactive peer default ip address pool async no cdp enable ! ip local pool async 10.6.100.101 10.6.100.103 tacacs-server host 171.68.118.101 tacacs-server timeout 10 tacacs-server key cisco ! line 1 session-timeout 20 exec-timeout 120 0 autoselect during-login script startup default script reset default modem Dialin transport input all stopbits 1 rxspeed 115200 txspeed 115200 flowcontrol hardware ! line 2 session-timeout 20 exec-timeout 120 0 autoselect during-login script startup default script reset default modem Dialin transport input all stopbits 1 rxspeed 115200 txspeed 115200 flowcontrol hardware ! line 3 session-timeout 20 exec-timeout 120 0 autoselect during-login autoselect ppp script startup default script reset default modem Dialin autocommand ppp transport input all stopbits 1 rxspeed 115200 txspeed 115200 flowcontrol hardware ! end |
TACACS+ Configuration File on Freeware Server |
---|
!--- Handshake with router !--- AS needs 'tacacs-server key cisco'. key = "cisco" !--- User who can Telnet in to configure. user = admin { default service = permit login = cleartext "admin" } !--- CHAP/PPP authentication line 1 - !--- password must be cleartext per CHAP specifications. user = chapuser { chap = cleartext "chapuser" service = ppp protocol = ip { default attribute = permit } } !--- PPP/PAP authentication line 2. user = papuser { login = file /etc/passwd service = ppp protocol = ip { default attribute = permit } } !--- Authentication user line 3. user = authauto { login = file /etc/passwd service = ppp protocol = ip { default attribute = permit } } |
In this section, you are presented with the information to configure the features described in this document.
Complete these steps.
Note: The PC configuration can vary slightly based on the operating system version you use.
Select Start > Programs > Accessories > Dial-Up Networking to open the Dial-Up Networking window.
Choose Make New Connection from the Connections menu, and enter a name for your connection.
Enter your modem-specific information and click Configure.
On the General Properties page select the highest speed of your modem, but do not check the Only connect at this speed... box.
On the Configure/Connection Properties page, use 8 data bits, no parity, and 1 stop bit. Call preferences to use are Wait for dial tone before dialing and Cancel the call if not connected after 200 seconds.
On the Connection page, click Advanced. In the Advanced Connection Settings, select only Hardware Flow Control and Modulation Type Standard.
On the Configure/Options properties page, nothing should be checked except the box under Status Control.
Click OK and then click Next.
Enter the telephone number of the destination, click Next again, and then click Finish.
Once the new connection icon appears, right-click it and choose Properties > Server Type.
Choose PPP:WINDOWS 95, WINDOWS NT 3.5, Internet and do not check any Advanced options.
Check TCP/IP under Allowed Network Protocols.
Under TCP/IP Settings..., choose Server assigned IP address, Server assigned name server addresses, and Use default gateway on remote network and then click OK.
When the user double-clicks the icon to make the Connect To window display in order to dial, the user must fill in the User Name and Password fields, and then click Connect.
Configuration for User 3 (authentication user with autocommand PPP) is the same as for Users 1 and 2 with these exceptions:
On the Configure/Options properties page (step 6), check Bring up terminal window after dialing.
When the user double-clicks the icon to open the Connect To window to dial (Step 13), the user does not fill in the User name and Password fields. The user clicks Connect. After the connection to the router is made, the user types in the username and password in the black window that appears. After authentication, the user presses Continue (F7).
There is currently no verification procedure available for this configuration.
Refer to Important Information on Debug Commands before you issue debug commands.
terminal monitor—Displays debug command output and system error messages for the current terminal and session.
debug ppp negotiation—Displays PPP packets sent during PPP startup, where PPP options are negotiated.
debug ppp packet—Displays PPP packets that are sent and received. (This command displays low-level packet dumps.)
debug ppp chap—Displays information about whether a client passes authentication (for Cisco IOS Software Releases earlier than 11.2) .
debug aaa authentication—Displays information on authentication, authorization, and accounting (AAA)/TACACS+ authentication.
debug aaa authorization—Displays information on AAA/TACACS+ authorization.
Note: This assumes Cisco's TACACS+ Freeware server code.
tac_plus_executable -C config.file -d 16 tail -f /var/tmp/tac_plus.log
Revision | Publish Date | Comments |
---|---|---|
1.0 |
14-May-2009 |
Initial Release |