06 - 11 - 2024

Cisco AAA (TACACS) configuration on: IOS/NXOS/XR

Below you can find the AAA authentication configuration for the following Cisco devices:

  • Cisco Nexus - NXOS
  • Cisco XR 9002 - IOS XR
  • Cisco Switches - IOS

Sessions such as SSH are authenticated against remote credentials (the TACACS server), while the console uses a local password for emergency access when required. Full AAA is also enabled, which means checking credentials, checking privileges to execute commands, and logging the commands.

  1. Cisco NXOS
! NX-OS accepts the TACACS+ commands below only after the feature is enabled
feature tacacs+
ip tacacs source-interface <INTERFACE>
tacacs-server host <TACACS_SERVER-1> key 0 <password> timeout 5 
tacacs-server host <TACACS_SERVER-2> key 0 <password> timeout 5 
aaa group server tacacs+ TACACS_SERVERS 
    server <TACACS_SERVER-1> 
    server <TACACS_SERVER-2> 
    use-vrf management
!
ip access-list VTY_ALLOWED_HOSTS_IN
  10 remark Access SSH from MY COMPUTER
  20 permit tcp 192.168.1.100/32 any eq 22
!
aaa authentication login default group TACACS_SERVERS 
aaa authentication login console local 
aaa authorization config-commands default group TACACS_SERVERS local 
aaa authorization commands default group TACACS_SERVERS local 
aaa accounting default group TACACS_SERVERS local 
aaa authentication login error-enable 
!
line console
  exec-timeout 5
  speed 38400
line vty
  access-class VTY_ALLOWED_HOSTS_IN in
!
  2. Cisco IOS XR
tacacs source-interface MgmtEth0/RSP0/CPU0/0 vrf mngt
tacacs-server host <TACACS_SERVER-1> port 49
 key <password>
!
tacacs-server host <TACACS_SERVER-2> port 49
 key <password>
!
aaa accounting exec default start-stop group TACACS_SERVERS none
aaa accounting system default start-stop group TACACS_SERVERS none
aaa accounting commands default start-stop group TACACS_SERVERS none
aaa group server tacacs+ TACACS_SERVERS
 vrf <VRF-NAME>
 server-private <TACACS_SERVER-1> port 49
  key <password>
 !
 server-private <TACACS_SERVER-2> port 49
  key <password>
 !
!
aaa authorization exec console local
aaa authorization exec default group TACACS_SERVERS local
aaa authorization commands console none
aaa authorization commands default group TACACS_SERVERS none
aaa authentication login console local
aaa authentication login default group TACACS_SERVERS local
!
ipv4 access-list VTY_ALLOWED_HOSTS_IN
 10 remark Access SSH from MY COMPUTER
 20 permit tcp host 192.168.1.100 any eq ssh
exit
!
line console
 authorization exec console
 authorization commands console
 login authentication console
 exec-timeout 5 0
 transport output none
exit
!
line default
 authorization exec default
 authorization commands default
 exec-timeout 30 0
 access-class ingress VTY_ALLOWED_HOSTS_IN
 transport input ssh
 transport output none
exit
!
vty-pool default 0 99 line-template default
  3. Cisco IOS
aaa new-model
aaa group server tacacs+ TACACS_SERVERS
 server <TACACS_SERVER-1>
 server <TACACS_SERVER-2>
 ip vrf forwarding <VRF_NAME>
 ip tacacs source-interface <INTERFACE>
!
tacacs-server host <TACACS_SERVER-1> timeout 5 key 0 <password>
tacacs-server host <TACACS_SERVER-2> timeout 5 key 0 <password>
!
aaa authentication password-prompt "LOCAL Password: "
aaa authentication username-prompt "LOCAL Username: "
aaa authentication login default group TACACS_SERVERS local
aaa authentication login CONSOLE local
aaa authentication enable default group TACACS_SERVERS none
aaa session-id common
!
aaa authorization config-commands
aaa authorization exec default group TACACS_SERVERS local 
aaa authorization commands 0 default group TACACS_SERVERS if-authenticated 
aaa authorization commands 1 default group TACACS_SERVERS if-authenticated 
aaa authorization commands 15 default group TACACS_SERVERS if-authenticated 
!
aaa accounting send stop-record authentication failure vrf <VRF_NAME>
aaa accounting exec default start-stop group TACACS_SERVERS
aaa accounting commands 0 default start-stop group TACACS_SERVERS
aaa accounting commands 1 default start-stop group TACACS_SERVERS
aaa accounting commands 15 default start-stop group TACACS_SERVERS
aaa accounting connection default start-stop group TACACS_SERVERS
aaa accounting system default start-stop group TACACS_SERVERS
!
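
A quick audit of an IOS configuration against the goals stated at the top of this page (TACACS+ for login, command authorization and accounting, local-only console, restricted VTY access). This is an added example, not part of the original post; the function names, the sample config and its "line" stanzas are assumptions made for illustration.

```python
import re

# Constructed sample in the style of the IOS listing above. The "line" stanzas
# are assumptions: the page's IOS listing does not show them.
SAMPLE_IOS = """\
aaa new-model
aaa authentication login default group TACACS_SERVERS local
aaa authentication login CONSOLE local
aaa authorization commands 15 default group TACACS_SERVERS if-authenticated
aaa accounting exec default start-stop group TACACS_SERVERS
line con 0
 exec-timeout 5 0
line vty 0 4
 transport input ssh
"""

def line_stanzas(config):
    """Return {header: [sub-commands]} for every 'line ...' stanza."""
    stanzas, current = {}, None
    for raw in config.splitlines():
        if raw.startswith("line "):
            current = stanzas.setdefault(raw.strip(), [])
        elif raw.startswith(" ") and current is not None:
            current.append(raw.strip())
        else:
            current = None
    return stanzas

def audit_ios_aaa(config, group="TACACS_SERVERS"):
    """Return a list of findings; an empty list means every check passed."""
    g, stanzas, findings = re.escape(group), line_stanzas(config), []
    required = [
        ("aaa new-model", r"^aaa new-model\b"),
        ("login authentication via group", rf"^aaa authentication login default group {g}\b"),
        ("level 15 command authorization", rf"^aaa authorization commands 15 default group {g}\b"),
        ("level 15 command accounting", rf"^aaa accounting commands 15 default \S+ group {g}\b"),
    ]
    for label, pattern in required:
        if not re.search(pattern, config, re.M):
            findings.append(f"missing: {label}")
    # A named local-only list protects the console only once a console line uses it.
    con = [c for h, cmds in stanzas.items() if h.startswith("line con") for c in cmds]
    for name in re.findall(r"^aaa authentication login (\S+) local[ \t]*$", config, re.M):
        if name != "default" and f"login authentication {name}" not in con:
            findings.append(f"list {name} is not applied to a console line")
    for hdr, cmds in stanzas.items():
        if hdr.startswith("line vty") and not any(re.fullmatch(r"access-class \S+ in", c) for c in cmds):
            findings.append(f"{hdr}: no inbound access-class")
    return findings
```

Running `audit_ios_aaa(SAMPLE_IOS)` reports three gaps: no level 15 command accounting, the CONSOLE list defined but never attached to the console line, and a VTY line without an inbound access-class.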