Numerous network and security devices have become a part of the Cisco product family through many acquisitions. Due to this fact, you might encounter a few different operating systems across the Cisco platforms. Because the operating systems differ, so does the configuration of AAA across different platforms. To begin configuring devices for AAA, you need at least one entry for every network device in your network if you want ACS to communicate. Likewise, you need to configure those network devices to communicate with ACS. To add an AAA client to the ACS database and enable communications using the TACACS+ or RADIUS protocols, you use the following steps. After you have completed the following steps for an AAA client, you can then configure that AAA client using the appropriate commands to communicate as well.
Upon completion of this configuration, you now have a number of devices defined in ACS as AAA clients. The next step is to configure the AAA client devices, as discussed in the following subsections.

Cisco IOS Routers

To configure a Cisco router for AAA, follow these steps:
You can use the no form of the command in the previous step sequence to delete the specified name or address, as shown in Example 9-1.

Example 9-1. Removing a TACACS Server

    no tacacs-server host hostname

Note that the single-connection keyword in the configuration command is optional and specifies that the router keeps a single open connection for confirmation from an AAA/TACACS+ server. This command fails if ACS is not running. You can optionally define a port number using the port tag; this overrides the default port 49. If the port is changed on the router, it needs to be changed on the server as well. You can also specify a timeout on the router using the timeout tag, which overrides the global timeout for this server only. The key that you can optionally define is an authentication and encryption key; it must match the key used by the TACACS+ daemon in ACS that you define in the AAA client configuration. Specifying this key overrides the key set by the global tacacs-server key command for this server only. This command was first available in Cisco IOS Release 10.0.

Cisco IOS Software searches for hosts in the order in which you specify them, so you can define multiple TACACS+ servers. You use the single-connection, port, timeout, and key options only when running an AAA/TACACS+ server; in RADIUS, there is no connection, so these options are not available. Also, because some of the parameters of the tacacs-server host command can override the global settings made by the tacacs-server timeout and tacacs-server key commands, you can use this command to enhance security on your network by creating a unique policy for each device in your network. As seen in Example 9-2, together the tags change all aspects of the configuration for the TACACS+ server 10.1.1.1.

Example 9-2. Defining Additional TACACS+ Options

    tacacs-server host 10.1.1.1 single-connection port 789 timeout 5 key mykey

When you use RADIUS, both sets of ports, 1645/1646 and 1812/1813, are in use on ACS. Also, if you use the host name in the command statement, you need to have DNS resolution enabled. To add AAA to a Cisco IOS router using the RADIUS protocol, use the following configuration command in global configuration mode:
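The per-server override rules above (port defaults to 49; timeout and key fall back to the global tacacs-server timeout and tacacs-server key commands unless the host line sets them) can be checked mechanically when auditing a configuration. The following Python script is an added example, not code from the book or from Cisco: it parses a constructed IOS configuration fragment and reports the effective settings each tacacs-server host ends up with, in the order IOS searches them.

```python
import re

# Constructed sample IOS configuration (not from the original page): one fully
# specified host (as in Example 9-2), one bare host and one partial override,
# plus the global timeout and key that the bare host must fall back to.
SAMPLE_CONFIG = """\
aaa new-model
tacacs-server host 10.1.1.1 single-connection port 789 timeout 5 key mykey
tacacs-server host 10.1.1.2
tacacs-server host 10.1.1.3 timeout 2
tacacs-server timeout 10
tacacs-server key globalkey
"""

HOST_RE = re.compile(
    r"^tacacs-server host (?P<host>\S+)"
    r"(?P<opts>(?:\s+single-connection|\s+(?:port|timeout)\s+\d+|\s+key\s+\S+)*)\s*$"
)

def resolve_tacacs_servers(config: str) -> list:
    """Effective settings per TACACS+ server, in the order IOS searches them.

    port defaults to 49; timeout and key fall back to the global
    tacacs-server timeout / tacacs-server key commands (None if absent)
    unless the host line overrides them for that server only.
    """
    global_timeout, global_key, hosts = None, None, []
    for line in (l.strip() for l in config.splitlines()):
        if m := HOST_RE.match(line):
            hosts.append((m.group("host"), m.group("opts").split()))
        elif m := re.match(r"^tacacs-server timeout (\d+)$", line):
            global_timeout = int(m.group(1))
        elif m := re.match(r"^tacacs-server key (\S+)$", line):
            global_key = m.group(1)
    result = []
    for host, opts in hosts:
        entry = {"host": host, "port": 49, "timeout": global_timeout,
                 "key": global_key, "single_connection": False}
        tokens = iter(opts)
        for tok in tokens:
            if tok == "single-connection":
                entry["single_connection"] = True
            elif tok in ("port", "timeout"):
                entry[tok] = int(next(tokens))
            elif tok == "key":
                entry["key"] = next(tokens)
        result.append(entry)
    return result

def servers_without_key(config: str) -> list:
    """Hosts left with no shared secret at all; the key must match the one defined for the AAA client in ACS."""
    return [e["host"] for e in resolve_tacacs_servers(config) if e["key"] is None]
```

Running resolve_tacacs_servers(SAMPLE_CONFIG) shows 10.1.1.1 keeping its own port, timeout, and key, while 10.1.1.2 inherits the global timeout 10 and key globalkey, and 10.1.1.3 keeps only its timeout override.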
Cisco IOS Switches

To add an AAA server to a Cisco IOS switch using TACACS+, add the following configuration commands in global configuration mode:

    tacacs-server host hostname [single-connection] [port integer] [timeout integer] [key string]

or
Note that this command and arguments are similar to the router configurations. To add an AAA server to a Cisco IOS switch using RADIUS, add the following configuration commands in global configuration mode:
Note again that this command and arguments are similar to the router configurations.

Cisco Set-Based Switches

To add an AAA server to a Cisco set-based switch using TACACS+, add the following commands in enable mode:

    set tacacs server ip_address primary
    set tacacs key key
    set tacacs attempts n
    set tacacs timeout n

To add an AAA server to a Cisco set-based switch using RADIUS, add the following commands in enable mode:

    set radius server ip_address primary
    set radius key key
    set radius attempts n
    set radius timeout n

Cisco PIX Firewalls

To add an AAA server to a Cisco PIX Firewall using TACACS+, add the following commands in configuration mode:

    aaa-server MYACS protocol TACACS+
    aaa-server MYACS (interface_name) host 10.1.1.1 secretkey

To add an AAA server to a Cisco PIX Firewall using RADIUS, add the following commands in configuration mode:

    aaa-server MYACS protocol RADIUS
    aaa-server MYACS (interface_name) host 10.1.1.1 secretkey

Cisco 3000 Series VPN Concentrators

To add an AAA server to a Cisco 3000 series virtual private network (VPN) concentrator for administrator authentication using the TACACS+ protocol, follow these steps:
NOTE You can use TACACS+ only for administrative authentication on the 3000 series concentrators. This discussion is beyond the scope of this book. For user authentication, use a RADIUS server. To add an AAA server to a Cisco 3000 series VPN concentrator for user authentication using the RADIUS protocol, follow these steps:
Cisco Wireless Access Points

To add an AAA server to a Cisco Wireless access point, follow these steps:
Although many other devices in the Cisco product line support TACACS+ or RADIUS, it is beyond the scope of this book to give explicit examples for each device. The intent here is to give an understanding of some common network devices and their configurations. For more information on configuring TACACS+ or RADIUS on a device that is not listed here, please see the Cisco website.