Security Workshop: Tacacs Lab

1. The document discusses configuring TACACS+ on a server to provide authentication, authorization, and accounting (AAA) services for Cisco devices. Key settings are configured in the tac_plus.conf file to define user groups and privileges. 2. The Cisco device is then configured to use the TACACS+ server for AAA with commands that specify the server address and shared secret key. 3. Accounting services are enabled, and the show accounting command can be used to verify TACACS+ accounting records.

Security workshop

Tacacs lab

getting tacacs configured

$ sudo apt-get install tacacs+


$ sudo groupadd -r cisco
$ sudo vi /etc/tacacs+/tac_plus.conf
1.0.1 change the following settings

1. We want to set the shared key that routers must present to use our service to TacacsPassword.
2. We also want to limit access for users based on groups. For this example we will use settings in tac_plus.conf.
# change this line
key = TacacsPassword
# ... then at the end of the file .... add:
group = netops {
default service = permit
login = file /etc/passwd
enable = file /etc/passwd
service = exec {
priv-lvl = 15
}
}
#
# "level 2" users who cannot "debug" or "config"
#
group = l2_tacacs_users {
default service = permit
login = file /etc/passwd
enable = file /etc/passwd
service = exec {
priv-lvl = 15
}
cmd = configure {
deny "."
}
cmd = debug {
deny "."
}
}

user = sysadm {
member = netops
}

1.0.2 restart tacacs_plus to pick up the new settings

$ sudo service tacacs_plus restart

getting a cisco device to talk to your tacacs

aaa new-model
aaa authentication login default group tacacs+ local
aaa authorization console
aaa authorization exec default group tacacs+ if-authenticated
aaa session-id common

aaa accounting delay-start


aaa accounting exec default start-stop group tacacs+
aaa accounting commands 15 default start-stop group tacacs+

tacacs-server host 10.10.9.1


tacacs-server key TacacsPassword
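What the shared key configured on both sides actually does on the wire: this is an added example, not part of the lab or of the tac_plus or IOS code, implementing the RFC 8907 packet-body obfuscation that the server and router apply with that key. The session id, user, port and remote address are constructed sample values.

```python
"""TACACS+ body obfuscation (RFC 8907 section 4.5), added example."""
import hashlib
import struct

TAC_PLUS_AUTHEN = 0x01            # packet type: authentication
TAC_PLUS_UNENCRYPTED_FLAG = 0x01  # header flag: body sent in the clear
VERSION = (0xC << 4) | 0x0        # major 0xC, minor 0 -> 0xC0

def pseudo_pad(session_id: int, key: bytes, version: int, seq_no: int, length: int) -> bytes:
    """Chained-MD5 keystream: MD5_1 = MD5(session_id|key|version|seq_no),
    MD5_n = MD5(session_id|key|version|seq_no|MD5_{n-1}), cut to body length."""
    seed = struct.pack("!I", session_id) + key + bytes([version, seq_no])
    pad, prev = b"", b""
    while len(pad) < length:
        prev = hashlib.md5(seed + prev).digest()
        pad += prev
    return pad[:length]

def obfuscate(body: bytes, key: bytes, session_id: int, version: int, seq_no: int) -> bytes:
    """XOR the body with the pad; calling it again with the same key undoes it."""
    pad = pseudo_pad(session_id, key, version, seq_no, len(body))
    return bytes(b ^ p for b, p in zip(body, pad))

def build_packet(body: bytes, key: bytes, session_id: int, seq_no: int, ptype=TAC_PLUS_AUTHEN) -> bytes:
    """12-byte header (version, type, seq_no, flags, session_id, length) + body."""
    flags = 0 if key else TAC_PLUS_UNENCRYPTED_FLAG
    payload = obfuscate(body, key, session_id, VERSION, seq_no) if key else body
    return struct.pack("!BBBBII", VERSION, ptype, seq_no, flags, session_id, len(body)) + payload

def parse_packet(packet: bytes, key: bytes) -> bytes:
    """Return the de-obfuscated body; a wrong key yields garbage, not an error."""
    version, _ptype, seq_no, flags, session_id, length = struct.unpack("!BBBBII", packet[:12])
    payload = packet[12:12 + length]
    if flags & TAC_PLUS_UNENCRYPTED_FLAG:
        return payload
    return obfuscate(payload, key, session_id, version, seq_no)

def authen_start_body(user: bytes, port: bytes, rem_addr: bytes) -> bytes:
    """Authentication START: action=LOGIN(1), priv_lvl=1, type=ASCII(1), service=LOGIN(1)."""
    return bytes([1, 1, 1, 1, len(user), len(port), len(rem_addr), 0]) + user + port + rem_addr

def demo() -> dict:
    key = b"TacacsPassword"                                   # the lab's shared key
    body = authen_start_body(b"sysadm", b"tty0", b"10.10.9.50")  # constructed sample
    pkt = build_packet(body, key, session_id=0x1234ABCD, seq_no=1)
    return {"roundtrip": parse_packet(pkt, key) == body,
            "wrong_key": parse_packet(pkt, b"WrongKey") == body,
            "hidden": pkt[12:] != body}
```

The pad is keyed MD5 XORed over the body, so a router with a mismatched key produces an undecodable START rather than a clean rejection, and anyone holding the key can read every body, which is why RFC 8907 expects TACACS+ to run on a trusted management network.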
2.0.3 Now you can verify accounting

Router#show accounting
