SAMPLE CONFIG ON ROUTER TO BE AUTHENTICATED
Step One: Create Username and Password
username cisco privilege 15 password 0 cisco123
Step Two: Configure the Authentication, Authorization, and Accounting (AAA) parameters
aaa new-model
aaa authentication login default group tacacs+ local enable
aaa authorization exec EXMODE group tacacs+
aaa session-id common
NB: aaa new-model is not shown in the original lab config but is required first; IOS does not accept the other aaa commands until it is enabled. The login list is named default, so it applies to the vty lines automatically; the exec authorization list is named EXMODE and must be attached to the vty lines explicitly (Step Four).
Step Three: Configure your TACACS+ server hostname, address and key (the shared key configured for this device on ACS)
tacacs server acs101
 address ipv4 192.168.137.50
 key 0 <shared-key>
NB: The key line is added here as a placeholder (the value used in the lab is not shown); replace <shared-key> with the shared secret set on ACS. The key string must match on both sides or authentication fails, which is exactly the failure traced in the troubleshooting section below.
Step Four: Attach the authorization method list “EXMODE” configured under aaa authorization to “line vty” so it applies to SSH and Telnet sessions.
line vty 0 4
authorization exec EXMODE
transport input all
The configuration below specifies the steps in configuring the ACS Server.
a. Create a network device group so that devices under the same administration can be grouped together
Network Resources > Network Device Groups > Device Type
- Creating Network Device Group
b. Now we will add devices to the network device group we created above
Network Resources > Network Devices and AAA Clients > Create
Under “Device Type”, select the network device group (Dublin Network) that we created above
- Adding a router to the Network Device Group
c. Now we will create the Identity Group to be authenticated by the ACS Server
Users and Identity Stores > Identity Groups > Create
- Creating the identity group (A User group)
d. We then create the users to be authenticated by the ACS Server
Users and Identity Stores > Internal Identity Stores > Create
- Creating users that will be authenticated on the ACS Server
e. Creating Access Policies (How Users will be connected)
Access Policies > Access Services > Default Device Admin > Authorization
When creating an Access Policy we have to set the conditions that a user must meet before they are granted access to connect.
In the example below, we set two conditions which a user profile must meet, i.e. the “Identity Group” (who they are) and the “Device Type” (what they are trying to connect to), before access is granted.
- Creating Access Policies
Now we can test to verify if our user profile can be authenticated by the ACS Server. We will use the command below:
R1#test aaa group tacacs+ cisco cisco123 legacy
Attempting authentication test to server-group tacacs+ using tacacs+
User was successfully authenticated
We can clearly see from the output above that the ACS Server has authenticated our username cisco with password cisco123.
Troubleshooting Authentication Failure
For easy troubleshooting, go to Monitoring and Reports and click on “Launch Monitoring and Reports”. After I completed this lab, I could not authenticate, so I set out to figure out what the problem was. The following are the steps I took:
1. Go to Monitoring and Reports
- Accessing Monitoring and Reports on ACS
2. Click on “Launch Monitoring and Report Viewer” (this will take you to Cisco Secure ACS)
3. On the sidebar on the left, click on “Reports” (this will open a new window)
- Accessing Detailed Reports for troubleshooting
4. Under AAA Protocols, click on “TACACS (or RADIUS) Authentication”, depending on what you’re authenticating with. Specify the time range you want your report to cover and click “Run”.
- Accessing TACACS Authentication Logs
5. The report will now be displayed and you will be able to view the reason why you are not able to authenticate.
- Viewing TACACS Authentication Logs
6. Click on a log entry for a detailed description.
From the log detail, I was able to deduce the reason behind the authentication failure:
- Mismatched Shared Secret (I had not set the shared key under the tacacs server configuration on the router)
Viewing the log detail helped me to rectify the anomaly.
- Details from “Other Attributes”, “Authentication Result” and “Steps” helped to troubleshoot the problem