Document ID: 13865
Introduction Prerequisites Requirements Components Used Conventions Authentication Add Authorization Add Accounting Test File Related Information
This document describes how to configure a Cisco router for authentication with the TACACS+ that runs on UNIX. TACACS+ does not offer as many features as thecommercially available Cisco Secure ACS for Windows or Cisco Secure ACS UNIX. TACACS+ software previously provided by Cisco Systems has been discontinued and is no longer supported by Cisco Systems. Today, you can find many available TACACS+ freeware versions when you search for "TACACS+ freeware" on your favorite Internet search engine. Cisco does not specifically recommend any particular TACACS+freeware implementation. Cisco Secure Access Control Server (ACS) is available for purchase through regular Cisco sales and distribution channels worldwide. Cisco Secure ACS for Windows includes all the necessary components needed for an independent installation on a Microsoft Windows workstation. The Cisco Secure ACS Solution Engine is shipped with a pre−installed Cisco Secure ACS software license.Visit the Cisco Ordering Home Page ( registered customers only) to place an order. Note: You need a CCO account with an associated Service Contract to get the 90−day trial version for Cisco Secure ACS for Windows. The router configuration in this document was developed on a router that runs Cisco IOS® Software Release 11.3.3. Cisco IOS Software Release 12.0.5.T and later uses group tacacs+ insteadof tacacs+, so statements such as aaa authentication login default tacacs+ enable appear as aaa authentication login default group tacacs+ enable. Refer to the Cisco IOS Software documentation for more complete information on router commands.
There are no specific requirements for this document.
The information in this document is based onCisco IOS Software Release 11.3.3 and Cisco IOS Software Release 12.0.5.T and later. The information in this document was created from the devices in a specific lab environment. All of the devices used in this document started with a cleared (default) configuration. If your network is live, make sure that you understand the potential impact of any command.
Refer to Cisco Technical TipsConventions for more information on document conventions.
Complete these steps: 1. Make sure you have compiled TACACS+ (TAC+) code on the UNIX server. The server configurations here assume you use the Cisco TAC+ server code. The router configurations should work whether or not the server code is Cisco server code. TAC+ must be run as root; su to root if necessary. 2. Copy thetest_file at the end of this document, place it on the TAC+ server, and name it test_file. Check to be sure the tac_plus_executable daemon starts with test_file. In this command, the −P option checks for compile errors but does not start the daemon:
tac_plus_executable −P −C test_file
You might see the contents of test_file scroll down the window, but you should not see messages such as cannotfind file, cleartext expected−−found cleartext, or unexpected }. If there are errors, check paths to test_file, re−check your typing, and re−test before you continue. 3. Start to configure TAC+ on the router. Enter enable mode and type configure terminal before the command set. This command syntax ensures that you are not locked out of the router initially, providing the tac_plus_executable is notrunning:
!−−− Turn on TAC+. aaa new−model enable password whatever !−−− These are lists of authentication methods. !−−− "linmethod", "vtymethod", "conmethod", and !−−− so on are names of lists, and the methods !−−− listed on the same lines are the methods !−−− in the order to be tried. As used here, if !−−− authentication fails due to the !−−− tac_plus_executable not being started, the !−−−...