
Setup a Cisco Switch with AAA Server

CS580 Winter 2005
Presented by:
Chris Orona
Kevork Tamamian
Xuong Tsan

What is an AAA Server?

AAA (Authentication, Authorization, Accounting)
For example:
RADIUS (Remote Authentication Dial-In User Service)
TACACS (Terminal Access Controller Access Control System)

TACACS

Specified in RFC 1492
Uses port 49 (TCP or UDP)
XTACACS: TACACS extensions created by Cisco

TACACS server on a switch

switch(config)# login tacacs
switch(config)# tacacs-server host 192.20.22.7
switch(config)# tacacs-server key "I am cool"
switch(config)# tacacs-server attempts 3
switch(config)# tacacs-server timeout 5

TACACS server (cont.)


TACACS Verification
switch# show tacacs
Enable use-tacacs:Enabled
Login tacacs:Enabled
tacacs-server last-resort:password
tacacs-server hosts:192.20.27.7
tacacs-server key:I am cool
tacacs-server login attempts:3
tacacs-server timeout:5 seconds
tacacs-server directed-request:Disabled

TACACS+
A newer protocol derived from TACACS, but not compatible with the original
Uses a separate server for AAA

TACACS+ packet header

4 bits | 4 bits | 8 bits      | 8 bits       | 8 bits
Major  | Minor  | Packet type | Sequence No. | Flags
Session ID (4 bytes)
Length (4 bytes)

Major/Minor version
Packet Type: Authentication, Authorization, or Accounting
Flags: Whether encryption is set
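As an added illustration of the header fields above (not code from the original slides), this Python snippet decodes the 12-byte TACACS+ header, reports whether the cleartext flag is set, and shows how the body obfuscation depends on the shared secret configured with `tacacs-server key`. The flag bit values, packet-type codes and MD5 pad algorithm are taken from RFC 8907 rather than from the slides, and the sample header and key are constructed for the demonstration.

```python
import hashlib
import struct

# Header layout from the slide, network byte order: version byte (major 4 bits | minor 4 bits),
# packet type, sequence number, flags, session ID (4 bytes), length (4 bytes) = 12 bytes.
HEADER_FMT = "!BBBBII"
HEADER_LEN = struct.calcsize(HEADER_FMT)
PACKET_TYPES = {0x01: "authentication", 0x02: "authorization", 0x03: "accounting"}
TAC_PLUS_MAJOR_VER = 0xC             # only defined major version (assumed from RFC 8907)
TAC_PLUS_UNENCRYPTED_FLAG = 0x01     # set => body is cleartext (assumed from RFC 8907)
TAC_PLUS_SINGLE_CONNECT_FLAG = 0x04  # set => several sessions share one TCP connection

def parse_header(data: bytes) -> dict:
    """Decode the fixed header and check the fields a server or sensor would validate."""
    if len(data) < HEADER_LEN:
        raise ValueError("truncated TACACS+ header")
    version, ptype, seq_no, flags, session_id, length = struct.unpack(HEADER_FMT, data[:HEADER_LEN])
    major, minor = version >> 4, version & 0x0F
    if major != TAC_PLUS_MAJOR_VER:
        raise ValueError(f"unsupported major version {major:#x}")
    if ptype not in PACKET_TYPES:
        raise ValueError(f"unknown packet type {ptype:#x}")
    return {"major": major, "minor": minor, "type": PACKET_TYPES[ptype], "seq_no": seq_no,
            "unencrypted": bool(flags & TAC_PLUS_UNENCRYPTED_FLAG),
            "single_connect": bool(flags & TAC_PLUS_SINGLE_CONNECT_FLAG),
            "session_id": session_id, "length": length}

def pseudo_pad(session_id: int, key: bytes, version: int, seq_no: int, length: int) -> bytes:
    """Keystream from RFC 8907 4.5: chained MD5(session_id | key | version | seq_no | prev digest)."""
    seed = struct.pack("!I", session_id) + key + bytes([version, seq_no])
    pad, prev = b"", b""
    while len(pad) < length:
        prev = hashlib.md5(seed + prev).digest()
        pad += prev
    return pad[:length]

def obfuscate_body(header: bytes, body: bytes, key: bytes) -> bytes:
    """XOR the body with the key-derived pad; the same call with the same key reverses it."""
    h = parse_header(header)
    if h["unencrypted"]:
        return body  # cleartext flag set: the weak setting an operator should look for
    version = (h["major"] << 4) | h["minor"]
    pad = pseudo_pad(h["session_id"], key, version, h["seq_no"], len(body))
    return bytes(b ^ p for b, p in zip(body, pad))

# Constructed sample: authentication packet, seq 1, session 0x12345678, 5-byte body, key from the slide.
SAMPLE_HEADER = bytes([0xC0, 0x01, 0x01, 0x00]) + struct.pack("!II", 0x12345678, 5)
SAMPLE_KEY = b"I am cool"
```

Because the pad is derived only from the shared key and header fields, a weak or widely shared `tacacs-server key` is what protects the body; a header with the cleartext flag set means no protection at all.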

TACACS+ Traffic

Authentication
Enables the switch/router to ask for passwords on a remote server
Set up passwords for login and enable access
Backup with enable password in case server is down

aaa new-model
aaa authentication login default tacacs+ enable
aaa authentication enable default tacacs+ enable

Authorization
Request authorization for events: obtaining a shell, configuring, or running certain commands
Again, include a fallback in the command in case the server is down.

aaa authorization exec default tacacs+ if-authenticated

Accounting
Log access and attempted access to a remote server
Can log inbound and/or outbound connections
Types of accounting:
start-stop: records without waiting for the server
stop-only: only records when action is completed
wait-start: waits for log to be sent before allowing action

aaa accounting exec default start-stop tacacs+
aaa accounting connection default start-stop tacacs+

ClearBox RADIUS and TACACS+ Server 2.4.5

Available for Windows
Can authenticate against a Windows domain or SQL database (Access, SQL Server, ODBC, etc.)
$399, or free trial version with limited password functionality.

Reference Links
http://www.cisco.com/en/US/products/hw/switches/ps637/products_configuration_guide_chapter09186a008007da46.html#15411
http://www.cisco.com/en/US/tech/tk59/technologies_configuration_example09186a0080093c7c.shtml
http://www.cisco.com/en/US/tech/tk59/technologies_tech_note09186a0080094e99.shtml
http://www.informit.com/articles/article.asp?p=170744&seqNum=2
http://www.cisco.com/pcgi-bin/search/search.pl?searchPhrase=cisco+router+1601+support+tacacs&x=0&y=0&nv=Search+All+Cisco.com%23%23cisco.com&nv=Technical+Support%26Documentation%23%23cisco.com%23TSD&language=en&country=US&accessLevel=Guest&siteToSearch=cisco.com
http://www.cisco.com/en/US/products/sw/iosswrel/ps1835/products_configuration_guide_chapter09186a00800ca7a7.html#16099
Clearbox server: http://www.xperiencetech.com/
