The following steps configure external authentication on the router using TACACS+.
- Creating a username and password:
Router (config) # username ccnasecurity secret cisco
- Enabling AAA on the device:
Router (config) # aaa new-model
- Configuring the TACACS+ server. The next step is to point the router at the TACACS+ server. This can be done in two ways. The first is to create a pointer on the router by specifying the IP address of the TACACS+ server and the shared key:
Router (config) # tacacs-server host 10.10.10.10 key secretkey
The second is to create a group of TACACS+ servers and add the server to that group:
Router (config) # aaa group server tacacs+ Authforlogin
Router (config-sg-tacacs+) # server 10.10.10.10
- Defining a method list for AAA. The next step is to define a method list for AAA logins with the following command:
Router (config) # aaa authentication login default group tacacs+ local
Where:
- The keyword aaa authentication login specifies that this list is used only for login authentication
- The keyword default names the default method list; a custom name can be used instead, but only one default list can be created for each function of AAA
- The keyword group tacacs+ specifies that the configured TACACS+ servers are used as the first authentication method
- The keyword local specifies the secondary authentication method, used in case the TACACS+ server is not reachable
- Attaching the configured AAA authentication list to the line modes:
Router (config) # line console 0
Router (config-line) # login authentication default
Router (config) # line vty 0 15
Router (config-line) # login authentication default
The keyword default here selects the default method list defined above.
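As an added example that is not part of the original steps, the following Python script audits a saved running-config for the settings above: it parses a constructed sample config (the commands from these steps, embedded inline) and reports anything missing, such as a TACACS+ server that is not defined, a method list without a local fallback, or a console or vty line that does not apply the login list. The `parse_blocks` and `audit_aaa_login` names are this example's own.

```python
import re
# Constructed sample running-config mirroring the commands in the steps above.
SAMPLE_CONFIG = """\
aaa new-model
username ccnasecurity secret cisco
tacacs-server host 10.10.10.10 key secretkey
aaa group server tacacs+ Authforlogin
 server 10.10.10.10
aaa authentication login default group tacacs+ local
line con 0
 login authentication default
line vty 0 15
 login authentication default
"""

def parse_blocks(config):  # top-level command -> its indented sub-commands (IOS indents by one space)
    blocks, parent = {}, None
    for raw in filter(str.strip, config.splitlines()):
        if raw.startswith(" ") and parent:
            blocks[parent].append(raw.strip())
        else:
            parent = raw.strip()
            blocks.setdefault(parent, [])
    return blocks

def audit_aaa_login(config):  # returns a list of findings; empty means the config follows the steps above
    blocks, findings = parse_blocks(config), []
    if "aaa new-model" not in blocks:
        findings.append("aaa new-model is not enabled")
    # A server may be defined directly (a saved config may show 'key 7 <hash>') or inside a tacacs+ group.
    direct = [p for p in blocks if re.match(r"tacacs-server host \S+ key(?: \d)? \S+$", p)]
    grouped = [c for p, kids in blocks.items() if p.startswith("aaa group server tacacs+ ")
               for c in kids if c.startswith("server ")]
    if not direct and not grouped:
        findings.append("no TACACS+ server defined, directly or in a server group")
    login = [p for p in blocks if p.startswith("aaa authentication login default ")]
    if not login:
        findings.append("no default login method list")
    else:
        methods = login[0].split()[4:]   # e.g. ['group', 'tacacs+', 'local']
        tacacs_first = len(methods) > 1 and methods[0] == "group" and (
            methods[1] == "tacacs+" or f"aaa group server tacacs+ {methods[1]}" in blocks)
        if not tacacs_first:
            findings.append("default login list does not try the TACACS+ servers first")
        if "local" not in methods:
            findings.append("default login list has no local fallback for an unreachable TACACS+ server")
        elif not any(p.startswith("username ") for p in blocks):
            findings.append("local fallback configured but no local username exists")
    for parent, kids in blocks.items():   # every console and vty line must apply a login list
        if parent.startswith(("line con", "line vty")) and not any(k.startswith("login authentication ") for k in kids):
            findings.append(f"{parent} does not apply a login authentication list")
    return findings
```

Run it against the output of `show running-config` to confirm a device matches the procedure before relying on the TACACS+ server.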