
How to configure Cisco Routers and Switches with AAA Authorization and Accounting using TACACS+ protocol through IOS Commands

As we discussed in the previous lesson, Shell Profiles and Command Sets are used to create Authorization Policies. An Authorization Policy is used to provide authorizations and permissions for network administrators.

Follow these steps to configure Cisco Routers and Switches with AAA Authorization and Accounting using TACACS+ protocol through IOS Commands.

Step 01 - The first step in enabling AAA Authorization and Accounting is to enable AAA in a Cisco Router or Switch using the "aaa new-model" command from the Global Configuration mode. Follow the below Cisco IOS commands to enable AAA globally in a Cisco Router or Switch.

OmniSecuR1#configure terminal
OmniSecuR1(config)#aaa new-model
OmniSecuR1(config)#exit
OmniSecuR1#

Step 02 - Configure your Cisco Routers and Switches with the IP address of the Cisco Secure ACS (AAA Server) for TACACS+ based Authentication, Authorization and Accounting.

OmniSecuR1#configure terminal
OmniSecuR1(config)#tacacs-server host 192.168.10.50
OmniSecuR1(config)#tacacs-server key OmniSecu123
OmniSecuR1(config)#exit
OmniSecuR1#

Step 03 - Create a "default" Method List for Login Authentication, using TACACS+ protocol and then Local database as shown below.

OmniSecuR1#configure terminal
OmniSecuR1(config)#aaa authentication login default group tacacs+ local
OmniSecuR1(config)#exit
OmniSecuR1#

Step 04 - Create default Authorization Method Lists for Shell Privilege and for Privilege Level 9 commands as shown below.

OmniSecuR1#configure terminal
OmniSecuR1(config)#aaa authorization exec default group tacacs+
OmniSecuR1(config)#aaa authorization commands 9 default group tacacs+
OmniSecuR1(config)#aaa authorization config-commands
OmniSecuR1(config)#exit
OmniSecuR1#

Step 05 - Finally, create an Accounting Method List using TACACS+ protocol as shown below.

OmniSecuR1#configure terminal
OmniSecuR1(config)#aaa accounting commands 9 default start-stop group tacacs+
OmniSecuR1(config)#exit
OmniSecuR1#
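As an added check that is not part of the original tutorial, the following Python script audits a saved running-config for the AAA lines configured in the steps above (AAA enabled, TACACS+ server and key, login fallback to local, exec authorization, config-command authorization not disabled, and accounting for every command level that is authorized). The sample config is constructed here and the script assumes the legacy "tacacs-server host/key" syntax used in this lesson.

```python
import re

# Constructed sample running-config reproducing the tutorial's steps.
SAMPLE_CONFIG = """\
aaa new-model
tacacs-server host 192.168.10.50
tacacs-server key OmniSecu123
aaa authentication login default group tacacs+ local
aaa authorization exec default group tacacs+
aaa authorization commands 9 default group tacacs+
aaa accounting commands 9 default start-stop group tacacs+
"""

AUTHZ_CMD = re.compile(r"^aaa authorization commands (\d+) default (.+)$")
ACCT_CMD = re.compile(r"^aaa accounting commands (\d+) default (\S+) (.+)$")


def audit_aaa(config):
    """Return a list of findings; an empty list means the config matches the tutorial."""
    lines = [ln.strip() for ln in config.splitlines() if ln.strip()]
    findings = []
    if "aaa new-model" not in lines:
        findings.append("aaa new-model missing: AAA is not enabled")
    if not any(ln.startswith("tacacs-server host ") for ln in lines):
        findings.append("no tacacs-server host configured")
    if not any(ln.startswith("tacacs-server key ") for ln in lines):
        findings.append("no tacacs-server key configured")
    login = next((ln for ln in lines if ln.startswith("aaa authentication login default ")), None)
    if login is None or "group tacacs+" not in login:
        findings.append("login authentication does not use TACACS+")
    elif not login.endswith(" local"):
        findings.append("login has no local fallback: lockout if the AAA server is unreachable")
    if not any(ln.startswith("aaa authorization exec default ") and "group tacacs+" in ln
               for ln in lines):
        findings.append("exec (shell) authorization is not sent to TACACS+")
    # config-commands authorization is on by default; IOS only shows it when disabled.
    if "no aaa authorization config-commands" in lines:
        findings.append("config-commands authorization disabled: config mode bypasses TACACS+")
    authz_levels = {m.group(1) for ln in lines if (m := AUTHZ_CMD.match(ln))}
    acct_levels = {m.group(1) for ln in lines
                   if (m := ACCT_CMD.match(ln)) and m.group(2) == "start-stop"}
    for level in sorted(authz_levels - acct_levels, key=int):
        findings.append(f"level {level} commands are authorized but not accounted (start-stop)")
    return findings


if __name__ == "__main__":
    for finding in audit_aaa(SAMPLE_CONFIG) or ["no findings"]:
        print(finding)
```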

Once you complete the configuration steps, your Privilege Level 9 shell access and commands are authorized using the TACACS+ protocol, and you can view the AAA Accounting entries in Cisco Secure ACS as shown below.

Cisco Secure ACS AAA Accounting Entries
