Example: TACACS Authentication
The following example shows how to configure TACACS+ as the security protocol for PPP authentication:
aaa new-model
aaa authentication ppp test group tacacs+ local
tacacs-server host 10.1.2.3
tacacs-server key goaway
interface serial 0
ppp authentication chap pap test
The lines in the preceding sample configuration are defined as follows:
•
The aaa new-model command enables the AAA security services.
• The aaa authentication command defines a method list, “test,” to be used on serial interfaces running
PPP. The keyword group tacacs+ means that authentication will be done through TACACS+. If
TACACS+ returns an ERROR of some sort during authentication, the keyword local indicates that
authentication will be attempted using the local database on the network access server.
•
The tacacs-server host command identifies the TACACS+ daemon as having an IP address of 10.1.2.3.
The tacacs-server key command defines the shared encryption key to be “goaway.”
•
The interface command selects the line, and the ppp authentication command applies the test method
list to this line.
The following example shows how to configure TACACS+ as the security protocol for PPP authentication,
but instead of the “test” method list, the “default” method list is used.
aaa new-model
aaa authentication ppp default if-needed group tacacs+ local
tacacs-server host 10.1.2.3
tacacs-server key goaway
interface serial 0
ppp authentication chap default
The lines in the preceding sample configuration are defined as follows:
•
The aaa new-model command enables the AAA security services.
• The aaa authentication command defines a method list, “default,” to be used on serial interfaces running
PPP. The keyword default means that PPP authentication is applied by default to all interfaces. The
if-needed keyword means that if the user has already authenticated by going through the ASCII login
procedure, then PPP authentication is not necessary and can be skipped. If authentication is needed, the
keyword group tacacs+ means that authentication will be done through TACACS+. If TACACS+
returns an ERROR of some sort during authentication, the keyword local indicates that authentication
will be attempted using the local database on the network access server.
•
The tacacs-server host command identifies the TACACS+ daemon as having an IP address of 10.1.2.3.
The tacacs-server key command defines the shared encryption key to be “goaway.”
•
The interface command selects the line, and the ppp authentication command applies the default
method list to this line.
The following example shows how to create the same authentication algorithm for PAP, but it calls the method
list “MIS-access” instead of “default”:
aaa new-model
Consolidated Platform Configuration Guide, Cisco IOS Release 15.2(4)E (Catalyst 2960-X Switches)
897
Configuration Examples for TACACS+
To Next Page
Loading...
Need help?
General
