This article should really be titled “How to set up TACACS+ for Active Directory authentication with a Cisco Secure ACS 4.2 server” but hey, I only have so much to work with. Please keep in mind that this article assumes you already have knowledge about how to work with the Cisco IOS CLI, how to manage and handle user accounts in Windows Active Directory, that you have an ACS appliance connected to the network, and your IOS device is able to communicate with the ACS server.
One special thing about our infrastructure is that we are using a Cisco Secure ACS server as our TACACS+ authentication server. We could have used a basic Windows Server 2008 RADIUS server (or even changed the ACS server mode to RADIUS), but since we already had the ACS server up and running and were not using it for anything else, it made sense for us to set it up for TACACS+ only. If you don’t have an ACS server and want to use a Windows RADIUS server instead, see Brian Desmond’s Blog for instructions.
So, in starting this journey I had several pieces of equipment available:
- 1x Cisco Secure ACS v4.2 appliance (hereby referred to as the ACS server)
- 1x Windows Server 2003 Server that is a member of a domain (a.k.a. member server)
- 1x Cisco Catalyst 3750X-48P Switch with IOS 12.2

- Install and configure the Cisco Secure ACS Remote Agent software on the domain member server. Information on how to do this is located on Cisco’s website here.
- Add the Remote Agent under Network Configuration in the ACS server.
- Set up Active Directory as an External User Database in the ACS server.
- Add the Cisco IOS device as an authorized AAA client under Network Configuration in the ACS server. Read Jose Leitao’s blog on how to do this here.
- Set up user accounts in the ACS server for access to log into Cisco IOS devices.
- Configure TACACS and AAA authentication on the Cisco IOS device. Again, read Jose Leitao’s blog on how to do this here. I recommend testing a login to your IOS device before you save this configuration (WRITE MEM \ COPY RUN START), because if there is a problem you can simply restart the device without keeping the changes. Here is a sample configuration for your device:
! Shared secret and IP address of the ACS (TACACS+) server
tacacs-server key <KEY FROM TACACS SERVER>
tacacs-server host <IP ADDRESS OF TACACS SERVER>
! Login authentication: try the local user database first, then the TACACS+ group
aaa authentication login default local group tacacs+
! Local-only method list; it only takes effect on a line where it is applied
! (for example "login authentication no-tacacs" under "line con 0")
aaa authentication login no-tacacs local
! Enable-mode authentication: TACACS+ first, then the local enable password
aaa authentication enable default group tacacs+ enable
! Apply authorization to the console line and to configuration-mode commands
aaa authorization console
aaa authorization config-commands
! EXEC authorization: TACACS+ first; if it cannot be reached, any authenticated user gets a shell
aaa authorization exec default group tacacs+ if-authenticated local
! Command authorization: level 1 commands for any authenticated user,
! level 15 commands checked against the local database, then TACACS+
aaa authorization commands 1 default if-authenticated
aaa authorization commands 15 default local group tacacs+
! Use one session ID for all AAA records of a session (easier log correlation)
aaa session-id common
- At logon, the IOS device will first check its local database for the user ID and password. If the user ID is not in the local database, IOS will then attempt to authenticate against the TACACS server.
- If the TACACS server is unavailable, the local account database on the network device will be used.
- You will need to create a ‘failsafe’ local user account on the ACS server in case there is a problem with Active Directory. See the next bullet point for the reason…
- If the ACS server is up and running but Active Directory is not working, a local ACS user account is the only thing that can be used. This is because IOS can still communicate with the ACS server, so it never falls back to its own local database. Just know that you need to use a local ACS user account if there is an Active Directory problem. And no, there is no workaround for this.
- ACS supports two different types of user accounts – “Local” and “External User Database”. When you create a user account in ACS, you must define if it is going to be local to the ACS server, or if the user account needs to authenticate against an external user database (in this case our external user database is MS Active Directory).
- With this configuration, when a user account successfully logs in it is placed into ENABLE mode immediately. This reduces the need to retype passwords over and over again. This type of configuration is very close to a “single sign-on” user experience for network devices.
- As long as the network device is able to communicate with the ACS server, authentication will ALWAYS occur with the ACS server.
- TACACS server authentication is a two-way street. You need to add the network device as an AAA client in the ACS server, as well as configure the network device’s TACACS configuration.
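To make the fallback behaviour described in the bullets above concrete, here is an added Python model of how the `aaa authentication login default local group tacacs+` method list decides a login. This is example code written for this article, not Cisco's or the ACS product's; the user names, passwords and the two server flags are constructed sample data, and the rule it encodes follows the bullets above: a method that cannot give an answer (user unknown locally, ACS not reachable) is skipped, while an explicit reject (wrong password, or ACS answering "no" because it cannot consult Active Directory) stops the list.

```python
from dataclasses import dataclass
from enum import Enum
from typing import Dict, List, Tuple


class Result(Enum):
    """Outcome of one AAA method, using the three states the method-list logic distinguishes."""
    PASS = "pass"    # credentials accepted
    FAIL = "fail"    # credentials explicitly rejected: the list stops here
    ERROR = "error"  # the method could not give an answer: try the next method


@dataclass
class LocalDatabase:
    """The IOS device's own 'username ... secret ...' entries (constructed sample data)."""
    users: Dict[str, str]

    def authenticate(self, user: str, password: str) -> Result:
        if user not in self.users:
            # Unknown locally: per the article, IOS moves on to the next method
            return Result.ERROR
        return Result.PASS if self.users[user] == password else Result.FAIL


@dataclass
class AcsServer:
    """A TACACS+ server with its own local accounts plus accounts that map to Active Directory."""
    reachable: bool
    ad_available: bool
    local_users: Dict[str, str]
    ad_users: Dict[str, str]

    def authenticate(self, user: str, password: str) -> Result:
        if not self.reachable:
            return Result.ERROR  # no response at all: IOS treats this as a method error
        if user in self.local_users:
            return Result.PASS if self.local_users[user] == password else Result.FAIL
        if user in self.ad_users:
            if not self.ad_available:
                # ACS is up but cannot consult AD: it answers with a reject, not silence
                return Result.FAIL
            return Result.PASS if self.ad_users[user] == password else Result.FAIL
        return Result.FAIL  # user unknown to ACS


def run_method_list(methods, user: str, password: str):
    """Try each method in order; continue only on ERROR, stop on PASS or FAIL."""
    trace: List[Tuple[str, Result]] = []
    for name, method in methods:
        result = method.authenticate(user, password)
        trace.append((name, result))
        if result is not Result.ERROR:
            return result, trace
    # Every method errored: the device has no answer and denies the login
    return Result.FAIL, trace


def login(user: str, password: str, acs_reachable: bool = True, ad_available: bool = True):
    """Evaluate 'aaa authentication login default local group tacacs+' for one attempt."""
    local = LocalDatabase(users={"admin-local": "LocalPass!"})          # constructed
    acs = AcsServer(reachable=acs_reachable, ad_available=ad_available,
                    local_users={"acs-failsafe": "FailsafePass!"},      # constructed
                    ad_users={"jdoe": "AdPass!"})                       # constructed
    return run_method_list([("local", local), ("group tacacs+", acs)], user, password)


if __name__ == "__main__":
    cases = [
        ("AD user, everything up",           dict(user="jdoe", password="AdPass!")),
        ("AD user, ACS unreachable",         dict(user="jdoe", password="AdPass!", acs_reachable=False)),
        ("local user, ACS unreachable",      dict(user="admin-local", password="LocalPass!", acs_reachable=False)),
        ("AD user, ACS up but AD down",      dict(user="jdoe", password="AdPass!", ad_available=False)),
        ("ACS failsafe, ACS up but AD down", dict(user="acs-failsafe", password="FailsafePass!", ad_available=False)),
    ]
    for label, kwargs in cases:
        result, trace = login(**kwargs)
        steps = ", ".join(f"{name}={r.value}" for name, r in trace)
        print(f"{label:34} -> {result.value:5} ({steps})")
```

The trace returned alongside each result shows which method actually answered, which is the quickest way to see why the "ACS up but AD down" case is denied (the TACACS+ method returns a reject, so the device never looks anywhere else) while the "ACS unreachable" case still lets the device's own local account in.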