Exploring AAA and TACAS Configuration with Cisco Modeling Labs

I admit to not having accomplished an intensive examine. Nonetheless, I might nonetheless guess cash that AAA/RBAC providers are talked about extra often in Cisco’s certification blueprints than some other networking matter. From CCNA stage to Skilled stage, you’ll discover AAA, TACACS+, RADIUS, and RBAC listed within the examination subjects.

Under are some examples if you wish to see for your self:

• 200-301 CCNA
  • 2.8 Describe AP and WLC administration entry connections (Telnet, SSH, HTTP, HTTPS, console, and TACACS+/RADIUS)
  • 5.8 Differentiate ideas of authentication, authorization and accounting
• 350-401 ENCOR
  • 5.1 Configure and confirm gadget entry management
• 300-410 ENARSI
  • 3.1 Troubleshoot gadget safety utilizing IOS AAA (TACACS+, RADIUS, native database)
• 300-430 ENWLSI
  • 8.1 Implement gadget entry controls (together with RADIUS and TACACS+)
• 350-701 SCORE
  • 2.7 Configure AAA for entry to gadgets and networks akin to TACACS+ and RADIUS
• 300-715 SIZE
  • 7.0 Community Entry Machine Administration
• 350-601 DC COR
  • 5.xa Apply community|compute|storage safety: AAA and RBAC
• 300-615 DCIT
  • 5.xb Troubleshooting Community|Compute|Storage Safety: AAA and RBAC
• 350-501 ESPCOR
  • 1.6b Describe administration airplane safety: AAA and TACACS
• 300-540 SPCNI
  • 4.1e Implement infrastructure safety – TACACS

MY GOD. There are 10 completely different certifications, from Affiliate to Skilled, the place these subjects seem. You may additionally discover them on Skilled stage exams, such because the Enterprise infrastructure, Enterprise wi-fi, Safety, Service supplierand knowledge middle laboratories. (If anybody can discover one other matter with such in depth protection, please let me know within the feedback. I would like to know what I’ve missed to this point.)

Go to the Cisco Studying Community to view subjects for all Cisco certification exams. View examination subjects

Okay… it is undoubtedly vital… however what is AAA?

AAA is a crucial matter, however one which even probably the most skilled community engineers might not totally perceive. So earlier than we see it in motion, how a few fast refresher on what “triple A’s” imply?

Within the report “AAA in motion!” Within the comedian, Carl experiences your complete AAA course of:

• The primary “A” means Authentication. We see this represented when Carl is requested to confirm your identification earlier than you might be allowed to make a change to the community.
• The second “A” means Authorization. Even after the community verifies Carl’s identification, he has to examine if in case you have the fitting to make this transformationrelying on what rights you might have been granted on the community.
• And the third and final “A” means Accountingthat Carl sees in motion when the community registers the change makes the community.

TACACS comes into the image to help centralized administration of customers, roles and data (authentication, authorization and accounting). Whereas every community gadget might be configured regionally to deal with AAA, this doesn’t scale effectively for enterprises. A greater answer is for every community gadget to speak with a central “server” for these actions. TACACS is a protocol that servers and community gadgets use to speak and deal with every of the “A’s.” A “TACACS Server” is a software program software that helps the TACACS protocol.

Can we get to Exploration, already?!

Now that we perceive the essential function that AAA performs in a community (and that it’s a vital matter in lots of certifications), I wish to present you find out how to research and put together for it utilizing my favourite community simulation/virtualization instrument: Cisco. Modeling laboratories (CML). Since I most wish to share my exploration actions, I posted a few CML topology recordsdata on GitHub on the CML Neighborhood Repository on Cisco DevNet.

You will note that CML topology consists of just one IOL routerwhereas one other provides a Nexus 9000v swap to cowl knowledge middle platforms as effectively. So after studying this weblog put up, undoubtedly obtain the topologies and discover them your self.

Learn how to run a TACACS server in Cisco Modeling Labs

Earlier than you’ll be able to configure TACACS on a swap or router, it’s essential to have a TACACS server out there on the community. A typical TACACS server for a manufacturing community is Cisco ISEa whole “identification providers engine” for gadget administration, community entry, wi-fi safety, VPN entry and extra.

Cisco ISE is a crucial product and matter for community engineers. In reality, we now have a certification examination devoted to it. And when you can add Cisco ISE to a CML node library utilizing the node definition out there within the CML group, operating a full ISE server within the topology could seem overkill when the main focus is simply on configuring TACACS for gadget administration.

Luckily, there are light-weight options. My most popular possibility is the open supply software “tac_plus” which has been out there for a few years. Tac_plus is a fundamental Linux software that may be downloaded and put in on most Linux distributions. Whereas lively improvement of the mission seems to have stalled, it really works very effectively and continues to be an excellent possibility for instances like this.

In case you have a look at the picture of the CML topology, you will note “aaa-server” on the left aspect of the diagram. This can be a customary Ubuntu node from the CML reference platforms, with an preliminary configuration to put in tac_plus and configure it as a fundamental TACACS server. Be happy to evaluate the configuration within the topology file for full particulars, however listed here are the fundamentals of what I did to construct my TACACS server:

1. Set up necessities to obtain and set up the tac_plus software from the supply code.
2. Create the “tac_plus.conf” configuration file to specify the TACACS secret key, customers, and roles/privilege ranges for IOS and NX-OS platforms.
3. Create a file “tac_plus.service” to configure tac_plus as a service.
4. Obtain, extract, set up and begin tac_plus server.

With the set up and configuration of the aaa server portion of the bottom CML topology file, tac_plus will run and be prepared to simply accept requests as quickly because the lab is began.

cisco@aaa-server:~$ systemctl standing tac_plus
● tac_plus.service - tac_plus Service
     Loaded: loaded (/and so forth/systemd/system/tac_plus.service; enabled; vendor pres>
     Lively: lively (operating) since Mon 2024-10-14 19:16:37 UTC; 2s in the past
   Primary PID: 5982 (tac_plus)
      Duties: 1 (restrict: 2310)
     Reminiscence: 416.0K
        CPU: 2ms
     CGroup: /system.slice/tac_plus.service
             └─5982 /tacacs/sbin/tac_plus -G -C /and so forth/tacacs/tac_plus.conf -d 8 >

Oct 14 19:16:37 aaa-server systemd(1): Began tac_plus Service.
Oct 14 19:16:37 aaa-server tac_plus(5982): Studying config
Oct 14 19:16:37 aaa-server tac_plus(5982): Model F4.0.4.28 Initialized 1
Oct 14 19:16:37 aaa-server tac_plus(5982): tac_plus server F4.0.4.28 beginning
Oct 14 19:16:37 aaa-server tac_plus(5982): socket FD 4 AF 2
Oct 14 19:16:37 aaa-server tac_plus(5982): socket FD 5 AF 10
Oct 14 19:16:37 aaa-server tac_plus(5982): uid=0 euid=0 gid=0 egid=0 s=11063704>

Learn how to Allow AAA and TACACS on a Cisco IOS Router

With our TACACS server up and operating, we will now configure our IOS router to make use of it. Earlier than establishing the TACACS server on IOS, we’d like to ensure we do some fundamental “preliminary work” on our router. IOS has been round for years and has seen many modifications in the way in which authentication and authorization is dealt with.

So, the very first thing we need to do is be sure that AAA “new mannequin” is enabled on our gadget:

aaa new-model

Subsequent, we need to create an area consumer account that may entry and handle the gadget if the TACACS server turns into unreachable. You might also need to use an area account for serial/console connections.

username cisco privilege 15 secret cisco

On this command, the username and password are set to “cisco”. (Not the most secure possibility, however that is only a lab.) The “privilege 15” a part of the command signifies that this consumer shall be assigned an “administrator” function. Privilege 15 is the very best stage on an IOS gadget and permits the consumer to execute any and all instructions.

We’re able to configure and take a look at TACACS now. However first, I soar to the server console and begin monitoring the logs. This fashion I can examine and confirm the outcomes on each the server and shopper aspect.

# On aaa-server
journalctl -fu tac_plus

# Output
Oct 14 19:16:37 aaa-server systemd(1): Began tac_plus Service.
Oct 14 19:16:37 aaa-server tac_plus(5982): Studying config
Oct 14 19:16:37 aaa-server tac_plus(5982): Model F4.0.4.28 Initialized 1
Oct 14 19:16:37 aaa-server tac_plus(5982): tac_plus server F4.0.4.28 beginning
Oct 14 19:16:37 aaa-server tac_plus(5982): socket FD 4 AF 2
Oct 14 19:16:37 aaa-server tac_plus(5982): socket FD 5 AF 10
Oct 14 19:16:37 aaa-server tac_plus(5982): uid=0 euid=0 gid=0 egid=0 s=1106370448

Within the above command, the “-f” argument “tracks” the log messages as they arrive. And the “-u tac_plus” possibility limits the output to solely messages from the tac_plus service.

Glorious. Now, return to the router to configure the tacacs server and add it to a server group that the router can use for AAA service.

tacacs server aaa-server
 deal with ipv4 192.168.0.10
 key tacacs123

aaa group server tacacs+ AAA-TACACS
 server title aaa-server

I am at all times a fan of testing that one thing will (or in all probability will) work earlier than persevering with. Conveniently, IOS helps a “take a look at aaa” command that we will use.

take a look at aaa group AAA-TACACS iosadmin admin123 legacy

# Output 
Trying authentication take a look at to server-group AAA-TACACS utilizing tacacs+
Consumer was efficiently authenticated.

That appears nice! And I may see the logs on “aaa-server”.

Oct 14 19:55:16 aaa-server tac_plus(6473): join from 192.168.0.1 (192.168.0.1)
Oct 14 19:55:17 aaa-server tac_plus(6473): login question for 'iosadmin' port unknown-port from 192.168.0.1 accepted

With a powerful sense of confidence, let’s full the AAA configuration for the three “A’s”.

! Authentication 
aaa authentication login default group AAA-TACACS native

! Authorization 
aaa authorization exec default group AAA-TACACS native 
aaa authorization console

! Accounting
aaa accounting exec default start-stop group AAA-TACACS
aaa accounting instructions 1 default start-stop group AAA-TACACS
aaa accounting instructions 15 default start-stop group AAA-TACACS

Maintaining that sturdy sense of confidence, let’s have a look at if it really works. Finish/exit the router till it’s worthwhile to log in once more.

ios01 con0 is now out there

Press RETURN to get began.

Consumer Entry Verification

Username: 

Attempt to log in to the router utilizing the TACACS credentials for the IOS gadget.

Consumer Entry Verification

Username: iosadmin
Password: 

ios01#

Success! Verify the logs on the server and it’s best to see one thing like this:

Oct 14 20:05:03 aaa-server tac_plus(6492): login question for 'iosadmin' port tty0 from 192.168.0.1 accepted
Oct 14 20:05:03 aaa-server tac_plus(6493): join from 192.168.0.1 (192.168.0.1)
Oct 14 20:05:03 aaa-server tac_plus(6493): Begin authorization request
Oct 14 20:05:03 aaa-server tac_plus(6493): do_author: consumer="iosadmin"
Oct 14 20:05:03 aaa-server tac_plus(6493): consumer 'iosadmin' discovered
Oct 14 20:05:03 aaa-server tac_plus(6493): exec authorization request for iosadmin
Oct 14 20:05:03 aaa-server tac_plus(6493): exec is explicitly permitted by line 6
Oct 14 20:05:03 aaa-server tac_plus(6493): nas:service=shell (handed via)
Oct 14 20:05:03 aaa-server tac_plus(6493): nas:cmd* (handed via)
Oct 14 20:05:03 aaa-server tac_plus(6493): nas:absent, server:priv-lvl=15 -> add priv-lvl=15 (okay)
Oct 14 20:05:03 aaa-server tac_plus(6493): added 1 args
Oct 14 20:05:03 aaa-server tac_plus(6493): out_args(0) = service=shell enter copy discarded
Oct 14 20:05:03 aaa-server tac_plus(6493): out_args(1) = cmd* enter copy discarded
Oct 14 20:05:03 aaa-server tac_plus(6493): out_args(2) = priv-lvl=15 compacted to out_args(0)
Oct 14 20:05:03 aaa-server tac_plus(6493): 1 output args
Oct 14 20:05:03 aaa-server tac_plus(6493): authorization question for 'iosadmin' tty0 from 192.168.0.1 accepted
Oct 14 20:05:03 aaa-server tac_plus(6494): join from 192.168.0.1 (192.168.0.1)

I’ve coloured the server output to focus on the authentication and authorization logs individually, exhibiting that they’re actually two completely different phases.

However what in regards to the last “A” in accounting? Press Cntr-C to cease monitoring the service log and open the “accounting log”.

tail -f /var/log/tac_plus.acct 

# Output 
Oct 14 20:05:03 192.168.0.1     iosadmin        tty0    async   begin   task_id=12      timezone=UTC    service=shell

It is best to see a message just like the one above exhibiting the router session “beginning.” Return to the router and run “write mem” to avoid wasting the configuration modifications to reminiscence. A brand new log message ought to seem within the accounting log:

Oct 14 20:10:11 192.168.0.1     iosadmin        tty0    async   cease    task_id=13      timezone=UTC    service=shell   priv-lvl=15     cmd=write reminiscence 

And now, exit the router to sign off. A brand new message also needs to seem:

Oct 14 20:11:02 192.168.0.1     iosadmin        tty0    async   cease    task_id=13      timezone=UTC    service=shell   disc-cause=1    disc-cause-ext=9        pre-session-time=6 elapsed_time=89  stop_time=1728936662

AND BAM. The three “A”s have been validated. Glorious work!

Hopefully, this weblog has received you excited to finish your personal exploration of AAA and TACACS. And also you’re in luck: the CML topology recordsdata I discussed above (and can point out once more under) are there so that you can seize and use instantly. Inside them are lab guides that debate different vital AAA subjects, akin to utilizing native accounts on the console/serial line for IOS and configuring TACACS on Nexus gadgets. Nonetheless, I encourage you to do some impartial exploration and experiment with issues which can be No within the information:

What occurs in the event you enter the fallacious username/password? What occurs if the “tacacs key” configured is inaccurate? What occurs if the TACACS server can’t be reached?

Understanding the affect of issues and failures is important so {that a} community engineer can really feel comfy when one thing goes fallacious in “actual life.” It is significantly better to mess issues up within the lab than to attend for manufacturing to have issues. And there’s no higher instrument than Cisco Modeling Labs for that exploration.

My very own AAA exploration will proceed. On this weblog and lab, I solely scratched the floor of the subject and the information wanted for the completely different certifications. RADIUS servers can be utilized as an alternative of TACACS, and what about AAA for issues like VPN authentication, community entry with 802.1x, or different platforms like ASA firewalls?

There are numerous extra potentialities that I can discover in later weblog posts. Would you wish to see extra AAA from me? Let me know within the feedback.

See you subsequent time!

Assets

Enroll in Cisco U. | Be part of theCisco Studying Community.

Comply with Cisco Studying and Certifications

unknown |Rags| Fb|LinkedIn|instagram|YouTube

Put on #CiscoU and#CiscoCertto hitch the dialog.

Share: