This is a work in progress.

There are only 3 default privilege levels on a Cisco device.

0 – no access
1 – user
15 – enable

There are a few differences between Radius and Tacacs.  One is command authorization.  With Radius, you can grant privilege levels.  With Tacacs, you can grant privilege levels or authorize specific commands.  Tacacs also provides command accounting; Radius only tells you whether someone logged in or not.  At least as far as I know.

Radius is mainly used for regular user auth, like authenticating to an appliance that doesn’t support Active Directory.  Tacacs is great for RBAC on network gear.

Tacacs uses TCP port 49.

Radius uses UDP.
Legacy ports:
 1645 for authentication
 1646 for accounting

Current ports:
 1812 for authentication
 1813 for accounting

Radius uses AV pair attributes.  No need to memorize them.  They are easily found in Cisco’s documentation.
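To show how those AV pairs are laid out on the wire, here is an added example (not from the original post and not Cisco or ACS code) in Python: a small RFC 2865 encoder/decoder that hides the User-Password under the shared secret (the same role as `radius-server key` in the config below), carries the exec authorization as a Service-Type attribute plus a Cisco vendor-specific `shell:priv-lvl=15` AV pair, and has the NAS check the Response Authenticator before trusting the reply. The user name, password, packet identifier and the secret `cisco` are constructed values for the example.

```python
"""RADIUS (RFC 2865) AV-pair encoding, User-Password hiding and reply verification.
Added example: names, addresses and the shared secret are constructed, not from any real deployment."""
import hashlib
import hmac
import os
import struct

ACCESS_REQUEST, ACCESS_ACCEPT = 1, 2                 # packet codes
USER_NAME, USER_PASSWORD, SERVICE_TYPE, VENDOR_SPECIFIC = 1, 2, 6, 26   # attribute types
NAS_PROMPT_USER = 7                                  # Service-Type value: exec shell prompt
CISCO_VENDOR_ID, CISCO_AVPAIR = 9, 1                 # IANA enterprise 9, vendor-type 1 = cisco-avpair


def hide_password(secret, authenticator, password):
    """s5.2: pad to 16-byte blocks; each block XOR MD5(secret + previous ciphertext block)."""
    padded = password + b"\x00" * (-len(password) % 16)
    out, prev = b"", authenticator
    for i in range(0, len(padded), 16):
        block = hashlib.md5(secret + prev).digest()
        prev = bytes(x ^ y for x, y in zip(padded[i:i + 16], block))
        out += prev
    return out


def reveal_password(secret, authenticator, hidden):
    """Inverse of hide_password; only a holder of the shared secret can do this."""
    out, prev = b"", authenticator
    for i in range(0, len(hidden), 16):
        block = hashlib.md5(secret + prev).digest()
        out += bytes(x ^ y for x, y in zip(hidden[i:i + 16], block))
        prev = hidden[i:i + 16]
    return out.rstrip(b"\x00")          # strip the NUL padding


def avp(attr_type, value):
    """Type-Length-Value; Length counts its own two header bytes (value <= 253 bytes)."""
    return struct.pack("!BB", attr_type, len(value) + 2) + value


def cisco_avpair(text):
    """Vendor-Specific (26) wrapping a cisco-avpair such as 'shell:priv-lvl=15'."""
    value = text.encode()
    return avp(VENDOR_SPECIFIC, struct.pack("!IBB", CISCO_VENDOR_ID, CISCO_AVPAIR, len(value) + 2) + value)


def build_packet(code, ident, authenticator, attrs):
    return struct.pack("!BBH", code, ident, 20 + len(attrs)) + authenticator + attrs


def parse_attributes(data):
    """Walk the TLV list: plain attrs -> (type, value); VSAs -> (26, vendor, vtype, value)."""
    attrs, pos = [], 0
    while pos < len(data):
        t, l = struct.unpack_from("!BB", data, pos)
        if l < 2 or pos + l > len(data):
            raise ValueError("malformed attribute")
        value = data[pos + 2:pos + l]
        if t == VENDOR_SPECIFIC:
            vendor, vtype, vlen = struct.unpack_from("!IBB", value, 0)
            attrs.append((t, vendor, vtype, value[6:4 + vlen]))
        else:
            attrs.append((t, value))
        pos += l
    return attrs


def response_authenticator(secret, code, ident, request_auth, attrs):
    """s3: MD5(Code + ID + Length + RequestAuth + Attributes + Secret)."""
    header = struct.pack("!BBH", code, ident, 20 + len(attrs))
    return hashlib.md5(header + request_auth + attrs + secret).digest()


def reply_is_valid(reply, request_auth, secret):
    """What the NAS must check before acting on an Access-Accept/Reject."""
    code, ident, length = struct.unpack_from("!BBH", reply, 0)
    expected = response_authenticator(secret, code, ident, request_auth, reply[20:length])
    return hmac.compare_digest(expected, reply[4:20])


def demo(secret=b"cisco", username=b"netadmin", password=b"S3cret!"):
    """One constructed Access-Request / Access-Accept round trip, NAS and server in one process."""
    ident, req_auth = 7, os.urandom(16)
    attrs = avp(USER_NAME, username) + avp(USER_PASSWORD, hide_password(secret, req_auth, password))
    request = build_packet(ACCESS_REQUEST, ident, req_auth, attrs)
    # server side: parse the request and recover the password using the shared secret
    _, rid, length = struct.unpack_from("!BBH", request, 0)
    fields = dict(parse_attributes(request[20:length]))      # no VSAs in this request
    got_pass = reveal_password(secret, request[4:20], fields[USER_PASSWORD])
    # server side: grant an exec shell at privilege 15 (exec authorization, not per-command)
    acc_attrs = avp(SERVICE_TYPE, struct.pack("!I", NAS_PROMPT_USER)) + cisco_avpair("shell:priv-lvl=15")
    acc_auth = response_authenticator(secret, ACCESS_ACCEPT, rid, request[4:20], acc_attrs)
    accept = build_packet(ACCESS_ACCEPT, rid, acc_auth, acc_attrs)
    # NAS side: verify the Response Authenticator, then read the privilege level from the VSA
    priv = ""
    for a in parse_attributes(accept[20:]):
        if a[0] == VENDOR_SPECIFIC and a[1] == CISCO_VENDOR_ID and a[3].startswith(b"shell:priv-lvl="):
            priv = a[3].split(b"=", 1)[1].decode()
    return {"username": fields[USER_NAME], "password": got_pass, "priv_lvl": priv,
            "accept_valid": reply_is_valid(accept, req_auth, secret),
            "accept_valid_wrong_secret": reply_is_valid(accept, req_auth, b"wrong")}
```

Running `demo()` shows the two things the post is getting at: the only protection on the password and on the reply is MD5 keyed with the shared secret, and what comes back is a privilege level for the whole exec session, not a decision about any particular command.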

ACS_user_guide
 

Example configs.

!!R1 TACACS
!!First enable it.
aaa new-model

!!Create a default local auth
aaa authentication login default local

!!Then create a Tacacs auth group
aaa authentication login TACACS_AUTH group tacacs+ local

!!Create a tacacs authorization.
aaa authorization exec TACACS_EXEC_AUTHOR group tacacs+
!
!!Set the source interface, host and key.
ip tacacs source-interface Loopback0
tacacs-server host 10.0.0.200
tacacs-server key cisco
!
!!Enable authorization of config commands
aaa authorization config-commands
!
!!Create Tacacs Exec Accounting
aaa accounting exec TACACS_ACCT_EXEC start-stop group tacacs+
!
!!Tacacs Command Accounting:
aaa accounting commands 0 TACACS_ACCT_CMDS start-stop group tacacs+
aaa accounting commands 1 TACACS_ACCT_CMDS start-stop group tacacs+
aaa accounting commands 15 TACACS_ACCT_CMDS start-stop group tacacs+
!
!!Tacacs Command Authorization
aaa authorization commands 0 TACACS_CMDS_AUTHOR group tacacs+
aaa authorization commands 1 TACACS_CMDS_AUTHOR group tacacs+
aaa authorization commands 15 TACACS_CMDS_AUTHOR group tacacs+ 
!
!!Apply the aaa lists to the vty (telnet/SSH) lines
line vty 0 181
 authorization exec TACACS_EXEC_AUTHOR
 login authentication TACACS_AUTH
 accounting commands 0 TACACS_ACCT_CMDS
 accounting commands 1 TACACS_ACCT_CMDS
 accounting commands 15 TACACS_ACCT_CMDS
 accounting exec TACACS_ACCT_EXEC
 authorization commands 0 TACACS_CMDS_AUTHOR
 authorization commands 1 TACACS_CMDS_AUTHOR
 authorization commands 15 TACACS_CMDS_AUTHOR

!!Verification
debug aaa authorization
debug aaa accounting
debug tacacs authorization
debug tacacs accounting
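To show what the `aaa authorization commands 15 TACACS_CMDS_AUTHOR group tacacs+` lines above actually send, here is an added example (not part of the original post, and not Cisco or any TACACS+ server's code) in Python: one RFC 8907 authorization REQUEST/REPLY exchange for a single command, with the packet body obfuscated under the shared key (the role of `tacacs-server key` in the config) and a constructed per-user command policy on the server side. The user names, the tty and remote-address fields, the session id and the policy are all made up for the example.

```python
"""TACACS+ (RFC 8907) per-command authorization: NAS request, server decision, reply.
Added example; the user names, tty/remote-address fields and the policy are constructed."""
import hashlib
import struct

VERSION = 0xC0                       # major version 0xC, minor 0
TYPE_AUTHOR = 0x02                   # packet type: authorization
METHOD_TACACSPLUS, AUTHEN_TYPE_ASCII, SERVICE_LOGIN = 0x06, 0x01, 0x01
STATUS_PASS_ADD, STATUS_FAIL = 0x01, 0x10


def pseudo_pad(session_id, key, seq_no, length):
    """s4.5: MD5 chain over session_id || key || version || seq_no [|| previous digest]."""
    seed = struct.pack("!I", session_id) + key + bytes([VERSION, seq_no])
    pad, prev = b"", b""
    while len(pad) < length:
        prev = hashlib.md5(seed + prev).digest()
        pad += prev
    return pad[:length]


def obfuscate(session_id, key, seq_no, body):
    """Body XOR pseudo-pad; the same call reverses it."""
    return bytes(b ^ p for b, p in zip(body, pseudo_pad(session_id, key, seq_no, len(body))))


def packet(seq_no, session_id, key, body):
    """12-byte header (version, type, seq_no, flags, session_id, length) + obfuscated body."""
    header = struct.pack("!BBBBII", VERSION, TYPE_AUTHOR, seq_no, 0, session_id, len(body))
    return header + obfuscate(session_id, key, seq_no, body)


def unpack(key, data):
    """Validate the header and return (seq_no, session_id, clear body)."""
    ver, ptype, seq_no, _flags, sid, length = struct.unpack_from("!BBBBII", data, 0)
    if ver != VERSION or ptype != TYPE_AUTHOR or len(data) != 12 + length:
        raise ValueError("bad TACACS+ header")
    return seq_no, sid, obfuscate(sid, key, seq_no, data[12:])


def author_request(user, priv_lvl, args, port=b"tty1", rem_addr=b"10.0.0.50"):
    """Authorization REQUEST body (s6.1); args are 'attr=value' byte strings."""
    head = struct.pack("!8B", METHOD_TACACSPLUS, priv_lvl, AUTHEN_TYPE_ASCII, SERVICE_LOGIN,
                       len(user), len(port), len(rem_addr), len(args))
    return head + bytes(len(a) for a in args) + user + port + rem_addr + b"".join(args)


def parse_request(body):
    """Returns (user, priv_lvl, args) from a REQUEST body."""
    _m, priv, _t, _s, ulen, plen, rlen, argc = struct.unpack_from("!8B", body, 0)
    arg_lens, pos = body[8:8 + argc], 8 + argc
    user = body[pos:pos + ulen]
    pos += ulen + plen + rlen                      # skip port and rem_addr
    args = []
    for n in arg_lens:
        args.append(body[pos:pos + n])
        pos += n
    return user, priv, args


def author_reply(status, server_msg=b""):
    """Authorization REPLY body (s6.2) with no returned args."""
    return struct.pack("!BBHH", status, 0, len(server_msg), 0) + server_msg


def parse_reply(body):
    status, argc, mlen, _dlen = struct.unpack_from("!BBHH", body, 0)
    return status, body[6 + argc:6 + argc + mlen]


# Constructed server-side policy: allowed command verbs per user (None = every command).
POLICY = {b"netops": {b"show", b"ping"}, b"netadmin": None}


def decide(user, args):
    """Per-command decision, the thing RADIUS has no equivalent for."""
    verb = next((a[4:] for a in args if a.startswith(b"cmd=")), None)
    allowed = POLICY.get(user, set())
    return STATUS_PASS_ADD if allowed is None or verb in allowed else STATUS_FAIL


def exchange(key, user, words, session_id=0x1234ABCD):
    """NAS asks whether `user` may run the command `words` at privilege 15; returns (status, msg)."""
    args = [b"service=shell", b"cmd=" + words[0]] + [b"cmd-arg=" + w for w in words[1:]] + [b"cmd-arg=<cr>"]
    request = packet(1, session_id, key, author_request(user, 15, args))
    # server side: decode with the shared key, parse, decide
    seq, sid, body = unpack(key, request)
    s_user, _priv, s_args = parse_request(body)
    status = decide(s_user, s_args)
    msg = b"denied by policy" if status == STATUS_FAIL else b""
    reply = packet(seq + 1, sid, key, author_reply(status, msg))
    # NAS side: decode the reply and act on the status
    _, _, rbody = unpack(key, reply)
    return parse_reply(rbody)
```

`exchange(b"cisco", b"netops", [b"show", b"running-config"])` returns a PASS_ADD status while `exchange(b"cisco", b"netops", [b"configure", b"terminal"])` returns FAIL; each command the user types is a separate request carrying `cmd=` and `cmd-arg=` pairs, which is exactly the granularity the RADIUS configuration below cannot express.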

!!R2 RADIUS
aaa new-model
aaa authentication login default local
aaa authentication login RADIUS_AUTH group radius local
!!Radius can do the exec authorization but cannot do the command authorization.
aaa authorization exec RADIUS_EXEC_AUTHOR group radius
!
ip radius source-interface Loopback0
radius-server host 10.0.0.200
radius-server key cisco
!
!!Radius can do the exec accounting but cannot do the command accounting.
aaa accounting exec RADIUS_ACCT_EXEC start-stop group radius
!
line vty 0 181
 authorization exec RADIUS_EXEC_AUTHOR
 login authentication RADIUS_AUTH
 accounting exec RADIUS_ACCT_EXEC

AAA command reference 
