The Ultimate Guide to TACACS+ Server Implementation
As a computer network grows, it comes to consist of many routers, switches, and firewalls, and it becomes hard for an administrator to control access to all of these devices. The TACACS+ protocol resolves this problem: it centralizes all login credentials in a single place, which simplifies management and secures the network. When a user logs into a networking device through the GUI, telnet, or SSH with their credentials, the device verifies the entered credentials with the tacacs+ server over an encrypted channel, and the tacacs+ server in turn verifies them against its local database, LDAP, or a RADIUS server.
Similarly, whenever the user runs a command on the device, the tacacs+ server verifies whether the user is authorized to run that specific command.
Moreover, tacacs+ is responsible for accounting: it logs the sessions and commands generated by the devices in the network, so every change is recorded.
Lab topology for Tacacs+ server
Assign an IP address to the router.
Also assign an IP address to the AAA server and to the other PCs, all in the range 192.168.10.0/24:
Enable AAA (authentication, authorization, and accounting) on the router with the following commands. The first command enables AAA, while the second configures the router to authenticate users through the tacacs+ server.
Enable AAA
Configure line console and vty authentication on the router. Also configure the privilege (enable) password on the router.
Similarly, configure the AAA server's basic settings: the client name as R1 (our router R1 will act as a client of the AAA server), the client IP, a shared key, and finally tacacs+ as the service type. Create two users, admin and user1, on the server.
Specify the tacacs+ server on router R1. This means that router R1 will verify user credentials against the AAA server (192.168.10.10).
Configure AAA authorization on the router, which specifies what the users are authorized to do.
Record the users' activity through the accounting process with the command below.
Now it is time to telnet to the router from any PC.
To watch the router's debugging output, apply the debug aaa authentication command on the router.
What happens if the AAA server goes down? To simulate this, we shut down the AAA server's interface on the switch.
Now go to the PC and telnet to the router.
The authentication failed because the router could not reach an AAA server to verify the entered credentials. This is a serious problem: the router cannot authenticate anyone, not even through the line console. To protect against this, configure local authentication as a fallback, so that if the AAA server is unreachable the router verifies the user's credentials against its own local database. Also create a user for this purpose, which will be stored only in the local database.
Let's try to access router R1 through telnet from PC1.
Re-enable the AAA server's interface on the switch:
Let's telnet to router R1 again and check whether it authenticates users against the AAA server or its local database. We will first try user2, which was created locally, and then try to telnet as the admin user, which was created on the AAA server.
The screenshot shows that user2 cannot telnet into router R1 and its attempt fails, while the user admin telnets in successfully. Why? Because user2 was created in the router's local database, while admin was created on the AAA server. Since the AAA server is up, the router checks user2 against the AAA server, not its local database; it only looks in its local database for user2 when the AAA server is down. The "admin" user was created on the AAA server, so the router finds it there and "admin" is able to log in to the router through telnet.
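The router-side configuration for the steps above (enable AAA, tacacs+ authentication, authorization, accounting, and the local fallback user), written out as an added example rather than the original page's screenshots. The method lists use `group tacacs+ local`, so the local database answers only when no tacacs+ server is reachable, which is exactly the behaviour seen in the telnet tests. The router's own address, the interface name, and the SHARED_KEY / LOCAL_SECRET / ENABLE_SECRET values are assumptions and placeholders, not values from the page.

```cisco
! R1: hypothetical IOS configuration for this lab (added example, not from the guide).
! Assumed: interface GigabitEthernet0/0 and router address 192.168.10.1.
! Placeholders: SHARED_KEY, LOCAL_SECRET, ENABLE_SECRET.
hostname R1
!
interface GigabitEthernet0/0
 ip address 192.168.10.1 255.255.255.0
 no shutdown
!
! Enable AAA and point R1 at the tacacs+ server (192.168.10.10) with the shared key
! that was also entered on the AAA server when R1 was added as a client.
aaa new-model
tacacs-server host 192.168.10.10 key SHARED_KEY
!
! Authentication: "group tacacs+ local" falls through to the local database only when
! the server does not answer; a rejection from the server is final (user2 fails while
! the server is up). "enable" falls back to the enable secret for privileged mode.
aaa authentication login default group tacacs+ local
aaa authentication enable default group tacacs+ enable
!
! Authorization: who may get an exec shell and who may run privilege-15 commands.
aaa authorization exec default group tacacs+ local
aaa authorization commands 15 default group tacacs+ local
!
! Accounting: start-stop sends a record at the beginning and end of each session
! and for each privilege-15 command, so changes are logged centrally.
aaa accounting exec default start-stop group tacacs+
aaa accounting commands 15 default start-stop group tacacs+
!
! Local fallback user (user2 in the guide) and the privilege password.
username user2 privilege 15 secret LOCAL_SECRET
enable secret ENABLE_SECRET
!
! Apply the default login method list to the console and vty lines.
line console 0
 login authentication default
line vty 0 4
 login authentication default
 transport input telnet
```

With `debug aaa authentication` enabled, the log shows which method in the list handled each login attempt, which is the quickest way to confirm that the local fallback is only used when the server is unreachable.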