Adding security to your Cisco routers and switches is important, and AAA (Authentication, Authorization, Accounting) in particular is incredibly important in corporate environments. I’ve recently moved our switches to the AAA protocol TACACS+ (“Tac Plus”) after a few unauthorized changes where we could not tell who did what. There are a few ways to get a TACACS+ server. You can go the commercial route: Cisco sells a TACACS+ server, as do some other vendors. Or you can go the free route. Free obviously lacks things like commercial support, but I found a great TACACS+ server that runs on Windows. I already have a dedicated virtual machine that acts as my TFTP server for software upgrades, so I decided to make it my TACACS+ server as well. The software is tacacs.net, a great and well-documented free piece of software built on .NET.
The logging in TACACS.NET is great. For example, here’s an accounting log. You can see the username (in this case RANCID, which was running backups because I had just added the TACACS+ commands to the switch configs), the date and time of the session, and which commands were run.
So to configure the switches (and routers) there are two methods. On IOS 12.X, one command defines the TACACS+ server:
tacacs-server host <ACS-SERVER> key 7 <KEY>
If you run this command on IOS 15.X, you'll receive a warning that it is deprecated and will be removed soon. The commands you need to change to are:

Switch(config)#tacacs server acs-server
Switch(config-server-tacacs)#address ipv4 192.168.1.1
Switch(config-server-tacacs)#key 0 <my-key unencrypted>

The server group then references the servers by name (each "server name" entry must match a name you defined with "tacacs server"):

aaa group server tacacs+ TAC_PLUS
 server name acs-server-1
 server name acs-server-2
And then just add your typical TACACS+ commands:
aaa new-model
aaa authentication login default group tacacs+ local
aaa authentication enable default group tacacs+ enable
aaa accounting commands 0 default start-stop group tacacs+
aaa accounting commands 3 default start-stop group tacacs+
aaa accounting commands 5 default start-stop group tacacs+
aaa accounting commands 15 default start-stop group tacacs+
!
aaa session-id common
Also, don’t forget to set your enable password and add a backup local user in case the TACACS+ server is unreachable! The "local" and "enable" fallback methods in the authentication lines above only work if that local user and enable password actually exist.
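The two mistakes that bite people with this setup are a server group that names a server never defined with "tacacs server", and authentication lines with no working fallback, which locks you out of your own switch when the TACACS+ server is down. The following Python script is an added example written for this page, not part of tacacs.net or Cisco IOS: it parses the IOS 15.X configuration shown above and reports those problems. The config text is a constructed sample (the post's own commands, so the group's acs-server-1 / acs-server-2 deliberately do not match the single acs-server that is defined), and the regular expressions assume the exact command spellings used on this page.

```python
"""Lint an IOS 15.X TACACS+ configuration snippet for the pitfalls described
in the post.  Example code written for this page; not from Cisco or tacacs.net.
The regexes assume the command spellings shown on the page."""
import re

# Constructed sample: the commands from the post.  The group references
# acs-server-1 and acs-server-2, but only acs-server is defined.
SAMPLE_CONFIG = """\
tacacs server acs-server
 address ipv4 192.168.1.1
 key 0 my-secret-key
aaa group server tacacs+ TAC_PLUS
 server name acs-server-1
 server name acs-server-2
aaa new-model
aaa authentication login default group tacacs+ local
aaa authentication enable default group tacacs+ enable
aaa accounting commands 15 default start-stop group tacacs+
"""


def parse_tacacs_servers(config):
    """Return {name: {'address': ..., 'key_type': ...}} from 'tacacs server' blocks."""
    servers, current = {}, None
    for line in config.splitlines():
        m = re.match(r"^tacacs server (\S+)$", line)
        if m:
            current = servers.setdefault(m.group(1), {})
            continue
        if line.startswith(" ") and current is not None:
            m = re.match(r"^\s+address ipv4 (\S+)$", line)
            if m:
                current["address"] = m.group(1)
            m = re.match(r"^\s+key (\d) (\S+)$", line)
            if m:
                current["key_type"] = int(m.group(1))
        elif not line.startswith(" "):
            current = None  # any other top-level command ends the block
    return servers


def parse_server_groups(config):
    """Return {group_name: [server names]} from 'aaa group server tacacs+' blocks."""
    groups, current = {}, None
    for line in config.splitlines():
        m = re.match(r"^aaa group server tacacs\+ (\S+)$", line)
        if m:
            current = groups.setdefault(m.group(1), [])
            continue
        m = re.match(r"^\s+server name (\S+)$", line)
        if m and current is not None:
            current.append(m.group(1))
        elif not line.startswith(" "):
            current = None
    return groups


def check_config(config):
    """Return a list of human-readable findings; an empty list means no issues."""
    findings = []
    lines = config.splitlines()
    servers = parse_tacacs_servers(config)
    groups = parse_server_groups(config)

    if "aaa new-model" not in lines:
        findings.append("aaa new-model is missing, so the aaa commands have no effect")
    for line in lines:
        if re.match(r"^tacacs-server host ", line):
            findings.append("legacy 'tacacs-server host' form is deprecated on IOS 15.X")

    # Every name in a server group must be defined with 'tacacs server <name>'.
    for group, names in groups.items():
        for name in names:
            if name not in servers:
                findings.append(f"group {group} references undefined server {name}")
    for name, attrs in servers.items():
        if "address" not in attrs:
            findings.append(f"server {name} has no 'address ipv4'")
        if "key_type" not in attrs:
            findings.append(f"server {name} has no shared key configured")

    # Fallback methods: the post's point about a backup user and enable password.
    for line in lines:
        m = re.match(r"^aaa authentication login default (.+)$", line)
        if m and "local" not in m.group(1).split():
            findings.append("login has no 'local' fallback; a TACACS+ outage locks you out")
        m = re.match(r"^aaa authentication enable default (.+)$", line)
        if m and "enable" not in m.group(1).split():
            findings.append("enable has no 'enable' fallback; privileged mode is unreachable offline")
    return findings


if __name__ == "__main__":
    for finding in check_config(SAMPLE_CONFIG) or ["no findings"]:
        print(finding)
```

Run it against the sample and it reports the two undefined server references; once the names in the group match the defined server, it is clean. The checks are intentionally textual (no device access needed), so the same script can be run over a RANCID backup of each switch.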