Securing Cisco IOS Networks Study Guide - Carl Timm.pdf

100 Chapter 3 Configuring CiscoSecure ACS and TACACS+

Todd(config)#aaa accounting exec start-stop tacacs+

The tacacs-server host command specifies the IP address or host name of the remote TACACS+ server.

Todd(config)#tacacs-server host single

The tacacs-server key command specifies a shared secret text string used between the access server and the TACACS+ server. The access server and TACACS+ server use this text string to encrypt passwords and exchange responses.

Todd(config)#tacacs-server key d$y!tR%e

The next command sets AAA authentication at login to use the enable password for authentication.

Todd(config)#aaa authentication login no_tacacs enable

Choose the console 0 line.

Todd(config)#line console 0

Finally, specify that the AAA authentication list called no_tacacs is to be used on the console line.

Todd(config-line)#login authentication no_tacacs

Be sure to enter the tacacs-server host's IP address and key first. Otherwise, you can easily lock yourself out of the router once authorization takes over and the router, for some reason, can't reach a server.
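The lockout pitfall just described is easy to catch before a configuration is pushed. The following script is an added example, not code from the study guide or from Cisco: it consolidates the commands from this section into one constructed running-config fragment (the lines `aaa new-model`, the `default` login list with `group tacacs+ enable`, and the vty section are assumptions added to make the fragment complete; the host name `single` and the key come from the text) and then audits it the way a reviewer would, for every line, not only the console: is a TACACS+ host configured when a method list references it, does each host have a shared key, and does each line's login list end in a method (`enable`, `local`, `local-case`, `line`) that still works when no server answers.

```python
"""Audit a Cisco IOS AAA configuration for the TACACS+ lockout pitfall.

Added example, not from the study guide. Parsing covers only the commands
discussed in this section (aaa authentication login, tacacs-server host/key,
line sections with login authentication); other commands are ignored.
"""

# Constructed sample config: the section's commands plus an assumed
# aaa new-model, default list and vty section so the fragment is complete.
SAMPLE_CONFIG = """\
hostname Todd
aaa new-model
aaa authentication login default group tacacs+ enable
aaa authentication login no_tacacs enable
aaa accounting exec start-stop tacacs+
tacacs-server host single
tacacs-server key d$y!tR%e
line console 0
 login authentication no_tacacs
line vty 0 4
 login authentication default
"""

# Constructed counter-example: no shared key, and the console uses a list
# whose only method is the TACACS+ server group.
BAD_CONFIG = """\
hostname Todd
aaa new-model
aaa authentication login default group tacacs+ enable
aaa authentication login tacacs_only group tacacs+
tacacs-server host single
line console 0
 login authentication tacacs_only
line vty 0 4
 login authentication default
"""

# Methods that still succeed when every AAA server is unreachable. "none"
# also avoids lockout, but by disabling authentication, so it is listed
# separately and should be reviewed on its own.
FALLBACK_METHODS = {"enable", "local", "local-case", "line", "none"}


def parse_methods(tokens):
    """Turn ['group', 'tacacs+', 'enable'] into ['group tacacs+', 'enable']."""
    methods, i = [], 0
    while i < len(tokens):
        if tokens[i] == "group" and i + 1 < len(tokens):
            methods.append(f"group {tokens[i + 1]}")
            i += 2
        else:
            methods.append(tokens[i])
            i += 1
    return methods


def parse_config(text):
    """Extract the AAA-relevant pieces of an IOS-style config into a dict."""
    cfg = {"aaa_new_model": False, "login_lists": {}, "tacacs_hosts": [],
           "hosts_with_key": set(), "global_key": None, "lines": {}}
    current_line = None  # name of the 'line ...' section we are inside, if any
    for raw in text.splitlines():
        if not raw.strip() or raw.lstrip().startswith("!"):
            continue
        tokens = raw.split()
        if raw.startswith(" "):  # sub-command of the current section
            if current_line and tokens[:2] == ["login", "authentication"] and len(tokens) > 2:
                cfg["lines"][current_line] = tokens[2]
            continue
        current_line = None  # any top-level command ends the section
        if tokens[:2] == ["aaa", "new-model"]:
            cfg["aaa_new_model"] = True
        elif tokens[:3] == ["aaa", "authentication", "login"] and len(tokens) > 4:
            cfg["login_lists"][tokens[3]] = parse_methods(tokens[4:])
        elif tokens[:2] == ["tacacs-server", "host"] and len(tokens) > 2:
            cfg["tacacs_hosts"].append(tokens[2])
            if "key" in tokens[3:]:  # per-host key form: tacacs-server host X key Y
                cfg["hosts_with_key"].add(tokens[2])
        elif tokens[:2] == ["tacacs-server", "key"] and len(tokens) > 2:
            cfg["global_key"] = " ".join(tokens[2:])
        elif tokens[0] == "line" and len(tokens) > 1:
            current_line = " ".join(tokens[1:])
            cfg["lines"][current_line] = None  # None = no explicit list, uses default
    return cfg


def audit_aaa(text):
    """Return a list of (code, detail) findings; an empty list means no issue found."""
    cfg = parse_config(text)
    findings = []
    uses_tacacs = any(m in ("tacacs+", "group tacacs+") for ms in cfg["login_lists"].values() for m in ms)
    if uses_tacacs and not cfg["tacacs_hosts"]:
        findings.append(("NO_TACACS_HOST", "a login list references tacacs+ but no tacacs-server host is configured"))
    if cfg["tacacs_hosts"] and cfg["global_key"] is None:
        missing = [h for h in cfg["tacacs_hosts"] if h not in cfg["hosts_with_key"]]
        if missing:
            findings.append(("NO_TACACS_KEY", "no shared key for tacacs-server host(s): " + ", ".join(missing)))
    if cfg["aaa_new_model"]:
        for line_name, explicit in cfg["lines"].items():
            list_name = explicit or "default"
            methods = cfg["login_lists"].get(list_name)
            if methods is None:
                if explicit:  # named list that does not exist
                    findings.append(("UNDEFINED_LIST", f"line {line_name} uses undefined login list '{list_name}'"))
                continue  # implicit default with no default list: version-dependent, not judged here
            if not any(m in FALLBACK_METHODS for m in methods):
                findings.append(("NO_FALLBACK", f"line {line_name} (list '{list_name}': {' '.join(methods)}) "
                                 "has no local fallback; an unreachable server locks you out"))
    return findings


if __name__ == "__main__":
    for name, cfg_text in (("SAMPLE_CONFIG", SAMPLE_CONFIG), ("BAD_CONFIG", BAD_CONFIG)):
        print(name, audit_aaa(cfg_text) or "OK")
```

Run as-is, the script reports the sample from this section as clean and flags the counter-example twice: the host `single` has no shared key, and the console line's list has no method that works when the server is unreachable. The check is deliberately conservative: it only judges lines whose login list it can resolve, since what an undefined default list does depends on the IOS release.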


Unlike TACACS+, which is Cisco proprietary, RADIUS is not proprietary. It’s important that you understand the difference between the two remote servers.

Livingston Enterprises, now part of Lucent Technologies, developed RADIUS. Like TACACS+, it's a security database protocol designed for use between an NAS and an ACS, except that RADIUS is an industry standard supported by many third-party devices. It uses UDP/IP for communications and supports authentication, but only through passwords. RADIUS can be used for AAA, but it treats authentication and authorization as the same process and combines them—a big disadvantage compared to TACACS+.

Copyright ©2003 SYBEX Inc., 1151 Marina Village Parkway, Alameda, CA 94501.