TACACS+ configuration for Cisco, Aruba ProCurve, Comware switches
Networking, Security
Operate a large estate of switches? Why not set up a TACACS+ server. Users become accountable for their network administration, and the local password no longer needs to be memorable, which helps when an administrator leaves and the local password doesn't get updated.
Cisco IOS:
conf t
aaa new-model
ip tacacs source-interface loopback 0
tacacs server srv-tacacs-1
 address ipv4 192.168.1.11
 key 0 secret
 exit
tacacs server srv-tacacs-2
 address ipv4 192.168.1.12
 key 0 secret
 exit
aaa group server tacacs+ srv-tacacs
 server name srv-tacacs-1
 server name srv-tacacs-2
 exit
aaa authentication login default group tacacs+ local
aaa authorization exec default group tacacs+ local
aaa authentication enable default group tacacs+
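With a large estate, the useful check is not whether one switch has TACACS+ configured but whether every switch has it wired up the same way: servers defined, the group pointing at real servers, a login method list that reaches the group and still falls back to local, and accounting turned on. The following audit script is an added example (not the post author's code or any vendor tool); it assumes a plain-text config in the layout of the IOS snippet above, parses the `tacacs server` and `aaa group server` sub-modes plus the top-level `aaa` lines, and reports what is missing. The two configs it runs over are constructed for the example: `SAMPLE_CONFIG` mirrors the snippet above, `HARDENED_CONFIG` adds an `enable` fallback and command accounting.

```python
"""Audit a Cisco IOS-style config for a usable TACACS+ AAA setup (added example)."""
import re

# Constructed sample mirroring the IOS snippet in the post (not a real device's config).
SAMPLE_CONFIG = """
aaa new-model
ip tacacs source-interface loopback 0
tacacs server srv-tacacs-1
 address ipv4 192.168.1.11
 key 0 secret
exit
tacacs server srv-tacacs-2
 address ipv4 192.168.1.12
 key 0 secret
exit
aaa group server tacacs+ srv-tacacs
 server name srv-tacacs-1
 server name srv-tacacs-2
exit
aaa authentication login default group tacacs+ local
aaa authorization exec default group tacacs+ local
aaa authentication enable default group tacacs+
"""

# Same constructed config with an enable fallback and command accounting added.
HARDENED_CONFIG = SAMPLE_CONFIG.replace(
    "aaa authentication enable default group tacacs+",
    "aaa authentication enable default group tacacs+ enable",
) + "aaa accounting commands 15 default start-stop group tacacs+\n"

SERVER_PREFIX = "tacacs server "
GROUP_PREFIX = "aaa group server tacacs+ "
BUILTIN_GROUPS = {"tacacs+", "radius"}  # implicit "all configured servers" groups


def parse_ios(config):
    """Return (servers, groups, aaa_lines) from an IOS-style config text."""
    servers, groups, aaa = {}, {}, []
    block = None  # ("server" | "group", name) while inside a sub-mode
    for raw in config.splitlines():
        line = raw.strip()
        if not line or line.startswith("!"):
            continue
        if block:
            kind, name = block
            if kind == "server":
                m = re.match(r"address ipv4 (\S+)$", line)
                if m:
                    servers[name]["address"] = m.group(1)
                    continue
                m = re.match(r"key(?: (\d))? (\S+)$", line)  # "key secret" or "key 0 secret"
                if m:
                    servers[name]["key_type"] = int(m.group(1) or 0)
                    continue
            else:
                m = re.match(r"server name (\S+)$", line)
                if m:
                    groups[name].append(m.group(1))
                    continue
            block = None  # "exit" or any top-level command ends the sub-mode
        if line in ("exit", "end"):
            continue
        if line.startswith(SERVER_PREFIX):
            name = line[len(SERVER_PREFIX):]
            servers[name] = {}
            block = ("server", name)
        elif line.startswith(GROUP_PREFIX):
            name = line[len(GROUP_PREFIX):]
            groups[name] = []
            block = ("group", name)
        elif line.startswith(("aaa ", "ip tacacs ")):
            aaa.append(line)
    return servers, groups, aaa


def method_list(aaa, prefix):
    """Methods after e.g. 'aaa authentication login default ', or None if absent."""
    for line in aaa:
        if line.startswith(prefix):
            return line[len(prefix):].split()
    return None


def audit_ios_tacacs(config):
    """Return a list of findings; an empty list means every check passed."""
    servers, groups, aaa = parse_ios(config)
    findings = []
    if "aaa new-model" not in aaa:
        findings.append("aaa new-model missing: AAA method lists are not applied")
    if not any(l.startswith("ip tacacs source-interface") for l in aaa):
        findings.append("no ip tacacs source-interface: server must trust every egress address")
    for name, s in servers.items():
        if "address" not in s:
            findings.append(f"tacacs server {name} has no address")
        if "key_type" not in s:
            findings.append(f"tacacs server {name} has no key")
    for gname, members in groups.items():
        for member in members:
            if member not in servers:
                findings.append(f"group {gname} references undefined server {member}")
    login = method_list(aaa, "aaa authentication login default ")
    if login is None:
        findings.append("no default login method list: TACACS+ is never consulted")
    else:
        for i, tok in enumerate(login):
            nxt = login[i + 1] if i + 1 < len(login) else ""
            if tok == "group" and nxt not in BUILTIN_GROUPS | set(groups):
                findings.append(f"login list uses undefined group {nxt!r}")
        if "local" not in login:
            findings.append("login list has no local fallback: lockout if TACACS+ is unreachable")
    enable = method_list(aaa, "aaa authentication enable default ")
    if enable is None or "enable" not in enable:
        findings.append("enable list has no 'enable' fallback: no privileged access if TACACS+ is unreachable")
    if method_list(aaa, "aaa authorization exec default ") is None:
        findings.append("no exec authorization: TACACS+ cannot set the privilege level at login")
    if not any(l.startswith("aaa accounting ") for l in aaa):
        findings.append("no aaa accounting: administrator actions are not recorded on the server")
    return findings


if __name__ == "__main__":
    for label, cfg in (("sample", SAMPLE_CONFIG), ("hardened", HARDENED_CONFIG)):
        print(f"{label}: {audit_ios_tacacs(cfg) or ['ok']}")
```

Run against a directory of `show running-config` captures, the script turns the post's snippet into a repeatable baseline: the sample config trips two findings (no `enable` fallback on the enable method list, and no accounting), the hardened variant none. The parser is deliberately tolerant of the unindented style used in the post, since it closes a sub-mode on `exit` or on the next top-level command rather than on indentation.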
Cisco Nexus:
conf t
feature tacacs+
tacacs-server host 192.168.1.11 key 0 "secret"
tacacs-server host 192.168.1.12 key 0 "secret"
aaa group server tacacs+ srv-tacacs
 server 192.168.1.11
 server 192.168.1.12
 source-interface loopback0
 exit
aaa authentication login default group srv-tacacs
aaa authentication login console local
aaa accounting default group srv-tacacs
aaa authentication login error-enable
tacacs-server directed-request
Aruba, HP ProCurve:
tacacs-server host 192.168.1.11 key secret
tacacs-server host 192.168.1.12 key secret
tacacs-server timeout 5
aaa authentication login privilege-mode
aaa authentication ssh login tacacs local
aaa authentication ssh enable tacacs local
HPE, Comware:
hwtacacs scheme srv-tacacs
 primary authentication 192.168.1.11
 primary authorization 192.168.1.11
 primary accounting 192.168.1.11
 secondary authentication 192.168.1.12
 secondary authorization 192.168.1.12
 secondary accounting 192.168.1.12
 key authentication simple secret
 key authorization simple secret
 key accounting simple secret
 user-name-format without-domain
 quit
domain williambargent.co.uk
 authentication login hwtacacs-scheme srv-tacacs local
 authorization login hwtacacs-scheme srv-tacacs local
 accounting login hwtacacs-scheme srv-tacacs
 accounting command hwtacacs-scheme srv-tacacs
 authorization command hwtacacs-scheme srv-tacacs
 quit
domain default enable williambargent.co.uk
line vty 0 63
 authentication-mode scheme
 user-role network-operator
 command accounting
 command authorization
- aruba, authentication, cisco, comware, procurve, switches
- 10 March, 2020