
TACACS+ configuration for Cisco, Aruba ProCurve, Comware switches



Operate a large estate of switches? Why not set up a TACACS+ server. Users become individually accountable for network administration, and the local password no longer needs to be memorable, which is ideal for the case where an administrator leaves and the local password never gets changed.

Cisco:

conf t
aaa new-model
ip tacacs source-interface loopback 0
tacacs server srv-tacacs-1
  address ipv4 192.168.1.11
  key 7 secret
  exit
tacacs server srv-tacacs-2
  address ipv4 192.168.1.12
  key 7 secret
  exit
aaa group server tacacs+ srv-tacacs
  server name srv-tacacs-1
  server name srv-tacacs-2
  exit
aaa authentication login default group tacacs+ local
aaa authorization exec default group tacacs+ local
aaa authentication enable default group tacacs+

Cisco Nexus:

conf t
feature tacacs+

tacacs-server host 192.168.1.11 key 0 "secret"
tacacs-server host 192.168.1.12 key 0 "secret"

aaa group server tacacs+ srv-tacacs
    server 192.168.1.11
    server 192.168.1.12
    source-interface loopback0
    exit

aaa authentication login default group srv-tacacs
aaa authentication login console local
aaa accounting default group srv-tacacs
aaa authentication login error-enable
tacacs-server directed-request

Aruba, HP ProCurve:

tacacs-server host 192.168.1.11 key secret
tacacs-server host 192.168.1.12 key secret
tacacs-server timeout 5
aaa authentication login privilege-mode
aaa authentication ssh login tacacs local
aaa authentication ssh enable tacacs local

HPE Comware:

hwtacacs scheme srv-tacacs
  primary authentication 192.168.1.11
  primary authorization 192.168.1.11
  primary accounting 192.168.1.11
  secondary authentication 192.168.1.12
  secondary authorization 192.168.1.12
  secondary accounting 192.168.1.12
  key authentication simple secret
  key authorization simple secret
  key accounting simple secret
  user-name-format without-domain
  quit
domain williambargent.co.uk
  authentication login hwtacacs-scheme srv-tacacs local
  authorization login hwtacacs-scheme srv-tacacs local
  accounting login hwtacacs-scheme srv-tacacs
  accounting command hwtacacs-scheme srv-tacacs
  authorization command hwtacacs-scheme srv-tacacs
  quit
domain default enable williambargent.co.uk
line vty 0 63
  authentication-mode scheme
  user-role network-operator
  command accounting
  command authorization
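Before pushing configurations like the four above across a large estate, it is worth checking each snippet for the properties the post relies on: at least two TACACS+ servers, a local fallback on the login method list so that a TACACS+ outage cannot lock every administrator out, and no cleartext shared keys left in the configuration. The following Python audit is an added example, not code from the original post or from any vendor; the platform detection, the rule patterns for the IOS, NX-OS, ProCurve and Comware dialects, and the extra IOS check that `aaa authentication enable` has a fallback method are all assumptions derived from the syntax shown in the post. The sample inputs are trimmed copies of the post's Cisco IOS and Nexus snippets.

```python
# Offline audit of TACACS+ switch configuration snippets (added example, not
# from the original post; rule patterns are assumptions based on its syntax).
import re
from dataclasses import dataclass, field


@dataclass
class AuditResult:
    platform: str
    servers: list = field(default_factory=list)
    findings: list = field(default_factory=list)

    @property
    def ok(self) -> bool:
        return not self.findings


# Commands that only one dialect uses, checked in order.
DIALECT_MARKERS = [
    ("nxos", r"^feature tacacs\+"),
    ("comware", r"^hwtacacs scheme "),
    ("procurve", r"^aaa authentication ssh "),
    ("ios", r"^(?:aaa new-model|tacacs server )"),
]

# Per dialect: how a server is declared, what a login method list with a
# local fallback looks like, and how a cleartext shared key is written.
RULES = {
    "ios": {
        "server": r"^\s*address ipv4 (\S+)",
        "login_fallback": r"^aaa authentication login default .*\blocal\b",
        "cleartext_key": r"^\s*key (?![67] )",  # only type 6/7 are encoded
    },
    "nxos": {
        "server": r"^tacacs-server host (\S+)",
        "login_fallback": r"^aaa authentication login (?:default|console)\b.*\blocal\b",
        "cleartext_key": r"^tacacs-server host \S+ key 0 ",
    },
    "procurve": {
        "server": r"^tacacs-server host (\S+)",
        "login_fallback": r"^aaa authentication ssh login \S+ local\b",
        "cleartext_key": r"^tacacs-server host \S+ key ",  # vs. encrypted-key
    },
    "comware": {
        "server": r"^\s*(?:primary|secondary) authentication (\S+)",
        "login_fallback": r"^\s*authentication login hwtacacs-scheme \S+ local\b",
        "cleartext_key": r"^\s*key \w+ simple ",  # 'simple' means plaintext
    },
}


def detect_platform(cfg: str) -> str:
    for name, marker in DIALECT_MARKERS:
        if re.search(marker, cfg, re.M):
            return name
    raise ValueError("unrecognised configuration dialect")


def audit(cfg: str) -> AuditResult:
    platform = detect_platform(cfg)
    rules = RULES[platform]
    result = AuditResult(platform)
    lines = cfg.splitlines()
    for lineno, line in enumerate(lines, 1):
        m = re.match(rules["server"], line)
        if m:
            result.servers.append(m.group(1))
        if re.match(rules["cleartext_key"], line):
            # Report the line number only; never echo the key itself.
            result.findings.append(f"cleartext shared key on line {lineno}")
    if len(result.servers) < 2:
        result.findings.append("fewer than two TACACS+ servers; no redundancy")
    if not any(re.match(rules["login_fallback"], l) for l in lines):
        result.findings.append("login has no local fallback; a TACACS+ outage locks administrators out")
    if platform == "ios":
        for line in lines:
            if line.startswith("aaa authentication enable ") and not line.rstrip().endswith(" enable"):
                result.findings.append("enable authentication has no fallback method (append 'enable')")
    return result


# Constructed sample inputs: the post's Cisco IOS and Nexus snippets, trimmed.
IOS_CFG = """\
aaa new-model
tacacs server srv-tacacs-1
  address ipv4 192.168.1.11
  key 7 secret
tacacs server srv-tacacs-2
  address ipv4 192.168.1.12
  key 7 secret
aaa authentication login default group tacacs+ local
aaa authentication enable default group tacacs+
"""

NXOS_CFG = """\
feature tacacs+
tacacs-server host 192.168.1.11 key 0 "secret"
tacacs-server host 192.168.1.12 key 0 "secret"
aaa authentication login default group srv-tacacs
aaa authentication login console local
"""

if __name__ == "__main__":
    for cfg in (IOS_CFG, NXOS_CFG):
        r = audit(cfg)
        print(r.platform, "servers:", r.servers, "OK" if r.ok else r.findings)
```

Run against the post's own snippets, the IOS sample passes the server and login checks but is flagged because its `aaa authentication enable` list has no fallback method, and the Nexus sample is flagged twice for the `key 0` cleartext keys; the checker reports only line numbers so that the audit output itself never leaks a shared key.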