Im struggling with setting up TACACS on my device.
I have tried various configurations:
tacplus 0 svr “X.X.X.88”
tacplus 0 key “X”
tacplus 0 authent ON
tacplus 0 author ON
tacplus 0 localauth ON
tacplus 0 acct ON
Result:
SSH & Local: No
SSH & TACACS: Yes & Full Access
HTTPS & Local: No
HTTPS & TACACS: No
tacplus 0 svr “X.X.X.88”
tacplus 0 key “X”
tacplus 0 authent ON
tacplus 0 author ON
tacplus 0 localauth ON
Result:
SSH & Local: No
SSH & TACACS: Yes & Full Access
HTTPS & Local: No
HTTPS & TACACS: No
tacplus 0 svr “X.X.X.88”
tacplus 0 key “X”
tacplus 0 authent ON
tacplus 0 localauth ON
Result:
SSH & Local: No
SSH & TACACS: Yes but no access
HTTPS & Local: No
HTTPS & TACACS: Yes but no access
The aim is to get TACACS working to access it via SSH and HTTPS.
The results of each bit of config is above.
Anyone any ideas? I have ran out!
Hi
First Local Access is on used when the router cannot connect to TACACS server and then uses local authentication.
from the user guide
Functions of the AAA services
If TACACS+ authentication is enabled, the request is sent to the TACACS+ server. If disabled, the router performs the authentication. At this point authorization is also performed. If TACACS+ authorization is disabled, the user access level is obtained from the local user table on the router. If TACACS+ authorization is enabled, an authorization request is sent to the TACACS+ server. The server returns a privilege level and may also return other attributed such as a new idle time for this session, which takes precedence over locally configured values.
When the user has been authenticated and access has been authorized, the login is allowed. If the connection is via telnet or SSH, a welcome message showing the access level and the method of authentication is displayed. If the access level was assigned locally the following message is displayed:
from here
https://www.digi.com/resources/documentation/digidocs/90001019/default.htm#tasks/t_configure_tacacs.htm%3FTocPath%3DConfiguring%2520security%2520|Use%2520TACACS%252B%2520to%2520control%2520access%2520to%2520the%2520router|_____0
so if you do not enable authorisation the username has to match a user in the local database and the level comes from there and not the server.
in relation to HTTP/HTTPS this can have issues in connection what tacacs you are using as a cisco acs there are settings to allow after login the session is authorised and not the pages
regards
James
Thanks James, do you have any further details in regards to the HTTP/HTTPS issue? This is the main thing i am trying to sort so im struggling where to start.