Verifying TACACS+

Troubleshooting and verifying TACACS+ can be rather complex because it’s used so often with other features, such as PPP. Remember to use the troubleshooting commands associated with any protocols or technologies working with TACACS+.

The show Commands

Two show commands that are useful in debugging AAA are the following:

show running-config	To verify local TACACS+ is configured correctly, enter
show tacacs	To verify network connectivity between NAS and AAA server

The debug Commands

Cisco IOS debug command output provides a valuable source of information and feedback concerning state transitions and functions within the AAA environment. In addition to debug command output gathered directly from devices running Cisco IOS, the Cisco AAA server can be configured to collect operational diagnostics. Use the following debug commands to capture AAA-related transitions and functions.

debug condition user username	Sets conditional debugging for a specific user and generates output debugs related to the user
debug aaa authentication	Displays authentication information with TACACS+ client/ server interaction
debug aaa authorization	Displays authorization information with TACACS+ client/ server interaction
debug aaa accounting	Displays accounting information with TACACS+ client/server interaction
debug tacacs	Displays TACACS+ interaction between the IOS client and the AAA server
debug ppp negotiation	Sees if a client is passing PPP negotiation
debug ppp authentication	Sees if a client is passing authentication
debug ppp error	Displays protocol errors and error statistics associated with PPP connection negotiation and operation

Configure NAS to RADIUS Server Communication

Chapter 4 looked at the various commands to implement AAA features on the NAS. This chapter reviews the basic commands to allow the AAA client running on a NAS to locate and communicate with Cisco Secure ACS RADIUS+ server.

To define one or more RADIUS servers, use the radius-server host global configuration command. Use the no form of this command to delete the specified RADIUS host. The syntax is

Rtr1(config)#radius-server host {hostname | ip-address} [auth-port port-number]
?[acct-port port-number] [timeout seconds] [retransmit retries] [key string]
?[alias{hostname | ip-address}]
Rtr1(config)#no radius-server host {hostname | ip-address} [auth-port port-number]
[acct-port port-number] [timeout seconds] [retransmit retries] [key string]

hostname	DNS name of the RADIUS server.
ip-address	IP address of the RADIUS server.
auth-port	(Optional) To specify a UDP destination port for authentication requests.
port-number	(Optional) Port number for authentication requests. The host isn’t used for authentication if set to 0.
acct-port	(Optional) To specify a UDP destination port for accounting requests.
port-number	(Optional) Port number for accounting requests. The host isn’t used for accounting if set to 0.

Use multiple radius-server host commands to specify multiple hosts. The software searches for hosts in the order they’re specified.

The following example specifies host1 as the RADIUS server and uses default ports for both accounting and authentication.

Rtr1(config)#aaa new-model 
Rtr1(config)#radius-server host host1.domain.com

The next example defines port 12 as the destination port for authentication requests and port 16 as the destination port for accounting requests on a RADIUS host named 192.168.1.4. Because entering a line resets all the port numbers, you must specify a host and configure both the accounting and authentication ports on a single line.

Rtr1(config)#aaa new-model 
Rtr1(config)#radius-server host 192.168.1.4 auth-port 12 acct-port 16

To use separate servers for accounting and authentication, use the zero port value as appropriate. The following example specifies that RADIUS server 192.168.1.4 be used for accounting, but not for authentication, and RADIUS server host1 be used for authentication, but not for accounting:

Rtr1(config)#aaa new-model 
Rtr1(config)#radius-server host 192.168.1.4 auth-port 0
Rtr1(config)#radius-server host host1.domain.com acct-port 0

Define RADIUS Server Key Option

The authentication and encryption key must be set using the radius-server key global configuration command. Use the no form of this command to disable the key.

Rtr1(config)#radius-server key key Rtr1(config)#no radius-server key [key]

key

A character entry, this key must match the key used on the RADIUS daemon. Any leading spaces are ignored, but spaces within and at the end of the key are not. Don’t enclose the key in quotation marks unless they’re part of the key.

The following example shows an AAA RADIUS implementation with the authentication and encryption key set to seattle19:

Rtr1(config)#aaa new-model 
Rtr1(config)#radius-server host 192.168.1.4
Rtr1(config)#radius-server key seattle19

BackCover

CCSP - Cisco Certified Security Professional Certification All-in-One Exam Guide

Introduction

Part I: Introduction to Network Security

Part II: Securing the Network Perimeter

Chapter 3: Cisco AAA Security Technology

Chapter 4: Cisco Secure ACS and TACACS+/RADIUS Technologies

Describe Cisco Secure ACS

Features and Architecture of Cisco Secure ACS for Windows

Features of CiscoSecure ACS for UNIX

Installing Cisco Secure ACS 3.0 for Windows

Administering and Troubleshooting Cisco Secure ACS for Windows

TACACS+ Overview

Configuring Cisco Secure ACS and TACACS+

Verifying TACACS+

Chapter Review

Chapter 5: Securing Cisco Perimeter Routers

Chapter 6: IOS Firewall Feature Set - CBAC

Chapter 7: IOS Firewall - Intrusion Detection System

Chapter 8: IOS Firewall - Authentication Proxy

Part III: Virtual Private Networks (VPNs)

Part IV: PIX Firewalls

Part V: Intrusion Detection Systems (IDS)

Part VI: Cisco SAFE Implementation

Appendix A: Access Control Lists

Appendix B: About the CD

List of Figures

List of Tables

List of Sidebars