Verifying TACACS+

Troubleshooting and verifying TACACS+ can be rather complex because it’s used so often with other features, such as PPP. Remember to use the troubleshooting commands associated with any protocols or technologies working with TACACS+.

The show Commands

Two show commands that are useful in debugging AAA are the following:

show running-config

Displays the running configuration so you can verify that the local TACACS+ configuration is correct.

show tacacs

Verifies network connectivity between the NAS and the AAA server.

The debug Commands

Cisco IOS debug command output provides a valuable source of information and feedback concerning state transitions and functions within the AAA environment. In addition to debug command output gathered directly from devices running Cisco IOS, the Cisco AAA server can be configured to collect operational diagnostics. Use the following debug commands to capture AAA-related transitions and functions.

debug condition user username

Sets conditional debugging for a specific user and generates debug output related only to that user

debug aaa authentication

Displays authentication information with TACACS+ client/server interaction

debug aaa authorization

Displays authorization information with TACACS+ client/server interaction

debug aaa accounting

Displays accounting information with TACACS+ client/server interaction

debug tacacs

Displays TACACS+ interaction between the IOS client and the AAA server

debug ppp negotiation

Shows whether a client is passing PPP negotiation

debug ppp authentication

Shows whether a client is passing authentication

debug ppp error

Displays protocol errors and error statistics associated with PPP connection negotiation and operation

Configure NAS to RADIUS Server Communication

Chapter 4 looked at the various commands to implement AAA features on the NAS. This chapter reviews the basic commands that allow the AAA client running on a NAS to locate and communicate with the Cisco Secure ACS RADIUS server.

To define one or more RADIUS servers, use the radius-server host global configuration command. Use the no form of this command to delete the specified RADIUS host. The syntax is

Rtr1(config)#radius-server host {hostname | ip-address} [auth-port port-number]
    [acct-port port-number] [timeout seconds] [retransmit retries] [key string]
    [alias {hostname | ip-address}]
Rtr1(config)#no radius-server host {hostname | ip-address} [auth-port port-number]
    [acct-port port-number] [timeout seconds] [retransmit retries] [key string]

hostname

DNS name of the RADIUS server.

ip-address

IP address of the RADIUS server.

auth-port

(Optional) Specifies the UDP destination port for authentication requests.

port-number

(Optional) Port number for authentication requests. The host isn’t used for authentication if set to 0.

acct-port

(Optional) Specifies the UDP destination port for accounting requests.

port-number

(Optional) Port number for accounting requests. The host isn’t used for accounting if set to 0.

Use multiple radius-server host commands to specify multiple hosts. The software searches for hosts in the order they’re specified.

The following example specifies host1 as the RADIUS server and uses default ports for both accounting and authentication.

Rtr1(config)#aaa new-model 
Rtr1(config)#radius-server host host1.domain.com

The next example defines port 12 as the destination port for authentication requests and port 16 as the destination port for accounting requests on a RADIUS host named 192.168.1.4. Because entering a line resets all the port numbers, you must specify a host and configure both the accounting and authentication ports on a single line.

Rtr1(config)#aaa new-model 
Rtr1(config)#radius-server host 192.168.1.4 auth-port 12 acct-port 16

To use separate servers for accounting and authentication, use the zero port value as appropriate. The following example specifies that RADIUS server 192.168.1.4 be used for accounting, but not for authentication, and RADIUS server host1 be used for authentication, but not for accounting:

Rtr1(config)#aaa new-model 
Rtr1(config)#radius-server host 192.168.1.4 auth-port 0
Rtr1(config)#radius-server host host1.domain.com acct-port 0

Define RADIUS Server Key Option

The authentication and encryption key must be set using the radius-server key global configuration command. Use the no form of this command to disable the key.

Rtr1(config)#radius-server key key
Rtr1(config)#no radius-server key [key]

key

A character string that must match the key used on the RADIUS daemon. Any leading spaces are ignored, but spaces within and at the end of the key are not. Don’t enclose the key in quotation marks unless they’re part of the key.

The following example shows an AAA RADIUS implementation with the authentication and encryption key set to seattle19:

Rtr1(config)#aaa new-model 
Rtr1(config)#radius-server host 192.168.1.4
Rtr1(config)#radius-server key seattle19
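The rules given above for radius-server host (hosts are searched in the order entered, a port value of 0 removes a host from that role, and re-entering a host line resets its port numbers) and the requirement for a shared key from this section can be checked mechanically against a captured configuration. The following Python script is an added example, not code from the book or from Cisco: it parses radius-server lines as they would appear in show running-config output, applies those rules, and reports hosts that have no shared key or that were re-entered on a second line. The default port values 1645/1646, the per-host key handling, and the function names are assumptions made for the example; the sample lines are constructed from the chapter's own examples.

```python
# Added example (not from the chapter): audit 'radius-server host' and
# 'radius-server key' lines against the rules the text gives for them.
import re
from dataclasses import dataclass
from typing import List, Optional, Tuple

# Assumed defaults for this example; the chapter only says "default ports".
DEFAULT_AUTH_PORT = 1645
DEFAULT_ACCT_PORT = 1646

_HOST_RE = re.compile(r"^\s*radius-server host (\S+)(.*)$")
_KEY_RE = re.compile(r"^\s*radius-server key (.*)$")
_NUMERIC_OPTS = {"auth-port", "acct-port", "timeout", "retransmit"}

@dataclass
class RadiusHost:
    host: str
    auth_port: int = DEFAULT_AUTH_PORT
    acct_port: int = DEFAULT_ACCT_PORT
    timeout: Optional[int] = None
    retransmit: Optional[int] = None
    key: Optional[str] = None  # per-host key; otherwise the global key applies

    def for_authentication(self) -> bool:
        return self.auth_port != 0  # port 0 removes the host from this role

    def for_accounting(self) -> bool:
        return self.acct_port != 0

def parse_host_line(line: str) -> Optional[RadiusHost]:
    """Parse one 'radius-server host ...' line; None for any other line."""
    m = _HOST_RE.match(line)
    if not m:
        return None
    entry = RadiusHost(host=m.group(1))
    tokens = m.group(2).split()
    i = 0
    while i < len(tokens):
        opt = tokens[i]
        if opt == "key":
            # 'key' is the last option; the rest of the line is the secret.
            entry.key = " ".join(tokens[i + 1:])
            break
        if opt in _NUMERIC_OPTS:
            setattr(entry, opt.replace("-", "_"), int(tokens[i + 1]))
        elif opt != "alias":  # 'alias <host>' is accepted but not modelled
            raise ValueError(f"unknown radius-server host option: {opt}")
        i += 2
    return entry

def parse_config(lines: List[str]) -> Tuple[List[RadiusHost], Optional[str], List[str]]:
    """Return (hosts in search order, global key, audit findings)."""
    hosts: List[RadiusHost] = []
    global_key: Optional[str] = None
    findings: List[str] = []
    for line in lines:
        km = _KEY_RE.match(line)
        if km:
            global_key = km.group(1)  # trailing spaces are part of the key
            continue
        entry = parse_host_line(line)
        if entry is None:
            continue
        for idx, existing in enumerate(hosts):
            if existing.host == entry.host:
                # Re-entering a host line resets its port numbers: the later line wins.
                findings.append(f"{entry.host}: re-entered; earlier port settings reset")
                hosts[idx] = entry
                break
        else:
            hosts.append(entry)
    for h in hosts:
        if h.key is None and global_key is None:
            findings.append(f"{h.host}: no shared key (per-host or global)")
        if not h.for_authentication() and not h.for_accounting():
            findings.append(f"{h.host}: both ports are 0, host is never used")
    return hosts, global_key, findings

def servers_for(lines: List[str], role: str) -> List[str]:
    """Hosts used for 'authentication' or 'accounting', in search order."""
    hosts = parse_config(lines)[0]
    wanted = RadiusHost.for_authentication if role == "authentication" else RadiusHost.for_accounting
    return [h.host for h in hosts if wanted(h)]

def audit(lines: List[str]) -> List[str]:
    return parse_config(lines)[2]

# Constructed sample, assembled from the chapter's own examples.
SAMPLE_CONFIG = [
    "aaa new-model",
    "radius-server host 192.168.1.4 auth-port 0",
    "radius-server host host1.domain.com acct-port 0",
    "radius-server key seattle19",
]

if __name__ == "__main__":
    print("authentication:", servers_for(SAMPLE_CONFIG, "authentication"))
    print("accounting:", servers_for(SAMPLE_CONFIG, "accounting"), "findings:", audit(SAMPLE_CONFIG))
```

Feed the script the radius-server lines from a saved show running-config. The re-entered finding is the one to watch for: a host whose authentication and accounting ports were set on two separate lines ends up with only the second line's port, which is exactly the pitfall the text warns about.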



Part III: Virtual Private Networks (VPNs)