Cisco Tacacs+ Login Asking for ENABLE Password & Logs Not Working


I am new to TACACS so please bear with me and my novice-level questions 🙂

I have configured TACACS+ on Ubuntu. Now I can log in to the switch with users defined on the TACACS+ server. I have created two users, one for support and one for admin purposes.

Q1-

I want to allow only fixed sets of CMD's for SUPPORT group.

Q2-

Log files in /var/log/tac* are empty. How can I enable logs showing which user is logging in to which switch using TACACS+ authentication?

Following is my TACACS server configuration

key = testing123
accounting file = /var/log/tacplus.log
default authentication = file /etc/passwd
group = support {
    default service = deny
    service = shell {
        priv-lvl = 15
    }
    cmd = interface {
        permit [faFAgiGI].*
    }
}
group = unicorns {
    default service = permit
    service = exec {
    priv-lvl = 15
    }
}
user = mary {
    name = "Network Support"
    member = support
}
user = tina {
    name = "Network Unicorn"
    member = unicorns
}

Following is my switch configuration

aaa new-model
aaa authentication login default local group tacacs+ enable
tacacs-server host 2.3.4.5
tacacs-server key 0 testing123

Best Answer

I want to allow only fixed sets of CMD's for SUPPORT group.

This issue is two-fold:

  1. You need to configure your device to use TACACS for authorization:

(config)#aaa authorization commands 15 ...
(config)#aaa authorization config-commands
(config)#aaa authorization exec default ...

  2. Your tac_plus config looks weird. Changing it so that it's in more of a block style:

group = support {
    default service = deny

    service = shell {
        priv-lvl = 15
    }

    cmd = interface {
        permit [faFAgiGI].* 
    }
}

There are some issues with this.

  1. Since your default service is deny and you only have an interface subcommand defined, users in the support group won't be able to do anything at all, because they'd need to get into configure mode in order to use the interface subcommand.
  2. Since you're dropping users in the support group to priv 15 in the config, they won't need to enable. If you want them to have to enable when they log in, then remove the set priv-lvl = 15 line in the config and configure AAA on the device to use TACACS for accessing enable mode:

(config)#aaa authentication enable ...

  3. The cmd definitions need to be moved inside of the service = shell block.

Here's a revised config for you to try out:

group = support {
    default service = deny

    service = shell {
        set priv-lvl = 15

        cmd = show {
            permit .*
        }

        cmd = configure {
            permit ^terminal
        }

        cmd = interface {
            permit [faFAgiGI].* 
        }
    }
}

Log files in /var/log/tac* are empty. How can I enable logs showing which user is logging in to which switch using TACACS+ authentication?

This might depend on the tac_plus implementation you're using. Some implementations allow you to specify log files for authentication/authorization/accounting. Either way, you still need to configure the accounting portion on the device:

(config)#aaa accounting commands ...
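To make the answer's command-authorization points concrete (a default deny with only an interface block locks the support user out of configure mode, while the revised group lets them reach an interface), here is an added Python model of tac_plus cmd matching; it is not tac_plus code or the answer's own. It assumes that the first word of a command selects the cmd block, that the remaining arguments are regex-searched unanchored (which is why the answer writes ^terminal), and that a cmd block with no matching rule denies; it also goes one step beyond the page by showing that the unanchored interface pattern matches Vlan10 through its letter a.

```python
import re

# Toy model of tac_plus per-command authorization (added illustration, not tac_plus code).
# Assumed behaviour: the first word selects a "cmd = <word>" block, the remaining arguments
# are matched against that block's permit/deny regexes in order with an unanchored search,
# a cmd block with no matching rule denies, and a command with no cmd block at all falls
# back to the group's "default service".

ORIGINAL_SUPPORT = {"default": "deny",
                    "cmds": {"interface": [("permit", "[faFAgiGI].*")]}}

REVISED_SUPPORT = {"default": "deny",
                   "cmds": {"show": [("permit", ".*")],
                            "configure": [("permit", "^terminal")],
                            "interface": [("permit", "[faFAgiGI].*")]}}

# Revised group with the interface pattern anchored to the start of the arguments, so that
# "interface Vlan10" is no longer accepted just because "Vlan10" contains the letter a.
ANCHORED_SUPPORT = {"default": "deny",
                    "cmds": {**REVISED_SUPPORT["cmds"],
                             "interface": [("permit", "^[faFAgiGI].*")]}}


def authorize(group, command_line):
    """Return 'permit' or 'deny' for one command line under the given group."""
    words = command_line.split()
    if not words:
        return group["default"]
    cmd, args = words[0], " ".join(words[1:])
    rules = group["cmds"].get(cmd)
    if rules is None:
        return group["default"]
    for action, pattern in rules:
        if re.search(pattern, args):
            return action
    return "deny"


def walk_session(group, commands):
    """Authorize commands in order, stopping at the first denial as the operator would be."""
    trace = []
    for line in commands:
        decision = authorize(group, line)
        trace.append((line, decision))
        if decision == "deny":
            break
    return trace


# Constructed session: the steps a support user needs to reach and change an interface.
SESSION = ["configure terminal", "interface GigabitEthernet0/1", "shutdown"]
```

Walking SESSION through the revised group shows the next gap to close: the user gets into interface mode, but "shutdown" has no cmd block and is still denied by the default service.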