TACACS+ Over IPv6 Transport Configuration Example
From DocWiki
Introduction
This example is intended to show a sample configuration of TACACS+ over IPv6 transport.
Design
For the purposes of this configuration, a host with the MAC address 00:0c:01:02:03:04 is attached to the interface GigabitEthernet0/1. The same host runs the TACACS+ server and is also used as the source host for the SSH session to the router.
Configuration
Outside of the TACACS+ portion, this configuration does *not* fully correspond to a production configuration; for example, password encryption would need to be turned on. Use this configuration only as a base to start from.
Related show Commands
This section provides information you can use to confirm your configuration is working properly.
Certain show commands are supported by the Output Interpreter Tool (registered customers only), which allows you to view an analysis of show command output.
1941-01#sh deb
General OS:
TACACS access control debugging is on
TACACS+ events debugging is on
TACACS+ packets debugging is on
AAA Authentication debugging is on
AAA Authorization debugging is on
1941-01#
Sep 30 19:07:17.307: AAA/BIND(00000012): Bind i/f
Sep 30 19:07:19.307: AAA/AUTHEN/LOGIN (00000012): Pick method list 'FOO'
Sep 30 19:07:19.307: TPLUS: Queuing AAA Authentication request 18 for processing
Sep 30 19:07:19.307: TPLUS: processing authentication start request id 18
Sep 30 19:07:19.307: TPLUS: Authentication start packet created for 18(cisco)
Sep 30 19:07:19.307: TPLUS: Using server 2001:DB8::20C:1FF:FE02:304
Sep 30 19:07:19.307: TPLUS(00000012)/0/NB_WAIT/31730500: Started 5 sec timeout
Sep 30 19:07:19.307: TPLUS(00000012)/0/NB_WAIT: socket event 2
Sep 30 19:07:19.307: T+: Version 192 (0xC0), type 1, seq 1, encryption 1
Sep 30 19:07:19.307: T+: session_id 1018492586 (0x3CB4F6AA), dlen 45 (0x2D)
Sep 30 19:07:19.307: T+: type:AUTHEN/START, priv_lvl:1 action:LOGIN ascii
Sep 30 19:07:19.307: T+: svc:LOGIN user_len:5 port_len:6 (0x6) raddr_len:26 (0x0
Sep 30 19:07:19.307: T+: user: cisco
Sep 30 19:07:19.307: T+: port: tty132
Sep 30 19:07:19.307: T+: rem_addr: 2001:DB8::20C:1FF:FE02:304
Sep 30 19:07:19.307: T+: data:
Sep 30 19:07:19.307: T+: End Packet
Sep 30 19:07:19.307: TPLUS(00000012)/0/NB_WAIT: wrote entire 57 bytes request
Sep 30 19:07:19.307: TPLUS(00000012)/0/READ: socket event 1
Sep 30 19:07:19.307: TPLUS(00000012)/0/READ: Would block while reading
Sep 30 19:07:19.307: TPLUS(00000012)/0/READ: socket event 1
Sep 30 19:07:19.307: TPLUS(00000012)/0/READ: read entire 12 header bytes (expec)
Sep 30 19:07:19.307: TPLUS(00000012)/0/READ: socket event 1
Sep 30 19:07:19.307: TPLUS(00000012)/0/READ: read entire 37 bytes response
Sep 30 19:07:19.307: T+: Version 192 (0xC0), type 1, seq 2, encryption 1
Sep 30 19:07:19.307: T+: session_id 1018492586 (0x3CB4F6AA), dlen 25 (0x19)
Sep 30 19:07:19.307: T+: AUTHEN/REPLY status:5 flags:0x1 msg_len:19, data_len:0
Sep 30 19:07:19.307: T+: msg: Welcome 0x0A 0x0A Password:
Sep 30 19:07:19.307: T+: data:
Sep 30 19:07:19.307: T+: End Packet
Sep 30 19:07:19.307: TPLUS(00000012)/0/31730500: Processing the reply packet
Sep 30 19:07:19.307: TPLUS: Received authen response status GET_PASSWORD (8)
! ---- The SSH session emits the "password:" prompt and waits for the password to be entered.
Sep 30 19:07:32.107: TPLUS: Queuing AAA Authentication request 18 for processing
Sep 30 19:07:32.107: TPLUS: processing authentication continue request id 18
Sep 30 19:07:32.107: TPLUS: Authentication continue packet generated for 18
Sep 30 19:07:32.107: TPLUS(00000012)/0/WRITE/31730500: Started 5 sec timeout
Sep 30 19:07:32.107: T+: Version 192 (0xC0), type 1, seq 3, encryption 1
Sep 30 19:07:32.107: T+: session_id 1018492586 (0x3CB4F6AA), dlen 10 (0xA)
Sep 30 19:07:32.107: T+: AUTHEN/CONT msg_len:5 (0x5), data_len:0 (0x0) flags:0x0
Sep 30 19:07:32.107: T+: User msg: <elided>
Sep 30 19:07:32.107: T+: User data:
Sep 30 19:07:32.107: T+: End Packet
Sep 30 19:07:32.107: TPLUS(00000012)/0/WRITE: wrote entire 22 bytes request
Sep 30 19:07:32.107: TPLUS(00000012)/0/READ: socket event 1
Sep 30 19:07:32.107: TPLUS(00000012)/0/READ: read entire 12 header bytes (expec)
Sep 30 19:07:32.107: TPLUS(00000012)/0/READ: socket event 1
Sep 30 19:07:32.107: TPLUS(00000012)/0/READ: read entire 18 bytes response
Sep 30 19:07:32.107: T+: Version 192 (0xC0), type 1, seq 4, encryption 1
Sep 30 19:07:32.107: T+: session_id 1018492586 (0x3CB4F6AA), dlen 6 (0x6)
Sep 30 19:07:32.107: T+: AUTHEN/REPLY status:1 flags:0x0 msg_len:0, data_len:0
Sep 30 19:07:32.107: T+: msg:
Sep 30 19:07:32.107: T+: data:
Sep 30 19:07:32.107: T+: End Packet
Sep 30 19:07:32.107: TPLUS(00000012)/0/31730500: Processing the reply packet
Sep 30 19:07:32.107: TPLUS: Received authen response status PASS (2)
Sep 30 19:07:32.111: AAA/AUTHOR (00000012): Method list id=0 not configured. Skr
1941-01#
1941-01#
1941-01#
1941-01#
Sep 30 19:07:38.627: AAA/AUTHOR: auth_need : user= 'cisco' ruser= '1941-01'rem_'
Sep 30 19:07:38.627: AAA: parse name=tty132 idb type=-1 tty=-1
Sep 30 19:07:38.627: AAA: name=tty132 flags=0x11 type=5 shelf=0 slot=0 adapter=0
Sep 30 19:07:38.627: AAA/MEMORY: create_user (0x296F9D2C) user='cisco' ruser='N)
Sep 30 19:07:38.627: AAA/AUTHEN/START (3968405663): port='tty132' list='' actioE
Sep 30 19:07:38.627: AAA/AUTHEN/START (3968405663): console enable - default to)
Sep 30 19:07:38.627: AAA/AUTHEN/START (3968405663): Method=ENABLE
Sep 30 19:07:38.627: AAA/AUTHEN (3968405663): status = GETPASS
! ---- incorrect enable password is entered
Sep 30 19:07:43.447: AAA/AUTHEN/CONT (3968405663): continue_login (user='(undef)
Sep 30 19:07:43.447: AAA/AUTHEN (3968405663): status = GETPASS
Sep 30 19:07:43.447: AAA/AUTHEN/CONT (3968405663): Method=ENABLE
Sep 30 19:07:43.451: AAA/AUTHEN(3968405663): password incorrect
Sep 30 19:07:43.451: AAA/AUTHEN (3968405663): status = FAIL
Sep 30 19:07:43.451: AAA/MEMORY: free_user (0x296F9D2C) user='NULL' ruser='NULL)
Sep 30 19:07:43.451: %SYS-5-PRIV_AUTH_FAIL: Authentication to privilege level 1)
1941-01#
1941-01#
1941-01#
Sep 30 19:07:48.487: AAA/AUTHOR: auth_need : user= 'cisco' ruser= '1941-01'rem_'
Sep 30 19:07:48.491: AAA: parse name=tty132 idb type=-1 tty=-1
Sep 30 19:07:48.491: AAA: name=tty132 flags=0x11 type=5 shelf=0 slot=0 adapter=0
Sep 30 19:07:48.491: AAA/MEMORY: create_user (0x313CD830) user='cisco' ruser='N)
Sep 30 19:07:48.491: AAA/AUTHEN/START (1229564639): port='tty132' list='' actioE
Sep 30 19:07:48.491: AAA/AUTHEN/START (1229564639): console enable - default to)
Sep 30 19:07:48.491: AAA/AUTHEN/START (1229564639): Method=ENABLE
Sep 30 19:07:48.491: AAA/AUTHEN (1229564639): status = GETPASS
! --- The correct enable password is entered this time
Sep 30 19:07:54.947: AAA/AUTHEN/CONT (1229564639): continue_login (user='(undef)
Sep 30 19:07:54.947: AAA/AUTHEN (1229564639): status = GETPASS
Sep 30 19:07:54.947: AAA/AUTHEN/CONT (1229564639): Method=ENABLE
Sep 30 19:07:54.951: AAA/AUTHEN (1229564639): status = PASS
Sep 30 19:07:54.951: AAA/MEMORY: free_user (0x313CD830) user='NULL' ruser='NULL)
1941-01#
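The debug output above prints the fields of each TACACS+ packet (version 0xC0, type, seq, session_id, dlen, and the AUTHEN/START, AUTHEN/REPLY and AUTHEN/CONT bodies) together with the byte counts written and read on the socket. The following script is an added example, not part of the DocWiki page, that rebuilds the first two packets of that exchange from the values shown, using the RFC 8907 packet layout and the MD5 pseudo-pad body obfuscation keyed with the page's shared key cisco123. It assumes that the host in the Design section obtained its IPv6 address by EUI-64 autoconfiguration from its MAC address (which is why the debug shows the server at 2001:DB8::20C:1FF:FE02:304), and that the 19-byte server prompt ends in a space after "Password:", since the debug line does not show trailing whitespace.

```python
"""Added example, not part of the DocWiki page: rebuild the TACACS+ packets that the
'debug tacacs packet' output shows (RFC 8907 layout) and check the byte counts the
debug reports.  Assumptions: shared key 'cisco123' from the running-config, and an
EUI-64 autoconfigured address for the host in the Design section."""
import hashlib
import ipaddress
import struct

KEY = b"cisco123"          # 'key cisco123' under 'tacacs server FOO' in the config
SESSION_ID = 0x3CB4F6AA    # session_id printed in the debug output
VERSION = 0xC0             # 'Version 192 (0xC0)': major version 0xC, minor version 0
TYPE_AUTHEN = 1            # 'type 1' = authentication packet
HDR = struct.Struct("!BBBBII")  # version, type, seq_no, flags, session_id, length
UNENCRYPTED_FLAG = 0x01    # header flag; when set the body travels in clear
NOECHO_FLAG = 0x01         # AUTHEN/REPLY body flag: client must not echo the input

def mac_to_eui64(mac, prefix):
    """Modified EUI-64 interface identifier of a MAC, placed into a /64 prefix."""
    octets = bytearray(bytes.fromhex(mac.replace(":", "").replace("-", "")))
    octets[0] ^= 0x02                                   # flip the universal/local bit
    iid = bytes(octets[:3]) + b"\xff\xfe" + bytes(octets[3:])
    net = ipaddress.IPv6Network(prefix)
    return str(ipaddress.IPv6Address(int(net.network_address) | int.from_bytes(iid, "big")))

def pseudo_pad(seq_no, length):
    """RFC 8907 section 4.5 keystream: MD5(session_id | key | version | seq_no [| previous])."""
    pad, prev = b"", b""
    while len(pad) < length:
        prev = hashlib.md5(struct.pack("!I", SESSION_ID) + KEY + bytes([VERSION, seq_no]) + prev).digest()
        pad += prev
    return pad[:length]

def xor_body(seq_no, body):
    """Obfuscation is body XOR pad, so the same call also deobfuscates a received body."""
    return bytes(b ^ p for b, p in zip(body, pseudo_pad(seq_no, len(body))))

def build_packet(seq_no, body, flags=0):
    """12-byte header followed by the (obfuscated) body; 'length' counts the body only."""
    payload = body if flags & UNENCRYPTED_FLAG else xor_body(seq_no, body)
    return HDR.pack(VERSION, TYPE_AUTHEN, seq_no, flags, SESSION_ID, len(body)) + payload

def parse_header(pkt):
    fields = HDR.unpack(pkt[:HDR.size])
    return dict(zip(("version", "type", "seq_no", "flags", "session_id", "length"), fields))

def authen_start(user, port, rem_addr, data=b"", action=1, priv_lvl=1, authen_type=1, service=1):
    """AUTHEN/START body: action LOGIN(1), priv_lvl, authen_type ASCII(1), service LOGIN(1),
    four one-byte lengths, then user, port, rem_addr and data."""
    fixed = struct.pack("!8B", action, priv_lvl, authen_type, service,
                        len(user), len(port), len(rem_addr), len(data))
    return fixed + user + port + rem_addr + data

def parse_authen_reply(body):
    """AUTHEN/REPLY body: status, flags, server_msg_len, data_len, server_msg, data."""
    status, flags, msg_len, data_len = struct.unpack("!BBHH", body[:6])
    msg = body[6:6 + msg_len]
    return {"status": status, "flags": flags, "server_msg": msg,
            "data": body[6 + msg_len:6 + msg_len + data_len]}

def start_packet_from_page():
    """seq 1: user 'cisco' on tty132 from the host's own address -> dlen 45, 57 bytes written."""
    client = mac_to_eui64("00:0c:01:02:03:04", "2001:DB8::/64").upper()   # the debug's rem_addr
    return build_packet(1, authen_start(b"cisco", b"tty132", client.encode()))

def reply_packet_from_page():
    """seq 2: status 5 (GETPASS), NOECHO flag, 19-byte prompt -> dlen 25, 37 bytes read.
    Constructed: a trailing space after 'Password:' is assumed to reach msg_len 19."""
    msg = b"Welcome\n\nPassword: "
    return build_packet(2, struct.pack("!BBHH", 5, NOECHO_FLAG, len(msg), 0) + msg)

def decode_reply(pkt):
    """Header plus deobfuscated, parsed AUTHEN/REPLY body of a server packet."""
    h = parse_header(pkt)
    body = pkt[HDR.size:HDR.size + h["length"]]
    if not h["flags"] & UNENCRYPTED_FLAG:
        body = xor_body(h["seq_no"], body)
    return h, parse_authen_reply(body)

if __name__ == "__main__":
    start = start_packet_from_page()
    print(len(start), parse_header(start))
    hdr, reply = decode_reply(reply_packet_from_page())
    print(len(reply_packet_from_page()), hdr["length"], reply["status"], reply["server_msg"])
```

The lengths line up with the debug: the START body is 8 fixed bytes plus 5 (user) + 6 (port) + 26 (the 26-character IPv6 address) = 45, and with the 12-byte header that is the "wrote entire 57 bytes request" line; the reply is 6 fixed bytes plus a 19-byte message = 25, read as 12 header bytes and then 37 bytes in total. Note what the "encryption" really is: the body is XORed with an MD5 stream derived from the session ID and the shared key, so confidentiality of the login password rests entirely on the key and on keeping the TACACS+ segment off untrusted networks; the IPv6 transport does not change that.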
Show running-config
Current configuration : 2781 bytes
!
! Last configuration change at 18:55:35 UTC Fri Sep 30 2011 by ayourtch
version 15.2
service timestamps debug datetime msec
service timestamps log datetime msec
no service password-encryption
!
hostname 1941-01
!
boot-start-marker
boot system flash flash:/c1900-universalk9-mz.SPA.152-1.T
boot-end-marker
!
!
enable secret 5 $1$nJGe$kj6JHz6Inhq1UN883NX7n1
!
aaa new-model
!
!
aaa group server tacacs+ FOO
server name FOO
!
aaa authentication login default local enable none
aaa authentication login FOO group FOO
aaa authentication login LCL local enable none
!
!
!
!
!
aaa session-id common
!
!
ipv6 unicast-routing
ipv6 cef
ip auth-proxy max-login-attempts 5
ip admission max-login-attempts 5
!
!
!
ip dhcp pool INT2
network 192.168.2.0 255.255.255.0
dns-server 144.254.10.123 64.103.101.184 144.254.71.184
!
!
no ip domain lookup
ip domain name cisco.com
ip cef
!
multilink bundle-name authenticated
!
crypto pki token default removal timeout 0
!
!
license udi pid CISCO1941/K9 sn XXXXXXXXXX
license boot module c1900 technology-package securityk9
license boot module c1900 technology-package datak9
!
!
username ayourtch privilege 15 password 0 cisco123
!
redundancy
!
!
!
!
!
!
!
!
!
!
!
!
!
!
interface Embedded-Service-Engine0/0
no ip address
shutdown
!
interface GigabitEthernet0/0
no ip address
ip virtual-reassembly in
load-interval 30
duplex auto
speed auto
no cdp enable
!
interface GigabitEthernet0/1
ip address 192.168.2.1 255.255.255.0
ip nbar protocol-discovery
ip virtual-reassembly in
load-interval 30
duplex auto
speed auto
ipv6 address 2001:DB8::2/64
!
ip forward-protocol nd
!
no ip http server
no ip http secure-server
!
!
!
!
!
!
tacacs server FOO
address ipv6 2001:DB8::20C:1FF:FE02:304
key cisco123
port 4949
!
!
!
control-plane
!
!
!
line con 0
exec-timeout 0 0
line aux 0
line 2
no activation-character
no exec
transport preferred none
transport input all
transport output pad telnet rlogin lapb-ta mop udptn v120 ssh
stopbits 1
line vty 0 4
login authentication FOO
transport input ssh
line vty 5 100
login authentication FOO
transport input ssh
line vty 101 200
login authentication LCL
transport input telnet
!
scheduler allocate 20000 1000
end
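The Configuration section notes that this running-config is a starting point rather than a production one, with password encryption as the named example. As an added example that is not part of the DocWiki page, the script below runs a small lint pass over a configuration in this format and reports that caveat along with a few related items a reviewer would check before reusing the base: cleartext type-0 user passwords, a TACACS+ key stored in clear, login method lists that end in a `none` fallback, and lines that still accept telnet. The sample input is a constructed excerpt of the page's own configuration; the check list and messages are the example's, not Cisco's.

```python
"""Added example, not part of the DocWiki page: lint an IOS running-config for the
items the page warns are not production-ready (password encryption off) and a few
related AAA and transport checks.  The sample input is a constructed excerpt of the
page's configuration."""
import re

# Constructed from lines of the running-config shown on the page.
SAMPLE_CONFIG = """\
version 15.2
no service password-encryption
aaa new-model
aaa authentication login default local enable none
aaa authentication login FOO group FOO
aaa authentication login LCL local enable none
username ayourtch privilege 15 password 0 cisco123
tacacs server FOO
 address ipv6 2001:DB8::20C:1FF:FE02:304
 key cisco123
 port 4949
no ip http server
no ip http secure-server
line vty 0 4
 login authentication FOO
 transport input ssh
line vty 101 200
 login authentication LCL
 transport input telnet
"""

# (regex applied to one line, message).  Indented lines belong to the last top-level command.
CHECKS = [
    (r"^no service password-encryption$",
     "password encryption is off; turn on 'service password-encryption' (the page's own caveat)"),
    (r"^username \S+ .*\bpassword 0 ",
     "local user has a cleartext (type 0) password; prefer 'secret'"),
    (r"^aaa authentication login \S+ .*\bnone\b",
     "login method list ends in 'none'; confirm an unauthenticated fallback is intended"),
    (r"^ key (0 )?\S+$",
     "TACACS+ shared key is stored in clear (type 0)"),
    (r"^ transport input .*\b(telnet|all)\b",
     "line accepts cleartext telnet"),
]

def lint_config(text):
    """Return (line_number, location, message) tuples for every check that matches."""
    findings = []
    context = None
    for lineno, line in enumerate(text.splitlines(), 1):
        if line and not line.startswith(" "):
            context = line.strip()            # top-level command that owns following indented lines
        for pattern, message in CHECKS:
            if re.search(pattern, line):
                where = line.strip() if not line.startswith(" ") else f"{context} > {line.strip()}"
                findings.append((lineno, where, message))
    return findings

def findings_by_context(findings):
    """Group messages by the top-level command they were found under."""
    grouped = {}
    for _, where, message in findings:
        grouped.setdefault(where.split(" > ")[0], []).append(message)
    return grouped

if __name__ == "__main__":
    for lineno, where, message in lint_config(SAMPLE_CONFIG):
        print(f"line {lineno}: {where}: {message}")
```

Run against the excerpt, the checker reports six findings: the disabled password encryption, the two method lists ending in `none`, the type-0 user password, the cleartext TACACS+ key, and `transport input telnet` on `line vty 101 200`. The vty 0-100 lines, which authenticate through the FOO server group over SSH, pass. Because the checker keys off the indentation of IOS output, it can be pointed at any `show running-config` capture without pre-processing.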