TACACS+ Over IPv6 Transport Configuration Example

From DocWiki

Revision as of 19:02, 30 September 2011 by Ayourtch (Talk | contribs)

Introduction

This example shows a sample configuration of TACACS+ with IPv6 used as the transport between the router and the TACACS+ server.

Design

For the purposes of this configuration, a host with the MAC address 00:0c:01:02:03:04 is attached to the interface GigabitEthernet0/1. The same host runs the TACACS+ server and is also used as the source host for the SSH session to the router. With the prefix 2001:DB8::/64 configured on GigabitEthernet0/1, the host's EUI-64 autoconfigured address is 2001:DB8::20C:1FF:FE02:304, which is the address configured for the TACACS+ server below and the rem_addr seen in the debug output.
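The following Python is an added example (not part of the original page) that derives the host's EUI-64 address from the MAC address and the /64 prefix used on this page, and does the reverse check on a configured address; the function names and the two constants are my own.

```python
import ipaddress


def eui64_interface_id(mac):
    """Modified EUI-64 interface identifier (RFC 4291, appendix A) from a 48-bit MAC:
    insert FF:FE between the OUI and the device part, then flip the universal/local bit."""
    octets = bytes.fromhex(mac.replace(":", "").replace("-", ""))
    if len(octets) != 6:
        raise ValueError("expected a 48-bit MAC address, got %r" % mac)
    eui = bytearray(octets[:3] + b"\xff\xfe" + octets[3:])
    eui[0] ^= 0x02                      # invert the U/L bit of the first octet
    return int.from_bytes(eui, "big")


def slaac_address(prefix, mac):
    """IPv6 address a host autoconfigures from a /64 prefix and its MAC address."""
    net = ipaddress.IPv6Network(prefix, strict=False)
    if net.prefixlen != 64:
        raise ValueError("EUI-64 interface IDs need a /64 prefix, got /%d" % net.prefixlen)
    return ipaddress.IPv6Address(int(net.network_address) | eui64_interface_id(mac))


def mac_from_address(addr):
    """Recover the MAC from an EUI-64 derived address, or return None when the
    interface ID lacks the FF:FE marker (a static or privacy address, for example)."""
    iid = int(ipaddress.IPv6Address(addr)) & ((1 << 64) - 1)
    eui = bytearray(iid.to_bytes(8, "big"))
    if eui[3:5] != b"\xff\xfe":
        return None
    eui[0] ^= 0x02
    return ":".join("%02x" % b for b in eui[:3] + eui[5:])


# Values taken from this page: the /64 on GigabitEthernet0/1 and the server host's MAC.
GI0_1_PREFIX = "2001:DB8::/64"
SERVER_MAC = "00:0c:01:02:03:04"

if __name__ == "__main__":
    print(slaac_address(GI0_1_PREFIX, SERVER_MAC))        # 2001:db8::20c:1ff:fe02:304
    print(mac_from_address("2001:DB8::20C:1FF:FE02:304"))  # 00:0c:01:02:03:04
```

Because an EUI-64 address follows the network card rather than the host, a TACACS+ server whose address is pinned under "tacacs server" should use a manually assigned address in production, otherwise a NIC replacement silently breaks AAA.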


Configuration

Outside the TACACS+-specific parts, this configuration does *not* fully correspond to a production configuration. For example, password encryption would need to be turned on (the running configuration below has "no service password-encryption" and cleartext "password 0" username entries). Use this configuration only as a starting point.


Related show Commands

This section provides information you can use to confirm your configuration is working properly.

Certain show commands are supported by the Output Interpreter Tool (registered customers only), which allows you to view an analysis of show command output.

1941-01#sh deb                                                                  
General OS:                                                                     
  TACACS access control debugging is on                                         
  TACACS+ events debugging is on                                                
  TACACS+ packets debugging is on                                               
  AAA Authentication debugging is on                                            
  AAA Authorization debugging is on                                             
                                                                                
1941-01#                                                                        
Sep 30 19:07:17.307: AAA/BIND(00000012): Bind i/f                               
Sep 30 19:07:19.307: AAA/AUTHEN/LOGIN (00000012): Pick method list 'FOO'        
Sep 30 19:07:19.307: TPLUS: Queuing AAA Authentication request 18 for processing
Sep 30 19:07:19.307: TPLUS: processing authentication start request id 18       
Sep 30 19:07:19.307: TPLUS: Authentication start packet created for 18(cisco)   
Sep 30 19:07:19.307: TPLUS: Using server 2001:DB8::20C:1FF:FE02:304             
Sep 30 19:07:19.307: TPLUS(00000012)/0/NB_WAIT/31730500: Started 5 sec timeout  
Sep 30 19:07:19.307: TPLUS(00000012)/0/NB_WAIT: socket event 2                  
Sep 30 19:07:19.307: T+: Version 192 (0xC0), type 1, seq 1, encryption 1        
Sep 30 19:07:19.307: T+: session_id 1018492586 (0x3CB4F6AA), dlen 45 (0x2D)     
Sep 30 19:07:19.307: T+: type:AUTHEN/START, priv_lvl:1 action:LOGIN ascii       
Sep 30 19:07:19.307: T+: svc:LOGIN user_len:5 port_len:6 (0x6) raddr_len:26 (0x0
Sep 30 19:07:19.307: T+: user:  cisco                                           
Sep 30 19:07:19.307: T+: port:  tty132                                          
Sep 30 19:07:19.307: T+: rem_addr:  2001:DB8::20C:1FF:FE02:304                  
Sep 30 19:07:19.307: T+: data:                                                  
Sep 30 19:07:19.307: T+: End Packet                                             
Sep 30 19:07:19.307: TPLUS(00000012)/0/NB_WAIT: wrote entire 57 bytes request   
Sep 30 19:07:19.307: TPLUS(00000012)/0/READ: socket event 1                     
Sep 30 19:07:19.307: TPLUS(00000012)/0/READ: Would block while reading          
Sep 30 19:07:19.307: TPLUS(00000012)/0/READ: socket event 1                     
Sep 30 19:07:19.307: TPLUS(00000012)/0/READ: read entire 12 header bytes (expec)
Sep 30 19:07:19.307: TPLUS(00000012)/0/READ: socket event 1                     
Sep 30 19:07:19.307: TPLUS(00000012)/0/READ: read entire 37 bytes response      
Sep 30 19:07:19.307: T+: Version 192 (0xC0), type 1, seq 2, encryption 1        
Sep 30 19:07:19.307: T+: session_id 1018492586 (0x3CB4F6AA), dlen 25 (0x19)     
Sep 30 19:07:19.307: T+: AUTHEN/REPLY status:5 flags:0x1 msg_len:19, data_len:0 
Sep 30 19:07:19.307: T+: msg:  Welcome 0x0A  0x0A Password:                     
Sep 30 19:07:19.307: T+: data:                                                  
Sep 30 19:07:19.307: T+: End Packet                                             
Sep 30 19:07:19.307: TPLUS(00000012)/0/31730500: Processing the reply packet    
Sep 30 19:07:19.307: TPLUS: Received authen response status GET_PASSWORD (8)

! ---- The SSH session shows the "Password:" prompt and waits for the password to be entered.
    
Sep 30 19:07:32.107: TPLUS: Queuing AAA Authentication request 18 for processing
Sep 30 19:07:32.107: TPLUS: processing authentication continue request id 18    
Sep 30 19:07:32.107: TPLUS: Authentication continue packet generated for 18     
Sep 30 19:07:32.107: TPLUS(00000012)/0/WRITE/31730500: Started 5 sec timeout    
Sep 30 19:07:32.107: T+: Version 192 (0xC0), type 1, seq 3, encryption 1        
Sep 30 19:07:32.107: T+: session_id 1018492586 (0x3CB4F6AA), dlen 10 (0xA)      
Sep 30 19:07:32.107: T+: AUTHEN/CONT msg_len:5 (0x5), data_len:0 (0x0) flags:0x0
Sep 30 19:07:32.107: T+: User msg: <elided>                                     
Sep 30 19:07:32.107: T+: User data:                                             
Sep 30 19:07:32.107: T+: End Packet                                             
Sep 30 19:07:32.107: TPLUS(00000012)/0/WRITE: wrote entire 22 bytes request     
Sep 30 19:07:32.107: TPLUS(00000012)/0/READ: socket event 1                     
Sep 30 19:07:32.107: TPLUS(00000012)/0/READ: read entire 12 header bytes (expec)
Sep 30 19:07:32.107: TPLUS(00000012)/0/READ: socket event 1                     
Sep 30 19:07:32.107: TPLUS(00000012)/0/READ: read entire 18 bytes response      
Sep 30 19:07:32.107: T+: Version 192 (0xC0), type 1, seq 4, encryption 1        
Sep 30 19:07:32.107: T+: session_id 1018492586 (0x3CB4F6AA), dlen 6 (0x6)       
Sep 30 19:07:32.107: T+: AUTHEN/REPLY status:1 flags:0x0 msg_len:0, data_len:0  
Sep 30 19:07:32.107: T+: msg:                                                   
Sep 30 19:07:32.107: T+: data:                                                  
Sep 30 19:07:32.107: T+: End Packet                                             
Sep 30 19:07:32.107: TPLUS(00000012)/0/31730500: Processing the reply packet    
Sep 30 19:07:32.107: TPLUS: Received authen response status PASS (2)            
Sep 30 19:07:32.111: AAA/AUTHOR (00000012): Method list id=0 not configured. Skr
1941-01#                                                                        
1941-01#                                                                        
1941-01#                                                                        
1941-01#                                                                        
Sep 30 19:07:38.627: AAA/AUTHOR: auth_need : user= 'cisco' ruser= '1941-01'rem_'
Sep 30 19:07:38.627: AAA: parse name=tty132 idb type=-1 tty=-1                  
Sep 30 19:07:38.627: AAA: name=tty132 flags=0x11 type=5 shelf=0 slot=0 adapter=0
Sep 30 19:07:38.627: AAA/MEMORY: create_user (0x296F9D2C) user='cisco' ruser='N)
Sep 30 19:07:38.627: AAA/AUTHEN/START (3968405663): port='tty132' list='' actioE
Sep 30 19:07:38.627: AAA/AUTHEN/START (3968405663): console enable - default to)
Sep 30 19:07:38.627: AAA/AUTHEN/START (3968405663): Method=ENABLE               
Sep 30 19:07:38.627: AAA/AUTHEN (3968405663): status = GETPASS     

! ---- An incorrect enable password is entered
             
Sep 30 19:07:43.447: AAA/AUTHEN/CONT (3968405663): continue_login (user='(undef)
Sep 30 19:07:43.447: AAA/AUTHEN (3968405663): status = GETPASS                  
Sep 30 19:07:43.447: AAA/AUTHEN/CONT (3968405663): Method=ENABLE                
Sep 30 19:07:43.451: AAA/AUTHEN(3968405663): password incorrect                 
Sep 30 19:07:43.451: AAA/AUTHEN (3968405663): status = FAIL                     
Sep 30 19:07:43.451: AAA/MEMORY: free_user (0x296F9D2C) user='NULL' ruser='NULL)
Sep 30 19:07:43.451: %SYS-5-PRIV_AUTH_FAIL: Authentication to privilege level 1)
1941-01#                                                                        
1941-01#                                                                        
1941-01#                                                                        
Sep 30 19:07:48.487: AAA/AUTHOR: auth_need : user= 'cisco' ruser= '1941-01'rem_'
Sep 30 19:07:48.491: AAA: parse name=tty132 idb type=-1 tty=-1                  
Sep 30 19:07:48.491: AAA: name=tty132 flags=0x11 type=5 shelf=0 slot=0 adapter=0
Sep 30 19:07:48.491: AAA/MEMORY: create_user (0x313CD830) user='cisco' ruser='N)
Sep 30 19:07:48.491: AAA/AUTHEN/START (1229564639): port='tty132' list='' actioE
Sep 30 19:07:48.491: AAA/AUTHEN/START (1229564639): console enable - default to)
Sep 30 19:07:48.491: AAA/AUTHEN/START (1229564639): Method=ENABLE               
Sep 30 19:07:48.491: AAA/AUTHEN (1229564639): status = GETPASS     

! --- The correct enable password is entered this time
             
Sep 30 19:07:54.947: AAA/AUTHEN/CONT (1229564639): continue_login (user='(undef)
Sep 30 19:07:54.947: AAA/AUTHEN (1229564639): status = GETPASS                  
Sep 30 19:07:54.947: AAA/AUTHEN/CONT (1229564639): Method=ENABLE                
Sep 30 19:07:54.951: AAA/AUTHEN (1229564639): status = PASS                     
Sep 30 19:07:54.951: AAA/MEMORY: free_user (0x313CD830) user='NULL' ruser='NULL)
1941-01# 
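To make the "T+:" header lines above concrete, here is an added Python example (not from the original page) that packs and decodes the 12-byte TACACS+ header (RFC 8907, section 4.1) and replays the four headers of the login exchange shown in the debug. The sample values are constructed from the debug output; the function names are my own, and it is assumed that the debug's "encryption 1" corresponds to the TAC_PLUS_UNENCRYPTED_FLAG bit being clear.

```python
import struct

# TACACS+ packet header: 12 bytes, network byte order.
HEADER_LEN = 12
HEADER_FMT = "!BBBBII"             # version, type, seq_no, flags, session_id, length
TAC_PLUS_UNENCRYPTED_FLAG = 0x01    # set => body is NOT obfuscated with the shared key
TAC_PLUS_SINGLE_CONNECT_FLAG = 0x04
PACKET_TYPES = {1: "AUTHEN", 2: "AUTHOR", 3: "ACCT"}


def build_header(ptype, seq_no, session_id, body_len, flags=0x00, version=0xC0):
    """Pack a header; version 0xC0 is the 'Version 192' that the IOS debug prints."""
    return struct.pack(HEADER_FMT, version, ptype, seq_no, flags, session_id, body_len)


def parse_header(raw):
    """Decode the 12-byte header into the fields the 'T+:' debug lines show."""
    if len(raw) < HEADER_LEN:
        raise ValueError("need %d header bytes, got %d" % (HEADER_LEN, len(raw)))
    version, ptype, seq_no, flags, session_id, length = struct.unpack(HEADER_FMT, raw[:HEADER_LEN])
    return {
        "major": version >> 4,             # 0xC0 -> major version 12
        "minor": version & 0x0F,           # 0xC0 -> minor version 0
        "type": PACKET_TYPES.get(ptype, "UNKNOWN(%d)" % ptype),
        "seq_no": seq_no,
        "encrypted": not (flags & TAC_PLUS_UNENCRYPTED_FLAG),  # assumed: debug 'encryption 1'
        "single_connect": bool(flags & TAC_PLUS_SINGLE_CONNECT_FLAG),
        "session_id": session_id,
        "body_len": length,                # 'dlen' in the debug
        "wire_len": HEADER_LEN + length,   # the 'wrote/read entire N bytes' figure
    }


def check_session(headers):
    """Sanity-check one session's parsed headers: constant session_id, seq_no running
    1, 2, 3, ... (odd from the client, even from the server), major version 12, and
    the body always obfuscated. Returns a list of findings; empty means well-formed."""
    findings = []
    sid = headers[0]["session_id"]
    for i, h in enumerate(headers, start=1):
        if h["session_id"] != sid:
            findings.append("packet %d: session_id changed" % i)
        if h["seq_no"] != i:
            findings.append("packet %d: seq_no %d, expected %d" % (i, h["seq_no"], i))
        if h["major"] != 12:
            findings.append("packet %d: unexpected major version %d" % (i, h["major"]))
        if not h["encrypted"]:
            findings.append("packet %d: body sent without obfuscation" % i)
    return findings


# Constructed sample: the four headers of the login exchange in the debug above
# (type 1 = AUTHEN, session_id 0x3CB4F6AA, dlen 45 / 25 / 10 / 6).
SESSION_ID = 0x3CB4F6AA
SAMPLE_EXCHANGE = [build_header(1, seq, SESSION_ID, dlen)
                   for seq, dlen in ((1, 45), (2, 25), (3, 10), (4, 6))]


def sample_wire_lengths():
    """Header plus dlen for each packet: 57, 37, 22 and 18 bytes, as the debug reports."""
    return [parse_header(h)["wire_len"] for h in SAMPLE_EXCHANGE]


if __name__ == "__main__":
    for raw in SAMPLE_EXCHANGE:
        print(parse_header(raw))
    print("findings:", check_session([parse_header(h) for h in SAMPLE_EXCHANGE]))
```

The wire lengths show why "dlen 45" becomes "wrote entire 57 bytes": every packet carries the 12-byte header before the body, and only the body is obfuscated with the key configured under "tacacs server".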

Show running-config

Current configuration : 2781 bytes                                              
!                                                                               
! Last configuration change at 18:55:35 UTC Fri Sep 30 2011 by ayourtch         
version 15.2                                                                    
service timestamps debug datetime msec                                          
service timestamps log datetime msec                                            
no service password-encryption                                                  
!                                                                               
hostname 1941-01                                                                
!                                                                               
boot-start-marker                                                               
boot system flash flash:/c1900-universalk9-mz.SPA.152-1.T                       
boot-end-marker                                                                 
!                                                                               
!                                                                               
enable secret 5 $1$nJGe$kj6JHz6Inhq1UN883NX7n1                                  
!                                                                               
aaa new-model                                                                   
!                                                                               
!                                                                               
aaa group server tacacs+ FOO                                                    
 server name FOO                                                                
!                                                                               
aaa authentication login default local enable none                              
aaa authentication login FOO group FOO                                          
aaa authentication login LCL local enable none                                  
!                                                                               
!                                                                               
!                                                                               
!                                                                               
!                                                                               
aaa session-id common                                                           
!                                                                               
!                                                                               
ipv6 unicast-routing                                                            
ipv6 cef                                                                        
ip auth-proxy max-login-attempts 5                                              
ip admission max-login-attempts 5                                               
!                                                                               
!                                                                               
!                                                                                                                                                              
ip dhcp pool INT2                                                               
 network 192.168.2.0 255.255.255.0                                              
 dns-server 144.254.10.123 64.103.101.184 144.254.71.184                        
!                                                                               
!                                                                               
no ip domain lookup                                                             
ip domain name cisco.com                                                        
ip cef                                                                          
!                                                                               
multilink bundle-name authenticated                                             
!                                                                               
crypto pki token default removal timeout 0                                      
!                                                                               
!                                                                               
license udi pid CISCO1941/K9 sn FTX140980GP                                     
license boot module c1900 technology-package securityk9                         
license boot module c1900 technology-package datak9                             
!                                                                               
!                                                                               
username ayourtch privilege 15 password 0 cisco123                              
username jgriviau privilege 15 password 0 cisco123                              
!                                                                               
redundancy                                                                      
!                                                                               
!                                                                               
!                                                                               
!                                                                               
!                                                                               
!                                                                               
!                                                                               
!                                                                               
!                                                                               
!                                                                               
!                                                                               
!                                                                               
!                                                                               
!                                                                               
interface Embedded-Service-Engine0/0                                            
 no ip address                                                                  
 shutdown                                                                       
!                                                                               
interface GigabitEthernet0/0                                                    
 no ip address        
 ip virtual-reassembly in                                                       
 load-interval 30                                                               
 duplex auto                                                                    
 speed auto                                                                     
 no cdp enable                                                                  
!                                                                               
interface GigabitEthernet0/1                                                    
 ip address 192.168.2.1 255.255.255.0                                           
 ip nbar protocol-discovery                                                     
 ip virtual-reassembly in                                                       
 load-interval 30                                                               
 duplex auto                                                                    
 speed auto                                                                     
 ipv6 address 2001:DB8::2/64                                                    
!                                                                               
ip forward-protocol nd                                                          
!                                                                               
no ip http server                                                               
no ip http secure-server                                                        
!                                                                               
!                                                                               
!                                                                               
!                                                                               
!                                                                               
!                                                                               
tacacs server FOO                                                               
 address ipv6 2001:DB8::20C:1FF:FE02:304                                        
 key cisco123                                                                   
 port 4949                                                                      
!                                                                               
!                                                                               
!                                                                               
control-plane                                                                   
!                                                                               
!                                                                               
!                                                                               
line con 0                                                                      
 exec-timeout 0 0                                                               
line aux 0                                                                      
line 2                                                                          
 no activation-character                                                        
 no exec                                                                        
 transport preferred none                                                       
 transport input all                                                            
 transport output pad telnet rlogin lapb-ta mop udptn v120 ssh                  
 stopbits 1                                                                     
line vty 0 4                                                                    
 login authentication FOO                                                       
 transport input ssh                                                            
line vty 5 100                                                                  
 login authentication FOO                                                       
 transport input ssh                                                            
line vty 101 200                                                                
 login authentication LCL                                                       
 transport input telnet                                                         
!                                                                               
scheduler allocate 20000 1000                                                   
end                                                                             

Related Information

Technical Support & Documentation - Cisco Systems
