How to install TACACS+ on Linux CentOS

Hi Rene, I'm currently studying CCNP ROUTE and this is one of the topics. My question is: on the exam, do we need to configure the TACACS+ server? Because I don't have a Linux box, I can't simulate this one. Or do we only need to understand how TACACS+ works? Thank you

Hi John,

For CCNP ROUTE you only need to know how to configure TACACS+ on Cisco devices; there is no need to worry about the server.

Rene

Got this set up on a raspberry pi fairly easily. Thanks!


Hi,
Why have you given priv-lvl = 15 to all groups?

What do I need to do to get enable mode (priv-lvl 15) once they enter their username and password?
Thanks

Hello Sims

You can adjust the privilege level to whatever you want. In the example in the lesson, a privilege level of 15 is given to all users, but you can change that for whatever users you want.

A privilege level of 15 will bypass any use of the enable password to get to privileged executive mode.

I hope this has been helpful!

Laz

Hi,
How do I keep privilege level 15 but limit certain commands to only a particular group?
And what is default service = permit?

Thanks

Hello Sims

If you look at the lesson, you will see that there is a group called “admin” that is configured at priv-lvl 15 and has specific commands, such as “username”, “enable” and “configure”, that are allowed. Similarly, you have the “sysadmin” group, which is also at priv-lvl 15 but has a more limited set of commands. For example, take a look at the following limitation:

    cmd = interface {
            permit FastEthernet.*
            permit GigabitEthernet.*
    }

This set of commands only allows this group to access the FastEthernet and GigabitEthernet interface configurations, and not serial, loopback, TenGigabit, or VLAN interfaces. In contrast, the “admin” group had the following for this section:

    cmd = interface {
            permit .*
    }

which essentially means permit everything.

Now the key to all of this is the “default service = permit” command, as you mentioned. By default, the TACACS+ server implicitly denies all commands. You can however use the default service = permit command to change this default behaviour so TACACS+ will permit any commands that you don’t explicitly deny.

In the lesson, the admin group has this set while the sysadmin does not. And for this reason, you can see how the commands listed are dealt with in a different manner.

I hope this has been helpful!

Laz
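As an added example (not part of the lesson and not tac_plus's own code), here is a small Python model of the command-authorization decision described in the post above, so you can see why the sysadmin group may enter GigabitEthernet0/1 but not Serial0/0, and why the admin group is allowed anything it does not list. The configuration text, group names and regexes are constructed for this example; the decision rules follow the documented tac_plus behaviour (the first matching permit/deny regex wins, a listed command whose arguments match no rule is denied, and an unlisted command is denied unless the group has default service = permit), but check tac_plus.conf(5) before relying on the details.

```python
import re
from dataclasses import dataclass, field

# Constructed tac_plus.conf-style fragment for this example (not the lesson's file).
# The admin group carries "default service = permit"; sysadmin does not, so sysadmin
# may only run the commands it lists, and only with arguments matching its regexes.
CONF = """
group = admin {
    default service = permit
    service = exec {
        priv-lvl = 15
    }
    cmd = interface {
        permit .*
    }
}

group = sysadmin {
    service = exec {
        priv-lvl = 15
    }
    cmd = show {
        permit .*
    }
    cmd = interface {
        permit FastEthernet.*
        permit GigabitEthernet.*
    }
}
"""


@dataclass
class Group:
    name: str
    default_service_permit: bool = False       # True when "default service = permit" is set
    cmds: dict = field(default_factory=dict)   # cmd name -> [("permit"|"deny", regex), ...]


def parse_groups(text):
    """Parse the group / cmd / permit / deny parts of a tac_plus.conf-style text.

    Assumes one statement per line, '#' comments and an opening brace at line end,
    as in the lesson's file; other blocks (service = exec, key, user) are skipped.
    """
    groups, group, cmd, depth = {}, None, None, 0
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        if line.endswith("{"):
            head = line[:-1].strip()
            depth += 1
            if depth == 1 and head.startswith("group ="):
                group = Group(head.split("=", 1)[1].strip())
                groups[group.name] = group
            elif depth == 2 and group is not None and head.startswith("cmd ="):
                cmd = head.split("=", 1)[1].strip()
                group.cmds[cmd] = []
        elif line == "}":
            if depth == 2:
                cmd = None
            elif depth == 1:
                group = None
            depth -= 1
        elif group is not None and depth == 1 and line == "default service = permit":
            group.default_service_permit = True
        elif cmd is not None and depth == 2:
            action, _, pattern = line.partition(" ")
            if action in ("permit", "deny"):
                group.cmds[cmd].append((action, pattern.strip()))
    return groups


def authorize(group, command_line):
    """Decide one command line (e.g. 'interface Serial0/0') for a group.

    Returns (permitted, reason). Rules for a listed command are tried in order and
    the first regex matching the argument string wins; a listed command whose
    arguments match no rule is denied; an unlisted command is denied unless the
    group has "default service = permit".
    """
    cmd, _, args = command_line.strip().partition(" ")
    rules = group.cmds.get(cmd)
    if rules is None:
        if group.default_service_permit:
            return True, f"{cmd!r} not listed; default service = permit"
        return False, f"{cmd!r} not listed; implicit deny"
    for action, pattern in rules:
        # tac_plus applies the regex unanchored (regexec), so a rule like "Serial"
        # would also match "xSerial"; anchor with ^...$ in real configs if that matters.
        if re.search(pattern, args):
            return action == "permit", f"{cmd!r} matched {action} {pattern!r}"
    return False, f"{cmd!r} listed but no rule matched {args!r}; deny"


if __name__ == "__main__":
    groups = parse_groups(CONF)
    for name in ("admin", "sysadmin"):
        for cl in ("interface GigabitEthernet0/1", "interface Serial0/0",
                   "show running-config", "configure terminal"):
            ok, why = authorize(groups[name], cl)
            print(f"{name:9} {cl:30} {'PERMIT' if ok else 'DENY  '}  {why}")
```

Running it prints one line per group and command; the interesting rows are sysadmin being denied `interface Serial0/0` (listed command, no matching regex) and `configure terminal` (not listed, no default service = permit), while admin is permitted both.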

Hi,
Can you tell me where we use “default attribute = permit” and what it means?

Thanks

Hello Sims

The “default attribute” syntax specifies the default attribute permission for a particular service authorization.

Some actions when authorizing services (e.g. when matching attributes are not found) depend on how the default is configured. This particular command changes the default from deny to permit for the particular user and service.

I hope this has been helpful!

Laz

Hi,
In case the TACACS server fails, the authentication and command authorization also fail.
How do I overcome this?

  1. Is it possible to permit the "router ospf" command only inside the VRF?

Thanks

Hi,
What is "single-connection port" in the TACACS configuration, and when should it be used?
Thanks

Hi, can you give an example of this?
Thanks

Hello Sims

The “single-connection” keyword in the configuration of the TACACS server host command is used to maintain a single open TCP connection between the router and the server, rather than having the router open and close a TCP connection each time it must communicate. This improves the efficiency of the communication between the router and the server. More info on this can be found in the following Cisco documentation:

As for the default attribute syntax, you can see several examples in this TACACS documentation. Take a look at the section titled CONFIGURING DEFAULT AUTHORIZATION.

I hope this has been helpful!

Laz

In my config, a privilege level of 15 doesn't bypass any use of the enable password. When I want to enter enable mode I get a "% Error in authentication" message.
I have changed only the key, host IP and joe user password in the tac_plus.conf file.

Hello Tural

When employing a privilege level of 15 using the local user database, you do indeed bypass any use of the enable mechanism. Privilege level 15 is actually called privileged EXEC mode, as can be seen in this Cisco documentation, which is the mode you enter when you enter the enable keyword and the appropriate password.

However, when you use TACACS, it operates a little differently. In this case, the privilege level is determined and configured dynamically by the TACACS server when logging in. If TACACS bestows a privilege level of 15, then you won’t need to enter the enable password. However, if TACACS does not give such a privilege level, then you will need to use the enable command to get into privileged EXEC mode.

If you are getting the “% Error in authentication” error message, this could be due to several factors, including incorrect credentials, TACACS server unavailability, a misconfiguration, or network issues. This may not be a trivial issue, so you must troubleshoot all of these contingencies to determine the specific problem. Let us know how you get along so that we can help you further…

I hope this has been helpful!

Laz