Using a TACACS server to authenticate SSH login: Cisco IOS
Here we have a TACACS server at 192.168.0.1, a shared key (password) called secret, and a couple of usernames.
Step 1: Create a local username and password, and an enable password, so that you can still get in if the TACACS server fails.
Router(config)#username admin privilege 15 password ?
0 Specifies an UNENCRYPTED password will follow
7 Specifies a HIDDEN password will follow
LINE The UNENCRYPTED (cleartext) user password
Router(config)#username admin privilege 15 password 0 ?
LINE The UNENCRYPTED (cleartext) user password
Router(config)#username admin privilege 15 password 0 cisco
Enable password (options below):
Router(config)#enable password ?
7 Specifies a HIDDEN password will follow
LINE The UNENCRYPTED (cleartext) 'enable' password
level Set exec level password
Router(config)#enable secret ?
0 Specifies an UNENCRYPTED password will follow
5 Specifies an ENCRYPTED secret will follow
LINE The UNENCRYPTED (cleartext) 'enable' secret
level Set exec level password
Router(config)#enable secret 0 test
Step 2: Configure the router to use TACACS
Router(config)#aaa new-model (enables AAA on the router, which is what makes TACACS authentication possible)
Router(config)#tacacs-server host 192.168.0.1
Router(config)#tacacs-server key secret (Here, secret is a password which has been set up on the TACACS server)
Step 3: Change the router's default hostname so that SSH can be enabled (the RSA key name is built from the hostname and domain name).
Router(config)#hostname R0
Step 4: Create an AAA authentication method list (called SSH-LOGIN for clarity, but you could call it 'Ethel' if you wish)
R0(config)#aaa authentication login SSH-LOGIN group tacacs+ local (TACACS+ is tried first; the local account from Step 1 is only consulted if no TACACS server responds, not when TACACS rejects the login. Without the trailing 'local' the Step 1 account is never used on the vty lines and a TACACS outage locks you out of SSH.)
Step 5: Enable SSH
(First configure a domain name and then generate the RSA key pair; otherwise SSH won't work)
R0(config)#ip domain-name test.com
R0(config)#crypto key generate rsa
The name for the keys will be: R0.test.com
Choose the size of the key modulus in the range of 360 to 2048 for your
General Purpose Keys. Choosing a key modulus greater than 512 may take
a few minutes.
How many bits in the modulus [512]: 1024
% Generating 1024 bit RSA keys, keys will be non-exportable…[OK]
R0(config)#line vty 0 4
R0(config-line)#transport input ssh
R0(config-line)#login authentication SSH-LOGIN
R0(config-line)#end
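The following audit script is an added example and is not part of the original walkthrough. It takes a saved running-config as text and checks the settings the steps above touch: that every login method list which uses TACACS+ also ends in local (so the Step 1 account really is a fallback), that usernames use secret rather than a reversible password, that an enable secret exists, that SSH version 2 is enforced, and that each vty section restricts transport to SSH and references a method list that is actually defined. The two configuration excerpts inside it are constructed for the example: the first mirrors the walkthrough as written, the second is the same design with those points fixed. The IOS commands used in the hardened sample (username ... secret, ip ssh version 2, the local keyword) are standard IOS syntax; the script itself and its finding messages are this example's own.

```python
"""Audit a Cisco IOS config for the SSH / TACACS+ login settings covered above.

Added example, not from the original page. Both configs below are constructed
samples: AS_BUILT follows the walkthrough literally, HARDENED applies the fixes.
"""
import re

# Constructed sample: the configuration exactly as the walkthrough builds it.
AS_BUILT = """\
hostname R0
username admin privilege 15 password 0 cisco
enable secret 0 test
aaa new-model
aaa authentication login SSH-LOGIN group tacacs+
tacacs-server host 192.168.0.1
tacacs-server key secret
ip domain-name test.com
line vty 0 4
 transport input ssh
 login authentication SSH-LOGIN
"""

# Constructed sample: same design with local fallback, hashed user secret, SSHv2.
HARDENED = """\
hostname R0
username admin privilege 15 secret cisco
enable secret 0 test
aaa new-model
aaa authentication login SSH-LOGIN group tacacs+ local
tacacs-server host 192.168.0.1
tacacs-server key secret
ip domain-name test.com
ip ssh version 2
line vty 0 4
 transport input ssh
 login authentication SSH-LOGIN
"""


def _method_lists(lines):
    """Return {list_name: [methods]} from 'aaa authentication login' lines."""
    lists = {}
    for line in lines:
        m = re.match(r"aaa authentication login (\S+) (.+)$", line)
        if m:
            lists[m.group(1)] = m.group(2).split()
    return lists


def _vty_blocks(lines):
    """Yield the indented sub-commands of each 'line vty' section."""
    block, in_vty = [], False
    for line in lines:
        if line.startswith("line vty"):
            if in_vty:
                yield block
            block, in_vty = [], True
        elif in_vty and line.startswith(" "):
            block.append(line.strip())
        elif in_vty:
            yield block           # an unindented line ends the section
            block, in_vty = [], False
    if in_vty:
        yield block


def audit(config: str) -> list[str]:
    """Return a list of human-readable findings; empty means all checks passed."""
    lines = [l.rstrip() for l in config.splitlines() if l.strip()]
    findings = []

    lists = _method_lists(lines)
    for name, methods in lists.items():
        # A TACACS-only list locks you out when the server is unreachable.
        if "tacacs+" in methods and "local" not in methods:
            findings.append(f"method list {name}: TACACS+ without local fallback")

    for line in lines:
        # 'password' stores type 0 (clear) or type 7 (reversible); 'secret' hashes.
        if re.match(r"username \S+ (?:privilege \d+ )?password (?:\d )?\S", line):
            findings.append(f"reversible user password: {line.split()[1]}")

    if not any(l.startswith("enable secret ") for l in lines):
        findings.append("no 'enable secret' configured")

    if "ip ssh version 2" not in lines:
        findings.append("SSH version 2 not enforced")

    for block in _vty_blocks(lines):
        if "transport input ssh" not in block:
            findings.append("vty: transport input not restricted to ssh")
        refs = [b.split()[-1] for b in block if b.startswith("login authentication ")]
        if not refs:
            findings.append("vty: no login authentication method list")
        for name in refs:
            if name not in lists:
                findings.append(f"vty: undefined method list {name}")
    return findings


if __name__ == "__main__":
    for label, cfg in (("as built", AS_BUILT), ("hardened", HARDENED)):
        print(f"{label}: {audit(cfg) or 'OK'}")
```

Run it against a copy of `show running-config` saved to a file by passing the file contents to `audit()`. The walkthrough's own configuration produces three findings (missing local fallback, a reversible user password, SSH version not pinned), while the hardened variant produces none; the fallback finding is the one that matters most, because it turns a TACACS outage into a management lockout.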