TACACS+ Servers for AAA

This chapter describes how to configure TACACS+ servers used in AAA.

About TACACS+ Servers for AAA

The ASA supports TACACS+ server authentication with the following protocols: ASCII, PAP, CHAP, and MS-CHAPv1.

TACACS+ Attributes

The ASA provides support for TACACS+ attributes. TACACS+ attributes separate the functions of authentication, authorization, and accounting. The protocol supports two types of attributes: mandatory and optional. Both the server and client must understand a mandatory attribute, and the mandatory attribute must be applied to the user. An optional attribute may or may not be understood or used.


Note


To use TACACS+ attributes, make sure that you have enabled AAA services on the NAS.


The following table lists supported TACACS+ authorization response attributes for cut-through-proxy connections.

Table 1. Supported TACACS+ Authorization Response Attributes

Attribute

Description

acl

Identifies a locally configured ACL to be applied to the connection.

idletime

Indicates the amount of inactivity in minutes that is allowed before the authenticated user session is terminated.

timeout

Specifies the absolute amount of time in minutes that authentication credentials remain active before the authenticated user session is terminated.

The following table lists supported TACACS+ accounting attributes.

.

Table 2. Supported TACACS+ Accounting Attributes

Attribute

Description

bytes_in

Specifies the number of input bytes transferred during this connection (stop records only).

bytes_out

Specifies the number of output bytes transferred during this connection (stop records only).

cmd

Defines the command executed (command accounting only).

disc-cause

Indicates the numeric code that identifies the reason for disconnecting (stop records only).

elapsed_time

Defines the elapsed time in seconds for the connection (stop records only).

foreign_ip

Specifies the IP address of the client for tunnel connections. Defines the address on the lowest security interface for cut-through-proxy connections.

local_ip

Specifies the IP address that the client connected to for tunnel connections. Defines the address on the highest security interface for cut-through-proxy connections.

NAS port

Contains a session ID for the connection.

packs_in

Specifies the number of input packets transferred during this connection.

packs_out

Specifies the number of output packets transferred during this connection.

priv-level

Set to the user privilege level for command accounting requests or to 1 otherwise.

rem_iddr

Indicates the IP address of the client.

service

Specifies the service used. Always set to “shell” for command accounting only.

task_id

Specifies a unique task ID for the accounting transaction.

username

Indicates the name of the user.

Guidelines for TACACS+ Servers for AAA

This section describes the guidelines and limitation that you should check before configuring TACACS+ servers for AAA.

IPv6

The AAA server can use either an IPv4 or IPv6 address.

Additional Guidelines

  • You can have up to 200 server groups in single mode or 4 server groups per context in multiple mode.

  • Each group can have up to 16 servers in single mode or 8 servers in multiple mode.

  • For FPR1000, FPR2100, or FPR3100 Series that are running in ASA appliance mode, you must comply with these username conventions:

    • Must be Linux-valid usernames.

    • Must be lower-case only.

    • May include alphanumeric characters, period (.), or hyphen (-).

    • Must not include other special characters such as at sign (@) and slash (/).

Configure TACACS+ Servers

This section describes how to configure TACACS+ servers.

Procedure


Step 1

Configure TACACS+ Server Groups.

Step 2

Add a TACACS+ Server to a Group.

Step 3

(Optional) Add an Authentication Prompt.


Configure TACACS+ Server Groups

If you want to use a TACACS+ server for authentication, authorization, or accounting, you must first create at least one TACACS+ server group and add one or more servers to each group. You identify TACACS+ server groups by name.

To add a TACACS+ server group, perform the following steps:

Procedure


Step 1

Choose Configuration > Device Management > Users/AAA > AAA Server Groups.

Step 2

Click Add in the AAA Server Groups area.

The Add AAA Server Group dialog box appears.

Step 3

Enter a name for the group in the Server Group field.

Step 4

Choose the TACACS+ server type from the Protocol drop-down list:

Step 5

Click Simultaneous or Single in the Accounting Mode field.

In Single mode, the ASA sends accounting data to only one server.

In Simultaneous mode, the ASA sends accounting data to all servers in the group.

Step 6

Click Depletion or Timed in the Reactivation Mode field.

In Depletion mode, failed servers are reactivated only after all of the servers in the group are inactive. In depletion mode, when a server is deactivated, it remains inactive until all other servers in the group are inactive. When and if this occurs, all servers in the group are reactivated. This approach minimizes the occurrence of connection delays due to failed servers.

In Timed mode, failed servers are reactivated after 30 seconds of down time.

Step 7

If you chose the Depletion reactivation mode, enter a time interval in the Dead Time field.

The dead time is the duration of time, in minutes, that elapses between the disabling of the last server in a group and the subsequent re-enabling of all servers. Deadtime applies only if you configure fallback to the local database; authentication is attempted locally until the deadtime elapses.

Step 8

Add the maximum number of failed AAA transactions with a server to allow.

This option sets the number of failed AAA transactions before declaring a nonresponsive server to be inactive.

Step 9

Click OK.

The Add AAA Server Group dialog box closes, and the new server group is added to the AAA Server Groups table.

Step 10

Click Apply to save the changes to the running configuration.


Add a TACACS+ Server to a Group

To add a TACACS+ server to a group, perform the following steps:

Procedure


Step 1

Choose Configuration > Device Management > Users/AAA > AAA Server Groups.

Step 2

Click the server group to which you want to add a server.

Step 3

Click Add in the Servers in the Selected Group area.

The Add AAA Server Group dialog box appears for the server group.

Step 4

Choose the interface name on which the authentication server resides.

Step 5

Add either a server name or IP address for the server that you are adding to the group.

Step 6

Specify the timeout value for connection attempts to the server.

Specify the timeout interval (1-300 seconds) for the server; the default is 10 seconds. For each AAA transaction the ASA retries connection attempts (based on the retry interval) until the timeout is reached. If the number of consecutive failed transactions reaches the maximum-failed-attempts limit specified in the AAA server group, the AAA server is deactivated and the ASA starts sending requests to another AAA server if it is configured.

Step 7

Specify the server port. The server port is either port number 139, or the TCP port number used by the ASA to communicate with the TACACS+ server.

Step 8

Specify the server secret key. The shared secret key used to authenticate the TACACS+ server to the ASA. The server secret that you configure here should match the one that is configured on the TACACS+ server. If you do not know the server secret, ask the TACACS+ server administrator. The maximum field length is 64 characters.

Step 9

Click OK.

The Add AAA Server Group dialog box closes, and the AAA server is added to the AAA server group.

Step 10

Click Apply to save the changes to the running configuration.


Add an Authentication Prompt

You can specify text to display to the user during the AAA authentication challenge process. You can specify the AAA challenge text for HTTP, FTP, and Telnet access through the ASA when requiring user authentication from TACACS+ servers. This text is primarily for cosmetic purposes and appears above the username and password prompts that users see when they log in.

If you do not specify an authentication prompt, users see the following when authenticating with a TACACS+ server:

Connection Type

Default Prompt

FTP

FTP authentication

HTTP

HTTP authentication

Telnet

None

To add an authentication prompt, perform the following steps:

Procedure


Step 1

Choose Configuration > Device Management > Users/AAA > Authentication Prompt.

Step 2

Add text to appear above the username and password prompts that users see when they log in.

The following table shows the allowed character limits for authentication prompts:

Application

Character Limit for Authentication Prompt

Microsoft Internet Explorer

37

Telnet

235

FTP

235

Step 3

Add messages in the User accepted message and User rejected message fields.

If the user authentication occurs from Telnet, you can use the User accepted message and User rejected message options to display different status prompts to indicate that the authentication attempt is accepted or rejected by the AAA server.

If the AAA server authenticates the user, the ASA displays the User accepted message text, if specified, to the user; otherwise, the ASA displays the User rejected message text, if specified. Authentication of HTTP and FTP sessions displays only the challenge text at the prompt. The User accepted message and User rejected message text are not displayed.

Step 4

Click Apply to save the changes to the running configuration.


Test TACACS+ Server Authentication and Authorization

To determine whether the ASA can contact a TACACS+ server and authenticate or authorize a user, perform the following steps:

Procedure


Step 1

Choose Configuration > Device Management > Users/AAA > AAA Server Groups.

Step 2

Click the server group in which the server resides.

Step 3

Click the server that you want to test.

Step 4

Click Test.

The Test AAA Server dialog box appears for the selected server.

Step 5

Click the type of test that you want to perform—Authentication or Authorization.

Step 6

Enter a username.

Step 7

If you are testing authentication, enter the password for the username.

Step 8

Click OK.

The ASA sends an authentication or authorization test message to the server. If the test fails, an error message appears.


Monitoring TACACS+ Servers for AAA

See the following commands for monitoring TACACS+ servers for AAA:

  • Monitoring > Properties > AAA Servers

    This pane shows the configured TACACS+ server statistics.

  • Tools > Command Line Interface

    This pane allows you to issue various non-interactive commands and view results.

History for TACACS+ Servers for AAA

Table 3. History for TACACS+ Servers for AAA

Feature Name

Platform Releases

Description

TACACS+ Servers

7.0(1)

Describes how to configure TACACS+ servers for AAA.

We introduced the following screens:

Configuration > Device Management > Users/AAA > AAA Server Groups


Configuration > Device Management > Users/AAA > Authentication Prompt.

TACACS+ servers with IPv6 addresses for AAA

9.7(1)

You can now use either an IPv4 or IPv6 address for the AAA server.

Increased limits for AAA server groups and servers per group.

9.13(1)

You can configure more AAA server groups. In single context mode, you can configure 200 AAA server groups (the former limit was 100). In multiple context mode, you can configure 8 (the former limit was 4).

In addition, in multiple context mode, you can configure 8 servers per group (the former limit was 4 servers per group). The single context mode per-group limit of 16 remains unchanged.

We modified the AAA screens to accept these new limits.