Controlling who can log in to network devices is a basic requirement in any real network. Only authenticated users should be able to connect to a router or switch and change its configuration, whether remotely over Telnet or SSH or locally through a console connection.
One way to enforce this is to authenticate against the device's local database, where usernames and passwords are stored and checked on the device itself.
A more robust option is an AAA server. AAA stands for authentication, authorization and accounting, and the device can talk to the server using either the RADIUS or the TACACS+ protocol. In both cases a dedicated server holds the credentials of the users who are allowed to administer the network devices. When someone on a PC logs in to a router or switch, they enter a username and password at the device, and the device forwards them to the server, which accepts or rejects the login. The two protocols differ in ways that matter for device administration: TACACS+ runs over TCP port 49, encrypts the whole packet body with the shared secret and keeps authentication separate from authorization, which is what makes per-command authorization possible; RADIUS runs over UDP, protects only the password field and combines authentication and authorization in a single exchange.
The three components are: authentication verifies the identity of the connecting user by asking for credentials; authorization decides what an authenticated user may do on the device; accounting records what users did, for auditing and billing.
In this post I will show how to configure a TACACS+ server in Cisco Packet Tracer using a sample topology. If you want the RADIUS version, we have a separate post on how to configure a RADIUS server in Packet Tracer.
Network Topology
The network topology depicted in the image below comprises a router, a TACACS+ server, a switch, and two PCs. Our objective in this demonstration is to enable TACACS+ AAA services on the TACACS+ Server, configure access authentication between the router and the TACACS+ server, and create users for both PC1 and PC2 on the TACACS+ server. PC1 will utilize a console connection to access Router1, while PC2 will use Telnet.
How to Configure TACACS+ Server in Cisco Packet Tracer
Here are the steps to configure TACACS+ Server in Cisco Packet Tracer using the network topology shown above.
Step 1: Enable TACACS+ AAA Services on the TACACS Server
Click the TACACS+ Server and open Services > AAA to turn the AAA service on. In the network configuration section add the router as a client: give it a name, enter its IP address, enter the secret key and choose Tacacs as the server type.
The client IP address is the address of the router whose access is being secured; the server looks up the secret by client address, so requests from other addresses are not accepted. The secret key is a shared secret that must be identical on the router and the server: TACACS+ uses it to encrypt the body of every packet in both directions, so a mismatch means the server cannot read the router's requests and every login is refused. The Radius Port field in this window applies only to RADIUS clients; TACACS+ uses TCP port 49, which is the default IOS uses unless told otherwise.
Step 2: Create Users on the TACACS Server
In the topology, two PCs need access to the router: PC1 will connect over the console and PC2 over Telnet. On the server, under Services > AAA, add two user accounts, user1 and user2 (both with the password cisco in this lab). Note that in this lab the console login is handled by the router's local database, so only PC2's Telnet session will actually be checked against these accounts.
Step 3: Configure the interfaces of the router
Assign the IP address labelled in the network topology to the router interface:
R1(config)#interface gigabitEthernet0/1
R1(config-if)#ip address 192.168.12.1 255.255.255.0
R1(config-if)#no shutdown
R1(config-if)#exit
Step 4: Configure Local Authentication on the Router
R1(config)#aaa new-model
R1(config)#aaa authentication login default local
R1(config)#username admin privilege 15 password cisco
R1(config)#enable secret cisco
Here is a brief description of each of the above commands.
aaa new-model: enables AAA on the router. From this point on every line is authenticated through AAA method lists, so make sure a working default list is in place before you disconnect.
aaa authentication login default local: defines the default login method list, which consults the local username database. Any line without an explicit login authentication command uses this list.
username admin privilege 15 password cisco: creates a local user called admin with privilege level 15 (the highest level, equivalent to enable mode) and the password cisco. This account is used whenever a method list resolves to local. Note that the password keyword stores the password in clear text, or with service password-encryption in the trivially reversible Type 7 format; on real equipment use the secret keyword instead, which stores a hash.
enable secret cisco: sets the enable secret to cisco. This protects privileged EXEC mode: users are prompted for it when they type enable. Unlike enable password, enable secret stores a hash rather than the password itself.
Step 5: Enable TACACS+ authentication on the router
R1(config)#aaa authentication login TACACS+ group tacacs+
R1(config)#tacacs-server host 192.168.12.254 key 123456
Here is a brief description of the above commands;
aaa authentication login TACACS+ group tacacs+: defines a second, named login method list. TACACS+ here is simply the name we chose for the list (any word would do), and it is this name that the lines refer to in Step 6. The method group tacacs+ is the built-in server group containing every TACACS+ server configured on the router; the router tries them in order. As written, the list has no fallback: if the server is unreachable the method returns an error, no other method is tried, and nobody can log in on the lines that use this list. On production devices append local as a last method so that the local admin account still works while the server is down. Be aware that IOS only moves on to the next method when the previous one returns an error (server not reachable), never when the server answers and rejects the credentials.
tacacs-server host 192.168.12.254 key 123456: tells the router where the TACACS+ server is (192.168.12.254) and sets the shared secret 123456, which must match the key entered on the server in Step 1. The secret is used to encrypt the body of every TACACS+ packet in both directions; it is never sent on the wire. This is the legacy syntax that Packet Tracer accepts; current IOS releases prefer a named tacacs server block with address ipv4 and key sub-commands, but the meaning is the same.
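To make the role of the shared secret described in Step 1 and Step 5 concrete, here is an added example (my own code, not from the original post or from Cisco) that builds a TACACS+ authentication START packet as a router would send it for a login on a VTY line and applies the RFC 8907 body obfuscation: an MD5 keystream derived from the session id, the key, the version and the sequence number, XORed over the body. The session id, username, port and remote address are constructed values; the key is the 123456 used in the post. Decoding with any other key yields garbage, which is exactly what the router and server see when their keys differ.

```python
"""TACACS+ authentication START packet with RFC 8907 body obfuscation.

Added example; not code from the original post or from Cisco. Session id,
username, port and remote address below are constructed values.
"""
import hashlib
import struct

# Header field values from RFC 8907 (sections 4.1 and 5.1).
TAC_PLUS_VERSION = 0xC0            # major version 0xC, minor version 0
TAC_PLUS_AUTHEN = 0x01             # packet type: authentication
TAC_PLUS_UNENCRYPTED_FLAG = 0x01   # body sent in clear (never use outside a lab)
TAC_PLUS_AUTHEN_LOGIN = 0x01       # START action
TAC_PLUS_AUTHEN_TYPE_ASCII = 0x01  # username/password prompts, as on an IOS line
TAC_PLUS_AUTHEN_SVC_LOGIN = 0x01   # service: login

# version, type, seq_no, flags, session_id, length (length covers the body only)
HEADER = struct.Struct("!BBBBII")


def pseudo_pad(session_id: int, key: bytes, version: int, seq_no: int, length: int) -> bytes:
    """MD5 chain of RFC 8907 section 4.5, truncated to the body length:
    MD5_1 = MD5(session_id, key, version, seq_no)
    MD5_n = MD5(session_id, key, version, seq_no, MD5_{n-1})"""
    prefix = struct.pack("!I", session_id) + key + bytes([version, seq_no])
    pad, prev = b"", b""
    while len(pad) < length:
        prev = hashlib.md5(prefix + prev).digest()
        pad += prev
    return pad[:length]


def obfuscate(body: bytes, session_id: int, key: bytes, version: int, seq_no: int) -> bytes:
    """XOR the body with the pseudo-pad. Applying it twice restores the body,
    but only if the same key (and header fields) are used both times."""
    pad = pseudo_pad(session_id, key, version, seq_no, len(body))
    return bytes(b ^ p for b, p in zip(body, pad))


def authen_start_body(user: bytes, port: bytes, rem_addr: bytes, priv_lvl: int = 1) -> bytes:
    """Body of an authentication START packet (RFC 8907 section 5.1)."""
    data = b""  # empty for an ASCII login; the password follows in CONTINUE packets
    fixed = bytes([TAC_PLUS_AUTHEN_LOGIN, priv_lvl, TAC_PLUS_AUTHEN_TYPE_ASCII,
                   TAC_PLUS_AUTHEN_SVC_LOGIN, len(user), len(port), len(rem_addr), len(data)])
    return fixed + user + port + rem_addr + data


def parse_authen_start(body: bytes) -> dict:
    """Inverse of authen_start_body; meaningful only on a correctly decoded body."""
    action, priv_lvl, authen_type, service, ulen, plen, rlen, dlen = body[:8]
    off = 8
    user, off = body[off:off + ulen], off + ulen
    port, off = body[off:off + plen], off + plen
    rem_addr, off = body[off:off + rlen], off + rlen
    return {"action": action, "priv_lvl": priv_lvl, "authen_type": authen_type,
            "service": service, "user": user, "port": port, "rem_addr": rem_addr,
            "data": body[off:off + dlen]}


def build_packet(body: bytes, session_id: int, key: bytes, seq_no: int = 1) -> bytes:
    """Header plus (obfuscated) body, as the router sends it. seq_no is 1 for the
    first packet of a session; the server replies with 2, and so on."""
    flags = 0 if key else TAC_PLUS_UNENCRYPTED_FLAG
    wire_body = obfuscate(body, session_id, key, TAC_PLUS_VERSION, seq_no) if key else body
    header = HEADER.pack(TAC_PLUS_VERSION, TAC_PLUS_AUTHEN, seq_no, flags, session_id, len(body))
    return header + wire_body


def parse_packet(packet: bytes, key: bytes) -> bytes:
    """Receiver side: strip the header and undo the obfuscation with *our* key.
    With the wrong key this returns bytes that parse as nonsense."""
    version, _ptype, seq_no, flags, session_id, length = HEADER.unpack_from(packet)
    body = packet[HEADER.size:HEADER.size + length]
    if flags & TAC_PLUS_UNENCRYPTED_FLAG:
        return body
    return obfuscate(body, session_id, key, version, seq_no)


if __name__ == "__main__":
    # Constructed values: a login for user1 on the second VTY line from PC2.
    start = authen_start_body(b"user1", b"tty2", b"192.168.12.3")
    pkt = build_packet(start, session_id=0x1A2B3C4D, key=b"123456")
    print("on the wire            :", pkt.hex())
    print("server with matching key:", parse_authen_start(parse_packet(pkt, b"123456")))
    print("server with wrong key   :", parse_packet(pkt, b"654321").hex())
```

The header itself (version, type, sequence number, flags, session id, length) is never encrypted, so a sniffer on the router-to-server path can see that a session is taking place and how long the bodies are, but not the username, the port or, in the CONTINUE packets that follow, the password. The unencrypted flag exists for debugging only and should never be set in production.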
Step 6: Apply authentication settings to console & VTY lines
R1(config)#line console 0
R1(config-line)#login authentication default
R1(config-line)#exit
R1(config)#line vty 0 4
R1(config-line)#login authentication TACACS+
R1(config-line)#exit
Here is a brief explanation of each of the above commands;
line console 0: enters configuration mode for the console line.
login authentication default: makes the console line use the default method list configured earlier, which consults the local database. A line with no login authentication command at all behaves the same way, but stating it makes the intent explicit.
line vty 0 4: enters configuration mode for the five virtual terminal lines used by Telnet and SSH sessions.
login authentication TACACS+: makes the VTY lines use the named TACACS+ method list, so remote logins are checked against the server. Telnet carries the username and password in clear text, so anyone on the path can read them; outside a lab, allow only SSH on the VTY lines (transport input ssh) and limit the sources that may connect with an access-class.
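The following added example (my own code, not Cisco's and not part of the original post) models how IOS walks the method lists defined in Steps 4 to 6 for a login on the console and on the VTY lines. The local database, the TACACS+ server at 192.168.12.254 and the accounts mirror the lab topology and are constructed here. It reproduces the behaviour seen in the tests that follow, shows the lockout that happens when the server is unreachable and the VTY list has no fallback, and shows the detail that matters once you add one: IOS only falls through to the next method when the previous one returns an error, never when the server answers and rejects the password.

```python
"""Model of how IOS evaluates AAA login method lists.

Added example; not Cisco code and not from the original post. The local
database, TACACS+ server and accounts are constructed to mirror the lab.
"""
from enum import Enum


class Result(Enum):
    PASS = "pass"    # the method accepted the credentials
    FAIL = "fail"    # the method was consulted and rejected them
    ERROR = "error"  # the method could not be consulted (e.g. server timed out)


class LocalDatabase:
    """Models the device's `username ...` entries (the `local` method)."""

    def __init__(self, users):
        self.users = dict(users)

    def authenticate(self, user, password):
        return Result.PASS if self.users.get(user) == password else Result.FAIL


class TacacsServer:
    """One `tacacs-server host` entry. Unreachable servers answer ERROR."""

    def __init__(self, address, users, reachable=True):
        self.address = address
        self.users = dict(users)
        self.reachable = reachable

    def authenticate(self, user, password):
        if not self.reachable:
            return Result.ERROR
        return Result.PASS if self.users.get(user) == password else Result.FAIL


class TacacsGroup:
    """Models `group tacacs+`: servers are tried in order and the first one
    that answers decides. Only if none answers does the group report ERROR."""

    def __init__(self, servers):
        self.servers = list(servers)

    def authenticate(self, user, password):
        for server in self.servers:
            result = server.authenticate(user, password)
            if result is not Result.ERROR:
                return result
        return Result.ERROR


def run_method_list(methods, user, password):
    """IOS semantics: move to the next method only on ERROR, never on FAIL.
    If every method errors, the login is refused (reported here as ERROR)."""
    for method in methods:
        result = method.authenticate(user, password)
        if result is not Result.ERROR:
            return result
    return Result.ERROR


def login(line, lists, user, password):
    """`login authentication <list>` binds a line to one method list."""
    return run_method_list(lists[line], user, password)


def build_router(server_reachable=True, local_fallback=False):
    """Method lists as configured in the post; local_fallback=True models
    appending `local` to the TACACS+ list, which the post does not do."""
    local = LocalDatabase({"admin": "cisco"})
    tacacs = TacacsGroup([TacacsServer("192.168.12.254",
                                       {"user1": "cisco", "user2": "cisco"},
                                       reachable=server_reachable)])
    tacacs_list = [tacacs, local] if local_fallback else [tacacs]
    # console 0 -> default list (local); vty 0 4 -> named list "TACACS+"
    return {"console 0": [local], "vty 0 4": tacacs_list}


if __name__ == "__main__":
    for label, router in (("server up, no fallback", build_router()),
                          ("server down, no fallback", build_router(False)),
                          ("server down, local fallback", build_router(False, True)),
                          ("server up, local fallback", build_router(True, True))):
        print(label)
        for line, user in (("console 0", "admin"), ("vty 0 4", "user1"), ("vty 0 4", "admin")):
            print(f"  {line:10} {user:6} -> {login(line, router, user, 'cisco').value}")
```

Two things to take from the model: with the post's configuration, a dead TACACS+ server leaves no way to reach the router remotely, and adding local at the end of the list fixes that only for the outage case. If the server is up and simply does not know the admin account, the answer is FAIL and the local database is never consulted, so a user removed from the server cannot sneak back in through a stale local account while the server is reachable.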
Step 7: Testing the Configuration
We can test the configuration by trying to access the router from both PC1 and PC2. We will use a console connection on PC1 and a telnet connection on PC2.
On PC1:
Open a console connection to R1. You will be asked for a username and password before you reach the CLI. (The router does not echo the password; it is shown below for clarity.)
Console to R1
User Access Verification
Username: admin
Password: cisco
R1>enable
Password: cisco
R1#
Logging out and trying the two TACACS+ accounts on the console fails, because the console line uses the default list, which consults only the local database:
User Access Verification
Username: user1
Password: cisco
% Login invalid
Username: user2
Password: cisco
% Login invalid
On PC2
Telnet to the router from the PC2 command prompt. You will again be asked for a username and password. This time the local admin account is refused, because the VTY lines consult only the TACACS+ server, which does not know it; user1 and user2, which exist on the server, are accepted:
C:\>telnet 192.168.12.1
Trying 192.168.12.1 ...Open
User Access Verification
Username: admin
Password: cisco
% Login invalid
Username: user1
Password: cisco
R1>enable
Password: cisco
R1#
Username: user2
Password: cisco
R1>enable
Password: cisco
I am a passionate Networking Associate specializing in Telecommunications.
With a degree in Electronic engineering, I possess a strong understanding of electronic systems and the intricacies of telecommunications networks. I gained practical experience and valuable insights working for a prominent telecommunications company.
Additionally, I hold certifications in networking, which have solidified my expertise in network architecture, protocols, and optimization.
Through my writing skills, I aim to provide accurate and valuable knowledge in the networking field.