UNCLASSIFIED
Implementing Security on Cisco Routers
Version 1.0g
Central(config)# radius-server key W@t7a8y-2m@K3aKy
RADIUS servers are freely available and are in extensive use. To perform
authentication and authorization a RADIUS server uses attributes. These attributes
can be configured to allow or deny access to various router and network services. For
more details see the "Configuring RADIUS" and "RADIUS Attributes" sections of the
Security Configuration Guide.
TACACS+
Terminal Access Controller Access Control System plus (TACACS+) is the most
recent Cisco security protocol designed to provide accounting and flexible control of
authentication and authorization services. TACACS+ is implemented by Cisco using
the AAA mechanisms and provides for the centralized validation of users using
routers and network services. TACACS+ protects communications using a shared
secret key between the network device and central server. TACACS+ was designed
with Cisco implementations in mind so it offers a wide range of AAA services
including full auditing of Cisco AAA accounting events.
The primary commands used for configuring TACACS+ on a Cisco router are:
§ tacacs-server host {hostname | ip-address} [port port-number] [key string]
specifies the host, by IP address or DNS name, on which the TACACS+ server is
running. The optional [port port-number] selects a port other than the default.
The optional [key string] sets the shared secret key for this TACACS+ server
host, overriding the default key; it should follow the same creation rules as
the default.
§ tacacs-server key string sets the default TACACS+ shared encryption key.
The shared secret key should be at least 16 characters long and follow the
other rules for a good password as described in Section 4.1.4.
For a complete list of TACACS+ router configuration commands see the "TACACS,
Extended TACACS, and TACACS+ Commands" section in the "Security
Command Reference". Simple example for Central:
Central(config)# tacacs-server host 14.2.6.18
Central(config)# tacacs-server key W@t7a8y-2m@K3aKy
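The two commands above let a per-host key override the default key, and the guide requires the shared secret to be at least 16 characters. The following Python script is an added example (not part of this guide or of Cisco IOS) that reads the tacacs-server lines of a saved running-config, works out the effective key for each server host and flags keys that break the length rule. The 16-character minimum comes from the guide; the additional character-class check and the sample configuration are this example's own assumptions, and the parser assumes keys appear in clear text exactly as shown in the example above.

```python
import re
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

# Constructed sample of an IOS running-config excerpt (not taken from the guide).
SAMPLE_CONFIG = """\
!
hostname Central
!
tacacs-server host 14.2.6.18
tacacs-server host 14.2.6.19 port 4949 key short1
tacacs-server key W@t7a8y-2m@K3aKy
radius-server key W@t7a8y-2m@K3aKy
!
"""

MIN_KEY_LENGTH = 16  # the guide's rule: shared secret at least 16 characters
MIN_CHAR_CLASSES = 3  # assumption for this example, not a rule from the guide

# "tacacs-server host <host> [port <n>] [key <string>]" as shown in the guide
HOST_RE = re.compile(
    r"^tacacs-server host (?P<host>\S+)"
    r"(?: port (?P<port>\d+))?"
    r"(?: key (?P<key>\S+))?\s*$"
)
# "tacacs-server key <string>" sets the default key for all hosts
DEFAULT_KEY_RE = re.compile(r"^tacacs-server key (?P<key>\S+)\s*$")


@dataclass
class TacacsHost:
    host: str
    port: int = 49          # TACACS+ default port when none is given
    key: Optional[str] = None  # per-host key; overrides the default if set


def parse_tacacs(config: str) -> Tuple[List[TacacsHost], Optional[str]]:
    """Return (hosts, default_key) from the tacacs-server lines of an IOS config."""
    hosts: List[TacacsHost] = []
    default_key: Optional[str] = None
    for raw in config.splitlines():
        line = raw.strip()
        m = HOST_RE.match(line)
        if m:
            port = int(m["port"]) if m["port"] else 49
            hosts.append(TacacsHost(m["host"], port, m["key"]))
            continue
        m = DEFAULT_KEY_RE.match(line)
        if m:
            default_key = m["key"]
    return hosts, default_key


def key_problems(key: Optional[str]) -> List[str]:
    """List why a shared key fails the checks; an empty list means it passes."""
    if key is None:
        return ["no shared key configured"]
    problems: List[str] = []
    if len(key) < MIN_KEY_LENGTH:
        problems.append(f"key too short ({len(key)} < {MIN_KEY_LENGTH})")
    classes = sum([
        any(c.islower() for c in key),
        any(c.isupper() for c in key),
        any(c.isdigit() for c in key),
        any(not c.isalnum() for c in key),
    ])
    if classes < MIN_CHAR_CLASSES:
        problems.append(f"fewer than {MIN_CHAR_CLASSES} character classes")
    return problems


def audit_tacacs(config: str) -> Dict[str, List[str]]:
    """Map each TACACS+ server host to the findings for its effective key."""
    hosts, default_key = parse_tacacs(config)
    findings: Dict[str, List[str]] = {}
    for h in hosts:
        effective = h.key if h.key is not None else default_key
        findings[h.host] = key_problems(effective)
    return findings


if __name__ == "__main__":
    for host, problems in audit_tacacs(SAMPLE_CONFIG).items():
        status = "ok" if not problems else "; ".join(problems)
        print(f"{host}: {status}")
```

Run against the sample, the first host inherits the 16-character default key and passes, while the second host's per-host key "short1" is reported as too short and too simple. A host with neither a per-host key nor a default key is reported as having no shared key at all, which is the case a reviewer most wants to catch, since the router would then have nothing to protect its TACACS+ traffic with.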
TACACS+ implementations are available through Cisco Secure ACS, and Cisco also
offers a free implementation. TACACS+ uses attribute-value pairs for
controlling authentication and authorization services. These attribute-value pairs are
configured on the server and used by the router authorization mechanism to control
access to network services. For more details on the TACACS+ and attribute-value
pairs see the Security Configuration Guide sections "Configuring TACACS+" and
"TACACS+ Attribute-Value Pairs".