10.10.10.10 - TACACS+ AAA server
20.20.20.2 - router loopback IP (used as the TACACS+ source address)
Juniper (Junos, hierarchical format):
/* Hierarchy note: this listing closes "system {" right after host-name, but
   authentication-order, root-authentication, tacplus-server and accounting
   are all [edit system] statements (the set-format rendering of the same
   configuration spells them as "set system ..."). The braces shown here are
   not a faithful rendering of the hierarchy; the accounting and firewall
   blocks are also left unclosed. */
system {
host-name JUNIPER-ROUTER1;
}
/* Method order: TACACS+ first, then local passwords. Because "password" is
   listed as a later method, local authentication is consulted when the
   TACACS+ server is unreachable and, on Junos, also when it rejects the
   user — confirm this fail-back matches the intended policy. */
authentication-order [ tacplus password ];
/* "## SECRET-DATA" is a Junos display annotation, not configuration. The
   values in this listing are placeholders; a saved configuration that
   carries real encrypted-password / secret values is itself sensitive. */
root-authentication {
encrypted-password "$r00tp44sw0rdh3r3/1"; ## SECRET-DATA
}
/* TACACS+ server for authentication/authorization. single-connection
   multiplexes sessions over one TCP connection; source-address pins the
   client address to the loopback (20.20.20.2), presumably so the server
   always sees the same client regardless of egress interface. */
tacplus-server {
10.10.10.10 {
secret "$4ut0g3n3r4t3t4c4c5p455w0rd1"; ## SECRET-DATA
single-connection;
source-address 20.20.20.2;
}
}
/* Accounting of interactive CLI commands, sent to the same server.
   NOTE(review): the accounting secret ("...p455w0rd2") differs from the
   tacplus-server secret ("...p455w0rd1") for the same server address;
   confirm the AAA server really holds both values, or use one value. */
accounting {
events interactive-commands;
destination {
tacplus {
server {
10.10.10.10 {
secret "$4ut0g3n3r4t3t4c4c5p455w0rd2"; ## SECRET-DATA
single-connection;
source-address 20.20.20.2;
}
}
/* Routing-engine protection filter: accept TCP port tacacs (49) from the
   trusted server only. "port" matches either the source or the destination
   port. Only this one term is shown; the remaining terms of FIREWALL-RE and
   its application to an interface (typically lo0) are not part of this
   listing. NOTE(review): the set-format rendering of this term also lists
   20.20.20.2/32 as a source, which this rendering does not — the two
   disagree; confirm which is intended. */
firewall {
family inet {
filter FIREWALL-RE {
/* TRUSTED TACACS */
term TACACS-ACL {
from {
source-address {
10.10.10.10/32;
}
protocol tcp;
port tacacs;
}
then {
count TACACS-ACL;
accept;
}
}
The same Juniper configuration in set format:
# Set-format rendering. Each line is "set <hierarchy> <value>", so the
# [edit system] placement of authentication-order, root-authentication,
# tacplus-server and accounting is explicit here.
set system host-name JUNIPER-ROUTER1
# Two set lines build the ordered method list [ tacplus password ]:
# TACACS+ first, local password as the fallback.
set system authentication-order tacplus
set system authentication-order password
# Placeholder secrets. A configuration containing real encrypted-password
# and secret values must be handled as sensitive data.
set system root-authentication encrypted-password "$r00tp44sw0rdh3r3/1"
# Authentication/authorization server: one multiplexed TCP connection,
# sourced from the loopback 20.20.20.2.
set system tacplus-server 10.10.10.10 secret "$4ut0g3n3r4t3t4c4c5p455w0rd1"
set system tacplus-server 10.10.10.10 single-connection
set system tacplus-server 10.10.10.10 source-address 20.20.20.2
# Accounting destination: same server address but a different secret than
# the tacplus-server lines — confirm the AAA server is configured for both.
set system accounting destination tacplus server 10.10.10.10 secret "$4ut0g3n3r4t3t4c4c5p455w0rd2"
set system accounting destination tacplus server 10.10.10.10 single-connection
set system accounting destination tacplus server 10.10.10.10 source-address 20.20.20.2
# Routing-engine filter term accepting TCP port tacacs (49); "port" matches
# source or destination port. NOTE(review): this rendering lists both the
# server 10.10.10.10/32 and the router's own loopback 20.20.20.2/32 as
# sources, while the hierarchical listing has only 10.10.10.10/32. The two
# disagree; a source match on the router's own loopback admits packets that
# merely claim to come from the router, so confirm it is actually needed.
# Only this term is shown; the rest of FIREWALL-RE and its application to an
# interface are not part of this listing.
set firewall family inet filter FIREWALL-RE term TACACS-ACL from source-address 10.10.10.10/32
set firewall family inet filter FIREWALL-RE term TACACS-ACL from source-address 20.20.20.2/32
set firewall family inet filter FIREWALL-RE term TACACS-ACL from protocol tcp
set firewall family inet filter FIREWALL-RE term TACACS-ACL from port tacacs
set firewall family inet filter FIREWALL-RE term TACACS-ACL then count TACACS-ACL
set firewall family inet filter FIREWALL-RE term TACACS-ACL then accept
Cisco:
IOS:
aaa authentication login VTY group tacacs+ line
! Cisco IOS. The named login list "VTY" (line above) only takes effect once
! applied under the vty lines with "login authentication VTY", which this
! listing does not show. Both it and the enable list below try TACACS+
! first and fall back to the line/enable password; IOS moves to the next
! method only when no server responds — an explicit reject is final.
aaa authentication enable default group tacacs+ enable
! Command authorization for privilege levels 1 and 15 only (levels 2-14 are
! not covered here). "none" as the last method means commands run without
! authorization when no TACACS+ server answers, i.e. fail-open.
aaa authorization commands 1 default group tacacs+ none
aaa authorization commands 15 default group tacacs+ none
! Accounting of exec sessions and level 1/15 commands.
aaa accounting exec default start-stop group tacacs+
aaa accounting commands 1 default start-stop group tacacs+
aaa accounting commands 15 default start-stop group tacacs+
! Legacy global server syntax. "key 7 <value>" expects an already type-7
! encoded string; type 7 is a reversible obfuscation, so any backup or
! export containing it must be protected like the plaintext key. The value
! here is a placeholder.
tacacs-server host 10.10.10.10 single-connection
tacacs-server key 7 1234567890
! Source TACACS+ traffic from Loopback0 — presumably the 20.20.20.2 address
! from the legend; the interface's address is not shown here.
ip tacacs source-interface Loopback0
IOS-XE:
! Cisco IOS-XE. Same method lists as the IOS example: the named list "VTY"
! must still be applied under the vty lines with "login authentication VTY"
! (not shown). Fallback to the line/enable password happens only when no
! TACACS+ server responds; a reject is final.
aaa authentication login VTY group tacacs+ line
aaa authentication enable default group tacacs+ enable
! Command authorization for levels 1 and 15 only; the trailing "none" makes
! authorization fail-open when no server answers.
aaa authorization commands 1 default group tacacs+ none
aaa authorization commands 15 default group tacacs+ none
! Accounting of exec sessions and level 1/15 commands.
aaa accounting exec default start-stop group tacacs+
aaa accounting commands 1 default start-stop group tacacs+
aaa accounting commands 15 default start-stop group tacacs+
! Newer per-server syntax. "group tacacs+" in the lists above uses all
! configured TACACS+ servers, so this block is what they resolve to. Unlike
! the IOS example, no single-connection is configured here. "key 7" takes a
! type-7 encoded (reversible) string; the value is a placeholder, and the
! configuration must be treated as sensitive because of it.
tacacs server TACACS-SERVER
address ipv4 10.10.10.10
key 7 1234567890
! Source TACACS+ traffic from Loopback0 (address not shown here).
ip tacacs source-interface Loopback0
Nexus (NX-OS):
! Cisco NX-OS. Assumes "feature tacacs+" is already enabled (not shown).
! Both the default login list (SSH/telnet) and the console use server group
! "tacacs", defined at the bottom of this block. What happens when every
! server is unreachable depends on the platform's fallback settings — confirm
! the console still has a working local path before relying on this.
aaa authentication login default group tacacs
aaa authentication login console group tacacs
! Command and config-command authorization via TACACS+, with "local" as the
! final method when no server answers.
aaa authorization config-commands default group tacacs local
aaa authorization commands default group tacacs local
aaa accounting default group tacacs
! CFS distribution of the TACACS+ configuration to other fabric members —
! presumably only wanted in a CFS-enabled fabric; confirm before copying.
tacacs+ distribute
! Sourced from mgmt0, which lives in the management VRF: the AAA server must
! be reachable from that VRF. This differs from the loopback used in the
! other platforms' examples.
ip tacacs source-interface mgmt0
! NOTE(review): "key 7" expects an already type-7 encoded string, but
! "tacacs_pass" looks like a plaintext value; entered verbatim it is likely
! to be taken as encoded and not match the server's key. For a cleartext
! key use "key 0 <value>" (the device stores it encoded). Type 7 is
! reversible either way, so treat the saved configuration as sensitive.
tacacs-server host 10.10.10.10 key 7 "tacacs_pass"
! Server group "tacacs", referenced by the method lists above.
aaa group server tacacs+ tacacs
server 10.10.10.10
IOS-XR:
! Cisco IOS-XR. The named lists "VTY" only take effect once referenced from
! a line template ("line default" / "line template ...") with the matching
! authentication, authorization and accounting statements — not shown here.
aaa accounting exec VTY start-stop group tacacs+
aaa accounting commands VTY start-stop group tacacs+
! "none" as the final authorization method: fail-open when no server responds.
aaa authorization exec VTY group tacacs+ none
aaa authorization commands VTY group tacacs+ none
! Authentication falls back to the line password, then local users, when the
! TACACS+ server is unreachable.
aaa authentication login VTY group tacacs+ line local
! Source from Loopback0 in the default VRF; the server must be reachable there.
tacacs source-interface Loopback0 vrf default
! Per-server key. Port 49 is the default TACACS+ port. "key 7" holds a
! type-7 encoded string, which is reversible — the value here is a
! placeholder, and real configurations containing it are sensitive.
tacacs-server host 10.10.10.10 port 49
key 7 1234567890123456789