In this lesson, we will learn to configure TACACS server for AAA authentication in Cisco IOS XR software. We will be using release 7.0.x for this tutorial. So, let’s get started.
Here important to note that, AAA is available by default as a part of the base software package in Cisco IOS-XR.
Configure of TACACS+ on Cisco IOS XR
We are using out-of-band management using interface MgmtEth0/RSP0/CPU0/0 in our 9K box. So, very first command will be to declare management interface MgmtEth0/RSP0/CPU0/0 as a source interface with our management VRF.
RP/0/RSP0/CPU0:LetsConfig(config)#tacacs source-interface MgmtEth0/RSP0/CPU0/0 vrf MGMT
In the next section, we will add our tacacs server. Before adding it’s recommended to make sure we have reachability to TACACS server using 49 port (default tacacs port). If you are using any other port, then need to make sure it’s allowed on the network.
RP/0/RSP0/CPU0:LetsConfig(config)#aaa group server tacacs+ AAAlogin RP/0/RSP0/CPU0:LetsConfig(config-sg-tacacs)#server-private 10.10.10.10 port 49 RP/0/RSP0/CPU0:LetsConfig(config-sg-tacacs)# vrf MGMT
Here, we are using “server-private” which allow to add seperate TACACS server for each VRF.
Now, we will tell our device to authenticate TACACS server first and then others. Here, if TACACS server fails, then it will allow local credentials.
RP/0/RSP0/CPU0:LetsConfig(config)#aaa authentication login default group AAAlogin local
We also can add authorization and accounting configuration just like below-
aaa authorization commands default group AAAlogin none aaa accounting exec default start-stop group AAAlogin aaa accounting system default start-stop group AAAlogin aaa accounting commands default start-stop group AAAlogin
Next part will be to commit the configuration. However, if you made any mistake in the configuration, then you will loss your connection to the device. So, it’s always recommended to take advantage of “commit confirmed” command, which will force running configuration to rollback automatically after a certain time.
RP/0/RSP0/CPU0:LetsConfig(config)#commit confirmed minutes 5
Here we are using 5 minutes, which is enough to commit if everything works fine. Finally, commit the configuration using “commit” command.
RP/0/RSP0/CPU0:LetsConfig(config)#commit
You can use Cisco Configuration Guide as reference.
Informative