AAA configuration using TACACS+ (Cisco IOS and HP Procurve)

Basic configuration in IOS

aaa new-model
tacacs-server host 192.168.1.1 timeout 10 key sup36s3c63t
tacacs-server directed-request
aaa authentication login default group tacacs+ local enable
aaa authentication login SSH group tacacs+
aaa authentication login CONSOLE local
aaa authentication enable default group tacacs+ enable none
aaa authorization exec default group tacacs+ none
aaa authorization commands 15 default group tacacs+ none
aaa accounting exec default start-stop group tacacs+
aaa accounting commands 1 default start-stop group tacacs+
aaa accounting commands 15 default start-stop group tacacs+
aaa accounting network default start-stop group tacacs+
aaa accounting connection default start-stop group tacacs+
aaa accounting system default start-stop group tacacs+
aaa session-id common

line con 0
login authentication CONSOLE

line vty 0 4
login authentication SSH
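The AAA method lists above are ordered fallbacks: IOS tries each method left to right and moves to the next one only when the previous method returns an error (for example, no TACACS+ server answers), not when it returns a reject. That makes the last method in each list the one that decides what happens when the TACACS+ servers are unreachable. As an added example (not from the original post), the following Python script parses the AAA lines of a config and flags the two things a reviewer checks first: lists whose final method is `none` (fail-open, as with the `enable`, `exec` and `commands 15` lists above) and lists that contain only `group tacacs+` with no local fallback (lockout risk, as with the `SSH` list). The config text embedded in the script is the page's own IOS snippet reused as sample input; the function names are my own.

```python
"""Audit Cisco IOS AAA method lists for fail-open and lockout-prone fallbacks.

Added example, not code from the page. It parses 'aaa authentication' and
'aaa authorization' lines and classifies each method list by its last method.
"""
import re
from typing import Dict, List, Tuple

# The IOS snippet from the page, embedded here as sample input.
SAMPLE_CONFIG = """\
aaa new-model
tacacs-server host 192.168.1.1 timeout 10 key sup36s3c63t
aaa authentication login default group tacacs+ local enable
aaa authentication login SSH group tacacs+
aaa authentication login CONSOLE local
aaa authentication enable default group tacacs+ enable none
aaa authorization exec default group tacacs+ none
aaa authorization commands 15 default group tacacs+ none
aaa accounting exec default start-stop group tacacs+
line con 0
 login authentication CONSOLE
line vty 0 4
 login authentication SSH
"""

# aaa <authentication|authorization> <type> [level] <list-name> <method> ...
_AAA_RE = re.compile(
    r"^aaa (authentication|authorization) (login|enable|exec|commands(?: \d+)?) "
    r"(\S+) (.+)$"
)


def parse_method_lists(config: str) -> Dict[Tuple[str, str, str], List[str]]:
    """Return {(kind, type, list-name): [method, ...]} for every AAA line.

    'group <name>' pairs are kept as one token so the fallback order reads
    exactly as IOS evaluates it.
    """
    lists: Dict[Tuple[str, str, str], List[str]] = {}
    for raw in config.splitlines():
        m = _AAA_RE.match(raw.strip())
        if not m:
            continue
        kind, typ, name, rest = m.groups()
        tokens = rest.split()
        methods: List[str] = []
        i = 0
        while i < len(tokens):
            if tokens[i] == "group" and i + 1 < len(tokens):
                methods.append(f"group {tokens[i + 1]}")
                i += 2
            else:
                methods.append(tokens[i])
                i += 1
        lists[(kind, typ, name)] = methods
    return lists


def fail_open_lists(config: str) -> List[str]:
    """Method lists whose last method is 'none': access is granted without
    authentication/authorization once every earlier method errors out."""
    return [
        f"aaa {kind} {typ} {name}"
        for (kind, typ, name), methods in parse_method_lists(config).items()
        if methods and methods[-1] == "none"
    ]


def single_source_lists(config: str) -> List[str]:
    """Method lists that rely on TACACS+ alone: a server outage locks
    administrators out of whatever line uses them."""
    return [
        f"aaa {kind} {typ} {name}"
        for (kind, typ, name), methods in parse_method_lists(config).items()
        if methods == ["group tacacs+"]
    ]


def line_bindings(config: str) -> Dict[str, str]:
    """Map each 'line ...' stanza to the login list it uses ('default' if none)."""
    bindings: Dict[str, str] = {}
    current = None
    for raw in config.splitlines():
        line = raw.strip()
        if line.startswith("line "):
            current = line
            bindings[current] = "default"
        elif current and line.startswith("login authentication "):
            bindings[current] = line.split()[-1]
    return bindings


if __name__ == "__main__":
    print("fail-open lists:     ", fail_open_lists(SAMPLE_CONFIG))
    print("TACACS+-only lists:  ", single_source_lists(SAMPLE_CONFIG))
    print("line -> login list:  ", line_bindings(SAMPLE_CONFIG))
```

Run against the snippet above, the script reports the `enable`, `exec` and `commands 15` default lists as fail-open, and `SSH` as TACACS+-only, with `line vty 0 4` bound to it; whether those are acceptable depends on whether the console (bound to `CONSOLE`, local only) is reachable out of band during a server outage.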

Basic configuration in HP Procurve (as of version WB.15.12.0010)
HP-2920-24G-PoEP(config)# tacacs-server host 192.168.1.1 key sup36s3c63t
HP-2920-24G-PoEP(config)# aaa authentication console login tacacs local
HP-2920-24G-PoEP(config)# aaa authentication console enable tacacs local
HP-2920-24G-PoEP(config)# aaa authentication ssh login tacacs local
HP-2920-24G-PoEP(config)# aaa authentication ssh enable tacacs local

Tested using this TACACS+ config
Explanation for Cisco AAA Configuration
Explanation for HP Procurve AAA Configuration


    Hi,

    In this case, I want to allow editing of interface GigabitEthernet2/0/10 but not interface GigabitEthernet2/0/11. But it doesn't work.

    How can I resolve this issue?

    Here is my tacacs config file:

    user = oper {
        default service = deny
        login = cleartext test1
        service = exec {
            priv-lvl = 15
        }
        cmd = configure {
            permit terminal
        }
        cmd = interface {
            permit "interface GigabitEthernet2/0/10"
            deny "interface GigabitEthernet2/0/11"
        }
    }

    Thank you very much in advance for your answer.
    Best Regards,

    Vincent

  • GITESH A NAKANEKAR

    After completing the above config on the HP switch, when I log in I need to enter the username and password twice to get to the # prompt. Why is that, and what needs to be done to fix it?