How to use Tacacs+ on Cisco ASA for Shell and Web Authentication
Assume the Tacacs+ Servers are:
| Server | IP address |
|---|---|
| Cisco ACS Server 1 | 10.120.10.11 |
| Cisco ACS Server 2 | 10.120.10.12 |
```
aaa-server AAA-TACACS+ protocol tacacs+
!
aaa-server AAA-TACACS+ (Management) host 10.120.10.11 key YYYYXXXYYY
!
aaa-server AAA-TACACS+ (Management) host 10.120.10.12 key YYYYXXXYYY
!
! Delete the old local-only configuration
no aaa authentication http console LOCAL
no aaa authentication ssh console LOCAL
!
aaa authentication http console AAA-TACACS+ LOCAL
aaa authentication ssh console AAA-TACACS+ LOCAL
aaa authentication enable console AAA-TACACS+ LOCAL
aaa authorization command AAA-TACACS+ LOCAL
!
```
If you have already configured AAA for SSH, you might see something like this:

```
asa1(config)# aaa authentication ssh console AAA-TACACS+ LOCAL
Range already exists.
```

In that case you must first remove the existing AAA authentication line and then add the new settings:

```
no aaa authentication ssh console LOCAL
aaa authentication ssh console AAA-TACACS+ LOCAL
```
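As an added example (not part of the original post), here is a small Python check that parses an ASA config fragment and flags the mistakes this procedure guards against: a method list still pointing at LOCAL only, a missing LOCAL fallback (lockout risk if both TACACS+ servers are unreachable), and a server group with a single host. The two sample configs are constructed from the values above; `audit_aaa` and the regexes are hypothetical, not a Cisco tool.

```python
import re

# Constructed sample: the final configuration from the article (placeholder key).
GOOD_CONFIG = """\
aaa-server AAA-TACACS+ protocol tacacs+
aaa-server AAA-TACACS+ (Management) host 10.120.10.11 key YYYYXXXYYY
aaa-server AAA-TACACS+ (Management) host 10.120.10.12 key YYYYXXXYYY
aaa authentication http console AAA-TACACS+ LOCAL
aaa authentication ssh console AAA-TACACS+ LOCAL
aaa authentication enable console AAA-TACACS+ LOCAL
aaa authorization command AAA-TACACS+ LOCAL
"""

# Constructed sample: ssh was left on LOCAL only and the second server is missing.
WEAK_CONFIG = """\
aaa-server AAA-TACACS+ protocol tacacs+
aaa-server AAA-TACACS+ (Management) host 10.120.10.11 key YYYYXXXYYY
aaa authentication http console AAA-TACACS+ LOCAL
aaa authentication ssh console LOCAL
aaa authentication enable console AAA-TACACS+ LOCAL
aaa authorization command AAA-TACACS+ LOCAL
"""

# The four AAA statements the article expects, as (kind, service).
REQUIRED = [("authentication", "http"), ("authentication", "ssh"),
            ("authentication", "enable"), ("authorization", "command")]

def audit_aaa(config: str) -> list:
    """Return a list of findings; an empty list means the config matches the intended design."""
    findings = []
    lines = [line.strip() for line in config.splitlines() if line.strip()]
    groups = set()          # server groups declared with "protocol tacacs+"
    hosts = {}              # group name -> list of host addresses
    for line in lines:
        m = re.match(r"aaa-server (\S+) protocol tacacs\+$", line)
        if m:
            groups.add(m.group(1))
        m = re.match(r"aaa-server (\S+) \(\S+\) host (\S+)", line)
        if m:
            hosts.setdefault(m.group(1), []).append(m.group(2))
    for g in sorted(groups):
        if len(hosts.get(g, [])) < 2:
            findings.append(f"group {g}: fewer than two hosts, no server redundancy")
    # Method lists: "aaa authentication ssh console GROUP LOCAL" / "aaa authorization command GROUP LOCAL"
    methods = {}
    for line in lines:
        m = re.match(r"aaa (authentication|authorization) (\S+)(?: console)? (.+)$", line)
        if m:
            methods[(m.group(1), m.group(2))] = m.group(3).split()
    for kind, svc in REQUIRED:
        chain = methods.get((kind, svc))
        if chain is None:
            findings.append(f"{kind} {svc}: not configured")
        elif chain[0] not in groups:
            findings.append(f"{kind} {svc}: first method is {chain[0]}, not a TACACS+ group")
        elif "LOCAL" not in chain:
            findings.append(f"{kind} {svc}: no LOCAL fallback, lockout risk if TACACS+ is unreachable")
    return findings
```

Run it against a copy of `show running-config aaa` pasted into a string before you close your working session, so a leftover LOCAL-only line or a missing fallback is caught while you can still fix it.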
Whether you found this helpful or not, please leave a comment.
