Tacacs on Cisco SG Switches

By | 07/09/2019

Although not my first choice in switches, the Cisco SG range of small business switches is a reliable, cost-effective choice if you need easy-to-manage devices. Unfortunately some of the more advanced features, such as Tacacs and Radius, are easier to configure from the CLI than from the GUI. To some the CLI is a terrifying place, but to network engineers and the like it is a faster, more efficient way of configuring hardware. The config below was used on a bunch of Cisco SG300-28P switches and a couple of Cisco SG500 switches. The Tacacs server is a TacacsGUI (https://tacacsgui.com/) instance hosted in a virtual environment, although the config should work for most Tacacs implementations. Your mileage may vary.

First, I highly recommend making sure the time on your devices is correct (or at least the same as on your Tacacs instance), otherwise the authentication and accounting logs on the two sides will not line up. If your timezone is GMT, the following config will work:

clock timezone GMT 0 minutes 0
clock summer-time web recurring eu
clock source sntp
sntp unicast client enable
sntp server <your choice on NTP provider>

Next, we need to add the AAA configuration. This tells the device to use Tacacs as the primary login method, followed by local login so you are not locked out if the Tacacs server is unreachable. I have specified SSH and HTTPS to use Tacacs then local but left the console as local (personal preference). You could, but shouldn't, use Telnet and HTTP as well.

ip http authentication aaa login-authentication https tacacs local
aaa authentication login authorization SSH tacacs local
aaa authentication enable authorization SSH tacacs enable
aaa authentication login Console local
aaa authentication enable Console enable
aaa accounting login start-stop group tacacs+
line ssh
login authentication SSH
enable authentication SSH

Finally, we need to configure the details for the Tacacs server. This includes the IP or hostname and the key used to authenticate the device (this should not be the only method of authenticating devices; ideally you should specify devices by their IP address and have some sort of access-list in front of the Tacacs box).

tacacs-server host <IP or Host> single-connection timeout 15 key <tacacs key> priority 1
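As an added example that is not part of the original post, here is a small Python check that reads a Cisco SG running-config and flags the points raised in the three steps above: Tacacs not first or no local fallback on the SSH and HTTPS lists, Telnet or plain HTTP in use, missing accounting, no SNTP server, or a tacacs-server line without a key. The sample config, addresses and key in it are constructed, not taken from the post.

```python
# Constructed sample: the page's config with placeholders filled in, plus two lines the checks should flag.
SAMPLE_CONFIG = """\
clock source sntp
sntp unicast client enable
sntp server 192.0.2.10
ip http authentication aaa login-authentication https tacacs local
ip http authentication aaa login-authentication http tacacs local
aaa authentication login authorization SSH tacacs local
aaa authentication enable authorization SSH tacacs enable
aaa authentication login Console local
aaa authentication enable Console enable
aaa accounting login start-stop group tacacs+
line ssh
login authentication SSH
enable authentication SSH
line telnet
tacacs-server host 192.0.2.20 single-connection timeout 15 key EXAMPLE-KEY priority 1
"""

def check_methods(lines, prefix, what):
    """Findings for one method list: tacacs must be first and local must follow it."""
    findings = []
    hits = [l[len(prefix):].split() for l in lines if l.startswith(prefix)]
    if not hits:
        return [f"{what}: no method list configured"]
    for methods in hits:
        if methods[:1] != ["tacacs"]:
            findings.append(f"{what}: tacacs is not the primary method")
        if "local" not in methods:
            findings.append(f"{what}: no local fallback, a TACACS outage locks you out")
    return findings

def audit_aaa_config(config_text):
    """Check a Cisco SG running-config against the setup described on the page."""
    lines = [l.strip() for l in config_text.splitlines() if l.strip()]
    findings = check_methods(lines, "aaa authentication login authorization SSH ", "SSH login")
    findings += check_methods(lines, "ip http authentication aaa login-authentication https ", "HTTPS login")
    if any(l.startswith("ip http authentication aaa login-authentication http ") for l in lines):
        findings.append("plaintext HTTP management uses AAA; disable HTTP instead")
    if "line telnet" in lines:
        findings.append("Telnet line is configured; use SSH only")
    if "aaa accounting login start-stop group tacacs+" not in lines:
        findings.append("no TACACS+ login accounting")
    if not any(l.startswith("sntp server ") for l in lines):
        findings.append("no SNTP server, logs will not line up with the TACACS server")
    for l in lines:
        if l.startswith("tacacs-server host ") and " key " not in l:
            findings.append("tacacs-server host without a key")
    return findings
```

Paste the output of `show running-config` into `audit_aaa_config` and an empty list means all of the checks above pass.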

This should give you basic login access using Tacacs for central authentication. You can also add lines in the AAA config to specify privilege levels such as 1, 7 or 15, as long as your Tacacs server has these configured too. You could add custom levels to give certain users access to specific commands or sets of commands as well.

As I mentioned before, your mileage may vary on this, but the config above is the basic set of commands required for a Tacacs setup.
