Configure routers to use ACS

You can use either Cisco Configuration Professional (CCP) or the CLI to configure a router to use Cisco ACS for AAA. Here are the steps to configure a router to use ACS from the command line:

1. Enable AAA using the aaa new-model global configuration command.

2. Instruct the router to use AAA authentication for terminal logins using the aaa authentication login default group tacacs+ local command. This command specifies two authentication methods that will be used by the router: the tacacs+ keyword specifies that the ACS server will be used as the first authentication method, and the local keyword specifies that the locally defined user accounts will be used for authentication if the ACS server is not available.

3. To allow users to enter the enable mode, use the aaa authorization exec default group tacacs+ local command.

4. Configure a TACACS+ server that the router will use with the tacacs-server host IP_ADDRESS key PASSWORD command.

5. Enforce AAA authentication and authorization on the vty lines using the authorization exec default and login authentication default commands.

Here is our example configuration:

[Image: configure router to use ACS]
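A small Python check for steps 1-5, added here as an example (it is not from the original page): it scans a configuration for the AAA commands listed above and flags any vty line that names a method list other than default. The sample configuration, the address 192.0.2.10, the key, the local admin account and the function name audit are assumptions; the username check is there because the local fallback only works if a local account exists.

```python
import re

# Constructed sample of the commands from steps 1-5; the server address,
# key and local account are placeholders, not values from the page.
SAMPLE_CONFIG = """\
aaa new-model
aaa authentication login default group tacacs+ local
aaa authorization exec default group tacacs+ local
username admin secret LOCAL_PASSWORD
tacacs-server host 192.0.2.10 key PASSWORD
line vty 0 4
 authorization exec default
 login authentication default
"""

# Steps 1-4, plus the local account that the "local" fallback method needs.
GLOBAL_CHECKS = {
    "aaa new-model": r"aaa new-model$",
    "login method list": r"aaa authentication login default group tacacs\+ local$",
    "exec method list": r"aaa authorization exec default group tacacs\+ local$",
    "tacacs server": r"tacacs-server host \S+ key \S+",
    "local fallback user": r"username \S+ ",
}
# Step 5: a vty line naming any list other than "default" bypasses the lists above.
VTY_OVERRIDE = re.compile(r"(login authentication|authorization exec) (?!default$)(\S+)")

def audit(config):
    """Return a sorted list of findings; an empty list means all checks pass."""
    lines = config.splitlines()
    findings = [f"missing: {name}" for name, pat in GLOBAL_CHECKS.items()
                if not any(re.match(pat, l.rstrip()) for l in lines)]
    section, seen_vty = None, False
    for raw in lines:
        if not raw.startswith(" "):  # a top-level command starts a new section
            section = raw.strip() if raw.startswith("line vty") else None
            seen_vty = seen_vty or section is not None
        elif section:
            m = VTY_OVERRIDE.match(raw.strip())
            if m:
                findings.append(f"{section}: {m.group(1)} uses list {m.group(2)}")
    if not seen_vty:
        findings.append("missing: line vty section")
    return sorted(findings)

if __name__ == "__main__":
    print(audit(SAMPLE_CONFIG) or "all checks pass")
```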

We can now try to access our router and log in with a user that was created on our ACS server:

[Image: AAA login successful]

As you can see from the picture above, we’ve successfully logged in using the user Administrator that was defined on the ACS server.

Geek University 2022