Monitoring & Securing your Cisco devices with Syslog & TACACS + Server – Basics

While deploying logging and authentication solution for a company, I came across a very interesting technology called TACACS + and Syslog. Though I have worked with Syslog previously but TACACS was a new protocol for me. Now, why suddenly someone would deploy these two protocols and also at the same time? Yes… you guessed it right – SECURITY was the main reason behind the deployment of these two.

First of all TACACS is an Authentication, Authorization and Accounting (AAA) server used for centralised authentication of users for device management unlike RADIUS servers used mainly for user authentication for wire and wireless network access.

Coming to the syslog portion, I can definitely say that all network admins must implement syslog server for better monitoring of their devices and take immediate action on any emergency incident. You won’t believe what I found after I enabled syslog for one of our cisco switch – NUMEROUS BRUTE-FORCE ATTACKS !!! Those attacks generated mainly from China and Hong Kong based IP Address. We all know that there are 7 types of facility. A facility is used to specify what type of program is logging the message. This lets the configuration file specify that messages from different facilities will be handled differently. The list of facilities available are:

Value Severity Keyword Description / Examples
0 Emergency emerg Multiple apps/servers/sites. This level should not be used by applications.
1 Alert alert Should be corrected immediately, An example might be the loss of the primary ISP connection.
2 Critical crit May be used to indicate a failure in the system’s primary application.
3 Error err An application has exceeded it file storage limit and attempts to write are failing.
4 Warning warning May indicate that an error will occur if action is not taken, For example a non-root file system has only 2GB remaining .
5 Notice notice Events that are unusual but not error conditions .
6 Informational info Normal operational messages -no action required. Example an application has started, paused or ended successfully.
7 Debugging debug Info useful to developers for debugging the application.

Now, if you want to know more about about these protocols just Google it and you will find a whole lot of resources.

Tools Required:

1) Kiwi Syslog Server (Trial/License required)
2) TACACS + Server (Free)
3) GNS3 Server with 7200 IOS (just for lab)

Steps for enabling syslog for level 7 in Cisco 7200 router:

conf t 
no logging console
logging facility local7
logging trap 7
logging userinfo
login on-failure log
login on-success log

The above code snippet is quite self explanatory:
1) We mention the syslog server IP.
2) We disable displaying logging messages on console as it looks cluttered.
3) We enable logging for facility  7 (all syslog messages).
4) We enable trap for level7 (all traps).
5) We track user login information (important for tracking user login actions).

Additional commands to keep track of configuration changes by your employees:

conf t 
log config
logging enable
notify syslog

Well done! Let’s look at the output.


Steps for enabling TACACS + Authentication in Cisco 7200 router:

1) Install Tacacs + Server as usual accepting license agreements and all,
2) When asked for password, give a password. [ex: cisco] This will be used for connecting clients to Tacacs + Server.
3) Click finish.
4) From run -> services.msc. Scroll down to Tacacs + service. It must be in started mode. If not, manually start it.
5) Then from start menu -> -> Configuration. All the files related to Tacacs + configuration will be shown.
6) Right click on Tacplus.xml and select properties. Uncheck the “Read-Only” option. Click Apply -> Ok.
7) If you want to enable syslog server logging for Tacacs + then open tacplus.xml. Remove the comment mark <!–and –> from the line saying Syslog Host=”… and in host put IP of the Syslog Server.
Also, change <LocalIP> to your NIC’s IP as the Tacacs + Server will run on this interface. If you keep then the router will not be able to authenticate with Tacacs + Server.
8) Now add a user in the authentication.xml file. Open authentication.xml and remove comments from User group and give desired username and password. Remember these users created exists only in the Tacacs Plus server.
79) In the mean while you can see syslog messages appear in your syslog server console which indicates correct syslog configuration.

10) Now on our routers we issue the following commands.

config t
interface fa0/0
ip address
no shut
line vty 0 4
transport input ssh
enable secret cisco
username john password 0 john
username kim password 0 kim
ip domain name
aaa new-model
aaa authentication login default group tacacs+ local
aaa authentication enable default group tacacs+ enable
aaa authorization exec default group tacacs+ local
tacacs server demo_tac
address ipv4
key 0 cisco

11) Let me give you a brief explanation of what I did in the previous step.

  • Configured IP address for a interface fa0/0
  • We disabled telnet and enabled only SSH for vty 0 4 for security reasons.
  • We gave an enable password which will be used in case our Tacacs + Server is not accessible.
  • We created two local backup users for emergency access.
  • Assigned a domain name to our router. [Optional]
  • Configured router aaa to allow only new aaa commands and disable old ones.
  • For login authentication we gave first preference to Tacacs + Sever and second preference to local users.
  • For enable authentication  we gave first preference to Tacacs + Sever and second preference to enable password entered previously.
  • For authorization in executable mode we gave first preference to Tacacs + Server and second preference to local users.
  • We configured Tacacs + server and assigned IP address of our Tacacs + Server and gave key to authenticate with it.

12) Now let’s verify our configurations. [If you are trying this in your GNS3 lab disable windows firewall or you will not be able to authenticate.]

Scenario 1 – Authentication with Tacacs+ Sever enabled with Tacacs + Users.
Scenario 2 – Authentication with Tacacs+ Sever enabled with router’s local Users.
Scenario 3 – Authentication with Tacacs+ Sever disabled with Tacacs + Users.
Scenario 4 – Authentication with Tacacs+ Sever disabled with router’s local Users.

That’s it. We have now successfully configured TACACS + Server authentication along with Syslog Logging.

If you are interested to know more about authentication commands and their uses Cisco has a great article on it here.

Enjoyed this post? Share it!