This is a general ROUTER config set up with tacacs+/ace authentication and accounting. Authentication is based on the ace values unless communication to the servers is blocked; if that happens, authentication falls back to the local machine values. Comments relevant to the authentication and accounting are headed by !%

To enable tacacs+ authentication for enable mode access, add the following line to the top of the config:

aaa authentication enable default tacacs+ enable

------------------------------------------------------------------------------
version 12.0
service timestamps debug uptime
service timestamps log uptime
no service password-encryption
!
hostname hostname-01
!
! initialize the aaa instance
aaa new-model
!%
!% create a login authentication type called secureid which will
!% look at tacacs+ first (to ace1 and ace2 below), then via the
!% normal internal password if the connection fails.
!%
aaa authentication login secureid tacacs+ line
!%
!% same idea as above, but on connect failure, require the enable
!% password instead. more useful for console filtering.
!%
aaa authentication login secureid2 tacacs+ enable
!%
!% create a set of accounting rules which will keep track of
!% enable level commands issued, and logon/logoff
!%
aaa accounting exec default start-stop tacacs+
aaa accounting commands 15 default start-stop tacacs+
aaa accounting network default start-stop tacacs+
aaa accounting system default start-stop tacacs+
enable secret 5 $1$vTdX$pZxxxxxxxxxxxxxxxxxxxxxxx
enable password enablepass
!
ip subnet-zero
no ip source-route
!% identify the auth servers
ip host ace2 192.168.180.1
ip host ace1 192.168.160.1
!
!
!
!
interface FastEthernet0/0
 ip address 10.10.40.2 255.255.255.0
 no ip directed-broadcast
 full-duplex
!
interface Serial0/0
 ip address 192.168.13.2 255.255.255.0
 no ip directed-broadcast
 no ip mroute-cache
 no fair-queue
 service-module t1 remote-alarm-enable
!
interface FastEthernet0/1
 no ip address
 no ip directed-broadcast
 shutdown
!
ip classless
ip route 10.10.0.0 255.255.0.0 10.10.40.1
ip route 10.10.10.0 255.255.255.0 10.10.40.1
ip route 10.10.30.0 255.255.255.0 10.10.40.1
ip route 192.168.0.0 255.255.0.0 192.168.13.1
no ip http server
!%
!% here we are identifying the auth servers in order of
!% primary and secondary. order is quite important.
!% the key value *must* be the same as defined in the file
!% /var/ace/ace/data/sdtacplus.cfg and the encryption key value
!% defined in the individual client account.
!%
tacacs-server host ace1
tacacs-server host ace2
tacacs-server key abc123
!
line con 0
 transport input none
!%
!% this is where console connection authentication is defined
!%
 login authentication secureid2
line aux 0
line vty 0 4
 exec-timeout 0 0
 password loginpass
!%
!% this is where the telnet connection authentication is defined
!%
 login authentication secureid
!
no scheduler allocate
end
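The points the comments above make (every login list needs a fallback method behind tacacs+, the tacacs-server names must resolve through ip host, and every line should name its authentication list) can be checked mechanically. The following is an added example, not part of the original config: a small audit over an IOS-style config text. The sample config is constructed from the AAA lines above plus one deliberately fallback-less list named noback; the exec-timeout finding reflects the vty setting in the config.

```python
import re

# Constructed sample: the AAA-relevant lines of the config above, plus a
# hypothetical list "noback" that has no method behind tacacs+.
SAMPLE_CONFIG = """\
aaa authentication login secureid tacacs+ line
aaa authentication login secureid2 tacacs+ enable
aaa authentication login noback tacacs+
ip host ace2 192.168.180.1
ip host ace1 192.168.160.1
tacacs-server host ace1
tacacs-server host ace2
line con 0
 login authentication secureid2
line aux 0
line vty 0 4
 exec-timeout 0 0
 login authentication secureid
"""
FALLBACKS = {"line", "enable", "local"}   # methods usable when TACACS+ is unreachable

def audit_aaa(config: str) -> list[str]:
    """Return findings about the TACACS+ login/fallback setup of an IOS-style config."""
    lists, hosts, tacacs, lines_cfg, cur = {}, set(), [], {}, None
    for raw in config.splitlines():
        if raw.startswith(" ") and cur:            # sub-command of the current 'line' block
            lines_cfg[cur].append(raw.strip()); continue
        cur = None
        if m := re.match(r"aaa authentication login (\S+) (.+)", raw):
            lists[m[1]] = m[2].split()
        elif m := re.match(r"ip host (\S+) ", raw):
            hosts.add(m[1])
        elif m := re.match(r"tacacs-server host (\S+)", raw):
            tacacs.append(m[1])
        elif m := re.match(r"line (.+)", raw):
            cur = m[1]; lines_cfg[cur] = []
    findings = []
    for name, methods in lists.items():            # tacacs+-only list: lockout when the servers are down
        if not FALLBACKS & set(methods[1:]):
            findings.append(f"list {name}: no fallback if TACACS+ is unreachable")
    for h in tacacs:                               # a name must resolve via 'ip host' (or be an address)
        if h not in hosts and not re.fullmatch(r"[\d.]+", h):
            findings.append(f"tacacs-server {h}: not resolvable via 'ip host'")
    for ln, subs in lines_cfg.items():
        ref = next((s.split()[-1] for s in subs if s.startswith("login authentication")), None)
        if ref is None:
            findings.append(f"line {ln}: no 'login authentication', uses the default list")
        elif ref not in lists:
            findings.append(f"line {ln}: references undefined list {ref}")
        if "exec-timeout 0 0" in subs:
            findings.append(f"line {ln}: exec-timeout 0 0, idle sessions never expire")
    return findings
```

Run it against a saved `show running-config` to see which lines would still be reachable, and how, when ace1 and ace2 cannot be contacted.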