TACACS_PLUS over IPSec
Marc Huber edited this page Feb 17, 2024 · 1 revision
As TACACS+-over-TLS is still not ready, TACACS+-over-IPSec might be worth considering. It may or may not be supported on your Network Access Device.
Strictly speaking, this isn't a TACACS+ feature, but just a matter of building a tunnel between your NAD and your server. For IOS-XE, you could just follow the Cisco Configure ISE 3.3 Native IPSec to Secure NAD (IOS-XE) Communication docs and complement it with, for example, a suitable strongSwan /etc/swanctl/conf.d/your-switch-name.conf:
```
connections {
    switch-1 {
        local_addrs = 10.48.23.85
        remote_addrs = 10.62.148.79
        local {
            auth = psk
            id = 10.48.23.85
        }
        remote {
            auth = psk
            id = 10.62.148.79
        }
        children {
            net-net {
                local_ts = 10.48.23.85/32
                remote_ts = 10.62.148.79/32
                esp_proposals = aes256-sha512-modp4096
            }
        }
        version = 2
        mobike = no
        proposals = aes256-sha512-modp4096
    }
}
secrets {
    ike-1 {
        id-1 = 10.62.148.79
        secret = cisco123
    }
}
```
(This may or may not work for you; I've tested this with differing IP addresses, but the Linux side of the configuration looked obvious enough.)
Please don't ask me for guidance on configuring strongSwan. I'd have to look that up, and I'm just not going to.
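As an added example (not part of this page or of the tac_plus-ng project), a small Python checker for a swanctl.conf like the one above: it parses the brace syntax and flags what would leave TACACS+ either weakly protected or outside the tunnel, namely a proposal using a weak algorithm, traffic selectors that do not contain the configured local/remote addresses, IKEv1, or a short pre-shared key. The WEAK_ALGS set and the 20-character PSK threshold are my own assumptions, not strongSwan defaults.

```python
import ipaddress
import re

WEAK_ALGS = {"null", "des", "3des", "md5", "sha1", "modp768", "modp1024", "modp1536"}  # assumed list

def parse_swanctl(text):
    """Parse swanctl.conf brace syntax into nested dicts; sections become dicts, options strings."""
    root = cur = {}
    stack = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        if line.endswith("{"):                      # section start
            stack.append(cur)
            cur = cur.setdefault(line[:-1].strip(), {})
        elif line == "}":                           # section end
            cur = stack.pop()
        else:
            key, _, val = line.partition("=")
            cur[key.strip()] = val.strip()
    return root

def weak_proposals(proposals):
    # Comma-separated proposals that contain an algorithm from WEAK_ALGS.
    return [p for p in proposals.split(",") if p and set(p.split("-")) & WEAK_ALGS]

def covers(addr, ts):
    # True if addr lies inside the first traffic selector in ts; a [proto/port] suffix is ignored.
    net = re.sub(r"\[.*?\]", "", ts.split(",")[0]).strip()
    return ipaddress.ip_address(addr) in ipaddress.ip_network(net, strict=False)

def audit(conf):
    """Findings that would leave TACACS+ weakly protected or routed outside the tunnel."""
    out = []
    for name, conn in conf.get("connections", {}).items():
        if conn.get("version") != "2":
            out.append(f"{name}: not IKEv2 (version = {conn.get('version')})")
        out += [f"{name}: weak IKE proposal {p}" for p in weak_proposals(conn.get("proposals", ""))]
        for cname, child in conn.get("children", {}).items():
            out += [f"{name}/{cname}: weak ESP proposal {p}" for p in weak_proposals(child.get("esp_proposals", ""))]
            for side in ("local", "remote"):        # server and NAD must both sit inside the selectors
                addr = conn.get(f"{side}_addrs", "").split(",")[0].strip()
                ts = child.get(f"{side}_ts")
                if addr and ts and not covers(addr, ts):
                    out.append(f"{name}/{cname}: {side}_addrs {addr} is outside {side}_ts {ts}")
    for name, sec in conf.get("secrets", {}).items():
        if len(sec.get("secret", "")) < 20:         # assumed minimum PSK length
            out.append(f"{name}: pre-shared key shorter than 20 characters")
    return out
```

Run it as `audit(parse_swanctl(open("/etc/swanctl/conf.d/your-switch-name.conf").read()))`; on the configuration above the only finding is the short pre-shared key.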