Using TACACS+ Authentication
06 Jul 2022
Article Summary

You can use a TACACS+ server to authenticate users. When TACACS+ authentication is enabled, the Skylight sensor: control supports Authentication and Authorization as configured on the TACACS+ server. A TACACS+ server can be useful if you want to centrally manage user accounts instead of managing them separately on each sensor: control. A sensor: control can be configured to connect to a second TACACS+ server, allowing for TACACS+ server redundancy.

Configuring TACACS+ Session Parameters

▶ To configure TACACS+ session parameters

  1. Access the page System ▶ Session ▶ TACACS+.

    The TACACS+ Configuration form displays.

  2. Complete the required fields, then click Apply.

    For information, see TACACS+ Configuration Parameters.

TACACS+ Configuration Parameters

This section describes the TACACS+ Configuration form parameters.

General

Authentication Method
    Authentication method used when the sensor: control authenticates against the TACACS+ server.

    Available options:
      • PAP: Password Authentication Protocol
      • CHAP: Challenge-Handshake Authentication Protocol
      • ASCII: American Standard Code for Information Interchange

TACACS+ Timeout
    Time, in seconds, that the TACACS+ client waits for a response before retrying the connection.

    After the specified number of retries has been exhausted, a connection to the next configured server is attempted, using the same timeout and retry scheme.

TACACS+ Retries
    Number of times to retry the server before attempting to connect to the next configured TACACS+ server.

Show Advanced Settings
    Select to display the TACACS+ Service Name and TACACS+ Privilege Level Attribute parameters.

TACACS+ Service Name
    Name of the service to pass to TACACS+ for authorization.

    Appears when you select Show Advanced Settings.

    Default value: shell

TACACS+ Privilege Level Attribute
    Attribute to extract from the authorization response to determine the privilege level of the user requesting authentication.

    Appears when you select Show Advanced Settings.

    Default value: priv-lvl

Server-1 / Server-2

Host
    TACACS+ server's host name or IP address.

    Note: To disable this server, enter 0.0.0.0 or :: as the address.

Port
    TCP port on the TACACS+ server to connect to.

Secret
    Shared secret for this TACACS+ server.

    Maximum length: 64 characters

Show Secret
    Select to display the shared secret for this TACACS+ server in plain text.

Source Address
    Optional bind address associated with this TACACS+ client.

    Note: This parameter is only used when the TACACS+ server validates the address of the Skylight sensor: control.
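As an added example (not Accedian's code) of how the Timeout, Retries and disable-address settings above combine, the following Python models the order in which the client works through Server-1 and Server-2 and the longest a login can hang when every server stays silent. It assumes each server gets one initial attempt plus the configured number of retries, that every attempt waits the full timeout, and that the server entries and the names attempt_plan and worst_case_seconds are illustration only.

```python
from dataclasses import dataclass
from typing import List, Tuple

# Host values the page says disable a Server-1 / Server-2 entry.
DISABLED_HOSTS = {"0.0.0.0", "::"}


@dataclass(frozen=True)
class TacacsServer:
    host: str
    port: int = 49  # IANA-assigned TACACS+ port


def enabled_servers(servers: List[TacacsServer]) -> List[TacacsServer]:
    """Keep only entries whose Host is not one of the disable addresses."""
    return [s for s in servers if s.host not in DISABLED_HOSTS]


def attempt_plan(servers: List[TacacsServer], timeout: float,
                 retries: int) -> List[Tuple[str, int, float]]:
    """Ordered (host, attempt_no, seconds elapsed when that attempt times out)
    if every server stays silent: one initial try plus `retries` retries per
    server, then the next configured server with the same scheme (assumption)."""
    if timeout <= 0 or retries < 0:
        raise ValueError("timeout must be > 0 and retries >= 0")
    plan, elapsed = [], 0.0
    for srv in enabled_servers(servers):
        for attempt in range(1, retries + 2):
            elapsed += timeout
            plan.append((srv.host, attempt, elapsed))
    return plan


def worst_case_seconds(servers: List[TacacsServer], timeout: float,
                       retries: int) -> float:
    """Longest a login can hang before the client has given up on all servers."""
    plan = attempt_plan(servers, timeout, retries)
    return plan[-1][2] if plan else 0.0


if __name__ == "__main__":
    # Constructed sample: Server-1 has a documentation address, Server-2 is
    # disabled with :: so it is skipped entirely.
    servers = [TacacsServer("192.0.2.10"), TacacsServer("::")]
    for host, n, t in attempt_plan(servers, timeout=5, retries=2):
        print(f"{host}: attempt {n} times out at t={t:.0f}s")
    print("worst case before giving up:", worst_case_seconds(servers, 5, 2), "s")
```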

TACACS+ Server Configuration Examples

The following examples are configurations for the TACACS+ server, not for the Skylight sensor: control. They can be applied to a tac_plus server; configuration values may differ for other servers.

Logging in is a two-part process. First, the user is authenticated. Once authenticated, the user may be authorized to gain rights on the system. The server should return AV (attribute-value) pairs for the requested service name.

The first attribute, the privilege level (usually priv-lvl), is evaluated first. This attribute is a numerical value that should be between 0 and 15. On this system, a value of 15 grants Admin rights (All-show, All-Add, All-edit), and all other values grant Viewer rights (All-show). If the configured privilege level attribute is not found in the response, the login attempt is refused because the required AV pair was not supplied by the server.

The second attribute, the privilege list (accedian-priv-list), is evaluated next. It is optional and is ignored if the privilege level is already 15 (Admin). Its purpose is to provide a fine-grained permissions mechanism: the permissions are the same as those that can be configured locally on the Skylight sensor: control. The value is a comma-separated list of case-sensitive tokens, which can be a mix of locally defined user permission groups and individual privileges.

Note: You cannot view TACACS+ assigned permissions with the CLI or Web-based interface.

Following are configuration examples for the TACACS+ Server using these attributes.

▶ To assign a user to the built-in Admin group

    user = tacadmin {
        login = cleartext tacadmin
        pap = cleartext tacadmin
        name = "Test Admin"
        # The 'shell' service requested by the sensor: control is
        # referred to as 'exec' in the tac_plus configuration.
        service = exec {
            # 15 grants Admin rights on the sensor: control
            priv-lvl = 15
        }
    }

▶ To assign a user viewer-only privileges

    user = tacviewer {
        login = cleartext tacviewer
        pap = cleartext tacviewer
        name = "Test Tac Viewer"
        # The 'shell' service requested by the sensor: control is
        # referred to as 'exec' in the tac_plus configuration.
        service = exec {
            # any value other than 15 grants Viewer rights
            priv-lvl = 1
        }
    }

▶ To assign a user a customized set of privileges

    user = taccfm {
        login = cleartext taccfm
        pap = cleartext taccfm
        name = "Test Tac User CFM"
        # The 'shell' service requested by the sensor: control is
        # referred to as 'exec' in the tac_plus configuration.
        service = exec {
            # Viewer level plus a comma-separated, case-sensitive
            # list of local permission groups and/or privileges
            priv-lvl = 1
            accedian-priv-list = CFM,PAA
        }
    }

If a user is authenticated by TACACS+, but no attributes are specified in the server configuration, the permissions will be set as follows:

  • If the username exists locally: Local permissions, as configured on the Skylight sensor: control
  • If the username does not exist locally: Viewer-only permissions
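As an added example (not Accedian's code), the following Python models the permission mapping described in this section: parsing the AV pairs of an authorization reply, the priv-lvl / accedian-priv-list evaluation order, refusal when the privilege level attribute is missing, and the fallback rules above. It assumes that "no attributes specified" means a reply carrying no AV pairs at all, that a non-numeric or out-of-range priv-lvl is also refused, and that the names parse_av_pairs, effective_permissions and LoginRefused are illustration only.

```python
import re
from typing import Dict, Optional, Set

# Rights the page associates with each built-in level.
ADMIN_RIGHTS = frozenset({"All-show", "All-Add", "All-edit"})
VIEWER_RIGHTS = frozenset({"All-show"})
# TACACS+ AV pair: attr=value (mandatory) or attr*value (optional).
AV_PAIR = re.compile(r"^([^=*]+)[=*](.*)$")


class LoginRefused(Exception):
    """The authorization reply cannot be mapped to a user level."""


def parse_av_pairs(lines) -> Dict[str, str]:
    """Parse the AV pairs of an authorization reply into a dict."""
    pairs = {}
    for raw in lines:
        m = AV_PAIR.match(raw.strip())
        if not m:
            raise LoginRefused(f"malformed AV pair: {raw!r}")
        pairs[m.group(1).strip()] = m.group(2).strip()
    return pairs


def effective_permissions(av_pairs: Dict[str, str], local_perms: Optional[Set[str]],
                          priv_attr: str = "priv-lvl") -> dict:
    """Map a reply to {'role', 'rights', 'tokens'}. local_perms is the user's
    locally configured rights, or None when the username does not exist locally."""
    if not av_pairs:  # no attributes at all: local permissions, else Viewer
        if local_perms is not None:
            return {"role": "Local", "rights": set(local_perms), "tokens": set()}
        return {"role": "Viewer", "rights": set(VIEWER_RIGHTS), "tokens": set()}
    if priv_attr not in av_pairs:  # AV pairs present but privilege level missing
        raise LoginRefused(f"{priv_attr} not supplied by server")
    try:
        level = int(av_pairs[priv_attr])
    except ValueError:
        raise LoginRefused(f"{priv_attr} is not numeric") from None
    if not 0 <= level <= 15:  # assumption: out-of-range is treated as a refusal
        raise LoginRefused(f"{priv_attr} {level} outside 0..15")
    if level == 15:  # Admin: accedian-priv-list is ignored
        return {"role": "Admin", "rights": set(ADMIN_RIGHTS), "tokens": set()}
    # Viewer base rights plus the optional, case-sensitive, comma-separated
    # accedian-priv-list tokens (local groups and individual privileges).
    raw_list = av_pairs.get("accedian-priv-list", "")
    tokens = {t.strip() for t in raw_list.split(",") if t.strip()}
    return {"role": "Viewer", "rights": set(VIEWER_RIGHTS), "tokens": tokens}
```

The device's expansion of each token into concrete rights is not modelled; the tokens are returned as-is so a reviewer can compare them with the locally defined groups.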

© 2024 Accedian Networks Inc. All rights reserved. Accedian®, Accedian Networks®,  the Accedian logo™, Skylight™, Skylight Interceptor™ and per-packet intel™, are trademarks or registered trademarks of Accedian Networks Inc. To view a list of Accedian trademarks visit: http://accedian.com/legal/trademarks/. 

