Using a TACACS+ Server for Authentication
- Updated on 25 Jan 2024
You can use a TACACS+ server for authenticating users. When TACACS+ authentication is enabled, the unit supports Authentication and Authorization as configured on the TACACS+ server. A TACACS+ server can be useful if you want to centrally manage user accounts instead of managing them on each unit individually. The unit can be configured to connect to a second TACACS+ server, allowing for TACACS+ server redundancy.
To configure TACACS+ session parameters
Access the page System ▶Session ▶TACACS+.
Complete the required fields, then click Apply.
For more information on specific parameters, refer to the following table.
TACACS+ Configuration (System ▶Session ▶TACACS+)
General
Parameter | Description |
---|---|
Authentication Method | The authentication method used with the TACACS+ server. The only available option is PAP (Password Authentication Protocol). |
TACACS+ Timeout | The time, in seconds, that the TACACS+ client waits for a response before retrying the connection. Once the configured number of retries has been exhausted, a connection to the next configured server is attempted, using the same timeout and retry scheme. |
TACACS+ Retries | The number of times to retry the server before attempting to connect to the next configured TACACS+ server. |
TACACS+ Service Name | The name of the service to pass to TACACS+ for authorization. The default value is shell. Note: This field is displayed only if the Show Advanced Settings box is checked. |
TACACS+ Privilege Level Attribute | The attribute to extract from the authorization response in order to determine the privilege level of the user requesting authentication. The default value is priv-lvl. Note: This field is displayed only if the Show Advanced Settings box is checked. |
Server-1 / Server-2
Parameter | Description |
---|---|
Host | The TACACS+ server's host-name or IP address. Note: To disable this server, enter 0.0.0.0 or :: as the address. |
Port | The TCP port on the TACACS+ server to which you connect. |
Secret | The shared secret for this TACACS+ server. Maximum length is 64 characters. |
Show Secret | Enable this box to display the shared secret for this TACACS+ server in plain text. |
Source Address | The optional bind address associated with this TACACS+ client. Note: This parameter is only used when the TACACS+ server validates the address of the unit. |
TACACS+ Server Configuration Examples
The following examples are configurations for the TACACS+ server, not for the unit. They apply to a tac_plus server; configuration values may differ for other servers.
Logging in is a two-part process. First, the user is authenticated. Once authenticated, the user may be authorized to gain rights on the system. The server should return AV (attribute-value) pairs for the requested service name.
The first attribute, the privilege level (usually priv-lvl), is evaluated first. This attribute is a numerical value that should be between 0 and 15. On this system, an attribute value of 15 grants Admin rights (All-show, All-Add, All-edit), and all other attribute values grant Viewer rights (All-show). If the specified attribute value is not found, the login attempt is refused because the AV pair was not supplied by the server.
The second attribute, the privilege list (accedian-priv-list), is subsequently evaluated. This attribute is an optional attribute and is ignored if the privilege level is already set to 15 (Admin). The purpose of this attribute is to provide a fine-grained permissions mechanism. The permissions are the same as those that can be configured locally on the unit. The list of tokens is separated by commas. The case-sensitive tokens you indicate can be a mix of locally-defined user permission groups and individual privileges.
Note: You cannot view TACACS+-assigned permissions with the CLI or the Web-based interface.
Following are configuration examples for the TACACS+ Server using these attributes.
To assign a user to the built-in Admin group
user = tacadmin {
login = cleartext tacadmin
pap = cleartext tacadmin
name = "Test Admin"
# 'shell' service referred to as 'exec'
# in the config
service = exec {
priv-lvl = 15
}
}
To assign a user viewer-only privileges
user = tacviewer {
login = cleartext tacviewer
pap = cleartext tacviewer
name = "Test Tac Viewer"
# 'shell' service referred to as 'exec'
# in the config
service = exec {
priv-lvl = 1
}
}
To assign a user a customized set of privileges and sub-privileges
user = taccfm {
login = cleartext taccfm
pap = cleartext taccfm
name = "Test Tac User CFM"
service = exec {
priv-lvl = 1
accedian-priv-lvl = 7
accedian-priv-list = Config, Config-not-rollback
}
service = accedian {
priv-lvl = 1
accedian-priv-list = Config, Config-not-rollback
}
}
If a user is authenticated by TACACS+ but no attributes are specified in the server configuration, the permissions will be set as follows:
- If the username exists locally: Local permissions, as configured on the unit
- If the username does not exist locally: Viewer-only permissions
Managing Access Control Lists
You may use an Access Control List (ACL), which is a network access control mechanism, to prevent or allow specific MAC or IP addresses to access the unit for management purposes.
You can create up to 10 lists and each list can contain up to 40 rules. Each rule allows or blocks addresses. Rules are prioritized using the Priority field, with the rule configured with the highest priority applied first.
It is recommended to set the priorities so the most restrictive rules are performed first. For example, a high-priority rule could grant access to a specific IP address within a subnet, and the next rule could deny access to the whole subnet, thus blocking all remaining IP addresses from that subnet. Another example would be to first deny access to subnet 10.10.10.0/26, then allow access to subnet 10.10.0.0/16.
Note: Once all rules have executed, all remaining frames are dropped (this is the default rule). You must therefore ensure the addresses you want to allow are accepted by at least one rule of the ACL.
Once the ACL is created, you can then assign it to one or more interfaces. On each interface you can also select the type of protocol (CLI [SSH and Telnet], WEB, SNMP and NETCONF) to which the ACL applies. Refer to the section Configuring Logical Interfaces on page 22.
CAUTION: If you assign a rule to an interface, you or another user may lose access to the unit.
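The rule-ordering, default-drop and lock-out points above are shown here as an added Python model of an ACL; it is not code from the unit. Rules are evaluated from priority 1 upward, the first matching rule decides, and anything unmatched is counted against the default drop rule, as the page describes. The rule set is constructed from the page's own examples (a host exception ahead of a deny for 10.10.10.0/26, followed by an allow for 10.10.0.0/16); the rule type names `ipsrc` (from the page) and `macsrc` (assumed) and the `locked_out` dry-run helper, which answers the CAUTION by checking your own management address before the list is assigned to an interface, are assumptions of this example.

```python
import ipaddress
from dataclasses import dataclass

MAX_RULES_PER_LIST = 40   # limit stated on the page


@dataclass(frozen=True)
class Rule:
    name: str
    priority: int          # 1..255, 1 is evaluated first
    type: str              # "ipsrc" (page) or "macsrc" (assumed name)
    value: str             # "10.10.10.0/26", "10.10.10.5", "00:11:22:33:44:55"
    action: str            # "allow" or "deny"
    enabled: bool = True


class Acl:
    """A single ACL: ordered rules plus per-rule and default-drop hit counters."""

    def __init__(self, name: str, rules: list[Rule]):
        if len(rules) > MAX_RULES_PER_LIST:
            raise ValueError(f"ACL {name}: at most {MAX_RULES_PER_LIST} rules")
        for r in rules:
            if not 1 <= r.priority <= 255:
                raise ValueError(f"rule {r.name}: priority must be 1-255")
        self.name = name
        # Stable sort: equal priorities keep their configured order (assumption).
        self.rules = sorted(rules, key=lambda r: r.priority)
        self.hits = {r.name: 0 for r in self.rules}
        self.default_dropped = 0

    @staticmethod
    def _matches(rule: Rule, src: str) -> bool:
        if rule.type == "ipsrc":
            try:
                addr = ipaddress.ip_address(src)
            except ValueError:
                return False          # a MAC never matches an IP rule
            # A bare address becomes a /32 (or /128) network.
            return addr in ipaddress.ip_network(rule.value, strict=False)
        if rule.type == "macsrc":
            return src.lower() == rule.value.lower()
        return False

    def lookup(self, src: str):
        """Return (matching rule or None, allowed) without touching counters."""
        for rule in self.rules:
            if rule.enabled and self._matches(rule, src):
                return rule, rule.action == "allow"
        return None, False            # default rule: drop

    def evaluate(self, src: str) -> bool:
        """Apply the ACL to one source address, updating the statistics."""
        rule, allowed = self.lookup(src)
        if rule is None:
            self.default_dropped += 1
        else:
            self.hits[rule.name] += 1
        return allowed


def locked_out(acl: Acl, management_addresses: list[str]) -> list[str]:
    """Dry run: the addresses that would lose access if this ACL were assigned."""
    return [a for a in management_addresses if not acl.lookup(a)[1]]


def build_example_acl() -> Acl:
    """Constructed rule set following the ordering advice on the page."""
    return Acl("mgmt", [
        Rule("deny-dmz", 2, "ipsrc", "10.10.10.0/26", "deny"),
        Rule("allow-corp", 3, "ipsrc", "10.10.0.0/16", "allow"),
        Rule("mgmt-host", 1, "ipsrc", "10.10.10.5", "allow"),   # exception inside the /26
    ])


if __name__ == "__main__":
    acl = build_example_acl()
    for src in ["10.10.10.5", "10.10.10.40", "10.10.10.100", "10.20.0.1"]:
        print(src, "allowed" if acl.evaluate(src) else "dropped")
    print("per-rule hits:", acl.hits, "default dropped:", acl.default_dropped)
    print("would be locked out:", locked_out(acl, ["10.10.10.5", "192.0.2.10"]))
```

Note that 10.10.10.100 is allowed even though it sits in 10.10.10.0/24: the /26 deny only covers 10.10.10.0 to 10.10.10.63, so the address falls through to the /16 allow, while 10.20.0.1 matches nothing and is counted against the default drop rule.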
Setting Up an ACL
To set up an ACL
Access the page System ▶ACL.
A summary of all lists that have been configured is displayed. For more information on specific parameters, refer to the table at the end of this procedure. Click Add to add a new ACL, or click the Name of an existing ACL to edit its settings.
Complete the required fields, then click Apply.
For more information on specific parameters, refer to the following table.
ACL Definition Summary (System ▶ACL)
Parameter | Description |
---|---|
Name | The name of the ACL list. |
State | The state of the list: |
Interface List | Names of the interfaces using this list. Clicking on an interface name will open the ACL statistics, showing the number of packets hit, on a per-rule basis, for this specific interface. |
ACL Definition
Parameter | Description |
---|---|
Type | The type of ACL list: |
Value | The source addresses (IP or MAC) to filter. IP addresses can be entered using a subnet mask. If the Type is ipsrc: |
Action | The filter action to take: |
Name | The name of the rule. |
Priority | The priority of the rule. Range: 1–255 (1 is the highest priority) |
State | Enable or disable the rule. |
Packets | The number of packets that have been intercepted by the rule: |
Deleting an ACL
To delete an ACL
Access the page System ▶ACL.
Click the ACL Name to delete.
Click Delete.
Viewing ACL Statistics
To view ACL statistics for each interface
Access the page System ▶ACL.
Click the name of the interface in the Interface List.
A count of Packets for each ACL rule defined is displayed. The Default Dropped Packets statistic (i.e. associated with the default rule) is displayed at the top of the page.
For more information on specific parameters, refer to the table "ACL Definition Summary (System ▶ACL)". To clear the statistics, click the Clear button.
To update the statistics, click the Refresh button.
© 2024 Cisco and/or its affiliates. All rights reserved.
For more information about trademarks, please visit: Cisco trademarks
For more information about legal terms, please visit: Cisco legal terms
For legal information about Accedian Skylight products, please visit: Accedian legal terms and trademarks