Using a TACACS+ Server for Authentication
  • 25 Jan 2024
  • 7 Minutes to read
  • Contributors
  • PDF

Using a TACACS+ Server for Authentication

  • PDF

Article summary

You can use a TACACS+ server for authenticating users. When TACACS+ authentication is enabled, the unit supports Authentication and Authorization as configured on the TACACS+ server. A TACACS+ server can be useful if you want to centrally manage user accounts instead of managing them on each unit individually. The unit can be configured to connect to a second TACACS+ server, allowing for TACACS+ server redundancy.

To configure TACACS+ session parameters

  1. Access the page System ▶Session ▶TACACS+.

  2. Complete the required fields, then click Apply.

For more information on specific parameters, refer to the following table.

TACACS+ Configuration (System ▶Session ▶TACACS+)
General

ParameterDescription
Authentication MethodThe authentication method to be used by the TACACS+ server.

The only option available is:

PAP: Password Authentication Protocol.

TACACS+ TimeoutThe lapse of time that the TACACS+ client will wait before retrying the connection expressed in seconds.

After the specified number of retries has been exhausted, a connection to the next configured server will be attempted, for which the same timeout and retry scheme apply.

TACACS+ RetriesThe number of times to retry the server before attempting to
connect to the next configured TACACS+ server.
TACACS+ Service NameThe name of the service to pass to TACACS+ for authorization. The default value is shell.

Note: This field is displayed only if the Show Advanced Settings box is checked.

TACACS+ Privilege Level AttributeThe attribute to extract from the authorization response in order to determine the privilege level of the user requesting authentication.

The default value is priv-lvl.

Note: This field is displayed only if the Show Advanced Settings box is checked.

Server-1 / Server-2

ParameterDescription
HostThe TACACS+ server's host-name or IP address.

Note: To disable this server, enter 0.0.0.0 or :: as the address.

PortThe TCP port on the TACACS+ server to which you connect.
SecretThe shared secret for this TACACS+ server.

Maximum length is 64 characters.

Show SecretEnable this box to display the shared secret for this TACACS+ server in plain text.
Source AddressThe optional bind address associated with this TACACS+ client.

Note: This parameter is only used when the TACACS+ server validates the address of the unit.

TACACS+ Server Configuration Examples

The following examples are configurations for the TACACS+ server, not for the unit. They apply to a tac_plus server; configuration values may differ for other servers.

Logging in is a two-part process. First, the user is authenticated. Once authenticated, the user may be authorized to gain rights on the system. The server should return AV (attribute-value) pairs for the requested service name.

The first attribute, the privilege level (usually priv-lvl), is evaluated first. This attribute is a numerical value that should be between 0 and 15. On this system, an attribute value of 15 grants Admin rights (All-show, All-Add, All-edit), and all other attribute values grant Viewer rights (All-show). If the specified attribute value is not found, the login attempt is refused because the AV pair was not supplied by the server.

The second attribute, the privilege list (accedian-priv-list), is subsequently evaluated. This attribute is an optional attribute and is ignored if the privilege level is already set to 15 (Admin). The purpose of this attribute is to provide a fine-grained permissions mechanism. The permissions are the same as those that can be configured locally on the unit. The list of tokens is separated by commas. The case-sensitive tokens you indicate can be a mix of locally-defined user permission groups and individual privileges.


Note: You cannot view TACACS+ assigned permissions with the CLI or Webbased interface.

Following are configuration examples for the TACACS+ Server using these attributes.

To assign a user to the built-in Admin group
user = tacadmin {
login = cleartext tacadmin
pap = cleartext tacadmin
name = "Test Admin"
# 'shell' service referred to as 'exec'
# in the config
service = exec {
priv-lvl = 15
}
}

To assign a user viewer-only privileges
user = tacviewer {
login = cleartext tacviewer
pap = cleartext tacviewer
name = "Test Tac Viewer"
# 'shell' service referred to as 'exec'
# in the config
service = exec {
priv-lvl = 1
}
}

To assign a user a customized set of privileges and sub-privileges
user = taccfm {
login = cleartext taccfm
pap = cleartext taccfm
name = "Test Tac User CFM"
service = exec {
priv-lvl = 1
accedian-priv-lvl = 7
accedian-priv-list = Config, Config-not rollback
}s
ervice = accedian {
priv-lvl = 1
accedian-priv-list = Config, Config-not-rollback
}
}

If a user is authenticated by TACACS+ but no attributes are specified in the server configuration, the permissions will be set as follows:

  • If the username exists locally: Local permissions, as configured on the unit
  • If the username does not exist locally: Viewer-only permissions

Managing Access Control Lists

You may use an Access Control List (ACL), which is a network access control mechanism, to prevent or allow specific MAC or IP addresses to access the unit for management purposes.

You can create up to 10 lists and each list can contain up to 40 rules. Each rule allows or blocks addresses. Rules are prioritized using the Priority field, with the rule configured with the highest priority applied first.

It is recommended to set the priorities so the most restrictive rules are performed first. For example, a high-priority rule could grant access to a specific IP address within a subnet, and the next rule could deny access to the whole subnet, thus blocking all remaining IP addresses from that subnet. Another example would be to first deny access to subnet 10.10.10.0/26, then allow access to subnet 10.10.0.0/16.


Note: Once all rules have executed, all remaining frames are dropped (this is the default rule). You must therefore ensure the addresses you want to allow are accepted by at least one rule of the ACL.

Once the ACL is created, you can then assign it to one or more interfaces. On each interface you can also select the type of protocol (CLI [SSH and Telnet], WEB, SNMP and NETCONF) to which the ACL applies. Refer to the section Configuring Logical Interfaces on page 22.


CAUTION: If you assign a rule to an interface, you or another user may lose access to the unit.

Setting Up an ACL

To set up an ACL

  1. Access the page System ▶ACL.
    A summary of all lists that have been configured is displayed. For more information on specific parameters, refer to the table at the end of this procedure.

  2. Click Add to add a new ACL, or click the Name of an existing ACL to edit its settings.

  3. Complete the required fields, then click Apply.

For more information on specific parameters, refer to the following table.

ACL Definition Summary (System ▶ACL)

ParameterDescription
NameThe name of the ACL list.
StateThe state of the list:
  • Assigned: The list is used by at least one interface.
  • Unassigned: The list is not currently used by an interface.
Interface ListNames of the interfaces using this list.

Clicking on an interface name will open the ACL statistics, showing the number of packets hit, on a per-rule basis, for this specific interface.

ACL Definition

ParameterDescription
TypeThe type of ACL list:
  • ipsrc: IPv4 address values are filtered.
  • macsrc: MAC address values are filtered.
ValueThe source addresses (IP or MAC) to filter. IP addresses can be entered using a subnet mask.

If the Type is ipsrc:

  • Unique IPv4 address (e.g. 192.168.0.100)
  • IPv4 subnet (e.g. 192.0.2.0/24)
If Type is macsrc:
  • Unique MAC address
ActionThe filter action to take:
  • Drop: This rule drops CPU-destined frames/packets coming from the address specified in the field Value.
  • Accept: This rule accepts CPU-destined frames/packets coming from the address specified in the Value field.
Note: Frames/packets that are dropped from a higher-priority rule cannot be recovered with an Accept rule.
NameThe name of the rule.
PriorityThe priority of the rule.

Range: 1–255 (1 is the highest priority)

StateEnable or disable the rule.
PacketsThe number of packets that have been intercepted by the rule:
  • If the Action is set to Accept for this rule, the number of packets accepted and sent to the CPU for processing.
  • If the Action is set to Drop for this rule, the number of packets dropped.

Deleting an ACL

To delete an ACL

  1. Access the page System ▶ACL.

  2. Click the ACL Name to delete.

  3. Click Delete.

Viewing ACL Statistics

To view ACL statistics for each interface

  1. Access the page System ▶ACL.

  2. Click the name of the interface in the Interface List.
    A count of Packets for each ACL rule defined is displayed. The Default Dropped Packets statistic (i.e. associated with the default rule) is displayed at the top of the page.
    For more information on specific parameters, refer to the table "ACL Definition Summary ( System ▶ACL)".

  3. To clear the statistics, click the Clear button.

  4. To update the statistics, click the Refresh button.

© 2024 Cisco and/or its affiliates. All rights reserved.
 
For more information about trademarks, please visit: Cisco trademarks
For more information about legal terms, please visit: Cisco legal terms

For legal information about Accedian Skylight products, please visit: Accedian legal terms and tradmarks



Was this article helpful?

Changing your password will log you out immediately. Use the new password to log back in.
First name must have atleast 2 characters. Numbers and special characters are not allowed.
Last name must have atleast 1 characters. Numbers and special characters are not allowed.
Enter a valid email
Enter a valid password
Your profile has been successfully updated.