Using a TACACS+ Server for Authentication

23 Jan 2024
7 Minutes to read
Contributors

Using a TACACS+ Server for Authentication

Updated on 23 Jan 2024
7 Minutes to read
Contributors

Article summary

Did you find this summary helpful?

Thank you for your feedback

You can use a TACACS+ server for authenticating users. When TACACS+ authentication is enabled, the unit supports Authentication and Authorization as configured on the TACACS+ server. A TACACS+ server can be useful if you want to centrally manage user accounts instead of managing them on each unit individually. The unit can be configured to connect to a second TACACS+ server, allowing for TACACS+ server redundancy.

To configure TACACS+ session parameters

Access the page System ▶Session ▶TACACS+.
Complete the required fields, then click Apply.

For more information on specific parameters, refer to the following table.

TACACS+ Configuration (System ▶Session ▶TACACS+)
General

Parameter	Description
Authentication Method	The authentication method to be used by the TACACS+ server. The only option available is: PAP: Password Authentication Protocol.
TACACS+ Timeout	The lapse of time that the TACACS+ client will wait before retrying the connection expressed in seconds. After the specified number of retries has been exhausted, a connection to the next configured server will be attempted, for which the same timeout and retry scheme apply.
TACACS+ Retries	The number of times to retry the server before attempting to
connect to the next configured TACACS+ server.
TACACS+ Service Name	The name of the service to pass to TACACS+ for authorization. The default value is shell. Note: This field is displayed only if the Show Advanced Settings box is checked.
TACACS+ Privilege Level Attribute	The attribute to extract from the authorization response in order to determine the privilege level of the user requesting authentication. The default value is priv-lvl. Note: This field is displayed only if the Show Advanced Settings box is checked.

Server-1 / Server-2

Parameter	Description
Host	The TACACS+ server's host-name or IP address. Note: To disable this server, enter 0.0.0.0 or :: as the address.
Port	The TCP port on the TACACS+ server to which you connect.
Secret	The shared secret for this TACACS+ server. Maximum length is 64 characters.
Show Secret	Enable this box to display the shared secret for this TACACS+ server in plain text.
Source Address	The optional bind address associated with this TACACS+ client. Note: This parameter is only used when the TACACS+ server validates the address of the unit.

TACACS+ Server Configuration Examples

The following examples are configurations for the TACACS+ server, not for the unit. They apply to a tac_plus server; configuration values may differ for other servers.

Logging in is a two-part process. First, the user is authenticated. Once authenticated, the user may be authorized to gain rights on the system. The server should return AV (attribute-value) pairs for the requested service name.

The first attribute, the privilege level (usually priv-lvl), is evaluated first. This attribute is a numerical value that should be between 0 and 15. On this system, an attribute value of 15 grants Admin rights (All-show, All-Add, All-edit), and all other attribute values grant Viewer rights (All-show). If the specified attribute value is not found, the login attempt is refused because the AV pair was not supplied by the server.

The second attribute, the privilege list (accedian-priv-list), is subsequently evaluated. This attribute is an optional attribute and is ignored if the privilege level is already set to 15 (Admin). The purpose of this attribute is to provide a fine-grained permissions mechanism. The permissions are the same as those that can be configured locally on the unit. The list of tokens is separated by commas. The case-sensitive tokens you indicate can be a mix of locally-defined user permission groups and individual privileges.

Note: You cannot view TACACS+ assigned permissions with the CLI or Webbased interface.

Following are configuration examples for the TACACS+ Server using these attributes.

To assign a user to the built-in Admin group
user = tacadmin { login = cleartext tacadmin pap = cleartext tacadmin name = "Test Admin" # 'shell' service referred to as 'exec' # in the config service = exec { priv-lvl = 15 } }

To assign a user viewer-only privileges
user = tacviewer { login = cleartext tacviewer pap = cleartext tacviewer name = "Test Tac Viewer" # 'shell' service referred to as 'exec' # in the config service = exec { priv-lvl = 1 } }

To assign a user a customized set of privileges and sub-privileges
user = taccfm { login = cleartext taccfm pap = cleartext taccfm name = "Test Tac User CFM" service = exec { priv-lvl = 1 accedian-priv-lvl = 7 accedian-priv-list = Config, Config-not rollback }s ervice = accedian { priv-lvl = 1 accedian-priv-list = Config, Config-not-rollback } }

If a user is authenticated by TACACS+ but no attributes are specified in the server configuration, the permissions will be set as follows:

If the username exists locally: Local permissions, as configured on the unit
If the username does not exist locally: Viewer-only permissions

Managing Access Control Lists

You may use an Access Control List (ACL), which is a network access control mechanism, to prevent or allow specific MAC or IP addresses to access the unit for management purposes.

You can create up to 10 lists and each list can contain up to 40 rules. Each rule allows or blocks addresses. Rules are prioritized using the Priority field, with the rule configured with the highest priority applied first.

It is recommended to set the priorities so the most restrictive rules are performed first. For example, a high-priority rule could grant access to a specific IP address within a subnet, and the next rule could deny access to the whole subnet, thus blocking all remaining IP addresses from that subnet. Another example would be to first deny access to subnet 10.10.10.0/26, then allow access to subnet 10.10.0.0/16.

Note: Once all rules have executed, all remaining frames are dropped (this is the default rule). You must therefore ensure the addresses you want to allow are accepted by at least one rule of the ACL.

Once the ACL is created, you can then assign it to one or more interfaces. On each interface you can also select the type of protocol (CLI [SSH and Telnet], WEB, SNMP and NETCONF) to which the ACL applies.

CAUTION: If you assign a rule to an interface, you or another user may lose access to the unit.

Setting Up an ACL

To set up an ACL

Access the page System ▶ACL.
A summary of all lists that have been configured is displayed. For more information on specific parameters, refer to the table at the end of this procedure.
Click Add to add a new ACL, or click the Name of an existing ACL to edit its settings.
Complete the required fields, then click Apply.

For more information on specific parameters, refer to the following tables.

ACL Definition Summary (System ▶ACL)

Parameter	Description
Name	The name of the ACL list.
State	The state of the list: Assigned: The list is used by at least one interface. Unassigned: The list is not currently used by an interface.
Interface List	Names of the interfaces using this list. Clicking on an interface name will open the ACL statistics, showing the number of packets hit, on a per-rule basis, for this specific interface.

Parameter

Description

Name

The name of the ACL list.

State

The state of the list:

Assigned: The list is used by at least one interface.
Unassigned: The list is not currently used by an interface.

Interface List

Names of the interfaces using this list.

Clicking on an interface name will open the ACL statistics, showing the number of packets hit, on a per-rule basis, for this specific interface.

ACL Definition

Parameter	Description
Type	The type of ACL list: ipsrc: IPv4 address values are filtered. macsrc: MAC address values are filtered.
Value	The source addresses (IP or MAC) to filter. IP addresses can be entered using a subnet mask. If the Type is ipsrc: Unique IPv4 address (e.g. 192.168.0.100) IPv4 subnet (e.g. 192.0.2.0/24) If Type is macsrc: Unique MAC address
Action	The filter action to take: Drop: This rule drops CPU-destined frames/packets coming from the address specified in the field Value. Accept: This rule accepts CPU-destined frames/packets coming from the address specified in the Value field. Note: Frames/packets that are dropped from a higher-priority rule cannot be recovered with an Accept rule.
Name	The name of the rule.
Priority	The priority of the rule. Range: 1–255 (1 is the highest priority)
State	Enable or disable the rule.
Packets	The number of packets that have been intercepted by the rule: If the Action is set to Accept for this rule, the number of packets accepted and sent to the CPU for processing. If the Action is set to Drop for this rule, the number of packets dropped.

Deleting an ACL

To delete an ACL

Access the page System ▶ACL.
Click the ACL Name to delete.
Click Delete.

Viewing ACL Statistics

To view ACL statistics for each interface

Access the page System ▶ACL.
Click the name of the interface in the Interface List.
A count of Packets for each ACL rule defined is displayed. The Default Dropped Packets statistic (i.e. associated with the default rule) is displayed at the top of the page.
For more information on specific parameters, refer to the table "ACL Definition Summary (System ▶ACL)".
To clear the statistics, click the Clear button.
To update the statistics, click the Refresh button.

© 2024 Cisco and/or its affiliates. All rights reserved.

For more information about trademarks, please visit: Cisco trademarks
For more information about legal terms, please visit: Cisco legal terms
For legal information about Accedian Skylight products, please visit: Accedian legal terms and tradmarks

Was this article helpful?

What's Next

Managing Access Control Lists

Table of contents