.svg?sv=2022-11-02&spr=https&st=2024-11-22T15%3A14%3A04Z&se=2024-11-22T15%3A24%3A04Z&sr=c&sp=r&sig=DSVBymEL42f%2FrGKgmIF8b6uMXTNW26cksEoQUTSFPjg%3D){kind=logo}
Using TACACS+ Authentication
- 25 Sep 2024
- 4 Minutes to read
- Contributors
- Print
- PDF
Using TACACS+ Authentication
- Updated on 25 Sep 2024
- 4 Minutes to read
- Contributors
- Print
- PDF
Article summary
Did you find this summary helpful?
Thank you for your feedback
You can use a TACACS+ server to authenticate users. When TACACS+ authentication is enabled, the Cisco Provider Connectivity Assurance Sensor Control supports Authentication and Authorization as configured on the TACACS+ server. A TACACS+ server can be useful if you want to centrally manage user accounts instead of managing them separately on each Sensor Control. A Sensor Control can be configured to connect to a second TACACS+ server, allowing for TACACS+ server redundancy.
Configuring TACACS+ Session Parameters
▶ To configure TACACS+ session parameters
Access the page System ▶ Session ▶ TACACS+.
The TACACS+ Configuration form displays.
Complete the required fields, then click Apply.
For information, see TACACS+ Configuration Parameters.
TACACS+ Configuration Parameters
This section describes the TACACS+ Configuration form parameters.
General
| Parameter | Description |
|---|---|
| Authentication Method | Authentication method to be used by the TACACS+ server. Available options:
|
| TACACS+ Timeout | Lapse of time that the TACACS+ client will wait before retrying the connection, expressed in seconds. After the specified number of retries has been exhausted, a connection to the next configured server will be attempted, for which the same timeout and retry scheme applies. |
| TACACS+ Retries | Number of times to retry the server before attempting to connect to the next configured TACACS+ server. |
| Show Advanced Settings | Select to display the TACACS+ Service Name and TACACS+ Privilege Level Attribute parameters. |
| TACACS+ Service Name | Name of the service to pass to TACACS+ for authorization. Appears when you select Show Advanced Settings. Default value: shell |
| TACACS+ Privilege Level Attribute | Attribute to extract from the authorization response to determine the privilege level of the user requesting authentication. Appears when you select Show Advanced Settings. Default value: priv-lvl |
Server-1 / Server-2
| Parameter | Description |
|---|---|
| Host | TACACS+ server's host-name or IP address. Note: To disable this server, enter 0.0.0.0 or :: as the address. |
| Port | TCP port on the TACACS+ server to connect to. |
| Secret | Shared secret for this TACACS+ server. Maximum length: 64 characters |
| Show Secret | Select to display the shared secret for this TACACS+ server in plain text. |
| Source Address | Optional bind address associated with this TACACS+ client. Note: This parameter is only used when the TACACS+ server validates the address of the Sensor Control. |
TACACS+ Server Configuration Examples
The following examples are configurations for the TACACS+ server, not for the Sensor Control. They can be applied to a tac_plus server; configuration values may differ for other servers.
Logging in is a two-part process. First, the user is authenticated. Once authenticated, the user may be authorized to gain rights on the system. The server should return AV (attribute-value) pairs for the requested service name.
The first attribute, the privilege level (usually priv-lvl), is evaluated first. This attribute is a numerical value that should be between 0 and 15. On this system, an attribute value of 15 grants Admin rights (All-show, All-Add, All-edit), and all other attribute values grant Viewer rights (All-show). If the specified attribute value is not found, the login attempt is refused because the AV pair was not supplied by the server.
The second attribute, the privilege list (accedian-priv-list), is subsequently evaluated. This attribute is an optional attribute, and is ignored if the privilege level is already set to 15 (Admin). The purpose of this attribute is to provide a fine-grained permissions mechanism. The permissions are the same as those that can be configured locally on the Sensor Control. The list of tokens is separated by commas. The case-sensitive tokens you indicate can be a mix of locally-defined user permission groups and individual privileges.
Note: You cannot view TACACS+ assigned permissions with the CLI or Webbased interface.
Following are configuration examples for the TACACS+ Server using these attributes.
▶ To assign a user to the built-in Admin group
user = tacadmin {
login = cleartext tacadmin
pap = cleartext tacadmin
name = "Test Admin"
# 'shell' service referred to as 'exec'
# in the config
service = exec {
priv-lvl = 15
}
}
▶ To assign a user viewer-only privileges
user = tacviewer {
login = cleartext tacviewer
pap = cleartext tacviewer
name = "Test Tac Viewer"
# 'shell' service referred to as 'exec'
# in the config
service = exec {
priv-lvl = 1
}
}
▶ To assign a user a customized set of privileges
user = taccfm {
login = cleartext taccfm
pap = cleartext taccfm
name = "Test Tac User CFM"
# 'shell' service referred to as 'exec'
# in the config
service = exec {
priv-lvl = 1
accedian-priv-list = CFM,PAA
}
}
If a user is authenticated by TACACS+, but no attributes are specified in the server configuration, the permissions will be set as follows:
- If the username exists locally: Local permissions, as configured on the Sensor Control
- If the username does not exist locally: Viewer-only permissions
© 2024 Cisco and/or its affiliates. All rights reserved.
For more information about trademarks, please visit: Cisco trademarks
For more information about legal terms, please visit: Cisco legal terms
For legal information about Accedian Skylight products, please visit: Accedian legal terms and tradmarks
Was this article helpful?