Using TACACS+ Authentication
  • 04 Nov 2024
  • 4 Minutes to read
  • Contributors
  • PDF

Using TACACS+ Authentication

  • PDF

Article summary

You can use a TACACS+ server to authenticate users. When TACACS+ authentication is enabled, the Cisco Provider Connectivity Assurance Sensor Control supports Authentication and Authorization as configured on the TACACS+ server. A TACACS+ server can be useful if you want to centrally manage user accounts instead of managing them separately on each sensor: control. A sensor: control can be configured to connect to a second TACACS+ server, allowing for TACACS+ server redundancy.

Configuring TACACS+ Session Parameters

▶ To configure TACACS+ session parameters

  1. Access the page System ▶ Session ▶ TACACS+.

    The TACACS+ Configuration form displays.

  2. Complete the required fields, then click Apply.

    For information, see TACACS+ Configuration Parameters.

TACACS+ Configuration Parameters

This section describes the TACACS+ Configuration form parameters.

General

ParameterDescription
Authentication MethodAuthentication method to be used by the TACACS+ server.

Available options:

  • PAP: Password Authentication Protocol
  • CHAP: Challenge-Handshake Authentication Protocol
  • ASCII: American Standard Code for Information Interchange
TACACS+ TimeoutLapse of time that the TACACS+ client will wait before retrying the connection, expressed in seconds.

After the specified number of retries has been exhausted, a connection to the next configured server will be attempted, for which the same timeout and retry scheme applies.

TACACS+ RetriesNumber of times to retry the server before attempting to connect to the next configured TACACS+ server.
Show Advanced SettingsSelect to display the TACACS+ Service Name and TACACS+ Privilege Level Attribute parameters.
TACACS+ Service NameName of the service to pass to TACACS+ for authorization.

Appears when you select Show Advanced Settings.

Default value: shell

TACACS+ Privilege Level AttributeAttribute to extract from the authorization response to determine the privilege level of the user requesting authentication.

Appears when you select Show Advanced Settings.

Default value: priv-lvl

Server-1 / Server-2

ParameterDescription
HostTACACS+ server's host-name or IP address.

Note: To disable this server, enter 0.0.0.0 or :: as the address.

PortTCP port on the TACACS+ server to connect to.
SecretShared secret for this TACACS+ server.

Maximum length: 64 characters

Show SecretSelect to display the shared secret for this TACACS+ server in plain text.
Source AddressOptional bind address associated with this TACACS+ client.

Note: This parameter is only used when the TACACS+ server validates the address of the Sensor Control.

TACACS+ Server Configuration Examples

The following examples are configurations for the TACACS+ server, not for the Sensor Control. They can be applied to a tac_plus server; configuration values may differ for other servers.

Logging in is a two-part process. First, the user is authenticated. Once authenticated, the user may be authorized to gain rights on the system. The server should return AV (attribute-value) pairs for the requested service name.

The first attribute, the privilege level (usually priv-lvl), is evaluated first. This attribute is a numerical value that should be between 0 and 15. On this system, an attribute value of 15 grants Admin rights (All-show, All-Add, All-edit), and all other attribute values grant Viewer rights (All-show). If the specified attribute value is not found, the login attempt is refused because the AV pair was not supplied by the server.

The second attribute, the privilege list (accedian-priv-list), is subsequently evaluated. This attribute is an optional attribute, and is ignored if the privilege level is already set to 15 (Admin). The purpose of this attribute is to provide a fine-grained permissions mechanism. The permissions are the same as those that can be configured locally on the Sensor Control. The list of tokens is separated by commas. The case-sensitive tokens you indicate can be a mix of locally-defined user permission groups and individual privileges.


Note: You cannot view TACACS+ assigned permissions with the CLI or Webbased interface.

Following are configuration examples for the TACACS+ Server using these attributes.

▶ To assign a user to the built-in Admin group

user = tacadmin {
login = cleartext tacadmin
pap = cleartext tacadmin
name = "Test Admin"
# 'shell' service referred to as 'exec'
# in the config
service = exec {
priv-lvl = 15
}
}

▶ To assign a user viewer-only privileges

user = tacviewer {
login = cleartext tacviewer
pap = cleartext tacviewer
name = "Test Tac Viewer"
# 'shell' service referred to as 'exec'
# in the config
service = exec {
priv-lvl = 1
}
}

▶ To assign a user a customized set of privileges

user = taccfm {
login = cleartext taccfm
pap = cleartext taccfm
name = "Test Tac User CFM"
# 'shell' service referred to as 'exec'
# in the config
service = exec {
priv-lvl = 1
accedian-priv-list = CFM,PAA
}
}

If a user is authenticated by TACACS+, but no attributes are specified in the server configuration, the permissions will be set as follows:

  • If the username exists locally: Local permissions, as configured on the Sensor Control
  • If the username does not exist locally: Viewer-only permissions

© 2024 Cisco and/or its affiliates. All rights reserved.
 
For more information about trademarks, please visit: Cisco trademarks
For more information about legal terms, please visit: Cisco legal terms

For legal information about Accedian Skylight products, please visit: Accedian legal terms and tradmarks



Was this article helpful?

Changing your password will log you out immediately. Use the new password to log back in.
First name must have atleast 2 characters. Numbers and special characters are not allowed.
Last name must have atleast 1 characters. Numbers and special characters are not allowed.
Enter a valid email
Enter a valid password
Your profile has been successfully updated.