TACACS and AAA
TACACS+ stands for Terminal Access Controller Access-Control System Plus. TACACS+ provides AAA services and is used mainly for administrative access to network devices.
AAA stands for Authentication, Authorization, and Accounting.
- Authentication – Validates users and systems
- Authorization – Allow access based on user, system, or process
- Accounting – Tracking who accessed the device and what they did
Alcatel-Lucent Router
```
configure
    system
        security
            password
                authentication-order tacplus local
                attempts 5 time 5 lockout 5
            exit
            tacplus
                timeout 5
                server 1 address <acs server IP> secret "<shared key>"
                authorization
                accounting
                no shutdown
            exit
        exit
```
ALU devices typically use the system interface as a source IP address.
Cisco
AAA Model Configuration Statements
```
aaa new-model
aaa authentication login default group tacacs+ local
aaa authentication login vtymethod group tacacs+ local
aaa authentication login nopass none
aaa authentication enable default group tacacs+ enable
aaa authorization exec default group tacacs+ if-authenticated
aaa accounting exec default start-stop group tacacs+
aaa accounting commands 15 default start-stop group tacacs+
aaa accounting connection default start-stop group tacacs+
aaa accounting system default start-stop group tacacs+
```
Assign an Interface that was used in the ACS Configuration
Typically this is either the loopback interface or the interface on which packets from the ACS server first arrive at the device. The address of this interface must match the client entry defined for the device on the ACS server.
```
ip tacacs source-interface <source interface>
tacacs-server host <acs server IP>
tacacs-server key <shared key>
```
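The IOS statements above are easy to get subtly wrong (a method list that falls through to `none`, command accounting missing for level 15, no source interface so the ACS client entry never matches). The following audit script is an added example, not code from the original page or from Cisco: it parses an IOS-style AAA configuration and reports coverage gaps. The sample configuration is constructed from the statements shown above, with assumed placeholder values (`192.0.2.10`, `Loopback0`, a dummy key) filled in.

```python
"""Audit a Cisco IOS-style AAA configuration for TACACS+ coverage gaps.

Added example; not from the original page or from Cisco. The sample
configuration is constructed from the page's statements with assumed values.
"""
import re

# Constructed sample: the page's IOS statements with assumed placeholder values.
SAMPLE_IOS_CONFIG = """\
aaa new-model
aaa authentication login default group tacacs+ local
aaa authentication login vtymethod group tacacs+ local
aaa authentication login nopass none
aaa authentication enable default group tacacs+ enable
aaa authorization exec default group tacacs+ if-authenticated
aaa accounting exec default start-stop group tacacs+
aaa accounting commands 15 default start-stop group tacacs+
aaa accounting connection default start-stop group tacacs+
aaa accounting system default start-stop group tacacs+
ip tacacs source-interface Loopback0
tacacs-server host 192.0.2.10
tacacs-server key placeholder-shared-key
"""

COMMAND_ACCT_RE = re.compile(
    r"^aaa accounting commands (\d+) default start-stop group tacacs\+$")


def parse_lines(config):
    """Return non-empty, non-comment lines with surrounding whitespace removed."""
    return [ln.strip() for ln in config.splitlines()
            if ln.strip() and not ln.strip().startswith("!")]


def method_lists(lines, kind):
    """Map method-list name -> method tokens for 'aaa authentication <kind> ...'."""
    prefix = "aaa authentication %s " % kind
    result = {}
    for line in lines:
        if line.startswith(prefix):
            name, *methods = line[len(prefix):].split()
            result[name] = methods
    return result


def audit_ios_aaa(config):
    """Return a list of findings; an empty list means every check passed."""
    lines = parse_lines(config)
    findings = []

    if "aaa new-model" not in lines:
        findings.append("aaa new-model missing: legacy line authentication is in effect")

    login = method_lists(lines, "login")
    default = login.get("default", [])
    if "tacacs+" not in default:
        findings.append("default login list does not use TACACS+")
    if "local" not in default:
        findings.append("default login list has no local fallback if TACACS+ is unreachable")
    for name, methods in login.items():
        if "none" in methods:
            # 'none' authenticates without credentials; it must only ever be
            # bound to a line where that is intended (e.g. a console in a locked room).
            findings.append("login list '%s' contains method 'none'; confirm which line it is applied to" % name)

    if "tacacs+" not in method_lists(lines, "enable").get("default", []):
        findings.append("enable authentication does not use TACACS+")

    if not any(ln.startswith("aaa authorization exec default group tacacs+") for ln in lines):
        findings.append("exec authorization via TACACS+ is not configured")

    levels = set()
    for ln in lines:
        m = COMMAND_ACCT_RE.match(ln)
        if m:
            levels.add(int(m.group(1)))
    if 15 not in levels:
        findings.append("command accounting for privilege level 15 is not sent to TACACS+")

    if not any(ln.startswith("tacacs-server host ") for ln in lines):
        findings.append("no tacacs-server host defined")
    if not any(ln.startswith("tacacs-server key ") for ln in lines):
        findings.append("no tacacs-server key defined")
    if not any(ln.startswith("ip tacacs source-interface ") for ln in lines):
        findings.append("no ip tacacs source-interface: source IP may not match the ACS client entry")
    return findings


if __name__ == "__main__":
    for finding in audit_ios_aaa(SAMPLE_IOS_CONFIG) or ["no findings"]:
        print(finding)
```

Run against the sample, the only finding is the `nopass` list that uses method `none`; the script does not remove it, because the page defines it deliberately, but it makes the reviewer confirm where that list is bound. Dropping any of the other statements (for example the level-15 command accounting line) produces a corresponding finding.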
Cisco Nexus
Enable TACACS feature
feature tacacs+
Configure AAA
```
tacacs-server host <acs server IP> key <shared secret>
aaa group server tacacs+ ACS
    server <acs server IP>
    use-vrf management
    source-interface mgmt0
aaa authentication login default group ACS
aaa accounting default group ACS
```
Juniper
EX Series
Set the Authentication Order
```
set system authentication-order tacplus
set system authentication-order password
```
Authentication Configuration
```
set system tacplus-server <acs server IP> port 49
set system tacplus-server <acs server IP> secret "<shared key>"
set system tacplus-server <acs server IP> timeout 5
set system tacplus-server <acs server IP> source-address <source interface IP>
```
Accounting Configuration
```
set system accounting events login
set system accounting events change-log
set system accounting events interactive-commands
set system accounting destination tacplus server <acs server IP> secret "<shared key>"
set system accounting destination tacplus server <acs server IP> source-address <source interface IP>
```
Authorization Configuration aka Login Templates
```
set system login user remote full-name "all remote users"
set system login user remote class read-only
set system login user neteng full-name "Network Engineers"
set system login user neteng class super-user
```
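The Junos settings above span three areas (authentication order, server parameters, accounting events) plus the template users, and a missing `timeout`, `source-address` or `remote` template user fails quietly. This audit is an added example, not the page's own code and not Juniper's: it parses `set` statements and checks each of those areas. The sample is constructed from the statements on the page with assumed values (`192.0.2.10` for the ACS server, `198.51.100.1` for the source address, a dummy secret).

```python
"""Audit Junos 'set' statements for the TACACS+ configuration described above.

Added example; not from the original page or from Juniper. Sample values
(server and source addresses, secret) are assumptions.
"""
import shlex

# Constructed sample: the page's Junos statements with assumed placeholder values.
SAMPLE_JUNOS_SET = """\
set system authentication-order tacplus
set system authentication-order password
set system tacplus-server 192.0.2.10 port 49
set system tacplus-server 192.0.2.10 secret "placeholder-secret"
set system tacplus-server 192.0.2.10 timeout 5
set system tacplus-server 192.0.2.10 source-address 198.51.100.1
set system accounting events login
set system accounting events change-log
set system accounting events interactive-commands
set system accounting destination tacplus server 192.0.2.10 secret "placeholder-secret"
set system accounting destination tacplus server 192.0.2.10 source-address 198.51.100.1
set system login user remote full-name "all remote users"
set system login user remote class read-only
set system login user neteng full-name "Network Engineers"
set system login user neteng class super-user
"""


def parse_set_statements(text):
    """Return each 'set ...' statement as a token list, keeping quoted values whole."""
    stmts = []
    for raw in text.splitlines():
        line = raw.strip()
        if line.startswith("set "):
            stmts.append(shlex.split(line)[1:])
    return stmts


def matching(stmts, *prefix):
    """Yield the tokens that follow `prefix` in every statement that starts with it."""
    n = len(prefix)
    for toks in stmts:
        if tuple(toks[:n]) == prefix:
            yield toks[n:]


def audit_junos_tacplus(text):
    """Return a list of findings; an empty list means every check passed."""
    stmts = parse_set_statements(text)
    findings = []

    # Authentication order: tacplus first, with the local 'password' fallback.
    order = [t[0] for t in matching(stmts, "system", "authentication-order") if t]
    if not order or order[0] != "tacplus":
        findings.append("authentication-order does not try tacplus first")
    if "password" not in order:
        findings.append("authentication-order has no local 'password' fallback")

    # Each tacplus-server needs a secret, a timeout and a fixed source address.
    servers = {}
    for rest in matching(stmts, "system", "tacplus-server"):
        if len(rest) >= 2:
            servers.setdefault(rest[0], set()).add(rest[1])
    if not servers:
        findings.append("no tacplus-server configured")
    for addr, keys in servers.items():
        for required in ("secret", "timeout", "source-address"):
            if required not in keys:
                findings.append("tacplus-server %s: missing %s" % (addr, required))

    # Accounting: the three event classes from the page, sent to a tacplus destination.
    events = {t[0] for t in matching(stmts, "system", "accounting", "events") if t}
    for required in ("login", "change-log", "interactive-commands"):
        if required not in events:
            findings.append("accounting events missing %s" % required)
    if not any(matching(stmts, "system", "accounting", "destination", "tacplus", "server")):
        findings.append("accounting destination tacplus has no server")

    # Template users: 'remote' is the class applied to TACACS+-authenticated
    # users that are not mapped to another local user by local-user-name.
    classes = {}
    for rest in matching(stmts, "system", "login", "user"):
        if len(rest) >= 3 and rest[1] == "class":
            classes[rest[0]] = rest[2]
    if "remote" not in classes:
        findings.append("no 'remote' template user: unmapped TACACS+ users cannot log in")
    return findings


if __name__ == "__main__":
    for finding in audit_junos_tacplus(SAMPLE_JUNOS_SET) or ["no findings"]:
        print(finding)
```

The sample passes cleanly; removing the `timeout` statement or swapping the two `authentication-order` lines produces the matching finding. Because `remote` is the catch-all template, the class it carries (`read-only` above) is the least privilege a TACACS+ user receives unless the ACS shell profile maps them to `neteng`, which is exactly what the ACS attribute section below configures.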
ACS Attribute Configuration
Cisco ACS 5.x
In ACS 5.x, create a separate Access Policy for Juniper devices. The attribute setting required for Juniper causes problems for Cisco devices that share the same policy; the main symptom is a "Privilege denied" error when attempting to scp a file to or from the device from a server.
You must set a custom attribute under Policy Elements > Authorization and Permissions > Device Administration > Shell Profiles for the Network Engineer group to have super user access level.
Edit the Network Engineer or super user profile and click the Custom Attributes tab and add:
```
Attribute=local-user-name
Value=neteng
```
HP
AAA Model Configuration Statements
```
aaa authentication login privilege-mode
aaa authentication console login tacacs local
aaa authentication console enable tacacs local
aaa authentication ssh login tacacs local
aaa authentication ssh enable tacacs local
tacacs-server host <acs server IP>
tacacs-server key "<shared key>"
```