TACACS and AAA

From Braindisconnect

TACACS+ stands for Terminal Access Controller Access-Control System Plus. TACACS+ provides AAA services and is used mainly to control administrative access to network devices.

AAA stands for Authentication, Authorization, and Accounting.

  • Authentication – validates the identity of users and systems
  • Authorization – allows or denies access based on the user, system, or process
  • Accounting – tracks who accessed the device and what they did

Alcatel-Lucent Router

configure system security
    password
        authentication-order tacplus local
        attempts 5 time 5 lockout 5
    exit
    tacplus
        timeout 5
        server 1 address <acs server IP> secret "<shared key>"
        authorization
        accounting
        no shutdown
    exit
exit

ALU devices typically use the system interface as the source IP address for TACACS+ traffic, so that is the address to define on the ACS server.

Cisco

AAA Model Configuration Statements

aaa new-model
aaa authentication login default group tacacs+ local
aaa authentication login vtymethod group tacacs+ local
aaa authentication login nopass none
aaa authentication enable default group tacacs+ enable
aaa authorization exec default group tacacs+ if-authenticated
aaa accounting exec default start-stop group tacacs+
aaa accounting commands 15 default start-stop group tacacs+
aaa accounting connection default start-stop group tacacs+
aaa accounting system default start-stop group tacacs+

Assign an Interface that was used in the ACS Configuration

Typically this is either the loopback interface or the interface on which packets from the ACS server first reach the device. The address of this interface must match the client address defined on the ACS server.

ip tacacs source-interface <source interface>

TACACS+ Server and Shared Key

tacacs-server host <acs server IP>
tacacs-server key <shared key>
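A small audit script, added here as an example (not part of the original page), that checks an IOS running-config for the AAA statements listed above: TACACS+ with local fallback, enable via TACACS+, exec and privilege-15 command accounting, a source interface, a server and a shared key. It also flags any login method list ending in `none`, such as the `nopass` list above, since such a list grants access with no authentication if it is ever applied to a line. The sample config and its addresses are constructed.

```python
import re

# Constructed sample config modelled on the IOS statements above.
SAMPLE_IOS = """\
aaa new-model
aaa authentication login default group tacacs+ local
aaa authentication login nopass none
aaa authentication enable default group tacacs+ enable
aaa authorization exec default group tacacs+ if-authenticated
aaa accounting exec default start-stop group tacacs+
aaa accounting commands 15 default start-stop group tacacs+
ip tacacs source-interface Loopback0
tacacs-server host 192.0.2.10
tacacs-server key EXAMPLE-SHARED-KEY
"""

# Each required statement as an anchored regex over a stripped config line.
REQUIRED = {
    "aaa new-model": r"^aaa new-model$",
    "login default: TACACS+ with local fallback": r"^aaa authentication login default group tacacs\+ local$",
    "enable default via TACACS+": r"^aaa authentication enable default group tacacs\+",
    "exec accounting": r"^aaa accounting exec default start-stop group tacacs\+$",
    "privilege-15 command accounting": r"^aaa accounting commands 15 default start-stop group tacacs\+$",
    "source interface set": r"^ip tacacs source-interface \S+$",
    "tacacs server defined": r"^tacacs-server host \S+",
    "shared key set": r"^tacacs-server key \S+",
}

def audit_ios_aaa(config: str) -> dict:
    """Return {'missing': [...], 'warnings': [...]} for one IOS config."""
    lines = [ln.strip() for ln in config.splitlines() if ln.strip()]
    missing = [name for name, pat in REQUIRED.items()
               if not any(re.match(pat, ln) for ln in lines)]
    warnings = []
    for ln in lines:
        # A method list whose only method is 'none' authenticates nobody;
        # report it so its use on any line/VTY can be reviewed.
        if re.match(r"^aaa authentication login \S+ none$", ln):
            warnings.append(f"no-auth method list present: {ln}")
    return {"missing": missing, "warnings": warnings}

if __name__ == "__main__":
    print(audit_ios_aaa(SAMPLE_IOS))
```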

Cisco Nexus

Enable TACACS feature

feature tacacs+

Configure AAA

tacacs-server host <acs server IP> key <shared secret>
aaa group server tacacs+ ACS
    server <acs server IP>
    use-vrf management
    source-interface mgmt0
aaa authentication login default group ACS
aaa accounting default group ACS

Juniper

EX Series

Set the Authentication Order

set system authentication-order tacplus
set system authentication-order password

Authentication Configuration

set system tacplus-server <acs server IP> port 49
set system tacplus-server <acs server IP> secret "<shared key>"
set system tacplus-server <acs server IP> timeout 5
set system tacplus-server <acs server IP> source-address <source interface IP>

Accounting Configuration

set system accounting events login
set system accounting events change-log
set system accounting events interactive-commands
set system accounting destination tacplus server <acs server IP> secret "<shared key>"
set system accounting destination tacplus server <acs server IP> source-address <source interface IP>

Authorization Configuration (Login Templates)

set system login user remote full-name "all remote users"
set system login user remote class read-only
set system login user neteng full-name "Network Engineers"
set system login user neteng class super-user

ACS Attribute Configuration

Cisco ACS 5.x

In ACS 5.x, create a separate Access Policy for Juniper devices. The attribute setting Juniper requires causes problems for Cisco devices if they share the same policy. The main symptom is a "Privilege denied" error when attempting to scp a file to or from the device from a server.

You must set a custom attribute under Policy Elements > Authorization and Permissions > Device Administration > Shell Profiles so that the Network Engineer group is mapped to the super-user login template.

Edit the Network Engineer or super user profile and click the Custom Attributes tab and add:

Attribute=local-user-name
Value=neteng

HP

AAA Model Configuration Statements

aaa authentication login privilege-mode
aaa authentication console login tacacs local
aaa authentication console enable tacacs local
aaa authentication ssh login tacacs local
aaa authentication ssh enable tacacs local

TACACS+ Server and Shared Key

tacacs-server host <acs server IP>
tacacs-server key "<shared key>"