Description:

TACACS+ (Terminal Access Controller Access-Control System) is a protocol for the authentication, authorization, and accounting (AAA) of users. It provides access to the network only for certain users (authentication), it regulates the permissions of those users (authorization), and it logs user interactions (accounting). TACACS+ is an alternative to other AAA protocols such as RADIUS.

This article describes how to set up TACACS+ on an XS-51xx / XS-61xx or GS-45xx series switch, along with the points that have to be observed when logging on.

Requirements:

Procedure:

1) Configuration steps on the switch:

1.1) Connect to the web interface of the switch and navigate to the menu Security → TACACS+ → Server Summary.

Invoke the menu TACACS Server Summary

1.2) Click Add to create an entry for a server.

Add an entry for a TACACS server

1.3) Modify the following parameters and then click Submit:

...

Info

Optionally, additional entries for TACACS+ servers can be stored. These act as a backup in case the first server is not accessible. Up to five TACACS+ servers can be entered.

Enter the IP address and Secret Key for the TACACS server

1.4) Navigate to the menu System → AAA → Authentication List.

Open the menu Authentication List

1.5) Select the required protocol (in this example HTTPS with the httpslist) and click Edit to make further settings.

Info

The protocols HTTP (httplist) and Telnet and SSH (networklist) are selected in a similar way.

Edit the httpsList

1.6) Under Selected Methods, choose the option Local and click the arrow icon pointing left to remove it.

Remove the method Local

1.7) Under Available Methods, hold down the <CTRL> key, select the options TACACS and Local, and add them by clicking the arrow icon pointing to the right.

Info

The methods under Selected Methods are run through in sequence. Therefore TACACS must be listed first, followed by Local. If the TACACS+ server cannot be reached, authentication falls back on the local user table.

Select the methods TACACS and Local one after the other and add them to the Selected Methods
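The following Python model illustrates the two points made in the Info boxes of steps 1.3 and 1.7: several TACACS+ servers are tried in order, and the local user table is consulted only when no TACACS+ server answers. It is an added example written for this article, not firmware code or a LANCOM tool. The server addresses, user names and passwords are constructed sample data, and the rule that a reject from a reachable server is final (no fallback to Local) is an assumption of the model that follows from the description above, where fallback is tied to the server being unreachable.

```python
"""Model of an AAA authentication method list: TACACS+ servers in order,
then the local user table as fallback.  Added example, not switch firmware."""
from dataclasses import dataclass
from enum import Enum


class Result(Enum):
    ACCEPT = "accept"        # a method verified the credentials
    REJECT = "reject"        # a method answered and denied the login
    UNREACHABLE = "error"    # no answer at all (timeout, network down)


@dataclass
class TacacsServer:
    """Simulated TACACS+ server.  `users` stands in for the server's user
    database; `reachable=False` simulates a timeout.  Constructed data."""
    address: str
    users: dict
    reachable: bool = True

    def authenticate(self, user: str, password: str) -> Result:
        if not self.reachable:
            return Result.UNREACHABLE
        return Result.ACCEPT if self.users.get(user) == password else Result.REJECT


def tacacs_method(servers, user, password) -> Result:
    """Try the configured servers in order (the backup entries of step 1.3).
    The first server that answers decides; the method as a whole is an
    error only if none of the servers answers."""
    for srv in servers:
        outcome = srv.authenticate(user, password)
        if outcome is not Result.UNREACHABLE:
            return outcome
    return Result.UNREACHABLE


def local_method(local_users, user, password) -> Result:
    """Local user table: always reachable, so it always accepts or rejects."""
    return Result.ACCEPT if local_users.get(user) == password else Result.REJECT


def authenticate(method_list, user, password):
    """Run the Selected Methods in order (step 1.7).  A method that answers
    (accept or reject) ends the evaluation; the next method is consulted only
    when the previous one was unreachable.  Returns (result, deciding method)."""
    for name, method in method_list:
        outcome = method(user, password)
        if outcome is not Result.UNREACHABLE:
            return outcome, name
    return Result.REJECT, None


def build_scenario(primary_up=True, backup_up=True):
    """Two TACACS+ servers (constructed addresses/credentials) followed by
    Local, i.e. the order the article prescribes."""
    primary = TacacsServer("192.0.2.10", {"TACACS-User": "tacacs-pw"}, primary_up)
    backup = TacacsServer("192.0.2.11", {"TACACS-User": "tacacs-pw"}, backup_up)
    local_users = {"admin": "local-pw"}
    return [
        ("TACACS", lambda u, p: tacacs_method([primary, backup], u, p)),
        ("Local", lambda u, p: local_method(local_users, u, p)),
    ]


if __name__ == "__main__":
    for primary_up, backup_up in ((True, True), (False, True), (False, False)):
        methods = build_scenario(primary_up, backup_up)
        for user, pw in (("TACACS-User", "tacacs-pw"), ("admin", "local-pw")):
            print(primary_up, backup_up, user, authenticate(methods, user, pw))
    # With Local listed first, Local always answers and TACACS is never asked:
    print("reversed:", authenticate(list(reversed(build_scenario())), "TACACS-User", "tacacs-pw"))
```

Running the module shows why the order matters: with TACACS first, the local administrator can log in only while every TACACS+ server is down, and the TACACS user is still accepted when only the backup server answers; with Local first, the TACACS user is rejected outright because Local answers for every login and the servers are never consulted.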

1.8) Click Submit to accept the changes.

Accept the changes

1.9) Go to the Authorization List tab and select the list dfltCmdAuthList. Then click Edit to make further settings.

Info

Authorization can only be enabled for configuration via command line, Telnet, and SSH, but not for the web interface.

If you execute steps 1.10 to 1.12 for the dfltExecAuthList as well, the login will be performed with extended rights. The extended rights therefore do not have to be requested separately using the Enable command.

Edit the dfltCmdAuthList in the tab Authorization List

1.10) Under Selected Methods, choose the option None and click the arrow icon pointing left to remove it.

Remove the method None from the Selected Methods

1.11) Under Available Methods, choose the option TACACS and click the arrow icon pointing right to add it.

Add the method TACACS to the Selected Methods

1.12) Click Submit to accept the changes.

Accept the changes

1.13) Change to the tab Accounting List and make sure that the dfltCmdList and dfltExecList are set as shown in the screenshot.

Info

If the settings differ, you can reset the lists to the default values by clicking the “power-on” symbol.

Make sure that the dfltCmdList and the dfltExecList in the tab Accounting List have the default settings

1.14) Change to the tab Accounting Selection and, for each entry, make sure that Exec is set to dfltExecList and that Commands is set to dfltCmdList.

Make sure that the default lists from the tab Accounting List are assigned to the entries here

1.15) Click Save Configuration in the top right-hand corner to save the configuration as the start configuration.

Info

The start configuration is retained even if the device is restarted or there is a power failure.

As an alternative, the current configuration can be saved as the Start Configuration from the command line with the command write memory.

Save the configuration as the start configuration

1.16) Confirm the message by clicking OK.

Acknowledge the save process

1.17) This concludes the configuration steps on the switch.

...

  • Username: Enter the TACACS user (in this example TACACS-User).
  • Password: Enter the password for the TACACS user.

Login mask of the web interface


2.2) Accessing and editing the device configuration from the command line:

2.2.1) On the command line, enter the TACACS user followed by the corresponding password.

Login via the CLI with the TACACS user

2.2.2) If an unauthorized command is executed on the device, it displays the message Command is not authorized.

Error message on the CLI with insufficient user rights

...
