Description:
TACACS+ (Terminal Access Controller Access-Control System Plus, specified in RFC 8907) is a protocol for authentication, authorization and accounting (AAA) of users. It verifies who is logging in (authentication), regulates what an authenticated user may do (authorization), and logs the user's actions (accounting). TACACS+ is an alternative to other AAA protocols such as RADIUS; unlike RADIUS it runs over TCP (port 49 by default) and handles the three AAA functions as separate exchanges, so authorization and accounting can be switched on independently of authentication.
This article describes how to set up TACACS+ on a switch of the GS-23xx series and what to watch for when logging in with a TACACS+ user.
Requirements:
- LCOS SX as of version 3.34 RU9
- Any browser for access via the web interface
Procedure:
1) Configuration steps on the switch:
1.1) Connect to the web interface of the switch and navigate to the menu Security → AAA → Configuration.
1.2) Under TACACS+ Authorization and Accounting Configuration, adjust the following parameters:
- Authorization: From the drop-down menu, select the option Enabled.
- Fallback to Local Authorization: From the drop-down menu, select the option Enabled. This provides a fallback to the local user table if none of the configured TACACS+ servers can be reached. The fallback applies only when no server answers; it does not apply to a login that a server has rejected.
- Accounting: From the drop-down menu, select the option Enabled.
Authorization and accounting are optional; authentication (step 1.3) is required.
1.3) Under TACACS+ Authentication Server Configuration, edit the following parameters and then click Apply:
- Check the Enabled box to enable the entry for the TACACS+ server.
- Under IP Address/Hostname, enter the IP address or DNS name of the TACACS+ server.
- Change the Port if necessary. For this example we are using the standard port 49.
- Under Secret, enter the shared secret that is configured for this switch on the TACACS+ server. The secret is used to obfuscate the body of every TACACS+ packet (RFC 8907 describes this as obfuscation, not encryption), and a server cannot process packets obfuscated with a different secret, so it is effectively what authenticates the switch to the server. Use a long, randomly generated secret, use a separate secret per switch where the server supports it, and keep TACACS+ traffic on a management network you trust.
1.4) Go to the menu Security → HTTPS → Auth Method.
1.5) For the required management protocols (Client), set the Authentication Method to the option TACACS+. Additionally enable the Fallback option to provide a fallback to the local user table if the TACACS+ server(s) cannot be reached.
Then click Apply. Keep the session you are working in open and verify the TACACS+ login in a second browser session or terminal before logging out, so that a mistyped secret or server address does not lock you out of the switch.
1.6) Then navigate to the menu Maintenance → Save/Restore → Save Start and click Save so that the configuration is saved as a Start configuration.
The start configuration is retained even if the device is restarted or there is a power failure.
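The steps above configure the switch side only. Before the management protocols are switched to TACACS+, it is worth confirming that server address, port and secret really work. The following Python 3 script is an added example (it is not LANCOM code and not part of the original article): it builds a PAP authentication START as described in RFC 8907, obfuscates the body with the shared secret, sends it to a server and decodes the REPLY. The host, the user name, the password and the remote address 192.0.2.10 are placeholders; run without a live server, it only demonstrates offline that a packet body obfuscated with one secret cannot be read with another, which is the reason a wrong secret looks like a "server not responding" problem on the switch.

```python
import hashlib
import os
import socket
import struct

# Constants from RFC 8907 (TACACS+).
TAC_PLUS_AUTHEN = 0x01
TAC_PLUS_MAJOR_VER = 0xC
TAC_PLUS_MINOR_VER_ONE = 0x1                       # PAP requires minor version 1
VERSION_PAP = (TAC_PLUS_MAJOR_VER << 4) | TAC_PLUS_MINOR_VER_ONE   # 0xc1
TAC_PLUS_UNENCRYPTED_FLAG = 0x01
AUTHEN_LOGIN, AUTHEN_TYPE_PAP, AUTHEN_SVC_LOGIN = 0x01, 0x02, 0x01
REPLY_STATUS = {1: "PASS", 2: "FAIL", 3: "GETDATA", 4: "GETUSER",
                5: "GETPASS", 6: "RESTART", 7: "ERROR"}


def pseudo_pad(session_id, secret, version, seq_no, length):
    """RFC 8907 section 4.5: MD5_1 = MD5(session_id, key, version, seq_no),
    MD5_n = MD5(session_id, key, version, seq_no, MD5_{n-1}); concatenate, truncate."""
    pad, prev = b"", b""
    while len(pad) < length:
        prev = hashlib.md5(session_id + secret + bytes([version, seq_no]) + prev).digest()
        pad += prev
    return pad[:length]


def obfuscate(body, session_id, secret, version, seq_no):
    """XOR the body with the pseudo-pad; the same call deobfuscates."""
    pad = pseudo_pad(session_id, secret, version, seq_no, len(body))
    return bytes(b ^ p for b, p in zip(body, pad))


def build_packet(body, session_id, secret, version, seq_no, ptype=TAC_PLUS_AUTHEN):
    """12-byte header (version, type, seq_no, flags, session_id, length) + obfuscated body."""
    header = struct.pack("!BBBB4sI", version, ptype, seq_no, 0, session_id, len(body))
    return header + obfuscate(body, session_id, secret, version, seq_no)


def parse_header(pkt):
    version, ptype, seq_no, flags, session_id, length = struct.unpack("!BBBB4sI", pkt[:12])
    return {"version": version, "type": ptype, "seq_no": seq_no, "flags": flags,
            "session_id": session_id, "length": length}


def authen_start_pap(user, password, port="web", rem_addr="192.0.2.10", priv_lvl=1):
    """Authentication START body for a PAP login (RFC 8907 section 6.1).
    rem_addr is a placeholder; a switch would send its own management address."""
    u, po, ra, d = (x.encode() for x in (user, port, rem_addr, password))
    fixed = struct.pack("!8B", AUTHEN_LOGIN, priv_lvl, AUTHEN_TYPE_PAP, AUTHEN_SVC_LOGIN,
                        len(u), len(po), len(ra), len(d))
    return fixed + u + po + ra + d


def authen_reply(status, server_msg=""):
    """Authentication REPLY body as the server side builds it (section 6.2)."""
    msg = server_msg.encode()
    return struct.pack("!BBHH", status, 0, len(msg), 0) + msg


def parse_authen_reply(body):
    status, _flags, msg_len, _data_len = struct.unpack("!BBHH", body[:6])
    return REPLY_STATUS.get(status, str(status)), body[6:6 + msg_len].decode(errors="replace")


def _recv_exact(sock, n):
    buf = b""
    while len(buf) < n:
        chunk = sock.recv(n - len(buf))
        if not chunk:
            raise ConnectionError("server closed the connection mid-packet")
        buf += chunk
    return buf


def check_login(host, secret, user, password, port=49, timeout=5):
    """Send one PAP START to a live server and return (status, server_msg)."""
    session_id = os.urandom(4)
    pkt = build_packet(authen_start_pap(user, password), session_id, secret, VERSION_PAP, 1)
    with socket.create_connection((host, port), timeout=timeout) as s:
        s.sendall(pkt)
        hdr = parse_header(_recv_exact(s, 12))
        body = _recv_exact(s, hdr["length"])
    if hdr["session_id"] != session_id or hdr["seq_no"] != 2:
        raise ValueError("reply does not belong to our session")
    if hdr["flags"] & TAC_PLUS_UNENCRYPTED_FLAG:
        raise ValueError("server answered unobfuscated; check its secret configuration")
    return parse_authen_reply(obfuscate(body, session_id, secret, hdr["version"], hdr["seq_no"]))


def secret_roundtrip_demo(secret=b"s3cret", wrong_secret=b"s3cre7"):
    """Offline: the body only decodes with the secret it was encoded with."""
    session_id = b"\x01\x02\x03\x04"                      # constructed
    body = authen_start_pap("TACACS-User", "Pa55w0rd")    # constructed credentials
    pkt = build_packet(body, session_id, secret, VERSION_PAP, 1)
    hdr = parse_header(pkt)
    with_right = obfuscate(pkt[12:], session_id, secret, hdr["version"], hdr["seq_no"])
    with_wrong = obfuscate(pkt[12:], session_id, wrong_secret, hdr["version"], hdr["seq_no"])
    return with_right == body, with_wrong == body


if __name__ == "__main__":
    import sys
    if len(sys.argv) == 5:   # host secret user password
        print(check_login(sys.argv[1], sys.argv[2].encode(), sys.argv[3], sys.argv[4]))
    else:
        print(secret_roundtrip_demo())
```

Run it from a host that the TACACS+ server accepts as a client. A PASS reply confirms server, port and secret together; a FAIL confirms the secret but means the credentials were rejected; a timeout, a dropped connection or an ERROR status often means the secret does not match what the server has configured for this source address. The priv_lvl field in the START is the level the client initially asks for (1 here); the level the user ends up with is determined by the user's profile on the server.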
2) Accessing and editing the device configuration:
In the default configuration, the configuration parameters can only be modified with privilege level 15. With a lower privilege level, the configuration can be read via the web interface but not changed (the button Apply is grayed out). From the command line, only the top-level configuration paths (e.g. LMC) can be entered; their contents can be neither read nor modified.
The privilege level required for individual parts of the configuration can be adjusted in the menu System → Account → Privilege-Level.
2.1) Accessing and editing the device configuration from the web interface:
Enter your login details in the web-interface login screen and click Login:
- Username: Enter the TACACS user (in this example TACACS-User).
- Password: Enter the password for the TACACS user.
2.2) Accessing and editing the device configuration from the command line:
On the command line, enter the TACACS user name (in this example TACACS-User) followed by the corresponding password.