Description:

TACACS+ (Terminal Access Controller Access-Control System) is a protocol for authentication, authorization and accounting (AAA) of users. It provides access to the network only for certain users (authentication), it regulates the permissions of those users (authorization), and it logs user interactions (accounting). TACACS+ is an alternative to other AAA protocols such as RADIUS.

This article describes how to set up TACACS+ on a GS-3xxx series switch, along with the particular points to note when logging in.

Requirements:

Procedure:

1) Configuration steps on the switch:

1.1) Connect to the web interface of the switch and navigate to the menu Security → TACACS+.

Open the menu TACACS

1.2) Under Server Configuration click Add New Server.

Add a new TACACS server

1.3) Modify the following parameters and then click Apply:

  • Hostname: Enter the IP address or DNS name of the TACACS+ server (in this example 192.168.1.100).
  • Port: Change the Port if necessary. For this example we are using the standard port 49.
  • Timeout: Leave the timeout blank. This means that the value from the Global Configuration is used (default value 5 seconds).
  • Change Secret Key: Enter the Secret Key. The secret key is used to authenticate the device on the TACACS+ server.
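As an added illustration of what the Secret Key does on the wire (example code, not from the article or from LANCOM): the Python below builds the TACACS+ Authentication START packet a switch sends to the server on TCP port 49 and parses it as the server would. Per RFC 8907 the key seeds an MD5 pseudo pad that is XORed over the packet body, so it obfuscates the body rather than encrypting it; the key value, session id, port name and client address used here are constructed.

```python
import hashlib
import os
import struct

VERSION_ASCII = 0xC0              # major version 0xC, minor 0 (ASCII login)
TAC_PLUS_AUTHEN = 0x01            # header type: authentication packet
TAC_PLUS_UNENCRYPTED_FLAG = 0x01  # header flag: body sent in clear (debugging only)
AUTHEN_LOGIN, AUTHEN_TYPE_ASCII, AUTHEN_SVC_LOGIN = 0x01, 0x01, 0x01

def pseudo_pad(session_id, key, version, seq_no, length):
    """RFC 8907 section 4.5: MD5 chain over session id, secret, version, seq no."""
    pad, prev = b"", b""
    while len(pad) < length:
        prev = hashlib.md5(session_id + key + bytes([version, seq_no]) + prev).digest()
        pad += prev
    return pad[:length]

def obfuscate(body, session_id, key, version, seq_no):
    """XOR the body with the pseudo pad; the operation is its own inverse."""
    pad = pseudo_pad(session_id, key, version, seq_no, len(body))
    return bytes(b ^ p for b, p in zip(body, pad))

def build_authen_start(user, key, priv_lvl=1, port="ssh", rem_addr="192.0.2.10",
                       session_id=None, seq_no=1):
    """Client (switch) side: 12-byte header + obfuscated Authentication START body."""
    session_id = session_id or os.urandom(4)
    u, p, r = user.encode(), port.encode(), rem_addr.encode()
    body = struct.pack("!8B", AUTHEN_LOGIN, priv_lvl, AUTHEN_TYPE_ASCII,
                       AUTHEN_SVC_LOGIN, len(u), len(p), len(r), 0) + u + p + r
    header = struct.pack("!BBBB4sI", VERSION_ASCII, TAC_PLUS_AUTHEN, seq_no, 0,
                         session_id, len(body))
    return header + obfuscate(body, session_id, key, VERSION_ASCII, seq_no)

def parse_authen_start(packet, key):
    """Server side: read the header, de-obfuscate with the same key, unpack fields."""
    version, ptype, seq_no, flags, session_id, length = struct.unpack("!BBBB4sI", packet[:12])
    body = packet[12:12 + length]
    if not flags & TAC_PLUS_UNENCRYPTED_FLAG:
        body = obfuscate(body, session_id, key, version, seq_no)
    _, priv_lvl, _, _, ul, pl, rl, _ = struct.unpack("!8B", body[:8])
    fields = body[8:]
    user, port, rem = fields[:ul], fields[ul:ul + pl], fields[ul + pl:ul + pl + rl]
    return {"type": ptype, "seq_no": seq_no, "priv_lvl": priv_lvl,
            "user": user.decode("latin-1"), "port": port.decode("latin-1"),
            "rem_addr": rem.decode("latin-1")}

if __name__ == "__main__":
    key = b"constructed-secret"  # stands in for the Secret Key entered in step 1.3
    pkt = build_authen_start("TACACS-User", key)  # would be sent to 192.168.1.100:49
    print(parse_authen_start(pkt, key))
```

A server configured with a different key de-obfuscates to garbage and rejects the request, which is the failure mode behind the local fallback configured in step 1.5.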

1.4) Switch to the menu Security → Management → Auth Method.

Open the menu Auth method

1.5) For the required management protocols (under Client), look under Methods and select the option tacacs. Set the second option to local to provide a fallback to the local user table if the TACACS+ server(s) cannot be reached.

Activate authentication for the management protocols

1.6) Under Command Authorization Method Configuration, set the Method for the desired protocol to the option tacacs to enable TACACS authorization.

You can optionally set the parameters for Cmd Lvl and Cfg Cmd:

  • Cmd Lvl: All commands with this privilege level and higher require authorization.
  • Cfg Cmd: Activating this parameter means that configuration commands also require authorization.

Authorization can only be enabled for configuration via command line, Telnet, and SSH, but not for the web interface.

Activate authorization for the management protocols

1.7) Under Accounting Method Configuration, set the Method for the desired protocol to the option tacacs to enable TACACS accounting.

You can optionally set the parameters for Cmd Lvl and Exec:

  • Cmd Lvl: All commands with this privilege level and higher are logged by the accounting.
  • Exec: Activating this parameter means that logins are logged by the accounting.

Accounting can only be enabled for configuration via command line, Telnet, and SSH, but not for the web interface.

Activate Accounting for the management protocols

1.8) Confirm the message that follows by clicking OK.

Acknowledge the message regarding Telnet

1.9) Save the configuration as the startup configuration by clicking the red floppy disk icon at top-right.

The startup configuration is retained even if the device is restarted or there is a power failure.

Save the configuration

1.10) Confirm the message by clicking OK.

Acknowledge the message regarding saving the configuration



2) Accessing and editing the device configuration:

In the default configuration, the individual configuration areas are assigned different privilege levels; most of the configuration requires privilege level 10.

The privilege level required for individual parts of the configuration can be adjusted in the menu Security → Management → Privilege-Levels.


2.1) Accessing and editing the device configuration from the web interface:

2.1.1) Enter your login details in the web-interface login screen and click Login:

  • Username: Enter the TACACS user (in this example TACACS-User).
  • Password: Enter the password for the TACACS user.

Login menu of the switch with TACACS

2.1.2) If you open a menu as a user without the required privilege level, the message Insufficient Privilege Level is displayed and the menu cannot be accessed.

Message regarding insufficient user rights


2.2) Accessing and editing the device configuration from the command line:

On the command line, enter the TACACS user followed by the corresponding password.

Login to the switch with the TACACS user via the CLI