Quelle anzeigen

Description:

TACACS+ (Terminal Access Controller Access-Control System) is a protocol for authentication, authorization and accounting (AAA) of users. It provides access to the network only for certain users (authentication), it regulates the permissions of those users (authorization), and it logs user interactions (accounting). TACACS+ is an alternative to other AAA protocols such as RADIUS.

This article describes how to set up TACACS+ on a switch of the GS-23xx series, along with any special characteristics that have to be observed when logging on.

Requirements:

LCOS SX as of version 3.34 RU9 (download latest version)
Any browser for access via the web interface

Procedure:

1) Configuration steps on the switch:

1.1) Connect to the web interface of the switch and navigate to the menu Security → AAA → Configuration.

Open the menu AAA Configuration

1.2) Under TACACS+ Authorization and Accounting Configuration, adjust the following parameters:

Authorization: From the drop-down menu, select the option Enabled.
Fallback to Local Authorization: From the drop-down menu, select the option Enabled. This provides a fallback to the local user table if the TACACS+ server(s) cannot be reached.
Accounting: From the drop-down menu, select the option Enabled.

Authorization and Accounting are optional.

Activate Authorization and Accounting for TACACS

1.3) Under TACACS+ Authentication Server Configuration, edit the following parameters and then click Apply:

Check the Enabled box to enable the entry for the TACACS+ server.
Under IP Address/Hostname, enter the IP address or DNS name of the TACACS+ server (in this example 192.168.1.100).
Change the Port if necessary. For this example we are using the standard port 49.
Under Secret, enter the Secret Key. The secret key is used to authenticate the device on the TACACS+ server.

Enter the IP address and the secret key for the TACACS serverCS-Server eintragen

1.4) Go to the menu Security → HTTPS → Auth Method.

Open the menu Auth Method

1.5) For the required management protocols (Client), set the Authentication Method to the option TACACS+. Additionally enable the Fallback option to provide a fallback to the local user table if the TACACS+ server(s) cannot be reached.

Then click Apply.

Activate TACACS for the management protocols

1.6) Then navigate to the menu Maintenance → Save/Restore → Save Start and click Save so that the configuration is saved as the Start configuration.

The start configuration is retained even if the device is restarted or there is a power failure.

Save the configuration as start configuration

2) Accessing and editing the device configuration:

In the standard configuration, the configuration components can only be modified with privilege level 15. With a different privilege level the configuration can be read via the web interface but no changes can be made (the button Apply is grayed out). From the command line it is possible to access the top paths of the configuration (e.g. LMC), but it is not possible to read or modify the configuration.

The privilege level required for individual parts of the configuration can be adjusted in the menu System → Account → Privilege-Level.

2.1) Accessing and editing the device configuration from the web interface:

Enter your login details in the web-interface login screen and click Login:

Username: Enter the TACACS user (in this example TACACS-User).
Password: Enter the password for the TACACS user.

Login mask of the switch with active TACACS

2.2) Accessing and editing the device configuration from the command line:

On the command line, enter the TACACS user followed by the corresponding password.

Login to the switch with the TACACS user via the CLI