TACACS+ (Terminal Access Controller Access-Control System Plus) is a protocol for the authentication, authorization and accounting (AAA) of users on network devices. It grants access to a device only to defined users (authentication), regulates what those users are allowed to do (authorization) and logs their actions (accounting). TACACS+ is an alternative to other AAA protocols such as RADIUS. Unlike RADIUS it runs over TCP (port 49), handles the three functions as separate requests and obfuscates the entire packet body with the shared key rather than only the password; this is what makes per-command authorization and per-command accounting possible.
This article describes how to set up TACACS+ on a GS-24xx / GS-3xxx / XS-3xxx series switch and the special characteristics that have to be observed when logging in.
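As an added illustration of what the shared key entered in the switch's server configuration does on the wire (this is example code, not code from the original article or from the switch vendor), the following Python script builds the authentication START packet a TACACS+ client sends for an ASCII login and decodes it again. Header layout, START body layout and the MD5 pseudo-pad follow RFC 8907; the session ID, key, user name, port and client address are constructed sample values.

```python
"""TACACS+ (RFC 8907) authentication START packet: build, obfuscate, parse.

Added example, not from the original article or the switch vendor. All
session IDs, keys, user names and addresses below are constructed samples.
"""
import hashlib
import struct

# 12-byte TACACS+ header: version, type, seq_no, flags, session_id, length
HEADER = struct.Struct("!BBBBII")

TAC_PLUS_MAJOR_VER = 0xC
TAC_PLUS_AUTHEN = 0x01            # packet type: authentication
TAC_PLUS_UNENCRYPTED_FLAG = 0x01  # body sent in clear (never in production)

# Authentication START body (RFC 8907 section 5.1)
AUTHEN_LOGIN = 0x01
AUTHEN_TYPE_ASCII = 0x01
AUTHEN_SVC_LOGIN = 0x01
START_FIXED = struct.Struct("!BBBBBBBB")  # action, priv_lvl, type, service, 4 lengths


def pseudo_pad(session_id: int, key: bytes, version: int, seq_no: int, length: int) -> bytes:
    """Keystream of RFC 8907 section 4.5: chained MD5 over session_id, key, version, seq_no.
    pad_1 = MD5(session_id || key || version || seq_no)
    pad_n = MD5(session_id || key || version || seq_no || pad_{n-1})
    """
    prefix = struct.pack("!I", session_id) + key + bytes([version, seq_no])
    pad, prev = b"", b""
    while len(pad) < length:
        prev = hashlib.md5(prefix + prev).digest()
        pad += prev
    return pad[:length]


def obfuscate(body: bytes, session_id: int, key: bytes, version: int, seq_no: int) -> bytes:
    """XOR the body with the pseudo-pad; the same call reverses it (XOR is symmetric)."""
    pad = pseudo_pad(session_id, key, version, seq_no, len(body))
    return bytes(b ^ p for b, p in zip(body, pad))


def build_authen_start(session_id, key, user, port, rem_addr, priv_lvl=1, minor_version=0):
    """First packet of an ASCII login: carries the user name only, the password
    follows in a later CONTINUE packet. key=None sends the body in clear."""
    version = (TAC_PLUS_MAJOR_VER << 4) | minor_version
    seq_no = 1
    body = START_FIXED.pack(AUTHEN_LOGIN, priv_lvl, AUTHEN_TYPE_ASCII, AUTHEN_SVC_LOGIN,
                            len(user), len(port), len(rem_addr), 0) + user + port + rem_addr
    flags = TAC_PLUS_UNENCRYPTED_FLAG if key is None else 0
    if key is not None:
        body = obfuscate(body, session_id, key, version, seq_no)
    return HEADER.pack(version, TAC_PLUS_AUTHEN, seq_no, flags, session_id, len(body)) + body


def parse_authen_start(packet: bytes, key):
    """Decode a START packet with the given shared key (None for clear bodies).
    Raises ValueError when the body does not decode consistently, e.g. wrong key."""
    version, ptype, seq_no, flags, session_id, length = HEADER.unpack_from(packet)
    body = packet[HEADER.size:HEADER.size + length]
    if ptype != TAC_PLUS_AUTHEN or len(body) != length:
        raise ValueError("not a complete authentication packet")
    obfuscated = not flags & TAC_PLUS_UNENCRYPTED_FLAG
    if obfuscated:
        if key is None:
            raise ValueError("body is obfuscated and no shared key is known")
        body = obfuscate(body, session_id, key, version, seq_no)
    action, priv_lvl, authen_type, service, ulen, plen, rlen, dlen = START_FIXED.unpack_from(body)
    if START_FIXED.size + ulen + plen + rlen + dlen != len(body):
        raise ValueError("length fields do not match body (wrong key?)")
    off = START_FIXED.size
    user, off = body[off:off + ulen], off + ulen
    port, off = body[off:off + plen], off + plen
    rem_addr = body[off:off + rlen]
    return {"session_id": session_id, "obfuscated": obfuscated, "priv_lvl": priv_lvl,
            "user": user, "port": port, "rem_addr": rem_addr}


def can_read_start(packet: bytes, key) -> bool:
    """True if the START body decodes consistently with this key."""
    try:
        parse_authen_start(packet, key)
        return True
    except (ValueError, struct.error):
        return False


if __name__ == "__main__":
    # constructed sample session: switch 192.0.2.50 logs in user "admin" over SSH
    pkt = build_authen_start(0x12345678, b"s3cret", b"admin", b"ssh", b"192.0.2.50")
    print(pkt.hex())
    print(parse_authen_start(pkt, b"s3cret"))
```

Running the script prints the raw packet and the decoded fields. Three limits are worth keeping in mind when you choose the key in step 1.3: the 12-byte header, including the session ID, is always readable; the pseudo-pad is MD5-based and keyed only by the shared secret, so anyone who learns the key can decode every packet, including the password in the subsequent CONTINUE; and a packet with the unencrypted flag set carries everything in clear. Use a long random key and keep TACACS+ traffic on a dedicated management network.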
1) Configuration steps on the switch:
1.1) Connect to the web interface of the switch and navigate to the menu Security → TACACS+.
1.2) Under Server Configuration click Add New Server.
1.3) Enter the parameters of the TACACS+ server (its IP address or host name, the TCP port, which is 49 by default, a timeout and the shared key, which must be identical to the key configured on the server) and then click Apply:
1.4) Switch to the menu Security → Management → Auth Method.
1.5) For each management protocol that should use TACACS+ (listed under Client), select tacacs as the first entry under Methods. Set the second entry to local so that the local user table serves as a fallback if no TACACS+ server can be reached. The fallback only takes effect when the servers do not answer; a login that a TACACS+ server rejects is not retried against the local user table.
1.6) Under Command Authorization Method Configuration, set the Method for the desired protocol to tacacs to enable TACACS+ command authorization.
Optionally, Cmd Lvl sets the lowest privilege level of commands for which the switch sends an authorization request to the server (commands below this level are executed without a request), and Cfg Cmd determines whether commands in configuration mode are authorized as well.
Authorization can only be enabled for configuration via the command line (console, Telnet and SSH), not for the web interface.
1.7) Under Accounting Method Configuration, set the Method for the desired protocol to tacacs to enable TACACS+ accounting.
Optionally, Cmd Lvl sets the lowest privilege level of commands for which accounting records are sent to the server, and Cfg Cmd determines whether commands in configuration mode are recorded as well.
Accounting can only be enabled for configuration via the command line (console, Telnet and SSH), not for the web interface.
1.8) Confirm the message that follows by clicking OK.
1.9) Save the running configuration as the startup configuration by clicking the red floppy-disk icon at the top right.
Only the startup configuration survives a restart of the device or a power failure; changes that exist only in the running configuration are lost.
1.10) Confirm the message by clicking OK.
2) Accessing and editing the device configuration:
In the default configuration the individual configuration components are assigned different privilege levels; most of the configuration requires privilege level 10. The privilege level required for each part of the configuration can be adjusted in the menu Security → Management → Privilege Levels. The privilege level that applies to a TACACS+ user is the one the TACACS+ server assigns to that user, so the user definitions on the server have to be set up accordingly.
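The server-side counterpart to the switch configuration in section 1 and to the privilege levels described above, as an added example that is not part of the original article: a configuration for the Shrubbery Networks tac_plus daemon with a shared key, an accounting log, one administrator group and one operator group. The group names, user names, key and passwords are placeholders, and the assumption that the priv-lvl returned by the server maps one-to-one onto the switch's privilege levels is mine, not stated in the article.

```conf
# Shrubbery tac_plus configuration matching the switch setup above.
# Added example, not from the original article. Names, key and passwords
# are placeholders; replace them before use.

key = "ChangeMe-LongRandomSharedSecret"   # must equal the Key entered in step 1.3

accounting file = /var/log/tac_plus.acct   # receives the records enabled in step 1.7

# Administrators: privilege level 15 is enough for every menu and CLI command
# (assumption: the switch uses the priv-lvl returned by the server as its own level).
group = switch-admins {
    default service = permit
    service = exec {
        priv-lvl = 15
    }
}

# Operators: privilege level 5 lies below the level 10 that most configuration
# menus require, so those menus report "Insufficient Privilege Level".
# Command authorization (step 1.6) only lets them run show commands.
group = switch-operators {
    service = exec {
        priv-lvl = 5
    }
    cmd = show {
        permit .*
    }
    cmd = exit {
        permit .*
    }
}

user = alice {
    member = switch-admins
    login = cleartext "placeholder-password"   # use hashed passwords or PAM in production
}

user = bob {
    member = switch-operators
    login = cleartext "placeholder-password"
}
```

After restarting the daemon, a login as alice should reach the configuration menus, while bob's session is limited to the menus and commands his level and the cmd blocks allow; the accounting file records both logins and, with Cmd Lvl set, each authorized command.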
2.1) Accessing and editing the device configuration from the web interface:
2.1.1) Enter the TACACS+ user name and password in the login screen of the web interface and click Login.
2.1.2) If you call up a menu as a user whose privilege level is lower than the level that menu requires, the message Insufficient Privilege Level is displayed and the menu cannot be accessed.
2.2) Accessing and editing the device configuration from the command line:
On the command line, log in with the TACACS+ user name and the corresponding password.