

Description:

TACACS+ (Terminal Access Controller Access-Control System Plus) is a protocol for the authentication, authorization and accounting (AAA) of users. It grants network access only to certain users (authentication), regulates the permissions of those users (authorization) and logs user actions (accounting). TACACS+ is an alternative to other AAA protocols such as RADIUS.

This article describes how to set up TACACS+ on an access point with LCOS LX (LW-xxx, LX-xxxx, OW-xxx and OX-xxxx series) and special characteristics that have to be observed when logging on. 

Requirements:

Procedure:

1) Configuration steps on the access point:

1.1) Open the configuration of the access point in LANconfig and switch to the menu item Management → Admin → TACACS+ settings.

1.2) Change the following parameters:

  • Operating: From the drop-down menu, select the option Yes.
  • Server address: Enter the IP address of the primary TACACS+ server (in this example 192.168.10.100).
  • Server port: Check that the port is set to 49. If you have changed the port on the TACACS+ server, it must be set to the same port here.
  • Server secret: Enter the shared secret used to authenticate with the TACACS+ server (in this example secretkey). The secret must be identical on the access point and on the TACACS+ server. It is also the key from which TACACS+ derives the obfuscation of every packet body, including the user's password, so use a long, random secret in production rather than the example value.

You can add a backup server if required. This is used when the primary TACACS+ server is unreachable.

1.3) This concludes the configuration of TACACS+ on the access point. You can now write the configuration back to the device.
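The following Python script is an added example and is not part of this article or of LANCOM's software. It shows what the Server secret configured above actually protects: per RFC 8907, a TACACS+ client XORs every packet body with an MD5 keystream derived from the session ID, the shared secret, the version and the sequence number. The script builds the authentication START packet an access point would send for a PAP login, then de-obfuscates it with a small list of candidate secrets and keeps the first candidate that yields a structurally plausible START. The user name, password, port, remote address, session ID and candidate list are constructed for the example; only the secret secretkey comes from the article.

```python
"""TACACS+ (RFC 8907) authentication START: build, obfuscate, parse.

Added example, not LANCOM code. The body of every TACACS+ packet is XORed
with an MD5 keystream derived from the shared secret, so a guessable secret
lets a passive observer recover the password and requested privilege level
from a single captured packet.
"""
import hashlib
import struct

# Header constants from RFC 8907 section 4.1
VERSION = 0xC0           # major version 0xc, default minor version 0
TYPE_AUTHEN = 0x01       # authentication packet
FLAG_UNENCRYPTED = 0x01  # body sent in the clear (never use in production)

# Authentication START fields, RFC 8907 section 5.1
AUTHEN_ACTION_LOGIN = 0x01
AUTHEN_TYPE_PAP = 0x02   # password travels in the START data field
AUTHEN_SVC_LOGIN = 0x01


def pseudo_pad(session_id: bytes, key: bytes, version: int, seq_no: int, length: int) -> bytes:
    """Keystream per RFC 8907 section 4.5: chained MD5 over session_id, key, version, seq_no."""
    pad, prev = b"", b""
    while len(pad) < length:
        prev = hashlib.md5(session_id + key + bytes([version, seq_no]) + prev).digest()
        pad += prev
    return pad[:length]


def obfuscate(body: bytes, session_id: bytes, key: bytes, version: int, seq_no: int) -> bytes:
    """XOR the body with the pseudo pad; the same call de-obfuscates."""
    pad = pseudo_pad(session_id, key, version, seq_no, len(body))
    return bytes(b ^ p for b, p in zip(body, pad))


def build_authen_start(user: bytes, password: bytes, session_id: bytes, key: bytes,
                       priv_lvl: int = 1, port: bytes = b"tty0",
                       rem_addr: bytes = b"192.168.10.50") -> bytes:
    """Client -> server START packet (seq_no 1) for a PAP login."""
    seq_no = 1
    body = struct.pack("!8B", AUTHEN_ACTION_LOGIN, priv_lvl, AUTHEN_TYPE_PAP, AUTHEN_SVC_LOGIN,
                       len(user), len(port), len(rem_addr), len(password))
    body += user + port + rem_addr + password
    header = struct.pack("!BBBB4sI", VERSION, TYPE_AUTHEN, seq_no, 0, session_id, len(body))
    return header + obfuscate(body, session_id, key, VERSION, seq_no)


def parse_authen_start(packet: bytes, key: bytes):
    """De-obfuscate with `key` and parse; return None if the result is not a plausible START.

    The four length bytes must add up to the body size and the enum fields must
    be in range. A wrong key yields pseudo-random bytes that fail these checks
    (a false positive is possible but very unlikely).
    """
    version, ptype, seq_no, flags, session_id, length = struct.unpack("!BBBB4sI", packet[:12])
    body = packet[12:12 + length]
    if ptype != TYPE_AUTHEN or len(body) < 8:
        return None
    if not flags & FLAG_UNENCRYPTED:
        body = obfuscate(body, session_id, key, version, seq_no)
    action, priv_lvl, authen_type, service, ul, pl, rl, dl = struct.unpack("!8B", body[:8])
    if 8 + ul + pl + rl + dl != len(body):
        return None
    if action not in (1, 2, 3) or authen_type not in range(1, 7) or priv_lvl > 15 or service > 9:
        return None
    fields, off = [], 8
    for n in (ul, pl, rl, dl):
        fields.append(body[off:off + n])
        off += n
    user, port, rem_addr, data = fields
    return {"priv_lvl": priv_lvl, "user": user, "port": port, "rem_addr": rem_addr, "password": data}


def guess_secret(packet: bytes, candidates):
    """Offline dictionary check: the first candidate yielding a plausible START is the secret."""
    for cand in candidates:
        if parse_authen_start(packet, cand) is not None:
            return cand
    return None


# Constructed sample: the article's secret, a made-up user, password and session ID.
SESSION_ID = bytes.fromhex("1a2b3c4d")
SAMPLE_PACKET = build_authen_start(b"TACACS-User", b"Pa55w0rd!", SESSION_ID, b"secretkey")
CANDIDATES = [b"password", b"tacacs", b"cisco", b"secretkey"]

if __name__ == "__main__":
    found = guess_secret(SAMPLE_PACKET, CANDIDATES)
    print("recovered secret:", found)
    print("decoded START:", parse_authen_start(SAMPLE_PACKET, found))
```

The MD5 keystream is the only protection the password has on the wire, and RFC 8907 itself describes it as weak. In practice this means: use a long random secret, keep TCP port 49 between the access points and the TACACS+ server on a management network that untrusted hosts cannot sniff, and never enable the unencrypted flag outside a lab.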



2) Accessing and editing the device configuration:

When using TACACS+, WEBconfig is disabled and therefore cannot be used.

If the TACACS+ server grants privilege level 15, the user is given “root” permissions and no further authorization takes place for that user. Every other privilege level is treated identically: the level itself is ignored, and each action of such a user is subject to authorization by the TACACS+ server.


2.1) Accessing and editing the device configuration via LANconfig:

Without any restrictions on the TACACS user, they can make any changes with LANconfig. This differs from the implementation in LCOS, where login via LANconfig is only possible with the user “root”.

2.1.1) Enter your credentials in the LANconfig login mask:

  • Administrator: Enter the TACACS user (in this example TACACS-User).
  • Password: Enter the password for the TACACS user.

2.1.2) When TACACS+ is in use, LANconfig always displays a prompt asking whether the access credentials are correct when configuration changes are written. Confirm the message by clicking on Ignore.


2.2) Accessing and editing the device configuration from the command line:

Without any restrictions for the TACACS user, they can make any changes from the command line. This differs from the implementation in LCOS, where the user initially only has “read-only” permissions and can request extended rights via an “enable” password. 

2.2.1) On the command line, log in with the TACACS user name followed by the corresponding password.

2.2.2) If a restricted user executes a prohibited command (in this example the entire setup tree is locked), the message not allowed is displayed.