Description:
TACACS+ (Terminal Access Controller Access-Control System) is a protocol for authentication, authorization and accounting (AAA) of users. It provides access to the network only for certain users (authentication), it regulates the permissions of those users (authorization), and it logs user interactions (accounting) on the network. TACACS+ is an alternative to other AAA protocols such as RADIUS.
This article describes how to set up TACACS+ on an access point or router with LCOS and any special characteristics that have to be observed when logging on.
Requirements:
- LCOS as of version 9.24
- LANtools as of version 9.24
- Any browser for access via WEBconfig
- Any SSH client for command-line access (e.g. PuTTY)
Procedure:
1) Configuration steps on the access point / router:
Although TACACS+ can be set up via LANconfig or the configuration menu in WEBconfig, this only activates authentication. Authorization and accounting can only be activated via the command line or in the LCOS menu tree in WEBconfig. For this reason it makes sense to set up TACACS+ entirely from the command line.
The ongoing command-line session will not be terminated when TACACS+ is configured. This allows the commands to be entered individually without the risk of locking yourself out of the device.
1.1) Connect to the device via the command line and enter the command to add a TACACS+ server in the format add Setup/TACACS+/Server/{Server-Address} <IP address or DNS name of the TACACS+ server>.
A backup server can be configured if available. For this purpose, a second entry must be created in the path Setup/TACACS+/Server/. The second server then acts as a backup.
To do this, enter the command in the format add Setup/TACACS+/Server/{Server-Address} <IP address or DNS name of the backup TACACS+ server>.
1.2) Enter the command to set the shared secret in the format set Setup/TACACS+/Shared-Secret <Secret-Key>. The shared secret is used to authenticate the device to the TACACS+ server and must match the key configured on the server.
1.3) To enable authorization and accounting, enter the following commands. Authorization and accounting are optional.
set Setup/TACACS+/Authorisation activated
set Setup/TACACS+/Accounting activated
1.4) Finally, enter the command set Setup/Config/Authentication TACACS+ to use TACACS+ for authentication on the device.
Important TACACS+ parameters
Setup/Tacacs+/Fallback-to-local-users
The Fallback-to-local-users parameter controls whether the system falls back to the local users if none of the configured TACACS+ servers can be reached. In the default configuration, the fallback is allowed. While testing the server configuration it is advisable to leave the fallback enabled, so that an unreachable server or a mismatched shared secret does not lock you out of the device.
Authorization-Type
The parameter Authorization-Type controls whether each terminal command is authorized individually (Commands) or whether access is fully authorized once only (Shell). In the default configuration, each terminal command is authorized individually.
2) Accessing and editing the device configuration:
2.1) Accessing and editing the device configuration via LANconfig:
Configuring the device with LANconfig is only possible with the root user (the user root has Supervisor rights). On the TACACS+ server, therefore, the user root must be given the appropriate permissions.
If both the authentication and the authorization are to be used, the user root must be allowed to use the commands readconfig and writeconfig.
Enter your credentials in the LANconfig login mask:
- Administrator: Enter root. Unlike the regular login, using TACACS+ does not implicitly use the user root, which is why it must be entered manually.
- Password: Enter the password for the root user.
2.2) Access and edit the device configuration using WEBconfig:
If a normal user accesses the device configuration via WEBconfig (and not the root user), the user initially receives read-only rights only. No further commands can be executed. In order for the user to obtain extended permissions, the user or group must be assigned an “enable” password on the TACACS server.
2.2.1) Under Name, enter the name of the TACACS+ user and click Login.
2.2.2) Under Message to the TACACS+ Server, enter the password of the TACACS user and click Login.
2.2.3) Go to the menu Extras → Change Privilege Level.
2.2.4) Select the desired Privilege Level and enter the “enable” password. Then click Change level.
2.3) Accessing and editing the device configuration from the command line:
2.3.1) Access and edit the device configuration from the command line with authentication enabled:
If a normal user accesses the device configuration via the command line (and not the root user), the user initially receives read-only rights only. No further commands can be executed. In order for the user to obtain extended permissions, the user or group must be assigned an “enable” password on the TACACS server.
2.3.1.1) On the command line, enter the TACACS user followed by the corresponding password.
2.3.1.2) Enter the command enable followed by the “enable” password.
2.3.2) Access and edit the device configuration from the command line with authentication and authorization enabled:
With authorization enabled, all commands that are to be executed on the device must explicitly be stored in the TACACS+ server.
The enabled commands and arguments can be found on the following page in the Reference Manual:
If an unauthorized command is executed on the device, it displays the message Command execution prohibited by TACACS+.
3) Assigning rights under TACACS+:
TACACS+ uses privilege levels to separate users into different groups. For the local authorization of users via the “enable” command on the command line or via privilege levels under WEBconfig, the various administrator rights of LCOS are mapped to the TACACS+ privilege levels:
| TACACS+ privilege level | Administrator rights |
|---|---|
| 0 | No rights |
| 1 | Read-Only |
| 3 | Read-Write |
| 5 | Read-Only-Limited-Admin |
| 7 | Read-Write-Limited-Admin |
| 9 | Read-Only Admin |
| 11 | Read-Write Admin |
| 15 | Supervisor (Root) |
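As an added server-side example (not from the original article and not LANCOM's own configuration), the following configuration shows how the requirements from sections 2 and 3 could be expressed on a Shrubbery tac_plus-style TACACS+ server: the shared secret from step 1.2, the root user at level 15 with permission for readconfig and writeconfig, and a normal operator who starts at level 1 (Read-Only) and needs an “enable” password to raise the privilege level. The server software, the user names, the placeholder passwords and the ls command entry are assumptions.

```conf
# Added example: Shrubbery tac_plus-style configuration (assumed server type;
# not from the article). Placeholders must be replaced before use.

# Must match "set Setup/TACACS+/Shared-Secret <Secret-Key>" on the LCOS device.
key = "REPLACE-WITH-SHARED-SECRET"

# Accounting records, written when Setup/TACACS+/Accounting is activated.
accounting file = /var/log/tac_plus.acct

# root is the only user that can configure the device via LANconfig.
# Level 15 corresponds to Supervisor (Root) in the mapping table above.
user = root {
    # cleartext is used here for readability; des or PAM is preferable in production.
    login = cleartext "REPLACE-WITH-ROOT-PASSWORD"
    service = exec {
        priv-lvl = 15
    }
    # With Authorization-Type = Commands every command is authorized
    # individually; LANconfig requires readconfig and writeconfig.
    cmd = readconfig {
        permit .*
    }
    cmd = writeconfig {
        permit .*
    }
}

# A normal operator: logs in read-only (level 1) and must supply the
# "enable" password to change the privilege level in WEBconfig or with
# the enable command on the CLI. Everything not listed is denied.
group = operators {
    enable = cleartext "REPLACE-WITH-ENABLE-PASSWORD"
    service = exec {
        priv-lvl = 1
    }
    # Assumed example of a read-only command to permit; extend as required.
    cmd = ls {
        permit .*
    }
}

user = alice {
    member = operators
    login = cleartext "REPLACE-WITH-ALICE-PASSWORD"
}
```

A user or command that is missing from this file results in the device message Command execution prohibited by TACACS+ described in section 2.3.2, so keep the Fallback-to-local-users setting enabled until the command list has been verified.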