ExtremeSwitching (EXOS)


About Tacacs authorization and authentication

  • 1.  About Tacacs authorization and authentication

    Posted 03-04-2018 10:19
    Hello,

    We got a demo Extreme Networks switch at our company to try it out. Actually, all of our switches are Cisco and we manage them, but we want to try an Extreme Networks switch.

    We applied the TACACS commands on the demo Extreme switch and I logged in with my username and password. But I cannot do anything on the switch; I only have read-only access. Why?

    Below you can see the Cisco commands and the Extreme commands. What is the difference? Please help me with that.

    CISCO:

    tacacs-server host X.X.X.X key yyyy
    tacacs-server host X.X.X.X key yyyy
    tacacs-server directed-request

    aaa new-model
    aaa authentication login use-tacacs group tacacs+ local enable
    aaa authentication enable default group tacacs+ enable
    aaa authorization exec use-tacacs group tacacs+ local
    aaa accounting commands 0 default start-stop group tacacs+
    aaa accounting commands 1 default start-stop group tacacs+
    aaa accounting commands 15 default start-stop group tacacs+

    EXTREME:

    configure tacacs primary server X.X.X.X client-ip Z.Z.Z.Z vr "VR-Default"
    configure tacacs primary shared-secret yyyy
    configure tacacs secondary server T.T.T.T client-ip Z.Z.Z.Z vr "VR-Default"
    configure tacacs secondary shared-secret yyyy
    enable tacacs

    configure tacacs-accounting primary server X.X.X.X client-ip Z.Z.Z.Z vr "VR-Default"
    configure tacacs-accounting primary shared-secret yyyy
    configure tacacs-accounting secondary server T.T.T.T client-ip Z.Z.Z.Z vr "VR-Default"
    configure tacacs-accounting secondary shared-secret yyyy
    enable tacacs-accounting

    Thanks for your support


  • 2.  RE: About Tacacs authorization and authentication

    Posted 03-05-2018 08:31
    Hello,

    I don't see the line
    enable tacacs-authorization
    in your config. Could that be it?

    If you have that line, then I think you might lack the appropriate "allow commands" lines in the TACACS server configuration. Since you mention you're used to running Cisco, I'm assuming you're using Cisco's TACACS+ server (or whatever it's called), and I don't know much about that one.
    I'm using one of the open tacacs+ implementations, so my config will be different from yours.
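
A quick way to check a saved switch configuration for the gap discussed above (added example, not part of the original posts). The command names come from the thread; `audit_tacacs` is a hypothetical helper, and the sample configuration is constructed from the first post with placeholder addresses and secret.

```python
import re

# EXOS TACACS+ functions and the "enable" command for each,
# using the command names that appear in this thread.
FUNCTIONS = {
    "authentication": "enable tacacs",
    "authorization": "enable tacacs-authorization",
    "accounting": "enable tacacs-accounting",
}
# Command prefixes whose server entries also need a shared secret.
SERVER_PREFIXES = ("configure tacacs", "configure tacacs-accounting")

# Constructed sample: the switch config from the first post, placeholder values.
SAMPLE = """
configure tacacs primary server 192.0.2.10 client-ip 192.0.2.1 vr "VR-Default"
configure tacacs primary shared-secret EXAMPLE
configure tacacs secondary server 192.0.2.11 client-ip 192.0.2.1 vr "VR-Default"
configure tacacs secondary shared-secret EXAMPLE
enable tacacs
configure tacacs-accounting primary server 192.0.2.10 client-ip 192.0.2.1 vr "VR-Default"
configure tacacs-accounting primary shared-secret EXAMPLE
enable tacacs-accounting
"""


def audit_tacacs(config_text):
    """Return (enabled, findings) for the TACACS+ lines of an EXOS config."""
    lines = [re.sub(r"\s+", " ", ln.strip()) for ln in config_text.splitlines()]
    lines = [ln for ln in lines if ln and not ln.startswith("#")]
    # A function counts as enabled only if its exact enable command is present.
    enabled = {name: cmd in lines for name, cmd in FUNCTIONS.items()}
    findings = [f"{name} is off: '{cmd}' not found"
                for name, cmd in FUNCTIONS.items() if not enabled[name]]
    for prefix in SERVER_PREFIXES:
        for role in ("primary", "secondary"):
            has_server = any(ln.startswith(f"{prefix} {role} server ") for ln in lines)
            has_secret = any(ln.startswith(f"{prefix} {role} shared-secret ") for ln in lines)
            if has_server != has_secret:  # one half of the pair is missing
                findings.append(f"{prefix} {role}: server and shared-secret must both be set")
    return enabled, findings


if __name__ == "__main__":
    state, problems = audit_tacacs(SAMPLE)
    print(state)
    for problem in problems:
        print("FINDING:", problem)
```
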



  • 3.  RE: About Tacacs authorization and authentication

    Posted 03-06-2018 05:07
    Hello Frank,

    I did "enable tacacs-authorization" but it's still not working... I don't know what I can do about that. Thanks for the reply.


  • 4.  RE: About Tacacs authorization and authentication

    Posted 03-06-2018 09:22
    In that case I think there's something missing on the TACACS server.
    In my config the "can do everything" user has these entries:

    default service = permit
    service = shell {
        default command = permit
        default attribute = permit
        set priv-lvl = 15
        set cvp-roles="network-admin"
    }

    But I'm also not using cisco-tacacs, so your syntax might be different. I think the "set priv-lvl" and "cvp-roles" entries are not used by Extreme, they are for other devices. I don't think Extreme has the "priv-lvl" concept in the way that Cisco has it.



  • 5.  RE: About Tacacs authorization and authentication

    Posted 03-06-2018 09:58
    Hi Frank,

    This script worked and the problem is solved. :)

    Thanks for your support.