About Tacacs authorization and authentication

  • Problem
  • Updated 8 months ago
  • Solved
Hello,

We got a demo Extreme Networks switch for our company to try it out. Actually all our switches are Cisco and we manage them, but we want to try an Extreme Networks switch.

We configured the TACACS commands on the demo Extreme switch and I logged in with my username and password. But I cannot do anything on the switch; I only have read-only access. Why?

You can see the CISCO commands and the EXTREME commands below. What is the difference? Please help me with that.

CISCO:

tacacs-server host X.X.X.X key yyyy
tacacs-server host X.X.X.X key yyyy
tacacs-server directed-request

aaa new-model
aaa authentication login use-tacacs group tacacs+ local enable
aaa authentication enable default group tacacs+ enable
aaa authorization exec use-tacacs group tacacs+ local
aaa accounting commands 0 default start-stop group tacacs+
aaa accounting commands 1 default start-stop group tacacs+
aaa accounting commands 15 default start-stop group tacacs+

EXTREME:

configure tacacs primary server X.X.X.X client-ip Z.Z.Z.Z vr "VR-Default"
configure tacacs primary shared-secret yyyy
configure tacacs secondary server T.T.T.T client-ip Z.Z.Z.Z vr "VR-Default"
configure tacacs secondary shared-secret yyyy
enable tacacs


configure tacacs-accounting primary server X.X.X.X client-ip Z.Z.Z.Z vr "VR-Default"
configure tacacs-accounting primary shared-secret yyyy
configure tacacs-accounting secondary server T.T.T.T client-ip Z.Z.Z.Z vr "VR-Default"
configure tacacs-accounting secondary shared-secret yyyy
enable tacacs-accounting



Thanks for your support
Nusraddin

Posted 8 months ago

Frank
Hello,

I don't see the line
   enable tacacs-authorization
in your config. Could that be it?

If you have that line, then I think you might lack the appropriate "allow commands" lines in the TACACS server configuration. Since you mention you're used to running Cisco, I'm assuming you're using Cisco's TACACS+ server (or whatever it's called), and I don't know much about that one.
I'm using one of the open TACACS+ implementations, so my config will be different from yours.
Nusraddin
Hello Frank,

I did "enable tacacs-authorization" but it's still not working... I don't know what I can do about that? Thanks for the reply.
Frank
In that case I think there's something missing on the TACACS server.
In my config the "can do everything" user has these entries:

        default service = permit
        service = shell {
                default command = permit
                default attribute = permit
                set priv-lvl = 15
                set cvp-roles="network-admin"
        }

But I'm also not using cisco-tacacs, so your syntax might be different. I think the "set priv-lvl" and "cvp-roles" entries are not used by Extreme, they are for other devices. I don't think Extreme has the "priv-lvl" concept in the way that cisco has it.
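To make the "missing allow commands" point concrete, here is a small model of per-command authorization as a TACACS+ server does it for the shell service. This is an added illustration, not Frank's server config or any real server's code: the policy evaluator, its first-match-wins semantics, and the three example users (ADMIN, READONLY, OPERATOR) are constructed for this example and only imitate the open tac_plus-style behaviour. The switch sends each command line to the server; whatever the server does not explicitly permit falls through to the default, and a default of deny is what leaves a logged-in user unable to change anything.

```python
import re
from dataclasses import dataclass, field

# Constructed model of a TACACS+ "service = shell" command-authorization policy.
# It is a simplified imitation of how open tac_plus-style servers decide per
# command, not the real server's parser; every policy below is made up.


@dataclass
class ShellPolicy:
    # Answer used when the command keyword has no rule at all
    # (the counterpart of "default command = permit/deny").
    default_cmd: str = "deny"
    # keyword -> ordered list of (action, regex) pairs tested against the
    # argument string; the first matching pair wins. An empty list means the
    # keyword is allowed with any arguments.
    rules: dict = field(default_factory=dict)


def authorize(policy: ShellPolicy, line: str) -> str:
    """Return 'permit' or 'deny' for one command line the switch asks about."""
    parts = line.strip().split(None, 1)
    if not parts:
        return "deny"
    keyword = parts[0]
    args = parts[1] if len(parts) > 1 else ""
    if keyword not in policy.rules:
        return policy.default_cmd
    arg_rules = policy.rules[keyword]
    if not arg_rules:
        return "permit"
    for action, pattern in arg_rules:
        if re.search(pattern, args):
            return action
    # Keyword is listed but no argument pattern matched: fail closed.
    return "deny"


# Counterpart of the "default command = permit" entry: everything passes.
ADMIN = ShellPolicy(default_cmd="permit")

# Only "show" is allowed; every other keyword falls through to the default
# deny, which is the read-only experience described in the question.
READONLY = ShellPolicy(default_cmd="deny", rules={"show": []})

# A limited operator: may view and save, may touch VLANs, but is explicitly
# denied any other "configure" line (so the AAA settings stay untouched).
OPERATOR = ShellPolicy(
    default_cmd="deny",
    rules={
        "show": [],
        "save": [],
        "configure": [("permit", r"^vlan\b"), ("deny", r".*")],
    },
)

# Constructed EXOS-style command lines a switch might submit for authorization.
SAMPLE_COMMANDS = [
    "show switch",
    "configure vlan Default add ports 1",
    "configure tacacs primary shared-secret yyyy",
    "enable tacacs-authorization",
    "reboot",
]


def decisions(policy: ShellPolicy) -> dict:
    """Map each sample command to the verdict this policy gives it."""
    return {cmd: authorize(policy, cmd) for cmd in SAMPLE_COMMANDS}


if __name__ == "__main__":
    for name, policy in (("admin", ADMIN), ("readonly", READONLY), ("operator", OPERATOR)):
        print(name)
        for cmd, verdict in decisions(policy).items():
            print(f"  {verdict:6} {cmd}")
```

Running it prints one verdict per sample command for each of the three users; the READONLY column shows exactly how a user with no permit entries beyond "show" ends up unable to configure anything, even though authentication succeeded.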
Nusraddin
Hi Frank,

This config has worked and the problem is solved. :)

Thanks for your support.