TACACS+ configuration

Question, answered, updated 3 years ago
Hello, colleagues!

Earlier there was a post about TACACS configuration: https://community.extremenetworks.com/extreme/topics/tacacs_server_setting_admin_setting-f140e
But now I have a question.
When I enable TACACS on the switch, I can't log in with a TACACS account (it is present on the TACACS server with max privilege).

Also a question: is there a possibility, for example, to log in to the switch in VR-Default with a TACACS account and in VR-MGMT with a local account?

Thank you!
Alexandr P, Embassador
Posted 4 years ago

Grosjean, Stephane, Employee
Hi,

On the switch, I'd be expecting a config similar to this one:

sw1.1 # sh conf "aaa"
#
# Module aaa configuration.
#
configure tacacs primary server 192.168.56.2 49 client-ip 192.168.56.121 vr VR-Mgmt
configure tacacs primary shared-secret encrypted "ry{zfd"
enable tacacs
enable tacacs-authorization

On the TACACS+ server, I'd be expecting something similar to:

key = purple

##########################
#### Group Definition ####
##########################

group = admingroup {
    default service = permit
    service = exec {
        priv-lvl = 15
    }
}

group = readonly {
    default service = deny
    service = exec {
        priv-lvl = 1
    }
}


##########################
#### User Definition #####
##########################

user = stef {
    member = admingroup
    login = cleartext "extreme"
    name = "Stephane"
}

user = bdx8 {
    member = readonly
    login = des "bT.YIz5L3PG3Y"
    name = "BlackDiamond"
    cmd = show {
        deny ipconfig
        deny tacacs
        deny edp
    }
}
Drew C., Community Manager
Hi Alexandr,
Are there any errors logged on the TACACS server or on the switch? In the past, I've done troubleshooting with Wireshark to watch the requests and responses between the switch and the server. That may help you see what is happening.

I'm not aware of any configuration to allow TACACS through VR-Default and local accounts on VR-MGMT.
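Added example (Python, not from Drew's post and not Extreme or Wireshark code): what the capture Drew suggests actually carries on the wire. A TACACS+ packet has a 12-byte cleartext header, and the body is XORed with an MD5 keystream derived from the shared secret (RFC 8907 calls this obfuscation rather than encryption), so Wireshark can only show usernames and privilege levels for your own switch once it is given the same shared secret the switch was configured with. The session id, username and port below are constructed values; the secret "purple" and the client IP 192.168.56.121 are the ones from Stephane's example config.

```python
"""Added example, not from the thread: build and decode a TACACS+
authentication START packet (RFC 8907) to show what a capture of the
switch-to-server exchange contains and why the shared secret is needed to
read the body."""
import hashlib
import struct

# Constants from RFC 8907 (header version 0xc0 = major 12, minor 0).
VERSION = 0xC0
TAC_PLUS_AUTHEN = 0x01            # packet type: authentication
TAC_PLUS_UNENCRYPTED_FLAG = 0x01  # set only when the body is sent in the clear
TAC_PLUS_AUTHEN_LOGIN = 0x01      # action
TAC_PLUS_AUTHEN_TYPE_ASCII = 0x01
TAC_PLUS_AUTHEN_SVC_LOGIN = 0x01
HEADER = "!BBBBII"                # version, type, seq_no, flags, session_id, length


def pseudo_pad(session_id: int, key: bytes, version: int, seq_no: int, length: int) -> bytes:
    """RFC 8907 section 4.5: chained MD5 over session_id, key, version and
    seq_no (each round also feeds in the previous digest), concatenated and
    truncated to the body length."""
    prefix = struct.pack("!I", session_id) + key + bytes([version, seq_no])
    pad, prev = b"", b""
    while len(pad) < length:
        prev = hashlib.md5(prefix + prev).digest()
        pad += prev
    return pad[:length]


def obfuscate(body: bytes, session_id: int, key: bytes, version: int, seq_no: int) -> bytes:
    """XOR the body with the pseudo-pad; applying it twice restores the body."""
    pad = pseudo_pad(session_id, key, version, seq_no, len(body))
    return bytes(b ^ p for b, p in zip(body, pad))


def build_authen_start(session_id: int, key: bytes, user: bytes, port: bytes,
                       rem_addr: bytes, priv_lvl: int = 1, seq_no: int = 1) -> bytes:
    """Client's first packet of an ASCII login: an 8-byte fixed body prefix
    followed by the variable-length user, port, rem_addr and (empty) data."""
    body = struct.pack("!8B", TAC_PLUS_AUTHEN_LOGIN, priv_lvl, TAC_PLUS_AUTHEN_TYPE_ASCII,
                       TAC_PLUS_AUTHEN_SVC_LOGIN, len(user), len(port), len(rem_addr), 0)
    body += user + port + rem_addr
    header = struct.pack(HEADER, VERSION, TAC_PLUS_AUTHEN, seq_no, 0, session_id, len(body))
    return header + obfuscate(body, session_id, key, VERSION, seq_no)


def parse_authen_start(packet: bytes, key: bytes) -> dict:
    """Decode a captured START packet. The header is always readable; the body
    only decodes correctly with the shared secret the switch used."""
    version, ptype, seq_no, flags, session_id, length = struct.unpack(HEADER, packet[:12])
    body = packet[12:12 + length]
    if not flags & TAC_PLUS_UNENCRYPTED_FLAG:
        body = obfuscate(body, session_id, key, version, seq_no)
    action, priv_lvl, authen_type, service, ulen, plen, rlen, dlen = struct.unpack("!8B", body[:8])
    off, fields = 8, {}
    for name, n in (("user", ulen), ("port", plen), ("rem_addr", rlen), ("data", dlen)):
        fields[name] = body[off:off + n].decode("ascii", errors="replace")
        off += n
    return {"session_id": session_id, "seq_no": seq_no, "type": ptype, "action": action,
            "priv_lvl": priv_lvl, "authen_type": authen_type, "service": service, **fields}


if __name__ == "__main__":
    # Constructed values: thread's secret and client IP, made-up session id/user/port.
    pkt = build_authen_start(0x1A2B3C4D, b"purple", b"alex", b"tty0", b"192.168.56.121", priv_lvl=15)
    print("right secret:", parse_authen_start(pkt, b"purple"))
    print("wrong secret, user field:", parse_authen_start(pkt, b"wrong")["user"])
```

Two things to keep in mind when reading such a capture: a body decoded with the wrong secret is not rejected, it simply comes out as garbage, so a mismatch between `configure tacacs primary shared-secret` and the server's `key` shows up as unreadable bodies rather than as an error; and the `priv_lvl` in the START packet is the level the switch asks to authenticate at, while the level the user ends up with (the `priv-lvl = 15` under `service = exec`) comes back in the separate authorization exchange.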
Alexandr P, Embassador
Hello, Drew!

I can log in to the switch, but I have user permissions (">"), while on the TACACS server this account has admin privileges ("15").

Thank you!
Drew C., Community Manager
Were you ever able to get this resolved?
PARTHIBAN CHINNAYA, Alum
What is the username created in TACACS?
Could you paste just the current account configuration from the EXOS switch?
Grosjean, Stephane, Employee
Alexandr P, with priv-lvl = 15 you must be logged in as an admin ("#"). You must have a mistake in your TACACS+ user config.

The examples I gave above were for TACACS+ running on an Ubuntu server and are working. The "Stef" user has admin privileges, the "Blackdiamond" user has only read-only access (">") and some commands are unavailable (like "sh edp").
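Added example (Python, not from Stephane's post and not part of any TACACS+ daemon): a small parser for the tac_plus-style config shown earlier in the thread that follows each user's `member` chain and reports the exec `priv-lvl` the user will actually be granted, plus any `show` commands denied along the way. This is the check Stephane's diagnosis calls for: a user who lands at ">" instead of "#" is usually a member of the wrong group, and the script names the group that set the level. The config text is constructed from the thread's two groups and two users, with an added hypothetical user `alex` placed in the readonly group by mistake; the prompt mapping (15 gives "#", anything else gives ">") follows what the thread states for EXOS, and the assumption that a user's own setting overrides its group's is the example's, not something the thread says.

```python
"""Added example, not from the thread or from any TACACS+ daemon: parse a
tac_plus-style configuration and resolve each user's effective exec priv-lvl
through the user -> group chain, so a user who gets the '>' prompt can be
traced to the definition that set priv-lvl = 1."""

# Constructed sample: Stephane's groups and users, plus a hypothetical user
# 'alex' that was put in the readonly group by mistake.
SAMPLE_CONFIG = """
key = purple

#### Group Definition ####
group = admingroup {
    default service = permit
    service = exec {
        priv-lvl = 15
    }
}
group = readonly {
    default service = deny
    service = exec {
        priv-lvl = 1
    }
}

#### User Definition ####
user = stef {
    member = admingroup
    login = cleartext "extreme"
    name = "Stephane"
}
user = bdx8 {
    member = readonly
    login = des "bT.YIz5L3PG3Y"
    name = "BlackDiamond"
    cmd = show {
        deny ipconfig
        deny tacacs
        deny edp
    }
}
user = alex {
    member = readonly
    login = cleartext "constructed-password"
}
"""


def _unquote(value: str) -> str:
    """Strip one pair of surrounding double quotes, if present."""
    return value[1:-1] if len(value) >= 2 and value[0] == value[-1] == '"' else value


def parse_tacplus(text: str) -> dict:
    """Turn 'kind = name { ... }' blocks into nested dicts. 'key = value' lines
    become entries; bare 'deny x' / 'permit x' lines inside a cmd block are
    collected into lists. '#' starts a comment, as in tac_plus."""
    root, stack = {}, []
    stack.append(root)
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        if line == "}":
            stack.pop()
        elif line.endswith("{"):
            kind, _, name = line[:-1].partition("=")
            block = {}
            stack[-1].setdefault(kind.strip(), {})[name.strip()] = block
            stack.append(block)
        elif "=" in line:
            key, _, value = line.partition("=")
            stack[-1][key.strip()] = _unquote(value.strip())
        else:
            verb, _, arg = line.partition(" ")
            stack[-1].setdefault(verb, []).append(arg.strip())
    return root


def effective_exec(cfg: dict, username: str):
    """Resolve the exec priv-lvl and denied 'show' commands for one user.
    Returns None for an unknown user."""
    user = cfg.get("user", {}).get(username)
    if user is None:
        return None
    # Follow user -> group -> parent group membership, guarding against loops.
    chain, seen, node = [("user", username, user)], set(), user
    while node.get("member") and node["member"] not in seen:
        gname = node["member"]
        seen.add(gname)
        node = cfg.get("group", {}).get(gname, {})
        chain.append(("group", gname, node))
    priv, source = None, None
    for kind, name, node in chain:
        lvl = node.get("service", {}).get("exec", {}).get("priv-lvl")
        if lvl is not None:
            priv, source = int(lvl), f"{kind} {name}"
            break  # assumption: the nearest definition (user before group) wins
    denied = [c for _, _, n in chain for c in n.get("cmd", {}).get("show", {}).get("deny", [])]
    # EXOS mapping as stated in the thread: priv-lvl 15 -> admin '#', else user '>'.
    return {"priv_lvl": priv, "prompt": "#" if priv == 15 else ">",
            "source": source, "denied_show": denied}


def audit(cfg: dict) -> dict:
    """Effective exec result for every user in the config."""
    return {u: effective_exec(cfg, u) for u in cfg.get("user", {})}


if __name__ == "__main__":
    for user, res in audit(parse_tacplus(SAMPLE_CONFIG)).items():
        print(f"{user:6} prompt {res['prompt']}  priv-lvl {res['priv_lvl']} from {res['source']}"
              f"  denied show: {res['denied_show']}")
```

Running it against the sample lists `stef` at "#" from `group admingroup`, and both `bdx8` and `alex` at ">" from `group readonly`, which is exactly the symptom in the thread when the account was expected to be an admin: the fix is on the server side, in the user's `member` line or the group's `priv-lvl`, not on the switch.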
Ironbox Support
For configuring TACACS+ we have a "Front End" system if anyone wants to try it and provide feedback. We also offer a free TACACS VM server. The link is http://ironboxnetworks.com/

Thanks.