
About Tacacs authorization and authentication


Hello,

We got a demo Extreme Networks switch for our company to try. Actually we have all Cisco switches and we manage them, but we want to try an Extreme Networks switch.

We entered the TACACS commands on the demo Extreme switch and I logged in with my username and password. But I cannot do anything on the switch, I only have read-only access. Why?

You can see the Cisco commands and the Extreme commands below. What's the difference? Please help me with that.

CISCO:

tacacs-server host X.X.X.X key yyyy
tacacs-server host X.X.X.X key yyyy
tacacs-server directed-request

aaa new-model
aaa authentication login use-tacacs group tacacs+ local enable
aaa authentication enable default group tacacs+ enable
aaa authorization exec use-tacacs group tacacs+ local
aaa accounting commands 0 default start-stop group tacacs+
aaa accounting commands 1 default start-stop group tacacs+
aaa accounting commands 15 default start-stop group tacacs+

EXTREME:

configure tacacs primary server X.X.X.X client-ip Z.Z.Z.Z vr "VR-Default"
configure tacacs primary shared-secret yyyy
configure tacacs secondary server T.T.T.T client-ip Z.Z.Z.Z vr "VR-Default"
configure tacacs secondary shared-secret yyyy
enable tacacs

configure tacacs-accounting primary server X.X.X.X client-ip Z.Z.Z.Z vr "VR-Default"
configure tacacs-accounting primary shared-secret yyyy
configure tacacs-accounting secondary server T.T.T.T client-ip Z.Z.Z.Z vr "VR-Default"
configure tacacs-accounting secondary shared-secret yyyy
enable tacacs-accounting

Thanks for your support
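Both configs above carry the same shared secret ("key yyyy" on the Cisco side, "shared-secret yyyy" on the Extreme side), and that secret is what TACACS+ uses to obfuscate every packet body between switch and server. The following Python is an added example, not code from the original post or from Extreme or Cisco. It assumes RFC 8907 framing, a fixed session ID and a constructed user name, port and client address, and it shows what a server sees when its copy of the secret does not match the switch's.

```python
"""TACACS+ (RFC 8907) packet framing and body obfuscation.

Added example, not code from the original thread or from Extreme/Cisco.
It builds an Authentication START packet for a login, obfuscates the body
with the shared secret, and decodes it once with the same secret and once
with a mismatched one. Session ID, user, port and client IP are constructed.
"""
import hashlib
import struct

# Header field values from RFC 8907.
TAC_PLUS_MAJOR_VER = 0xC
TAC_PLUS_MINOR_VER_DEFAULT = 0x0
TAC_PLUS_AUTHEN = 0x01                  # packet type: authentication
TAC_PLUS_UNENCRYPTED_FLAG = 0x01        # flag: body sent in clear (never do this)

# Authentication START body field values.
TAC_PLUS_AUTHEN_LOGIN = 0x01            # action
TAC_PLUS_AUTHEN_TYPE_ASCII = 0x01       # authen_type
TAC_PLUS_AUTHEN_SVC_LOGIN = 0x01        # authen_service


def pseudo_pad(session_id: int, key: bytes, version: int, seq_no: int, length: int) -> bytes:
    """MD5-chained pad from RFC 8907 section 4.5; both peers derive it from the same inputs."""
    prefix = struct.pack("!I", session_id) + key + bytes([version, seq_no])
    pad = b""
    prev = b""
    while len(pad) < length:
        prev = hashlib.md5(prefix + prev).digest()  # MD5_n includes MD5_(n-1)
        pad += prev
    return pad[:length]


def obfuscate(body: bytes, session_id: int, key: bytes, version: int, seq_no: int) -> bytes:
    """XOR the body with the pad. Symmetric: applying it twice restores the body."""
    pad = pseudo_pad(session_id, key, version, seq_no, len(body))
    return bytes(b ^ p for b, p in zip(body, pad))


def authen_start_body(user: str, port: str, rem_addr: str, priv_lvl: int = 1) -> bytes:
    """Authentication START body: eight one-byte fields, then the variable-length strings."""
    u, p, r, d = user.encode(), port.encode(), rem_addr.encode(), b""
    fixed = struct.pack("!BBBBBBBB", TAC_PLUS_AUTHEN_LOGIN, priv_lvl,
                        TAC_PLUS_AUTHEN_TYPE_ASCII, TAC_PLUS_AUTHEN_SVC_LOGIN,
                        len(u), len(p), len(r), len(d))
    return fixed + u + p + r + d


def build_packet(body: bytes, session_id: int, key: bytes, seq_no: int = 1) -> bytes:
    """12-byte header (sent in clear) followed by the obfuscated body."""
    version = (TAC_PLUS_MAJOR_VER << 4) | TAC_PLUS_MINOR_VER_DEFAULT
    flags = 0x00                        # body obfuscated, no single-connect
    header = struct.pack("!BBBBII", version, TAC_PLUS_AUTHEN, seq_no, flags,
                         session_id, len(body))
    return header + obfuscate(body, session_id, key, version, seq_no)


def parse_packet(packet: bytes, key: bytes) -> dict:
    """Split the header, de-obfuscate with our copy of the secret, decode the START body."""
    version, ptype, seq_no, flags, session_id, length = struct.unpack("!BBBBII", packet[:12])
    body = packet[12:12 + length]
    if not flags & TAC_PLUS_UNENCRYPTED_FLAG:
        body = obfuscate(body, session_id, key, version, seq_no)
    action, priv_lvl, _authen_type, _service, ul, pl, rl, _dl = struct.unpack("!BBBBBBBB", body[:8])
    off = 8
    user = body[off:off + ul]
    off += ul
    port = body[off:off + pl]
    off += pl
    rem_addr = body[off:off + rl]
    return {"type": ptype, "seq_no": seq_no, "session_id": session_id,
            "action": action, "priv_lvl": priv_lvl,
            "user": user, "port": port, "rem_addr": rem_addr}


def demo():
    """Encode one login START and decode it with the right and a wrong secret."""
    session_id = 0x1234ABCD                # constructed, fixed for reproducibility
    key = b"yyyy"                          # the placeholder secret from the posted configs
    body = authen_start_body("netadmin", "ssh", "Z.Z.Z.Z")
    pkt = build_packet(body, session_id, key)
    good = parse_packet(pkt, key)          # server configured with the same secret
    bad = parse_packet(pkt, b"wrong")      # server configured with a mismatched secret
    return good, bad


if __name__ == "__main__":
    good, bad = demo()
    print("same secret  ->", good["user"], good["port"], good["rem_addr"])
    print("wrong secret ->", bad["user"][:16])
```

With a mismatched secret the server cannot tell that the key is wrong; it simply decodes nonsense, typically logs a malformed-packet error and the switch sees a failed login or a timeout, which is the first thing to check when a new TACACS+ client "sees" the server but never authenticates. Note that this MD5 XOR scheme is obfuscation, not authenticated encryption; RFC 8907 says as much, which is why the secret should be long and random and the server reachable only from the management network.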

Hello,

I don't see the line
enable tacacs-authorization
in your config. Could that be it?

If you have that line, then I think you might lack the appropriate "allow commands" lines on the TACACS server configuration. Since you mention you're used to running Cisco, I'm assuming you're using Cisco's TACACS+ server (or whatever it's called), and I don't know much about that one.
I'm using one of the open tacacs+ implementations, so my config will be different from yours.
Hello Frank,

I did "enable tacacs-authorization" but it's still not working... I don't know what I can do about that? Thanks for the reply.
In that case I think there's something missing on the TACACS server.
In my config the "can do everything" user has these entries:

default service = permit            # permit any service not listed explicitly
service = shell {
    default command = permit        # permit every command
    default attribute = permit      # permit every attribute
    set priv-lvl = 15
    set cvp-roles="network-admin"
}
But I'm also not using cisco-tacacs, so your syntax might be different. I think the "set priv-lvl" and "cvp-roles" entries are not used by Extreme, they are for other devices. I don't think Extreme has the "priv-lvl" concept in the way that cisco has it.
Hi Frank,

This script has worked and the problem is solved. 🙂

Thanks for your support.
