TACACS+ configuration


Userlevel 6
Hello, colleagues!

Earlier there was a post about TACACS conf - https://community.extremenetworks.com/extreme/topics/tacacs_server_setting_admin_setting-f140e
But now I have a question.
When I enable TACACS on the switch, I can't log in with a TACACS account (it is present on the TACACS server with max privilege).

Also a question - is there a possibility, for example, to log in to the switch via VR-Default with a TACACS account, and via VR-MGMT with a local account?

Thank you!

7 replies

Userlevel 7
Hi,

on the switch, I'd be expecting a config similar to this one:

sw1.1 # sh conf "aaa"
#
# Module aaa configuration.
#
configure tacacs primary server 192.168.56.2 49 client-ip 192.168.56.121 vr VR-Mgmt
configure tacacs primary shared-secret encrypted "ry{zfd"
enable tacacs
enable tacacs-authorization

On the TACACS+ server, I'd be expecting something similar to:

key = purple

##########################
#### Group Definition ####
##########################

group = admingroup {
    default service = permit
    service = exec {
        priv-lvl = 15
    }
}

group = readonly {
    default service = deny
    service = exec {
        priv-lvl = 1
    }
}

##########################
#### User Definition #####
##########################

user = stef {
    member = admingroup
    login = cleartext "extreme"
    name = "Stephane"
}

user = bdx8 {
    member = readonly
    login = des "bT.YIz5L3PG3Y"
    name = "BlackDiamond"
    cmd = show {
        deny ipconfig
        deny tacacs
        deny edp
    }
}
Userlevel 7
Hi Alexandr,
Are there any errors logged in the TACACS server or on the switch? In the past, I've done troubleshooting with Wireshark to watch the requests and responses to and from the server from the switch. That may help you see what is happening.

I'm not aware of any configuration to allow TACACS through VR-Default and local accounts on VR-MGMT.
Userlevel 6
Hello, Drew! I can log in to the switch, but I have user permissions ">", while on the TACACS server this account has admin privileges "15". Thank you!
Userlevel 7
Alexandr P wrote:

Hello, Drew! I can log in to the switch, but I have user permissions ">", while on the TACACS server this account has admin privileges "15". Thank you!

Were you ever able to get this resolved?
Userlevel 4
What is the username created in TACACS?
Could you paste just the current account configuration from the EXOS switch?
Userlevel 7
AlexandrP, with priv-lvl = 15 you must be logged in as an admin "#". You must have a mistake in your TACACS+ user config.

The examples I gave above were for TACACS+ running on an Ubuntu server and are working. The "Stef" user has admin privileges, the "Blackdiamond" user has only read-only access (>) and some commands are unavailable (like "sh edp").
For configuring TACACS+ we have a "Front End" system if anyone wanted to try it and provide feedback. We also offer a free TACACS VM server. The link is http://ironboxnetworks.com/

Thanks.

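A way to check, before touching the switch, which priv-lvl a tac_plus config like the one quoted above will actually hand back for a given user: an added Python example, not code from this thread or from tac_plus. It parses the config line by line (a simplification of the real tac_plus grammar, assumed here: one statement per line), walks the user's `member` chain, and maps priv-lvl 15 to the admin "#" prompt and anything else to ">" as the replies above describe; the sample config and the "nogroup" user (a user block that never inherits a `service = exec { priv-lvl = 15 }`, one form of the user-config mistake mentioned above) are constructed.

```python
def parse_tac_plus(text):
    # tac_plus-style config -> list of (key, value, children); children is a list for { } blocks.
    root, stack = [], []
    for raw in text.splitlines():
        line = raw.split('#', 1)[0].strip()       # drop comments (assumes no '#' inside values)
        if line == '}':
            stack.pop()
        elif line:
            opens = line.endswith('{')
            body = line.rstrip('{').strip()
            key, _, value = body.partition('=') if '=' in body else body.partition(' ')
            entry = (key.strip(), value.strip().strip('"\u201c\u201d'), [] if opens else None)
            (stack[-1] if stack else root).append(entry)
            if opens:
                stack.append(entry[2])
    return root

def _find(entries, key, value=None):
    return [e for e in entries if e[0] == key and value in (None, e[1])]

def exec_priv_lvl(cfg, user):
    # priv-lvl the server hands back for service = exec, checking the user block
    # first and then each group up its `member` chain; None if nothing sets it.
    seen, hits = set(), _find(cfg, 'user', user)
    while hits and hits[0][2] is not None and hits[0][:2] not in seen:
        key, name, block = hits[0]
        seen.add((key, name))                      # guards against cyclic membership
        for _, _, svc in _find(block, 'service', 'exec'):
            for _, v, _ in _find(svc or [], 'priv-lvl'):
                return int(v)
        members = _find(block, 'member')
        hits = _find(cfg, 'group', members[0][1]) if members else []

def exos_prompt(cfg, user):
    # '#' (admin) only for priv-lvl 15, '>' otherwise, as the replies above state (assumption for other levels).
    return '#' if exec_priv_lvl(cfg, user) == 15 else '>'

SAMPLE = """# constructed sample, condensed from the config quoted in this thread
group = admingroup {
    service = exec {
        priv-lvl = 15
    }
}
user = stef {
    member = admingroup
}
user = nogroup {     # no member line, so no priv-lvl: lands at the ">" prompt
}
"""
```

Run `exos_prompt(parse_tac_plus(SAMPLE), 'stef')` against your own user name on a copy of the server config; a ">" here means the user block never reaches a priv-lvl 15, which is worth fixing before looking at the switch side.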