topic About Tacacs authorization and authentication in ExtremeSwitching (EXOS/Switch Engine)

About Tacacs authorization and authentication

Nusraddin — Sun, 04 Mar 2018 18:19:00 GMT

Hello,

We got demo Extreme network switch to our company for trying it. Actually we have all Cİsco switch and we manage them but we want to try extreme network switch.

We worked commands of Tacacs by demo extreme switch and i logged in with my username and password. But i cannot do nothing in the switch, i just readonly it. why ?

And you can see below about CİSCO command and EXTREME command. What's the different please help me about that ?
.
CİSCO:

tacacs-server host X.X.X.X key yyyy
tacacs-server host X.X.X.X key yyyy
tacacs-server directed-request

aaa new model
aaa authentication login use-tacacs group tacacs+ local enable
aaa authentication enable default group tacacs+ enable
aaa authorization exec use-tacacs group tacacs+ local
aaa accounting commands 0 default start-stop group tacacs+
aaa accounting commands 1 default start-stop group tacacs+
aaa accounting commands 15 default start-stop group tacacs+

EXTREME:

configure tacacs primary server X.X.X.X client-ip Z.Z.Z.Z vr "VR-Default"
configure tacacs primary shared-secret yyyy
configure tacacs secondary server T.T.T.T client-ip Z.Z.Z.Z vr "VR-Default"
configure tacacs secondary shared-secret yyyy
enable tacacs

configure tacacs-accounting primary server X.X.X.X client-ip Z.Z.Z.Z vr "VR-Default"
configure tacacs-accounting primary shared-secret yyyy
configure tacacs-accounting secondary server T.T.T.T client-ip Z.Z.Z.Z vr "VR-Default"
configure tacacs-accounting secondary shared-secret yyyy
enable tacacs-accounting

Thanks for your support

RE: About Tacacs authorization and authentication

Frank — Mon, 05 Mar 2018 16:31:00 GMT

Hello,

I don't see the line
enable tacacs-authorization
in your config. Could that be it?

If you have that line, then I think you might lack the appropriate "allow commands" lines on the tacacs server configuration. Since you mention you're used to run Cisco, I'm assuming you're using Cisco's TACACS+ server (or whatever it's called), and I don't know much about that one.
I'm using one of the open tacacs+ implementations, so my config will be different from yours.

RE: About Tacacs authorization and authentication

Nusraddin — Tue, 06 Mar 2018 13:07:00 GMT

Hello Frank,

i did "enable tacacs-authorization" but its still not working... I dont know what can i do about that ? Thanks for reply

RE: About Tacacs authorization and authentication

Frank — Tue, 06 Mar 2018 17:22:00 GMT

In that case I think there's something missing on the TACACS server.
In my config the "can do everything" user has these entries:

default service = permit
service = shell {
default command = permit
default attribute = permit
set priv-lvl = 15
set cvp-roles="network-admin"
}
But I'm also not using cisco-tacacs, so your syntax might be different. I think the "set priv-lvl" and "cvp-roles" entries are not used by Extreme, they are for other devices. I don't think Extreme has the "priv-lvl" concept in the way that cisco has it.

RE: About Tacacs authorization and authentication

Nusraddin — Tue, 06 Mar 2018 17:58:00 GMT

Hi Frank,

This script has worked and problem solved.. 🙂

Thanks for your support.

Re: RE: About Tacacs authorization and authentication

Mike84 — Tue, 19 Sep 2023 08:15:36 GMT

Hi Frank,

I am using the open tacacs+ implementation (tac_plus) too. I configured it as you showed within this thread but unfortunately it is not working for our Extreme switches running EXOS, they are always logging with user/exec level instead of admin/privileged level. Do you have any hint for me how to debug/solve this?