topic RE: TACACS+ configuration in ExtremeSwitching (EXOS/Switch Engine)

TACACS+ configuration

Alexandr_P — Fri, 05 Dec 2014 21:55:00 GMT

Hello, colleagues!

Earlier was post about TACACS conf - https://community.extremenetworks.com/extreme/topics/tacacs_server_setting_admin_setting-f140e
But now I have question.
When I enable TACACS on switch, I can't login with TACACS account (is present in TACACS server with max priviledge)

Also question - is there possibility, for example, in VR-Default login on switch with TACACS account, in VR-MGMT login on switch with local account?

Thank you!

RE: TACACS+ configuration

Stephane_Grosj1 — Fri, 05 Dec 2014 22:56:00 GMT

Hi,

on the switch, I'd be expecting a config similar to this one:

sw1.1 # sh conf "aaa"
#
# Module aaa configuration.
#
configure tacacs primary server 192.168.56.2 49 client-ip 192.168.56.121 vr VR-Mgmt
configure tacacs primary shared-secret encrypted "ry{zfd"
enable tacacs
enable tacacs-authorization

On the TACACS+ server, I'd be expecting something similar to:

key = purple

##########################
#### Group Definition ####
##########################

group = admingroup {
default service = permit
service = exec {
priv-lvl = 15
}
}

group = readonly {
default service = deny
service = exec {
priv-lvl = 1
}
}

##########################
#### User Definition #####
##########################

user = stef {
member = admingroup
login = cleartext "extreme"
name = "Stephane"
}

user = bdx8 {
member = readonly
login = des “bT.YIz5L3PG3Y”
name = “BlackDiamond”
cmd = show {
deny ipconfig
deny tacacs
deny edp
}
}

RE: TACACS+ configuration

Drew_C — Fri, 05 Dec 2014 23:08:00 GMT

Hi Alexandr,
Are there any errors logged in the TACACS server or on the switch? In the past, I've done troubleshooting with Wireshark to watch the requests and responses to and from the server from the switch. That may help you see what is happening.

I'm not aware of any configuration to allow TACACS through VR-Default and local accounts on VR-MGMT.

RE: TACACS+ configuration

Alexandr_P — Sat, 06 Dec 2014 00:18:00 GMT

Hello, Drew! I can login to switch, but I have user's permissions ">", but in TACACS server this account have admin privileges "15" Thank you!

RE: TACACS+ configuration

Drew_C — Sat, 06 Dec 2014 00:18:00 GMT

Were you ever able to get this resolved?

RE: TACACS+ configuration

PARTHIBAN_CHINN — Sat, 06 Dec 2014 21:20:00 GMT

what is the username created in tacacs?
Could you paste the current account configuration alone from the exos switch.

RE: TACACS+ configuration

Stephane_Grosj1 — Sun, 07 Dec 2014 17:44:00 GMT

AlexandrP, with priv-lvl = 15 you must be logged as an admin "#". You must have a mistake in your TACACS+ user config.

The examples I gave above were for TACACS+ running on a Ubuntu server and are working. The "Stef" user has admin privileges, the "Blackdiamond" user has only read-only access (>) and some commands are unavailable (like "sh edp").

RE: TACACS+ configuration

Ironbox_Support — Sun, 11 Oct 2015 21:09:00 GMT

For configuring TACACS+ we have a "Front End" system if anyone wanted to try it and provide feedback. We also offer a free TACACS VM server. The link is http://ironboxnetworks.com/

Thanks.