About Tacacs authorization and authentication
‎03-04-2018 10:19 AM
Hello,
We got a demo Extreme Networks switch for our company to try it out. Actually we have all Cisco switches and we manage them, but we want to try an Extreme Networks switch.
We worked through the TACACS commands on the demo Extreme switch and I logged in with my username and password. But I cannot do anything in the switch, I just have read-only access. Why?
You can see the Cisco commands and the Extreme commands below. What's the difference? Please help me with that.
CISCO:
tacacs-server host X.X.X.X key yyyy
tacacs-server host X.X.X.X key yyyy
tacacs-server directed-request
aaa new-model
aaa authentication login use-tacacs group tacacs+ local enable
aaa authentication enable default group tacacs+ enable
aaa authorization exec use-tacacs group tacacs+ local
aaa accounting commands 0 default start-stop group tacacs+
aaa accounting commands 1 default start-stop group tacacs+
aaa accounting commands 15 default start-stop group tacacs+
EXTREME:
configure tacacs primary server X.X.X.X client-ip Z.Z.Z.Z vr "VR-Default"
configure tacacs primary shared-secret yyyy
configure tacacs secondary server T.T.T.T client-ip Z.Z.Z.Z vr "VR-Default"
configure tacacs secondary shared-secret yyyy
enable tacacs
configure tacacs-accounting primary server X.X.X.X client-ip Z.Z.Z.Z vr "VR-Default"
configure tacacs-accounting primary shared-secret yyyy
configure tacacs-accounting secondary server T.T.T.T client-ip Z.Z.Z.Z vr "VR-Default"
configure tacacs-accounting secondary shared-secret yyyy
enable tacacs-accounting
Thanks for your support
5 REPLIES
‎03-06-2018 09:58 AM
Hi Frank,
This script has worked and the problem is solved. 🙂
Thanks for your support.
‎03-06-2018 09:22 AM
In that case I think there's something missing on the TACACS server.
In my config the "can do everything" user has these entries:
default service = permit
service = shell {
default command = permit
default attribute = permit
set priv-lvl = 15
set cvp-roles="network-admin"
}
But I'm also not using cisco-tacacs, so your syntax might be different. I think the "set priv-lvl" and "cvp-roles" entries are not used by Extreme; they are for other devices. I don't think Extreme has the "priv-lvl" concept in the way that Cisco has it.
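As an added example (not the poster's config and not code from any TACACS+ server or switch vendor), this Python models how a user block like the one quoted above, together with the "allow commands" lines mentioned in the reply further down, turns into per-command permit/deny answers once the switch sends each command to the server for authorization. The cmd = name { permit regex } syntax, the rule that a cmd block matching the command name but none of its rules denies, and the user names and config text are assumptions constructed for this example.

```python
import re

# Constructed sample (assumption: tac_plus-style syntax). The admin block
# mirrors the "can do everything" entries quoted in the reply above.
SAMPLE_CONFIG = """
user = readonly_user {
    service = shell {
        default command = deny
        cmd = show { permit .* }
        cmd = enable { deny .* }
    }
}
user = admin_user {
    service = shell {
        default command = permit
        set priv-lvl = 15
    }
}
"""


def parse_users(text: str) -> dict:
    """Collect each user's default, per-command rules and set attributes."""
    users, cur = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if m := re.match(r"user\s*=\s*(\S+)\s*\{", line):
            cur = users.setdefault(m.group(1), {"default": "deny", "cmds": [], "attrs": {}})
        elif cur is None:
            continue
        elif m := re.match(r"default command\s*=\s*(permit|deny)", line):
            cur["default"] = m.group(1)
        elif m := re.match(r"cmd\s*=\s*(\S+)\s*\{\s*(permit|deny)\s+(.*?)\s*\}", line):
            cur["cmds"].append((m.group(1), m.group(2), m.group(3)))  # (name, action, arg regex)
        elif m := re.match(r'set\s+(\S+)\s*=\s*"?([^"]*)"?', line):
            cur["attrs"][m.group(1)] = m.group(2)
    return users


def authorize(users: dict, user: str, command_line: str) -> str:
    """Answer one command-authorization request the way the server would
    (assumed semantics: matching cmd block with no matching rule denies,
    no matching block falls back to 'default command', unknown user denied)."""
    policy = users.get(user)
    if policy is None:
        return "deny"
    name, _, args = command_line.strip().partition(" ")
    blocks = [rule for rule in policy["cmds"] if rule[0] == name]
    for _, action, pattern in blocks:
        if re.fullmatch(pattern, args):
            return action  # first matching rule wins
    return "deny" if blocks else policy["default"]
```

With the switch's tacacs-authorization enabled, every CLI command the logged-in user types would be evaluated this way; a read-only outcome like the poster's corresponds to the readonly_user policy here, where only "show" is permitted.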
‎03-06-2018 05:07 AM
Hello Frank,
I did "enable tacacs-authorization" but it's still not working... I don't know what I can do about that? Thanks for the reply.
‎03-05-2018 08:31 AM
Hello,
I don't see the line
enable tacacs-authorization
in your config. Could that be it?
If you have that line, then I think you might lack the appropriate "allow commands" lines in the TACACS server configuration. Since you mention you're used to running Cisco, I'm assuming you're using Cisco's TACACS+ server (or whatever it's called), and I don't know much about that one.
I'm using one of the open tacacs+ implementations, so my config will be different from yours.
