This website uses cookies. By clicking Accept, you consent to the use of cookies. Click Here to learn more about how we use cookies.
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for
- Extreme Networks
- Community List
- Switching & Routing
- ExtremeSwitching (EXOS/Switch Engine)
- About Tacacs authorization and authentication
Options
- Subscribe to RSS Feed
- Mark Topic as New
- Mark Topic as Read
- Float this Topic for Current User
- Bookmark
- Subscribe
- Mute
- Printer Friendly Page
About Tacacs authorization and authentication
About Tacacs authorization and authentication
Options
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Get Direct Link
- Report Inappropriate Content
03-04-2018 10:19 AM
Hello,
We got demo Extreme network switch to our company for trying it. Actually we have all Cİsco switch and we manage them but we want to try extreme network switch.
We worked commands of Tacacs by demo extreme switch and i logged in with my username and password. But i cannot do nothing in the switch, i just readonly it. why ?
And you can see below about CİSCO command and EXTREME command. What's the different please help me about that ?
.
CİSCO:
tacacs-server host X.X.X.X key yyyy
tacacs-server host X.X.X.X key yyyy
tacacs-server directed-request
aaa new model
aaa authentication login use-tacacs group tacacs+ local enable
aaa authentication enable default group tacacs+ enable
aaa authorization exec use-tacacs group tacacs+ local
aaa accounting commands 0 default start-stop group tacacs+
aaa accounting commands 1 default start-stop group tacacs+
aaa accounting commands 15 default start-stop group tacacs+
EXTREME:
configure tacacs primary server X.X.X.X client-ip Z.Z.Z.Z vr "VR-Default"
configure tacacs primary shared-secret yyyy
configure tacacs secondary server T.T.T.T client-ip Z.Z.Z.Z vr "VR-Default"
configure tacacs secondary shared-secret yyyy
enable tacacs
configure tacacs-accounting primary server X.X.X.X client-ip Z.Z.Z.Z vr "VR-Default"
configure tacacs-accounting primary shared-secret yyyy
configure tacacs-accounting secondary server T.T.T.T client-ip Z.Z.Z.Z vr "VR-Default"
configure tacacs-accounting secondary shared-secret yyyy
enable tacacs-accounting
Thanks for your support
We got demo Extreme network switch to our company for trying it. Actually we have all Cİsco switch and we manage them but we want to try extreme network switch.
We worked commands of Tacacs by demo extreme switch and i logged in with my username and password. But i cannot do nothing in the switch, i just readonly it. why ?
And you can see below about CİSCO command and EXTREME command. What's the different please help me about that ?
.
CİSCO:
tacacs-server host X.X.X.X key yyyy
tacacs-server host X.X.X.X key yyyy
tacacs-server directed-request
aaa new model
aaa authentication login use-tacacs group tacacs+ local enable
aaa authentication enable default group tacacs+ enable
aaa authorization exec use-tacacs group tacacs+ local
aaa accounting commands 0 default start-stop group tacacs+
aaa accounting commands 1 default start-stop group tacacs+
aaa accounting commands 15 default start-stop group tacacs+
EXTREME:
configure tacacs primary server X.X.X.X client-ip Z.Z.Z.Z vr "VR-Default"
configure tacacs primary shared-secret yyyy
configure tacacs secondary server T.T.T.T client-ip Z.Z.Z.Z vr "VR-Default"
configure tacacs secondary shared-secret yyyy
enable tacacs
configure tacacs-accounting primary server X.X.X.X client-ip Z.Z.Z.Z vr "VR-Default"
configure tacacs-accounting primary shared-secret yyyy
configure tacacs-accounting secondary server T.T.T.T client-ip Z.Z.Z.Z vr "VR-Default"
configure tacacs-accounting secondary shared-secret yyyy
enable tacacs-accounting
Thanks for your support
5 REPLIES 5
Options
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Get Direct Link
- Report Inappropriate Content
03-06-2018 09:58 AM
Hi Frank,
This script has worked and problem solved.. 🙂
Thanks for your support.
This script has worked and problem solved.. 🙂
Thanks for your support.
Options
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Get Direct Link
- Report Inappropriate Content
03-06-2018 09:22 AM
In that case I think there's something missing on the TACACS server.
In my config the "can do everything" user has these entries:
default service = permit
service = shell {
default command = permit
default attribute = permit
set priv-lvl = 15
set cvp-roles="network-admin"
}
But I'm also not using cisco-tacacs, so your syntax might be different. I think the "set priv-lvl" and "cvp-roles" entries are not used by Extreme, they are for other devices. I don't think Extreme has the "priv-lvl" concept in the way that cisco has it.
In my config the "can do everything" user has these entries:
default service = permit
service = shell {
default command = permit
default attribute = permit
set priv-lvl = 15
set cvp-roles="network-admin"
}
But I'm also not using cisco-tacacs, so your syntax might be different. I think the "set priv-lvl" and "cvp-roles" entries are not used by Extreme, they are for other devices. I don't think Extreme has the "priv-lvl" concept in the way that cisco has it.
Options
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Get Direct Link
- Report Inappropriate Content
03-06-2018 05:07 AM
Hello Frank,
i did "enable tacacs-authorization" but its still not working... I dont know what can i do about that ? Thanks for reply
i did "enable tacacs-authorization" but its still not working... I dont know what can i do about that ? Thanks for reply
Options
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Get Direct Link
- Report Inappropriate Content
03-05-2018 08:31 AM
Hello,
I don't see the line
enable tacacs-authorization
in your config. Could that be it?
If you have that line, then I think you might lack the appropriate "allow commands" lines on the tacacs server configuration. Since you mention you're used to run Cisco, I'm assuming you're using Cisco's TACACS+ server (or whatever it's called), and I don't know much about that one.
I'm using one of the open tacacs+ implementations, so my config will be different from yours.
I don't see the line
enable tacacs-authorization
in your config. Could that be it?
If you have that line, then I think you might lack the appropriate "allow commands" lines on the tacacs server configuration. Since you mention you're used to run Cisco, I'm assuming you're using Cisco's TACACS+ server (or whatever it's called), and I don't know much about that one.
I'm using one of the open tacacs+ implementations, so my config will be different from yours.
