TACACS+ configuration
12-05-2014 01:55 PM
Hello, colleagues!
Earlier there was a post about TACACS configuration - https://community.extremenetworks.com/extreme/topics/tacacs_server_setting_admin_setting-f140e
But now I have a question.
When I enable TACACS on the switch, I can't log in with a TACACS account (it is present on the TACACS server with max privilege).
Also a question: is there a possibility, for example, to log in on the switch with a TACACS account in VR-Default, and with a local account in VR-MGMT?
Thank you!
7 REPLIES
12-05-2014 04:18 PM
Were you ever able to get this resolved?
12-05-2014 03:08 PM
Hi Alexandr,
Are there any errors logged in the TACACS server or on the switch? In the past, I've done troubleshooting with Wireshark to watch the requests and responses to and from the server from the switch. That may help you see what is happening.
I'm not aware of any configuration to allow TACACS through VR-Default and local accounts on VR-MGMT.
12-05-2014 02:56 PM
Hi,
On the switch, I'd be expecting a config similar to this one:
sw1.1 # sh conf "aaa"
#
# Module aaa configuration.
#
configure tacacs primary server 192.168.56.2 49 client-ip 192.168.56.121 vr VR-Mgmt
configure tacacs primary shared-secret encrypted "ry{zfd"
enable tacacs
enable tacacs-authorization
On the TACACS+ server, I'd be expecting something similar to:
key = purple
##########################
#### Group Definition ####
##########################
group = admingroup {
    default service = permit
    service = exec {
        priv-lvl = 15
    }
}
group = readonly {
    default service = deny
    service = exec {
        priv-lvl = 1
    }
}
##########################
#### User Definition #####
##########################
user = stef {
    member = admingroup
    login = cleartext "extreme"
    name = "Stephane"
}
user = bdx8 {
    member = readonly
    login = des "bT.YIz5L3PG3Y"
    name = "BlackDiamond"
    cmd = show {
        deny ipconfig
        deny tacacs
        deny edp
    }
}
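Both the packet-capture suggestion and the key / shared-secret pair in the configs above come down to whether switch and server hold the same key. The following Python is an added example, not part of any poster's reply: it applies the RFC 8907 body obfuscation to a constructed Authentication START packet and shows how a mismatched key is detected. The packet contents, session id and function names are assumptions made for illustration.

```python
import hashlib
import struct

UNENCRYPTED_FLAG = 0x01  # TAC_PLUS_UNENCRYPTED_FLAG in RFC 8907

def xor_pad(header: bytes, body: bytes, key: bytes) -> bytes:
    """Apply the RFC 8907 MD5 pseudo-pad; the same call obfuscates and recovers."""
    # Hash input order: session_id, key, version, seq_no, then the previous digest.
    seed = header[4:8] + key + header[0:1] + header[2:3]
    pad, prev = b"", b""
    while len(pad) < len(body):
        prev = hashlib.md5(seed + prev).digest()
        pad += prev
    return bytes(b ^ p for b, p in zip(body, pad))

def check_key(packet: bytes, key: bytes):
    """Return the username if `key` decodes an Authentication START cleanly, else None."""
    if len(packet) < 12:
        return None
    version, ptype, seq_no, flags, _sid, length = struct.unpack("!BBBBII", packet[:12])
    body = packet[12:]
    if ptype != 1 or seq_no != 1 or length != len(body) or length < 8:
        return None  # not a complete Authentication START
    if not flags & UNENCRYPTED_FLAG:
        body = xor_pad(packet[:12], body, key)
    user_len, port_len, rem_len, data_len = body[4:8]
    # With the wrong key the recovered length fields are random and will not add up.
    if 8 + user_len + port_len + rem_len + data_len != length:
        return None
    return body[8:8 + user_len].decode("ascii", "replace")

def build_sample(key: bytes) -> bytes:
    """Constructed packet: what a client configured with `key` would send."""
    user, port, rem = b"stef", b"tty0", b"192.168.56.50"  # constructed values
    body = bytes([1, 1, 1, 1, len(user), len(port), len(rem), 0]) + user + port + rem
    header = struct.pack("!BBBBII", 0xC0, 1, 1, 0, 0x12345678, len(body))
    return header + xor_pad(header, body, key)

if __name__ == "__main__":
    capture = build_sample(b"purple")  # server-side key from the reply above
    for candidate in (b"purple", b"Purple"):
        print(candidate, "->", check_key(capture, candidate))
```

A packet dissector given the server's key performs the same length check; a body that does not parse usually means the secret configured on the switch differs from `key` on the server.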
