Configuring TACACS+
You can configure TACACS+ services on a switch by using the aaa-tacacs-create command.
CLI (network-admin@switch) > aaa-tacacs-create
name name-string
    Specify the name for the TACACS+ configuration.
scope local|fabric
    Specify the scope of the TACACS+ configuration.
server server-string
    Specify the TACACS+ server name.
Specify one or more of the following options:
port port-number
    Specify the TACACS+ communication port.
secret secret-string
    Specify the shared secret for TACACS+.
timeout timeout-number
    Specify the number of seconds before communication times out.
priority priority-number
    Specify the priority for TACACS+.
authen|no-authen
    Specify to enable or disable authentication.
[authen-local|no-authen-local]
    Specify whether TACACS+ authentication overrides local users. The no-authen-local parameter allows local users to log in, while authen-local prevents local users from logging in.
[authen-method pap|chap]
    Specify one of the authentication methods: PAP or CHAP (default).
[sess-acct|no-sess-acct]
    Specify to enable or disable session accounting.
[cmd-acct|no-cmd-acct]
    Specify to enable or disable command accounting.
[acct-local|no-acct-local]
    Specify to enable or disable accounting for local users.
[sess-author|no-sess-author]
    Specify to enable or disable session authorization.
[cmd-author|no-cmd-author]
    Specify to enable or disable command authorization.
[author-local|no-author-local]
    Specify to enable or disable authorization for local users.
[service service-string]
    Specify the service name used for TACACS+ requests sent from Netvisor ONE to the TACACS+ server for commands run at the Netvisor CLI and REST APIs. The default service is shell.
[service-shell service-shell-string]
    Specify the TACACS+ service name string for shell commands.
[service-vtysh service-vtysh-string]
    Specify the TACACS+ service name string for vtysh commands.
The authen-local parameter controls whether a TACACS+ server is used to authenticate local accounts. To allow an account to authenticate locally without relying on the TACACS+ server, you must configure all active TACACS+ instances with the no-authen-local option. Local accounts include the accounts configured with the user-create and user-modify commands, and accounts such as admin and pluribus. Logins for both types of accounts are disabled if a TACACS+ server is configured with the authen-local option.
Netvisor ONE tracks communication errors between itself and the TACACS+ server. After three failed attempts to reach the TACACS+ server, local authentication is allowed until communication with the server is re-established. This enables recovery of the system if TACACS+ is unreachable.
To create a TACACS+ configuration named tac with local scope that does not allow local authentication, use the command:
CLI (network-admin@switch) > aaa-tacacs-create name tac scope local server appliance.pluribusnetworks.com authen-local
To set the shared secret, use the command:
CLI (network-admin@switch) > aaa-tacacs-modify secret name tac
shared secret:
confirm shared secret:
CLI (network-admin@switch) >
To modify the configuration and to allow local authentication, use the command:
CLI (network-admin@switch) > aaa-tacacs-modify name tac no-authen-local
Use the author-local and acct-local parameters to send authorization and accounting messages to the TACACS+ server for locally authenticated accounts. For example:
CLI (network-admin@switch) > aaa-tacacs-modify name tac author-local acct-local
The vtysh command is used to display FRR information from the CLI. To use the vtysh command, you must first enter the shell prompt.
To specify the service for authorization and accounting messages for shell and vtysh commands, use the commands:
CLI (network-admin@switch) > aaa-tacacs-modify name tac service-shell unix-shell
CLI (network-admin@switch) > aaa-tacacs-modify name tac service-vtysh vtysh-shell
If service-shell or service-vtysh is not specified, the value specified under the service option is used.
For example, if neither service nor service-shell is specified, the default service, shell, is used for authorization and accounting of shell and vtysh commands.
To view the configuration, use the command:
CLI (network-admin@switch) > aaa-tacacs-show
name scope server                         port timeout priority authen authen-local authen-method sess-acct cmd-acct acct-local sess-author cmd-author author-local service service-shell service-vtysh
---- ----- ------------------------------ ---- ------- -------- ------ ------------ ------------- --------- -------- ---------- ----------- ---------- ------------ ------- ------------- -------------
tac  local appliance.pluribusnetworks.com 49   10      1        on     off          chap          on        off      off        on          off        on           shell   unix-shell    vtysh-shell
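As an added example (not Netvisor ONE code), the following Python parses aaa-tacacs-show output in the fixed-width form shown above and applies two rules from this section: local accounts are locked out while any active instance is configured authen-local, and service-shell/service-vtysh fall back to the service value. The second instance tac2 and its server name are hypothetical, and the code assumes an unset service column is shown blank.

```python
import re
from typing import Dict, List

# Constructed sample: the page's aaa-tacacs-show output for instance "tac" plus a
# hypothetical second instance "tac2" (authen-local on, service-shell/vtysh unset).
SAMPLE_OUTPUT = """\
name scope server                         port timeout priority authen authen-local authen-method sess-acct cmd-acct acct-local sess-author cmd-author author-local service service-shell service-vtysh
---- ----- ------------------------------ ---- ------- -------- ------ ------------ ------------- --------- -------- ---------- ----------- ---------- ------------ ------- ------------- -------------
tac  local appliance.pluribusnetworks.com 49   10      1        on     off          chap          on        off      off        on          off        on           shell   unix-shell    vtysh-shell
tac2 local tacacs2.example.invalid        49   10      2        on     on           pap           on        on       off        on          on         off          shell
"""

def parse_show(output: str) -> List[Dict[str, str]]:
    """Split fixed-width CLI output into one dict per row. Column boundaries come
    from the dashed underline, so no fixed column order is assumed."""
    header, dashes, *rows = [ln for ln in output.splitlines() if ln.strip()]
    starts = [m.start() for m in re.finditer(r"-+", dashes)]
    bounds = list(zip(starts, starts[1:] + [None]))
    names = [header[a:b].strip() for a, b in bounds]
    return [{n: row[a:b].strip() for n, (a, b) in zip(names, bounds)} for row in rows]

def local_login_blockers(instances: List[Dict[str, str]]) -> List[str]:
    """Names of instances whose authen-local setting blocks local accounts.
    Accounts from user-create/user-modify and admin/pluribus can authenticate
    locally only when every active instance is no-authen-local (network-admin
    is always exempt), so an empty result means local logins are allowed."""
    return [i["name"] for i in instances if i["authen-local"] == "on"]

def effective_services(inst: Dict[str, str]) -> Dict[str, str]:
    """Service string used for shell and vtysh command authorization/accounting:
    service-shell / service-vtysh when set, else `service`, which defaults to
    shell. Assumption: an unset column is blank in the show output."""
    base = inst.get("service") or "shell"
    return {"shell": inst.get("service-shell") or base,
            "vtysh": inst.get("service-vtysh") or base}

if __name__ == "__main__":
    rows = parse_show(SAMPLE_OUTPUT)
    blocked = local_login_blockers(rows)
    print("local logins allowed" if not blocked else f"local logins blocked by {blocked}")
    for r in rows:
        print(r["name"], effective_services(r))
```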
To delete a specific TACACS+ configuration, use the aaa-tacacs-delete command:
CLI (network-admin@switch) > aaa-tacacs-delete name <name-string>
To display the status of the TACACS+ server, use the aaa-tacacs-status command:
CLI (network-admin@switch) > aaa-tacacs-status name tac
name server                         port priority status
---- ------------------------------ ---- -------- ------
tac  appliance.pluribusnetworks.com 49   1        up
Note:
- The default network-admin account is exempt from all TACACS+ configuration. It serves as a fail-safe account for network designs without a TACACS+ server, and it allows access for Pluribus Networks support if TACACS+ is unavailable or unreachable.
- The pluribus account password is the same as the network-admin password; when the network-admin password is changed, the pluribus account password also changes. The login shell for the pluribus account is nvauditsh.
- The admin account requires a code from Pluribus Networks Customer Advocacy to log in. Because you can access the shell through the CLI, the admin account is rarely needed. The login shell for the admin account is adminsh.
- The adminsh shell uses nvauditsh to enable auditing of commands run from the admin account.
When the TACACS+ server is configured with the authen-local option and is working correctly:
- Local users such as admin or pluribus are not allowed to log in.
- Local users configured with the user-create or user-modify commands are not allowed to log in.
- Authorization and accounting for shell commands are enabled.
- Authorization and accounting for FRR commands are enabled.
- You can switch to the shell prompt from the CLI if the user role has permission to do so.
You can exempt selected CLI, shell, or vtysh commands from authorization and accounting by using the log-audit-exception-create command. For more information, see the Configuring Audit Logging section of the Configuring Network Management and Monitoring chapter.