
    Configuring CTPOS and CTPView User Authentication with TACACS+

    The TACACS+ protocol provides access control (authentication, authorization, and accounting services) for routers and network access servers through one or more centralized TACACS+ servers. Unlike RADIUS, TACACS+ provides separate handling of authentication, authorization, and accounting services. CTPOS and CTPView use only authentication and authorization services, and do not use the accounting service.

    CTP devices act as TACACS+ clients: they send authentication and authorization requests to the centralized TACACS+ servers, which hold separate user databases for CTPOS CLI users, CTPView CLI users, and CTPView Web UI users.

    TACACS+ is supported only on CTPOS Release 6.4 and later and CTPView Release 4.4 and later. In earlier releases, RADIUS is used for remote authentication and authorization. Effective from CTPOS Release 6.4 and CTPView Release 4.4, both RADIUS and TACACS+ are supported.

    CTP uses TACACS+ authentication to validate users against the login credentials configured on the centralized TACACS+ servers; the server then returns the user's privileges to the TACACS+ client. The user is logged in to the device with the privileges that the TACACS+ server returns after successful authentication and authorization.

    Configuring TACACS+ Settings from the CTPView Server

    You can configure TACACS+ for CTPView CLI and CTPView HTTPS users only from the CTPView menu. You cannot enable both RADIUS and TACACS+ at the same time: you can enable TACACS+ only after disabling RADIUS.

    To configure TACACS+ settings on the CTPView server:

    1. From the AAA Menu, select 2) SSH(2nd) - RADIUS/RSA > 2) TACACS+.

      The current status of TACACS+ is displayed.

      Currently, SSH – TACACS+ is set to Disabled.
      
      Please choose a menu item from the following list:
      0) Return to previous menu
      1) Enable
      2) Disable
      Enter your selection for SSH – TACACS+
      Please input an integer between 0 and 2 [0]:
    2. Select 1) Enable to enable TACACS+.
      Please choose a menu item from the following list:
      0) Return to previous menu
      1) RADIUS/RSA: Disabled
      2) TACACS+: Enabled
      Please input your choice [0]:
    3. Return to the AAA Menu, and select 9) TACACS+ Configuration > 1) Servers to configure the TACACS+ servers.
    4. Follow the onscreen instructions and configure the parameters as described in Table 1.

      Table 1: TACACS+ Settings for CTPView Server

      Field: Servers
      Function: You can configure up to 10 TACACS+ servers each for CTPOS and CTPView users for authentication and authorization. The CTP device tries to authenticate the user against the first server in the list. If the first server is unavailable or fails to authenticate the user, it tries the second server in the list, and so on. Authorization is done on the server that successfully authenticates the user.
      Your Action: Enter the IP address of each server and specify its shared secret. The shared secret is the key held by both the TACACS+ client and the server; it seeds the per-packet pad that obfuscates the body of every packet exchanged between them, so the identical secret must be configured on both ends. This obfuscation is an MD5-derived XOR stream rather than strong encryption: use a long, random secret and keep TACACS+ traffic on a protected management network.

      Field: Destination Port
      Function: TACACS+ runs over TCP. Port 49 is reserved for TACACS+ and is the default port.
      Your Action: Enter the destination port number.

      Field: Timeout
      Function: Time in seconds that the TACACS+ client waits for a response from a TACACS+ server after sending an authentication or authorization request. The timeout applies to every configured TACACS+ server, and because the client tries the servers in turn, a login can wait up to the timeout multiplied by the number of configured servers before any failover applies. The default timeout value is 5 seconds.
      Your Action: Specify a value in the range 1–60.

      Field: Off-Line-Failover
      Function: Controls whether the local authentication credentials can be used when the configured TACACS+ servers are unavailable or do not respond. The default option is Allowed to Loc Acct, which keeps a break-glass login path open while the servers are down; the local account passwords must then be managed with the same care as the TACACS+ accounts.
      Your Action: Select one.
      • Not Allowed
      • Allowed to Loc Acct

      Field: Reject-Failover
      Function: Controls whether the local authentication credentials can be used when the TACACS+ server rejects the authentication attempt. The default option is Allowed to Loc Acct. With that setting, a user whose login the TACACS+ server explicitly rejects (for example, because the account was disabled) can still log in with a local account, so server-side lockouts are not enforced on the device; select Not Allowed unless you need that fallback.
      Your Action: Select one.
      • Not Allowed
      • Allowed to Loc Acct
    5. From the TACACS+ Menu, select 6) Initialize Web UI Template Accounts.
    6. Enter the MySQL administrator account password when prompted.

      The required template accounts are added to CTPView. These accounts are not configurable. This step is performed as part of the initial configuration of CTPView as a TACACS+ client. However, repeating this step has no detrimental effect on the TACACS+ configuration.
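    The procedure above asks for a shared secret for each server. The following added example (not CTPOS or CTPView code, and not from Juniper) shows what that secret does on the wire, using the packet layout and body obfuscation defined in RFC 8907: it builds a TACACS+ authentication START packet for the PAP login flow, obfuscates the body with the MD5-derived pad that the secret seeds, parses it back, and checks a candidate secret against a captured packet. The session ID, username, password, remote address and privilege level are constructed values for illustration; a real client chooses the session ID at random.

```python
"""TACACS+ (RFC 8907) authentication START: build, obfuscate, parse.

Added example; not CTP code. The packet header is always cleartext, the body
is XORed with a pad derived from MD5(session_id, key, version, seq_no), and a
packet sent with the UNENCRYPTED flag carries the password in the clear.
"""
import hashlib
import struct

VERSION_PAP = 0xC1          # major 0xC, minor 1: required when the password rides in START
TYPE_AUTHEN = 0x01
FLAG_UNENCRYPTED = 0x01
ACTION_LOGIN = 0x01
AUTHEN_TYPE_PAP = 0x02
AUTHEN_SVC_LOGIN = 0x01
HEADER = struct.Struct("!BBBBII")   # version, type, seq_no, flags, session_id, length


def pseudo_pad(session_id, key, version, seq_no, length):
    """RFC 8907 4.5: MD5_1 = MD5(session_id, key, version, seq_no),
    MD5_n = MD5(session_id, key, version, seq_no, MD5_n-1); concatenate, truncate."""
    seed = struct.pack("!I", session_id) + key + bytes([version, seq_no])
    pad, prev = b"", b""
    while len(pad) < length:
        prev = hashlib.md5(seed + prev).digest()
        pad += prev
    return pad[:length]


def xor_body(body, session_id, key, version, seq_no):
    """Obfuscation and de-obfuscation are the same XOR with the pad."""
    pad = pseudo_pad(session_id, key, version, seq_no, len(body))
    return bytes(b ^ p for b, p in zip(body, pad))


def authen_start_body(user, password, priv_lvl=1, port="tty0", rem_addr="203.0.113.10"):
    """Fixed 8-byte prefix, then user, port, rem_addr and data (the PAP password)."""
    u, p, r, d = (s.encode() for s in (user, port, rem_addr, password))
    fixed = struct.pack("!8B", ACTION_LOGIN, priv_lvl, AUTHEN_TYPE_PAP,
                        AUTHEN_SVC_LOGIN, len(u), len(p), len(r), len(d))
    return fixed + u + p + r + d


def build_packet(body, session_id, key, seq_no=1):
    """Client packet; seq_no 1 is the client's first packet of a session.
    An empty key produces the UNENCRYPTED form, which nothing protects."""
    if key:
        flags, payload = 0x00, xor_body(body, session_id, key, VERSION_PAP, seq_no)
    else:
        flags, payload = FLAG_UNENCRYPTED, body
    return HEADER.pack(VERSION_PAP, TYPE_AUTHEN, seq_no, flags, session_id, len(body)) + payload


def parse_packet(packet, key):
    """Return the de-obfuscated body of a packet (the header is never obfuscated)."""
    version, ptype, seq_no, flags, session_id, length = HEADER.unpack_from(packet)
    payload = packet[HEADER.size:HEADER.size + length]
    if len(payload) != length:
        raise ValueError("truncated packet")
    if flags & FLAG_UNENCRYPTED:
        return payload
    return xor_body(payload, session_id, key, version, seq_no)


def parse_authen_start(body):
    action, priv_lvl, authen_type, service, ul, pl, rl, dl = struct.unpack_from("!8B", body)
    if 8 + ul + pl + rl + dl != len(body):
        raise ValueError("length fields do not match body length")
    fields, off = [], 8
    for n in (ul, pl, rl, dl):
        fields.append(body[off:off + n].decode())
        off += n
    user, port, rem_addr, data = fields
    return {"action": action, "priv_lvl": priv_lvl, "authen_type": authen_type,
            "service": service, "user": user, "port": port, "rem_addr": rem_addr, "data": data}


def secret_matches(packet, candidate):
    """A captured client START can be checked against a guessed secret offline:
    a wrong key yields length fields that do not add up. This is why the secret
    must be long and random and the TACACS+ path isolated."""
    try:
        parse_authen_start(parse_packet(packet, candidate))
        return True
    except (ValueError, UnicodeDecodeError, struct.error):
        return False


def demo():
    session_id = 0x1A2B3C4D                     # constructed; real clients pick it at random
    secret = b"correct horse battery staple"    # constructed shared secret
    body = authen_start_body("ctpadmin", "Tr0ub4dor&3")
    wire = build_packet(body, session_id, secret)
    clear = build_packet(body, session_id, b"")
    return {
        "obfuscated_hides_password": b"Tr0ub4dor&3" not in wire,
        "unencrypted_exposes_password": b"Tr0ub4dor&3" in clear,
        "decoded": parse_authen_start(parse_packet(wire, secret)),
        "guess_wrong": secret_matches(wire, b"cisco"),
        "guess_right": secret_matches(wire, secret),
    }


if __name__ == "__main__":
    for name, value in demo().items():
        print(f"{name}: {value}")
```

    The pad depends only on the session ID, the secret and two header bytes, all of which except the secret are visible in the capture, so the strength of the shared secret is the whole of the protection; a short or dictionary secret can be recovered from a single captured START packet.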

    Configuring TACACS+ Settings from the CTPView Web Interface

    You can configure TACACS+ for CTPOS users from the CTPView web interface.

    To configure TACACS+ from the CTPView web interface:

    1. In the side pane, select System > Configuration.
    2. Click the Node Settings > TACACS+ Settings tab.

      The TACACS+ Settings page is displayed.

    3. Configure the parameters described in Table 2 and click Submit Settings.
    4. (Optional) Click System > Query > Node Settings to verify the TACACS+ configuration details.

      Table 2: TACACS+ Settings for the CTPView Web Interface

      Field: Status
      Function: Specifies whether TACACS+ is enabled or disabled. TACACS+ is disabled by default.
      Your Action: Select one.
      • Enabled
      • Disabled

      Field: Dest Port
      Function: TACACS+ runs over TCP. Port 49 is reserved for TACACS+ and is the default port.
      Your Action: Enter the destination port number.

      Field: Timeout
      Function: Time in seconds that the TACACS+ client waits for a response from a TACACS+ server after sending an authentication or authorization request. The timeout applies to every configured TACACS+ server. The default timeout value is 5 seconds.
      Your Action: Specify a value in seconds.

      Field: Off-Line-Failover
      Function: Controls whether the local authentication credentials can be used when the configured TACACS+ servers are unavailable or do not respond. The default option is Allowed to Loc Acct.
      Your Action: Select one.
      • Not Allowed
      • Allowed to Loc Acct

      Field: Reject-Failover
      Function: Controls whether the local authentication credentials can be used when the TACACS+ server rejects the authentication attempt. The default option is Allowed to Loc Acct, which lets a user the server has rejected log in with a local account; select Not Allowed if server-side rejections must be enforced on the device.
      Your Action: Select one.
      • Not Allowed
      • Allowed to Loc Acct

      Field: Servers
      Function: You can configure up to 10 TACACS+ servers each for CTPOS and CTPView users for authentication and authorization. CTP tries to authenticate the user against the first server in the list. If the first server is unavailable or fails to authenticate the user, it tries the second server in the list, and so on. Authorization is done on the server that successfully authenticates the user.
      Your Action: Enter the IP address of each server, and specify a shared secret.

      Field: Shared Secret
      Function: The shared secret is the key that the TACACS+ server and client both hold to obfuscate and de-obfuscate the body of the packets they exchange; it must be identical on both ends, and it is the only protection the packets carry.
      Your Action: Specify the shared secret.
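    The Servers, Timeout, Off-Line-Failover and Reject-Failover settings in Table 1 and Table 2 together decide whether a login is answered by a TACACS+ server, by a local account, or refused. The following added example (not CTP code, and not a description of how CTPOS or CTPView implement it internally) models that decision so each setting's effect can be checked against constructed scenarios. It makes two assumptions the page does not state: a server that answers with a reject counts as "fails to authenticate" and the next server in the list is tried, and Reject-Failover is consulted only if at least one server answered with a reject while Off-Line-Failover is consulted only if none answered at all. The server addresses, usernames and answers are constructed.

```python
"""Model of the TACACS+ server walk and the two failover settings.

Added example; not CTP code. Outcome.NO_RESPONSE stands for a server that is
unreachable or does not answer within Timeout; Outcome.REJECT for a server
that answered and refused the login.
"""
from dataclasses import dataclass
from enum import Enum


class Outcome(Enum):
    ACCEPT = "accept"
    REJECT = "reject"
    NO_RESPONSE = "no response"


class Failover(Enum):            # the two values offered by the CTP menus
    NOT_ALLOWED = "Not Allowed"
    ALLOWED_TO_LOC_ACCT = "Allowed to Loc Acct"


@dataclass
class Server:
    address: str
    users: dict                  # user -> Outcome; constructed stand-in for a live server
    reachable: bool = True

    def query(self, user):
        if not self.reachable:
            return Outcome.NO_RESPONSE
        return self.users.get(user, Outcome.REJECT)   # unknown user: server rejects


@dataclass
class TacacsPolicy:
    servers: list
    timeout: int = 5                                            # page default, seconds
    offline_failover: Failover = Failover.ALLOWED_TO_LOC_ACCT   # page default
    reject_failover: Failover = Failover.ALLOWED_TO_LOC_ACCT    # page default

    def __post_init__(self):
        if not 1 <= self.timeout <= 60:
            raise ValueError("Timeout must be between 1 and 60 seconds")
        if not 1 <= len(self.servers) <= 10:
            raise ValueError("configure between 1 and 10 TACACS+ servers")

    def worst_case_wait(self):
        """Timeout applies per server and servers are tried in turn, so a login
        waits this long before local fallback is even considered when all are down."""
        return self.timeout * len(self.servers)

    def login(self, user, local_password_ok):
        """Return (granted, source): source is the server that accepted, 'local', or 'denied'."""
        saw_reject = False
        for srv in self.servers:
            outcome = srv.query(user)
            if outcome is Outcome.ACCEPT:
                return True, f"tacacs:{srv.address}"
            if outcome is Outcome.REJECT:
                saw_reject = True        # assumption: keep walking the list after a reject
        knob = self.reject_failover if saw_reject else self.offline_failover
        if knob is Failover.ALLOWED_TO_LOC_ACCT and local_password_ok:
            return True, "local"
        return False, "denied"


def run_scenarios():
    users = {"alice": Outcome.ACCEPT, "mallory": Outcome.REJECT}   # constructed user database
    up = [Server("192.0.2.11", users), Server("192.0.2.12", users)]
    first_down = [Server("192.0.2.11", users, reachable=False), Server("192.0.2.12", users)]
    down = [Server("192.0.2.11", users, reachable=False), Server("192.0.2.12", users, reachable=False)]
    defaults = TacacsPolicy(up)
    hardened = TacacsPolicy(up, reject_failover=Failover.NOT_ALLOWED)
    no_breakglass = TacacsPolicy(down, offline_failover=Failover.NOT_ALLOWED)
    return {
        "alice_normal": defaults.login("alice", local_password_ok=False),
        "alice_first_server_down": TacacsPolicy(first_down).login("alice", local_password_ok=False),
        # mallory is rejected by every server but still gets in with a local password
        "mallory_defaults": defaults.login("mallory", local_password_ok=True),
        "mallory_hardened": hardened.login("mallory", local_password_ok=True),
        "alice_all_down_breakglass": TacacsPolicy(down).login("alice", local_password_ok=True),
        "alice_all_down_no_breakglass": no_breakglass.login("alice", local_password_ok=True),
        "worst_case_wait_seconds": TacacsPolicy(down).worst_case_wait(),
    }


if __name__ == "__main__":
    for name, result in run_scenarios().items():
        print(f"{name}: {result}")
```

    The mallory_defaults scenario is the one to look at when choosing settings: with both failover options at their defaults, a login the TACACS+ server explicitly rejected succeeds through the local account, so a lockout applied centrally does not reach the device until Reject-Failover is set to Not Allowed. Off-Line-Failover left at Allowed to Loc Acct is the usual break-glass choice, and it makes the local account passwords as security-relevant as the TACACS+ ones.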

     


    Modified: 2015-11-23