
    Configuring the TACACS+ Server

    When installed on a server that uses the CentOS operating system, CTPView allows a TACACS+-authenticated user to log in through SSH and HTTPS.

    Users are authenticated in the following order:

    • By the TACACS+ server
    • By the local user account

    You can add the same user to the TACACS+ server and the local CTPView system.

    Configuring the TACACS+ Server’s Configuration Files

    You can use any TACACS+ server that complies with the TACACS+ RFC "The TACACS+ Protocol" (January 1997). You can download the TACACS+ server that we refer to here (v1.2) from the TACACS.net website at http://tacacs.net/download.asp. This version contains four configuration files. To modify the configuration files, you must log in to the TACACS+ server as an administrator.

    • Authentication.xml—Modify this file to add a new user on the TACACS+ server. To add a new user, you must add a new user group, and the user within it, under the <UserGroups> tag.
      <UserGroups>
        <UserGroup>
          <Name>TACACS_User1</Name>
          <AuthenticationType>File</AuthenticationType>
          <Users>
            <User>
              <Name>TACACS_User1</Name>
              <LoginPassword ClearText="PASSWORD" DES=""></LoginPassword>
              <EnablePassword ClearText="" DES=""></EnablePassword>
              <CHAPPassword ClearText="" DES=""></CHAPPassword>
              <OutboundPassword ClearText="" DES=""></OutboundPassword>
            </User>
          </Users>
        </UserGroup>
      </UserGroups>
    • Authorization.xml—Modify this file to define the authorization level for the user. To define authorization levels, add the user group that you created in the Authentication.xml file to this file under the <Authorization> tag.
      <Authorization>
        <UserGroups>
          <UserGroup>TACACS_User1</UserGroup>
        </UserGroups>
        <Services>
          <Service>
            <Set>service=juniper_ctp_srvc</Set>
            <Set>protocol=unknown</Set>
            <Set>juniper_ctpview_https=1</Set>
          </Service>
        </Services>
      </Authorization>

      The CTP device uses the juniper_ctp_srvc service to access TACACS+. This service is used only to access TACACS+ and cannot be changed in the Authorization.xml file.

      To define the authorization level, you can assign a user to any or all of the following groups:

      • CTP Device CLI–SSH
      • CTPView CLI–SSH
      • CTPView Web–HTTPS

      The level of authorization for each user is specified in the <Set> tag under the <Service> tag.

      Use the attributes and values shown in Table 1 for HTTPS access to CTPView.

      Table 1: Attributes and Values for HTTPS Access

      Attribute       Value
      Global_Admin    juniper_ctpview_https=1
      Net_Admin       juniper_ctpview_https=2
      Net_View        juniper_ctpview_https=3
      Net_Diag        juniper_ctpview_https=4

      Use the attributes and values shown in Table 2 for SSH access to CTPView.

      Table 2: Attributes and Values for SSH Access to CTPView

      Attribute       Value
      Web Manager     juniper_ctpview_cli=1
      System Admin    juniper_ctpview_cli=2
      Auditor         juniper_ctpview_cli=3

      Use the attributes and values shown in Table 3 for SSH access to CTP devices.

      Table 3: Attributes and Values for SSH Access to CTP Devices

      Attribute           Value
      Read_Only           juniper_ctp_cli=1
      Admin               juniper_ctp_cli=2
      Privileged_admin    juniper_ctp_cli=3
      Auditor             juniper_ctp_cli=4
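      Because the access level a user ends up with is decided entirely by these <Set> values, it is worth checking the two files against each other before loading them. The following script is an added example and not part of this documentation or the tacacs.net distribution: it parses an Authentication.xml and an Authorization.xml in the shape shown above, reports groups that are authorized but never defined, <Set> levels outside Tables 1 to 3, a missing juniper_ctp_srvc service, and accounts whose LoginPassword is kept as ClearText. The sample XML strings are constructed from the snippets on this page.

```python
import xml.etree.ElementTree as ET

# Accepted levels per Tables 1-3 (attribute -> set of values).
LEVELS = {
    "juniper_ctpview_https": {"1", "2", "3", "4"},  # Global_Admin .. Net_Diag
    "juniper_ctpview_cli": {"1", "2", "3"},         # Web Manager, System Admin, Auditor
    "juniper_ctp_cli": {"1", "2", "3", "4"},        # Read_Only .. Auditor
}

def check_config(authentication_xml: str, authorization_xml: str) -> list:
    """Return findings as strings; an empty list means the two files agree."""
    findings = []
    auth_root = ET.fromstring(authentication_xml)
    # Group names defined in Authentication.xml (the <Name> child of each <UserGroup>).
    defined = {g.findtext("Name", "").strip() for g in auth_root.iter("UserGroup")}
    for user in auth_root.iter("User"):
        pw = user.find("LoginPassword")
        if pw is not None and pw.get("ClearText"):
            findings.append("user %r: LoginPassword kept as ClearText" % user.findtext("Name", "").strip())
    authz_root = ET.fromstring(authorization_xml)
    for group in authz_root.iter("UserGroup"):  # here <UserGroup> carries the name as text
        name = (group.text or "").strip()
        if name not in defined:
            findings.append("group %r is authorized but not defined in Authentication.xml" % name)
    for service in authz_root.iter("Service"):
        avps = dict(s.text.strip().split("=", 1) for s in service.findall("Set") if s.text and "=" in s.text)
        if avps.get("service") != "juniper_ctp_srvc":
            findings.append("service=%r: CTP devices only use juniper_ctp_srvc" % avps.get("service"))
        for attr, value in avps.items():
            if attr in LEVELS and value not in LEVELS[attr]:
                findings.append("%s=%s is not a level from Tables 1-3" % (attr, value))
    return findings

# Constructed samples, modelled on the snippets above.
AUTHENTICATION_XML = """<UserGroups><UserGroup><Name>TACACS_User1</Name>
<AuthenticationType>File</AuthenticationType><Users><User><Name>TACACS_User1</Name>
<LoginPassword ClearText="PASSWORD" DES=""></LoginPassword></User></Users></UserGroup></UserGroups>"""

AUTHORIZATION_OK = """<Authorization><UserGroups><UserGroup>TACACS_User1</UserGroup></UserGroups>
<Services><Service><Set>service=juniper_ctp_srvc</Set><Set>protocol=unknown</Set>
<Set>juniper_ctpview_https=1</Set></Service></Services></Authorization>"""

# Same file with an undefined group and an out-of-range level (constructed).
AUTHORIZATION_BAD = """<Authorization><UserGroups><UserGroup>Not_Defined</UserGroup></UserGroups>
<Services><Service><Set>service=juniper_ctp_srvc</Set><Set>protocol=unknown</Set>
<Set>juniper_ctpview_https=5</Set></Service></Services></Authorization>"""

if __name__ == "__main__":
    for label, authz in (("ok", AUTHORIZATION_OK), ("bad", AUTHORIZATION_BAD)):
        print(label, check_config(AUTHENTICATION_XML, authz))
```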

      On the TACACS+ server, you can also modify these files:

    • Clients.xml—Modify this file to add the secret key and the domains that can use the TACACS+ server.
    • Tacplus.xml—Modify this file to add the remote port number and the IPv4 or IPv6 addresses assigned to the TACACS+ server.
      <Port>49</Port>
      <LocalIP>Write your TACACS+ machine's IP here</LocalIP>

      Modify the parameters specified in Table 4 if required.

      Table 4: Attributes for Configuring the Tacplus.xml File

      Parameter   Function
      Port        The default port number is 49.
      LocalIP     Specify the IP address of the TACACS+ server. You can enter an IPv4 or IPv6 address.

      Before you enter an IPv6 address, ensure that both the TACACS+ server and the CTPView server or CTP device support IPv6.

    Modified: 2015-10-15