Configuring the TACACS+ Server
When installed on a server running the CentOS operating system, CTPView allows a TACACS+-authenticated user to log in through SSH and HTTPS.
Users are authenticated in the following order:
By the TACACS+ server
By the local user account
You can add the same user to the TACACS+ server and the local CTPView system.
Configuring the TACACS+ Server’s Configuration Files
You can use any TACACS+ server that complies with the TACACS+ protocol specification, the IETF draft "The TACACS+ Protocol" (January 1997). You can download the TACACS+ server referred to here (v1.2) from the TACACS.net website at http://tacacs.net/download.asp. This version contains four configuration files. To modify the configuration files, you must log in to the TACACS+ server as an administrator.
Authentication.xml—Modify this file to add a new user on the TACACS+ server. To add a new user, add a new user group, and the user within it, under the <UserGroups> tag. The example below stores the login password in the ClearText attribute, so anyone who can read Authentication.xml can read the password; restrict the file's permissions to the administrator account.
<UserGroups>
  <UserGroup>
    <Name>TACACS_User1</Name>
    <AuthenticationType>File</AuthenticationType>
    <Users>
      <User>
        <Name>TACACS_User1</Name>
        <LoginPassword ClearText="PASSWORD" DES=""></LoginPassword>
        <EnablePassword ClearText="" DES=""></EnablePassword>
        <CHAPPassword ClearText="" DES=""></CHAPPassword>
        <OutboundPassword ClearText="" DES=""></OutboundPassword>
      </User>
    </Users>
  </UserGroup>
</UserGroups>
Authorization.xml—Modify this file to define the authorization level for the user. To define authorization levels, you must add the user group that you added in the Authentication.xml file to this file under the <Authorization> tag.
<Authorization>
  <UserGroups>
    <UserGroup>TACACS_User1</UserGroup>
  </UserGroups>
  <Services>
    <Service>
      <Set>service=juniper_ctp_srvc</Set>
      <Set>protocol=unknown</Set>
      <Set>juniper_ctpview_https=1</Set>
    </Service>
  </Services>
</Authorization>
The CTP device uses the juniper_ctp_srvc service to access TACACS+. This service name is used only for TACACS+ access and must not be changed in the Authorization.xml file; juniper_* attributes placed under any other service name are not consulted.
To define the authorization level, you can assign a user to any or all of the following groups:
CTP Device CLI–SSH
CTPView CLI–SSH
CTPView Web–HTTPS
The level of authorization for each user is specified in the <Set> tag under the <Service> tag.
Use the attributes and values shown in Table 1 for HTTPS access to CTPView.

Table 1: Attributes and Values for HTTPS Access to CTPView

Attribute (role)    Value
Global_Admin        juniper_ctpview_https=1
Net_Admin           juniper_ctpview_https=2
Net_View            juniper_ctpview_https=3
Net_Diag            juniper_ctpview_https=4
Use the attributes and values shown in Table 2 for SSH access to CTPView.

Table 2: Attributes and Values for SSH Access to CTPView

Attribute (role)    Value
Web Manager         juniper_ctpview_cli=1
System Admin        juniper_ctpview_cli=2
Auditor             juniper_ctpview_cli=3
Use the attributes and values shown in Table 3 for SSH access to CTP devices.

Table 3: Attributes and Values for SSH Access to CTP Devices

Attribute (role)    Value
Read_Only           juniper_ctp_cli=1
Admin               juniper_ctp_cli=2
Privileged_admin    juniper_ctp_cli=3
Auditor             juniper_ctp_cli=4
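The following Python script is an added example, not part of the Juniper documentation or of the TACACS.net server. It parses an Authorization.xml fragment, resolves each juniper_ctpview_https, juniper_ctpview_cli and juniper_ctp_cli value to the role names in Tables 1 through 3, and flags values that are out of range or that sit under a service name other than juniper_ctp_srvc, which CTPView and CTP devices would never consult. The sample XML embedded in the script is constructed: its <Authorizations> wrapper element and the group names are assumptions, not taken from a TACACS.net installation. It also shows one user group granted all three kinds of access at once, which the single-line example above does not.

```python
"""Audit TACACS.net Authorization.xml entries used for CTPView and CTP access.

Added example: this script is not part of the Juniper documentation or of the
TACACS.net distribution. It resolves the juniper_* attribute-value pairs from
Tables 1-3 to role names and flags entries that would not take effect.
"""
import sys
import xml.etree.ElementTree as ET

# Attribute-value pairs from Tables 1-3, resolved to the role each value grants.
ROLES = {
    "juniper_ctpview_https": {1: "Global_Admin", 2: "Net_Admin",
                              3: "Net_View", 4: "Net_Diag"},
    "juniper_ctpview_cli": {1: "Web Manager", 2: "System Admin", 3: "Auditor"},
    "juniper_ctp_cli": {1: "Read_Only", 2: "Admin",
                        3: "Privileged_admin", 4: "Auditor"},
}

# CTP devices and CTPView request authorization under this service name only.
REQUIRED_SERVICE = "juniper_ctp_srvc"

# Constructed sample (assumption: the <Authorizations> wrapper element and the
# group names are illustrative, not taken from a real TACACS.net installation).
SAMPLE_AUTHORIZATION_XML = """<Authorizations>
  <Authorization>
    <UserGroups>
      <UserGroup>TACACS_User1</UserGroup>
    </UserGroups>
    <Services>
      <Service>
        <Set>service=juniper_ctp_srvc</Set>
        <Set>protocol=unknown</Set>
        <Set>juniper_ctpview_https=2</Set>
        <Set>juniper_ctpview_cli=2</Set>
        <Set>juniper_ctp_cli=2</Set>
      </Service>
    </Services>
  </Authorization>
  <Authorization>
    <UserGroups>
      <UserGroup>TACACS_Auditor</UserGroup>
    </UserGroups>
    <Services>
      <Service>
        <Set>service=shell</Set>
        <Set>juniper_ctpview_https=9</Set>
      </Service>
    </Services>
  </Authorization>
</Authorizations>
"""


def parse_sets(service):
    """Return {attribute: value} from the <Set> children of one <Service>."""
    pairs = {}
    for element in service.findall("Set"):
        text = (element.text or "").strip()
        if "=" not in text:
            raise ValueError(f"malformed <Set> element: {text!r}")
        key, _, value = text.partition("=")
        pairs[key.strip()] = value.strip()
    return pairs


def audit_authorization(xml_text):
    """Map each user group to the roles it is granted and the problems found.

    Returns {group: {"roles": {attribute: role}, "errors": [message, ...]}}.
    """
    root = ET.fromstring(xml_text)
    blocks = [root] if root.tag == "Authorization" else root.findall(".//Authorization")
    report = {}
    for block in blocks:
        groups = [g.text.strip() for g in block.findall("UserGroups/UserGroup") if g.text]
        roles, errors = {}, []
        for service in block.findall("Services/Service"):
            pairs = parse_sets(service)
            ctp_attrs = [k for k in pairs if k in ROLES]
            # A juniper_* value under any other service name is never consulted,
            # so it is reported as an error and never counted as a granted role.
            service_ok = pairs.get("service") == REQUIRED_SERVICE
            if ctp_attrs and not service_ok:
                errors.append(f"service={pairs.get('service')!r}: CTP attributes "
                              f"require service={REQUIRED_SERVICE}")
            for attr in ctp_attrs:
                try:
                    level = int(pairs[attr])
                except ValueError:
                    errors.append(f"{attr}={pairs[attr]!r} is not an integer")
                    continue
                if level not in ROLES[attr]:
                    errors.append(f"{attr}={level} is outside the documented "
                                  f"range {sorted(ROLES[attr])}")
                    continue
                if service_ok:
                    roles[attr] = ROLES[attr][level]
        for group in groups:
            report[group] = {"roles": dict(roles), "errors": list(errors)}
    return report


if __name__ == "__main__":
    # Audit a real file if one is given, otherwise the constructed sample.
    text = open(sys.argv[1]).read() if len(sys.argv) > 1 else SAMPLE_AUTHORIZATION_XML
    for group, result in audit_authorization(text).items():
        print(group)
        for attr, role in result["roles"].items():
            print(f"  {attr:<22} -> {role}")
        for message in result["errors"]:
            print(f"  ERROR: {message}")
```

Run it with the path to your Authorization.xml as the only argument, or with no argument to see the constructed sample; a group that shows an ERROR line will not receive the access you intended even though the file loads without complaint.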
On the TACACS+ server, you can also modify these files:
Clients.xml—Modify this file to add the shared secret and the domains that can use the TACACS+ server. The secret must match the one configured on the TACACS+ clients (the CTPView server and the CTP devices); a client with a different secret cannot be authenticated.
Tacplus.xml—Modify this file to add the remote port number and the IPv4 or IPv6 addresses assigned to the TACACS+ server.
<Port>49</Port>
<LocalIP>Write your TACACS+ machine's IP here</LocalIP>
Modify the parameters specified in Table 4 if required.

Table 4: Parameters for Configuring the Tacplus.xml File

Parameter   Function
Port        The port on which the TACACS+ server listens. The default port number is 49.
LocalIP     The IP address of the TACACS+ server. You can enter an IPv4 or IPv6 address. Before you enter an IPv6 address, ensure that both the TACACS+ server and the CTPView server or CTP device support IPv6.