
Configuring the TACACS+ Server

When installed on a server that uses the CentOS operating system, CTPView allows a TACACS+-authenticated user to log in through SSH and HTTPS.

Users are authenticated in the following order:

  • By the TACACS+ server

  • By the local user account

You can add the same user to the TACACS+ server and the local CTPView system.

Configuring the TACACS+ Server’s Configuration Files

You can use any TACACS+ server that complies with the TACACS+ RFC "The TACACS+ Protocol" (January 1997). You can download the TACACS+ server that we refer to here (v1.2) from the TACACS.net website at http://tacacs.net/download.asp. This version contains four configuration files. To modify the configuration files, you must log in to the TACACS+ server as an administrator.

  • Authentication.xml—Modify this file to add a new user on the TACACS+ server. To add a new user, you must add a new user group and the user under the <UserGroups> tag.

  • Authorization.xml—Modify this file to define the authorization level for the user. To define authorization levels, you must add the user group that you added in the Authentication.xml file to this file under the <Authorization> tag.

    The CTP device uses the juniper_ctp_srvc service to access TACACS+. This service is used only to access TACACS+ and cannot be changed in the Authorization.xml file.

    To define the authorization level, you can assign a user to any or all of the following groups:

    • CTP Device CLI–SSH

    • CTPView CLI–SSH

    • CTPView Web–HTTPS

    The level of authorization for each user is specified in the <Set> tag under the <Service> tag.

    Use the attributes and values shown in Table 1 for HTTPS access to CTPView.

    Table 1: Attributes and Values for HTTPS Access

    Attribute       Value
    Global_Admin    juniper_ctpview_https=1
    Net_Admin       juniper_ctpview_https=2
    Net_View        juniper_ctpview_https=3
    Net_Diag        juniper_ctpview_https=4

    Use the attributes and values shown in Table 2 for SSH access to CTPView.

    Table 2: Attributes and Values for SSH Access to CTPView

    Attribute       Value
    Web Manager     juniper_ctpview_cli=1
    System Admin    juniper_ctpview_cli=2
    Auditor         juniper_ctpview_cli=3

    Use the attributes and values shown in Table 3 for SSH access to CTP devices.

    Table 3: Attributes and Values for SSH Access to CTP Devices

    Attribute          Value
    Read_Only          juniper_ctp_cli=1
    Admin              juniper_ctp_cli=2
    Privileged_admin   juniper_ctp_cli=3
    Auditor            juniper_ctp_cli=4

    On the TACACS+ server, you can also modify these files:

  • Clients.xml—Modify this file to add the secret key and the domains that can use the TACACS+ server.

  • Tacplus.xml—Modify this file to add the remote port number and the IPv4 or IPv6 addresses assigned to the TACACS+ server.

    Modify the parameters specified in Table 4 if required.

    Table 4: Attributes for Configuring the Tacplus.xml File

    Parameter   Function
    Port        The default port number is 49.
    LocalIP     Specify the IP address of the TACACS+ server. You can enter an IPv4 or IPv6 address.
                Before you enter an IPv6 address, ensure that both the TACACS+ server and the CTPView server or the CTP device support IPv6.
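The following Python script is an added example, not part of this page or of the TACACS.net product, that audits the <Set> entries in an Authorization.xml file against Tables 1 to 3: it maps each user group to the CTPView and CTP device roles it is granted and reports any attribute or level that is not documented. Only the <Service>/<Set> nesting and the juniper_ctp_srvc service name come from the page; the surrounding <UserGroup>/<Name> layout and the group names in the constructed sample are assumptions.

```python
import xml.etree.ElementTree as ET

# Role mappings from Tables 1-3 on this page: attribute -> {level: role name}.
CTP_ROLES = {
    "juniper_ctpview_https": {1: "Global_Admin", 2: "Net_Admin", 3: "Net_View", 4: "Net_Diag"},
    "juniper_ctpview_cli": {1: "Web Manager", 2: "System Admin", 3: "Auditor"},
    "juniper_ctp_cli": {1: "Read_Only", 2: "Admin", 3: "Privileged_admin", 4: "Auditor"},
}

# Constructed sample Authorization.xml. Only the <Service>/<Set> nesting and the
# juniper_ctp_srvc name come from the page; the <UserGroup>/<Name> layout and the
# group names are assumptions made for this example.
SAMPLE_AUTHORIZATION_XML = """<Authorization>
  <UserGroups>
    <UserGroup><Name>ctp_viewers</Name>
      <Service><Name>juniper_ctp_srvc</Name>
        <Set>juniper_ctpview_https=3</Set>
        <Set>juniper_ctpview_cli=3</Set>
        <Set>juniper_ctp_cli=1</Set>
      </Service>
    </UserGroup>
    <UserGroup><Name>ctp_admins</Name>
      <Service><Name>juniper_ctp_srvc</Name>
        <Set>juniper_ctpview_https=1</Set>
        <Set>juniper_ctp_cli=9</Set>
        <Set>shell:priv-lvl=15</Set>
      </Service>
    </UserGroup>
  </UserGroups>
</Authorization>"""


def audit_authorization(xml_text):
    """Return (roles_by_group, problems): the CTP roles each group grants, plus any
    <Set> whose attribute is unknown or whose level is outside Tables 1-3."""
    roles_by_group, problems = {}, []
    for group in ET.fromstring(xml_text).iter("UserGroup"):
        name = group.findtext("Name", default="<unnamed>")
        granted = {}
        for entry in group.iter("Set"):  # every <Set> under this group's services
            attr, _, value = (entry.text or "").strip().partition("=")
            levels = CTP_ROLES.get(attr)
            if levels is None:
                problems.append(f"{name}: '{entry.text}' is not a CTP attribute")
            elif not value.isdigit() or int(value) not in levels:
                problems.append(f"{name}: {attr}={value} is not a documented level")
            else:
                granted[attr] = levels[int(value)]
        roles_by_group[name] = granted
    return roles_by_group, problems
```

Running audit_authorization(SAMPLE_AUTHORIZATION_XML) reports ctp_viewers as Net_View / Auditor / Read_Only and flags the out-of-range juniper_ctp_cli=9 and the non-CTP shell:priv-lvl entry in ctp_admins.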