Cisco MDS 9x00 SAN Switch (SAN-OS) with Open TACACS+ (Shrubbery)

Shrubbery Networks offers a free TACACS+ daemon (tac_plus) for download as C source code. If you have a small network and want to offer TACACS+ services without buying the Cisco ACS software, this could be the right thing for you (it does NOT offer RADIUS services, but there are quite a few free RADIUS servers available).

For IOS-based devices, the configuration is quite trivial. Example (tac_plus.conf):

# shared secret; must match the key configured on the switch
key = XXXXXXXXX

user = ciscoadm {
        default service = permit
        # exec authorization: drop the user straight into privilege level 15
        service = exec {
                priv-lvl = 15
        }
        # password for ASCII logins (tac_plus also accepts "login = des <crypt hash>")
        login = cleartext XXXXXXXX
}

This is a user "ciscoadm" who gets privilege level 15 right after login (so there is no need to "enable"). In this trivial example I've used a cleartext password, as I am the only one with access to this server in the management LAN and it is not in production at the moment.
Configure your IOS as usual with

aaa new-model
aaa authentication login default group tacacs+ local
aaa authorization exec default group tacacs+ local
tacacs-server host 192.168.10.10 key 7 .......
tacacs-server directed-request

The exec authorization line is what makes the priv-lvl=15 from the server take effect; without it you still land at privilege 1. Keep "local" at the end of the method lists so the console still works when the daemon is unreachable.

But then we got new Cisco MDS SAN Fibre Channel switches to replace our Inrange ones.
So I thought it was as easy as with IOS, because SAN-OS claims to be somewhat the same...
Eh, no.

It begins with the fact that you have to explicitly enable TACACS+ and ends with the issue that the default server group "tacacs+" is not available. You HAVE to declare a TACACS+ server group and reference it by name.

Example (SAN-OS 3.x):

tacacs+ enable
tacacs-server host 192.168.10.10 key 7 "XXXXXXXX"
tacacs-server host 192.168.10.11 key 7 "XXXXXXXX"
aaa group server tacacs+ MYTACACS
   server 192.168.10.10
   server 192.168.10.11
aaa authentication login default group MYTACACS local


But then again: no TACACS+ login. You cannot log in, and the tac_plus daemon logs "Authentication failed". And then: how to assign roles? SAN-OS on Cisco MDS switches uses roles for access levels; predefined are "network-admin" and "network-operator". So how to assign them via TACACS+?

The solution is fuzzy but simple. The login issue is solved by using "global" instead of "login": SAN-OS sends the TACACS+ authentication as PAP (the password travels inside the START packet) rather than as an interactive ASCII login, and tac_plus checks a "login" password against ASCII logins only. "global" sets one password for every authentication type tac_plus knows (login, PAP, CHAP, ARAP), regardless of the type the switch transmits. Note that "global" only takes a cleartext password (CHAP and ARAP cannot be verified against a hash); if PAP is all you need, "pap = des <crypt hash>" avoids storing the password in the clear.

Roles, finally, are assigned via a cisco-av-pair. Don't wonder about the asterisk, it is the correct syntax: in the TACACS+ protocol "attr=value" is a mandatory attribute and "attr*value" an optional one, and tac_plus uses the same notation in its configuration file. Several roles go into the same value, separated by spaces.
Our SAN admin user can be defined like this:

user = user1 {
        default service = permit
        service = exec {
                # optional ('*') AV pair; SAN-OS maps it onto its role(s)
                cisco-av-pair*shell:roles="network-admin"
        }
        # one password for every authentication type (login, PAP, CHAP, ...)
        global = cleartext XXXXXXXX
}


And - bingo - it works. "user1" can log in and is "network-admin".

You may test it by typing on your SAN switch:

sanswitch# show user-account
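A check from the server side, as an added example that is not part of the original post or of tac_plus: this small TACACS+ client talks to the daemon directly and tries the same user once as an interactive ASCII login and once as PAP, which is exactly the difference behind the "Authentication failed" above (a user with only a "login" password passes the first and fails the second; with "global" both pass). It implements the header, the MD5 body obfuscation and the authentication START/REPLY/CONTINUE bodies from the TACACS+ specification. The server address, the user, the shared key (read from the TACACS_KEY environment variable), the port name "tty0" and the remote address "127.0.0.1" in the START packet are assumptions.

```python
import getpass
import hashlib
import os
import socket
import struct
import sys

# Protocol constants from the TACACS+ specification (RFC 8907 / the draft).
VERSION_ASCII = 0xC0   # major 0xC, minor 0: interactive ASCII login
VERSION_PAP = 0xC1     # major 0xC, minor 1: PAP, password sent in the START
TYPE_AUTHEN = 0x01
ACTION_LOGIN = 0x01
AUTHEN_TYPE_ASCII = 0x01
AUTHEN_TYPE_PAP = 0x02
AUTHEN_SVC_LOGIN = 0x01
STATUS_NAMES = {1: "PASS", 2: "FAIL", 3: "GETDATA", 4: "GETUSER",
                5: "GETPASS", 6: "RESTART", 7: "ERROR"}

def pseudo_pad(session_id, key, version, seq_no, length):
    """Body keystream: MD5_1 = MD5(sid, key, ver, seq); MD5_n = MD5(sid, key, ver, seq, MD5_n-1)."""
    seed = struct.pack("!I", session_id) + key + bytes([version, seq_no])
    pad, prev = b"", b""
    while len(pad) < length:
        prev = hashlib.md5(seed + prev).digest()
        pad += prev
    return pad[:length]

def obfuscate(session_id, key, version, seq_no, body):
    """XOR the body with the pad. Symmetric: the same call decodes a server body."""
    pad = pseudo_pad(session_id, key, version, seq_no, len(body))
    return bytes(b ^ p for b, p in zip(body, pad))

def build_packet(version, seq_no, session_id, key, body):
    """12-byte header (version, type, seq_no, flags, session_id, length) plus obfuscated body."""
    header = struct.pack("!BBBBII", version, TYPE_AUTHEN, seq_no, 0, session_id, len(body))
    return header + obfuscate(session_id, key, version, seq_no, body)

def parse_header(data):
    """Return (version, type, seq_no, flags, session_id, body_length) from a header."""
    return struct.unpack("!BBBBII", data[:12])

def authen_start(user, authen_type, data=b"", port=b"tty0", rem_addr=b"127.0.0.1", priv_lvl=1):
    """Authentication START body. ASCII leaves data empty (the password comes later in a
    CONTINUE); PAP carries the password in data, which is why tac_plus needs a 'pap' or
    'global' password for it rather than 'login'. port/rem_addr values are assumptions."""
    return (struct.pack("!8B", ACTION_LOGIN, priv_lvl, authen_type, AUTHEN_SVC_LOGIN,
                        len(user), len(port), len(rem_addr), len(data))
            + user + port + rem_addr + data)

def authen_continue(user_msg):
    """Authentication CONTINUE body answering a GETUSER/GETPASS prompt."""
    return struct.pack("!HHB", len(user_msg), 0, 0) + user_msg

def parse_reply(body):
    """Authentication REPLY body -> (status, server_msg)."""
    status, _flags, msg_len, _data_len = struct.unpack("!BBHH", body[:6])
    return status, body[6:6 + msg_len]

def _recv_exact(sock, n):
    buf = b""
    while len(buf) < n:
        chunk = sock.recv(n - len(buf))
        if not chunk:
            raise ConnectionError("server closed the connection")
        buf += chunk
    return buf

def _exchange(sock, version, seq_no, session_id, key, body):
    """Send one client packet, decode the reply; returns (reply seq_no, (status, msg))."""
    sock.sendall(build_packet(version, seq_no, session_id, key, body))
    _, _, rseq, _, _, length = parse_header(_recv_exact(sock, 12))
    return rseq, parse_reply(obfuscate(session_id, key, version, rseq, _recv_exact(sock, length)))

def try_login(host, key, user, password, authen_type, port=49):
    """Run one authentication session against the daemon and return the final status name."""
    session_id = int.from_bytes(os.urandom(4), "big")
    version = VERSION_PAP if authen_type == AUTHEN_TYPE_PAP else VERSION_ASCII
    data = password if authen_type == AUTHEN_TYPE_PAP else b""
    with socket.create_connection((host, port), timeout=5) as sock:
        rseq, (status, msg) = _exchange(sock, version, 1, session_id, key,
                                        authen_start(user, authen_type, data))
        answers = {4: user, 5: password}   # GETUSER -> user, GETPASS -> password
        while status in answers:
            rseq, (status, msg) = _exchange(sock, version, rseq + 1, session_id, key,
                                            authen_continue(answers[status]))
    return STATUS_NAMES.get(status, str(status))

if __name__ == "__main__":
    # usage: TACACS_KEY=<shared key> python3 tacprobe.py <server> <user>
    # (server and user are assumptions; the password is prompted for, not passed on the command line)
    host, user = sys.argv[1], sys.argv[2].encode()
    key = os.environ["TACACS_KEY"].encode()
    password = getpass.getpass("password: ").encode()
    for name, atype in (("ASCII login", AUTHEN_TYPE_ASCII), ("PAP", AUTHEN_TYPE_PAP)):
        print(f"{name:12s} -> {try_login(host, key, user, password, atype)}")
```

Run it against the daemon from the management LAN before touching the switch: "ASCII login -> PASS" together with "PAP -> FAIL" is the symptom of a "login"-only user, and a wrong shared key shows up as garbage in the decoded reply or an ERROR status rather than a clean FAIL.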

