Configure TACACS+ Directory

Overview of TACACS+

Protocol Operation of TACACS+

Authentication of ASCII Format

Authentication of PAP and CHAP Formats

Flow of TACACS+ Configuration

Designation of TACACS+ Server

Configuration of Encrypted Secret Key of TACACS+

Designation of Using TACACS+ for Authentication

Designation of Using TACACS+ for Authorization

Designation of Using TACACS+ for Accounting

Samples of TACACS+ Configuration

Samples of TACACS+ Authentication

Samples of TACACS+ Authorization

Samples of TACACS+ Accounting

 

Overview of TACACS+

TACACS+ is an access control protocol that provides centralized authentication for users who want to obtain access to a router or network access server. Because the information exchanged between the network access server and the TACACS+ server program is encrypted, the communication is protected.

Before the TACACS+ features configured on the network access server can be used, the TACACS+ server must be reachable and configured. TACACS+ provides authentication, authorization and accounting as independent, modular functions.

Authentication supports several authentication methods, such as ASCII, PAP and CHAP, and can also carry on an arbitrary dialogue with the user, for example asking further questions (home address, service type, ID number and so on) after the user has entered a username and password. In addition, the TACACS+ authentication service can send messages to the user's screen, for instance to inform the user that the password must be changed immediately because of the company's password aging policy.

Authorization controls in detail which services the user is allowed while the service is being provided, including autocommands, access control, session duration and so on. It can also restrict the commands a user is allowed to execute.

Accounting collects and delivers the information used for billing, auditing or statistics on the use of network resources. The network administrator can use accounting to audit the activity of traced users or to provide the information for user bills. Accounting records the user's identity, start and end times, executed commands, packet and byte counts, and so on.

Protocol Operation of TACACS+

Authentication of ASCII Format

When a user logs in to the network access server with TACACS+ and a simple ASCII-format authentication is required, the following typically happens:

After the connection is established, the network access server contacts the TACACS+ server program to obtain a username prompt, which it displays to the user. When the user enters a username, the network access server contacts the TACACS+ server program again to obtain a password prompt and displays it to the user; when the user enters the password, it is sent to the TACACS+ server program.

Note: TACACS+ allows an arbitrary dialogue between the server program and the user until enough information has been gathered to authenticate the user. This is normally done by prompting for a username and password combination, but it may include other items, such as an ID number; all of this is under the control of the TACACS+ server program.

The network access server finally receives one of the following responses from the TACACS+ server:

ACCEPT

The user has passed authentication and service may begin. If the network access server is configured to require service authorization, authorization begins at this point.

REJECT

The user has failed authentication. The user may be denied further access or prompted to log in again, depending on how the TACACS+ server handles the failure.

ERROR

An error occurred during authentication, which may be due to the server or to the network connection between the server and the network access server. On an ERROR response, the network access server generally attempts to authenticate the user by another method.

CONTINUE

The user is prompted to enter additional authentication information.

Authentication of PAP and CHAP Formats

A PAP login is similar to an ASCII login, except that the username and password reach the network access server inside PAP messages rather than being typed by the user, so no prompts are sent asking the user for this information. A CHAP login is similar in its essentials. After authentication, if the network access server requires authorization, the user enters the authorization stage; but before TACACS+ authorization can be processed, TACACS+ authentication must first have completed successfully.

If TACACS+ authorization is required, the TACACS+ server program is contacted again and returns an authorization response of ACCEPT or REJECT. An ACCEPT response may include AV (attribute-value) data that governs the user's EXEC or NETWORK session and determines which services the user is permitted to access.

Flow of TACACS+ Configuration

To configure the router to support TACACS+, perform the following tasks:

Use the tacacs server command to specify the IP address of one or more TACACS+ servers. Use the tacacs key command to specify the encryption secret for information exchanged between the network access server and the TACACS+ server. The same secret key must also be configured on the TACACS+ server program.

Use the aaa authentication global configuration command to define TACACS+ authentication method lists. For more information on the aaa authentication command, see 'authentication configuration'.

Use the line and interface commands to apply the defined method lists to ports and lines. For more information, see 'authentication configuration'.

If required, use the aaa authorization global configuration command to configure authorization. For more information on the aaa authorization command, see 'authorization configuration'.

Use the line and interface commands to apply the defined method lists to ports or lines. For more information, see 'authorization configuration'.

If required, use the aaa accounting command to define accounting of the service process through TACACS+. For more information on the aaa accounting command, see 'accounting configuration'.

Use the line and interface commands to apply the defined method lists to ports or lines. For more information, see 'accounting configuration'.

Designation of TACACS+ Server

The tacacs server command lets you specify the IP address of a TACACS+ server. Because the TACACS+ software searches for hosts in the order in which they were configured, this feature can be used to give servers different priorities. To specify a TACACS+ host, use the following command in global configuration mode:

Command: tacacs server ip-address [single-connection | multi-connection] [port integer] [timeout integer] [key string]

Purpose: Specify the IP address and corresponding properties of a TACACS+ server.

The following options can also be configured with the tacacs server command:

- Use the single-connection keyword to specify a single TCP connection, which lets the server program handle more TACACS+ operations more efficiently. The multi-connection keyword means that multiple TCP connections are used.

- Use the port parameter to specify the TCP port number used by the TACACS+ server program. The default port number is 49.

- Use the timeout parameter to specify the maximum time (in seconds) the router waits for a response from the server.

- Use the key parameter to specify the secret key used to encrypt and decrypt messages.

Note: A timeout value specified with the tacacs server command overrides the global timeout value configured with the TACACS+ timeout command, and an encryption secret specified with the tacacs server command overrides the default secret configured with the tacacs key global configuration command. This command therefore lets you give an individual TACACS+ connection its own key and so enhance network security.

Configuration of Encrypted Secret Key of TACACS+

To configure the encryption secret for TACACS+ messages, use the following command in global configuration mode:

Command: tacacs key keystring

Purpose: Configure the encryption secret to match the one used by the TACACS+ server.

Note: For encryption to work, the same secret key must be configured on the TACACS+ server.
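The following Python example, added here and not part of the vendor's documentation, shows how the shared key is actually used on the wire: RFC 8907 derives an MD5 keystream from the session id, key, version and sequence number and XORs it over the packet body (the RFC calls this obfuscation rather than encryption). A server configured with a different key recovers garbage, which is why the same secret must be configured on both sides. The key, username and session id are constructed for the demo.

```python
"""TACACS+ packet framing and body obfuscation (RFC 8907 section 4.5).
Added example, not vendor code; key, user and session id are constructed."""
import hashlib
import struct

VERSION = 0xC0            # major version 0xC, minor version 0
TAC_PLUS_AUTHEN = 0x01    # packet type: authentication
HEADER = "!BBBBII"        # version, type, seq_no, flags, session_id, length


def pseudo_pad(session_id: int, key: bytes, seq_no: int, length: int) -> bytes:
    """MD5 keystream: MD5_1 = MD5(session_id|key|version|seq_no),
    MD5_n = MD5(session_id|key|version|seq_no|MD5_{n-1}), concatenated."""
    prefix = struct.pack("!I", session_id) + key + bytes([VERSION, seq_no])
    pad, prev = b"", b""
    while len(pad) < length:
        prev = hashlib.md5(prefix + prev).digest()
        pad += prev
    return pad[:length]


def authen_start_body(user: bytes, port: bytes = b"tty1") -> bytes:
    """Authentication START for an ASCII login: action LOGIN, priv_lvl 1,
    authen_type ASCII, service LOGIN, then user/port/rem_addr/data lengths."""
    return struct.pack("!8B", 0x01, 1, 0x01, 0x01, len(user), len(port), 0, 0) + user + port


def pack_packet(key: bytes, session_id: int, seq_no: int, body: bytes) -> bytes:
    """NAS side: XOR the cleartext body with the key-derived pad."""
    pad = pseudo_pad(session_id, key, seq_no, len(body))
    obfuscated = bytes(b ^ p for b, p in zip(body, pad))
    return struct.pack(HEADER, VERSION, TAC_PLUS_AUTHEN, seq_no, 0, session_id, len(body)) + obfuscated


def unpack_packet(key: bytes, packet: bytes) -> bytes:
    """Server side: the same pad recovers the body only if the keys match."""
    version, _type, seq_no, _flags, session_id, length = struct.unpack(HEADER, packet[:12])
    if version != VERSION or len(packet) != 12 + length:
        raise ValueError("malformed TACACS+ packet")
    pad = pseudo_pad(session_id, key, seq_no, length)
    return bytes(b ^ p for b, p in zip(packet[12:], pad))


def server_sees(nas_key: bytes, server_key: bytes, user: bytes) -> bytes:
    """Body as decoded by a server configured with server_key (constructed session id)."""
    return unpack_packet(server_key, pack_packet(nas_key, 0x1234ABCD, 1, authen_start_body(user)))
```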

Designation of Using TACACS+ for Authentication

After identifying the TACACS+ server and defining its encryption secret, you must define method lists for TACACS+ authentication. Because TACACS+ authentication is performed through AAA, you must use the aaa authentication command to specify TACACS+ as the authentication method. For more information, see 'authentication configuration'.

Designation of Using TACACS+ for Authorization

AAA authorization lets you set parameters that limit a user's network access privileges. TACACS+ authorization can be applied to many services, such as commands, network connections and EXEC sessions. Because TACACS+ authorization is performed through AAA, you must use the aaa authorization command to specify TACACS+ as the authorization method. For more information, see 'authorization configuration'.

Designation of Using TACACS+ for Accounting

AAA accounting tracks the services users are using and the amount of network resources those services consume. Because TACACS+ accounting is provided through AAA, you must use the aaa accounting command to specify TACACS+ as the accounting method. For more information, see 'accounting configuration'.

 

Samples of TACACS+ Configuration

This section contains the following:

Samples of TACACS+ Authentication

Samples of TACACS+ Authorization

Samples of TACACS+ Accounting

Samples of TACACS+ Authentication

The following sample configures PPP authentication through TACACS+:

aaa authentication ppp test tacacs+ local
tacacs server 1.2.3.4
tacacs key testkey
interface serial 1/1
 ppp authentication chap pap test

In this sample:

The aaa authentication command defines a method list named test for authentication on serial ports running PPP. The tacacs+ keyword means that authentication is performed through TACACS+; if an ERROR is returned during TACACS+ authentication, the local keyword directs the network access server to authenticate against its local database.

The tacacs server command identifies the IP address of the TACACS+ server as 1.2.3.4. The tacacs key command defines the shared encryption secret as testkey.

The interface command selects the port, and the ppp authentication command applies the method list test to that port.
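The following Python simulation, added here and not part of the vendor's documentation, models two things this page describes: the ASCII-format login dialogue (prompt for username, prompt for password, then a final ACCEPT, REJECT or ERROR, with the intermediate prompts reported as CONTINUE) and the fallback rule of a method list such as "tacacs+ local", where the next method is tried only on ERROR, never on REJECT. The server's user database, the local database and the server's reachability are constructed for the demo.

```python
"""Simulated ASCII-format TACACS+ login and 'tacacs+ local' method list.
Added example, not vendor code; users and replies are constructed."""
from typing import Optional, Tuple

# Reply statuses as named on this page; RFC 8907 calls the two prompting
# replies GETUSER and GETPASS, which the page groups under CONTINUE.
ACCEPT, REJECT, ERROR, CONTINUE = "ACCEPT", "REJECT", "ERROR", "CONTINUE"

SERVER_USERS = {"alice": "s3cret"}   # constructed TACACS+ server database
LOCAL_USERS = {"admin": "localpw"}   # constructed local database on the NAS


class TacacsServer:
    """Drives the dialogue: ask for a username, then a password, then decide."""

    def __init__(self, reachable: bool = True):
        self.reachable, self.user = reachable, None

    def handle(self, msg: Optional[str]) -> Tuple[str, Optional[str]]:
        if not self.reachable:
            return ERROR, None            # timeout or network fault, not a verdict
        if msg is None:
            return CONTINUE, "Username: "  # GETUSER
        if self.user is None:
            self.user = msg
            return CONTINUE, "Password: "  # GETPASS
        ok = SERVER_USERS.get(self.user) == msg
        return (ACCEPT if ok else REJECT), None


def tacacs_login(server: TacacsServer, answers: dict) -> str:
    """NAS side of the ASCII exchange: relay prompts until a final status."""
    status, prompt = server.handle(None)
    while status == CONTINUE:
        status, prompt = server.handle(answers.get(prompt, ""))
    return status


def aaa_authenticate(methods: list, server: TacacsServer, answers: dict):
    """Method list as in 'aaa authentication ppp test tacacs+ local':
    move to the next method only on ERROR; a REJECT is final."""
    for method in methods:
        if method == "tacacs+":
            status = tacacs_login(server, answers)
        else:  # local database on the network access server
            user, pw = answers.get("Username: "), answers.get("Password: ")
            status = ACCEPT if LOCAL_USERS.get(user) == pw else REJECT
        if status != ERROR:
            return status, method
    return ERROR, None
```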

The following sample configures TACACS+ as the security protocol for PPP authentication, using the method list default instead of the method list test:

aaa authentication ppp default if-needed tacacs+ local
tacacs-server host 1.2.3.4
tacacs-server key goaway
interface serial 1/1
 ppp authentication default

In this sample:

The aaa authentication command specifies the method list default for authentication on serial ports running PPP. The if-needed keyword means that if the user has already been authenticated during login, PPP authentication is not required; if authentication is required, the tacacs+ keyword means that it is performed through TACACS+. If an ERROR is returned during TACACS+ authentication, the local keyword directs the network access server to authenticate against its local database.

The tacacs server command identifies the IP address of the TACACS+ server as 1.2.3.4. The tacacs key command defines the shared encryption secret as testkey.

The interface command selects the port, and the ppp authentication command applies the method list test to that port.

 

Samples of TACACS+ Authorization

The following sample uses TACACS+ as one of the methods in the default authentication method list and configures authorization of network services (PPP, SLIP and so on) through TACACS+:

aaa authentication ppp default if-needed tacacs+ local
aaa authorization network default tacacs+
tacacs server 10.1.2.3
tacacs key goaway
interface serial 1/1
 ppp authentication default
 ppp authorization default

In this sample:

The aaa authentication command specifies the method list default for authentication on serial ports running PPP. The if-needed keyword means that if the user has already been authenticated during login, PPP authentication is not required; if authentication is required, the tacacs+ keyword means that it is performed through TACACS+. If an ERROR is returned during TACACS+ authentication, the local keyword directs the network access server to authenticate against its local database.

The aaa authorization command configures network authorization through TACACS+.

The tacacs server command identifies the IP address of the TACACS+ server as 10.2.3.4. The tacacs key command defines the shared encryption secret as goaway.

The interface command selects the port, and the ppp authentication and ppp authorization commands apply the default authentication and authorization method lists to that port.

 

Samples of TACACS+ Accounting

The following sample configures the PPP authentication method list to use TACACS+ as one of its methods and configures accounting through TACACS+:

aaa authentication ppp default if-needed tacacs+ local
aaa accounting network default stop-only tacacs+
tacacs server 10.1.2.3
tacacs key goaway
interface serial 1/1
 ppp authentication default
 ppp accounting default

In this sample:

The aaa authentication command defines the method list default for PPP authentication. The if-needed keyword means that if the user has already been authenticated during login, PPP authentication is not required; if authentication is required, the tacacs+ keyword means that it is performed through TACACS+. If an ERROR is returned during TACACS+ authentication, the local keyword directs the network access server to authenticate against its local database.

The aaa accounting command configures accounting of network services through TACACS+. In this sample, the stop-only keyword records accounting information only when the service finishes; the record is sent to the TACACS+ server when the network connection ends.

The tacacs server command identifies the IP address of the TACACS+ server as 10.2.3. The tacacs key command defines the shared encryption secret as goaway.

The interface command selects the port; the ppp authentication command applies the default authentication method list and the ppp accounting command applies the default accounting method list to that port.