Configure TACACS+
Contents
Authentication in ASCII Format
Authentication in PAP and CHAP Formats
Configuration of the TACACS+ Encryption Key
Specifying TACACS+ for Authentication
Specifying TACACS+ for Authorization
Specifying TACACS+ for Accounting
Samples of TACACS+ Configuration
Samples of TACACS+ Authentication
Samples of TACACS+ Authorization
Samples of TACACS+ Accounting
TACACS+ is an access-control protocol that provides centralized authentication for users who want to access a router or network access server. Because the exchanges between the network access server and the TACACS+ server are encrypted, the communication is protected.
Before the TACACS+ features configured on the network access server can be used, a TACACS+ server must be reachable and configured. TACACS+ provides authentication, authorization and accounting as independent modules.
Authentication not only supports several authentication methods, such as ASCII, PAP and CHAP, but also allows an arbitrary dialogue with the user, for example asking further questions after the user has entered a username and password, such as home address, service type or ID number. In addition, the TACACS+ authentication service can send messages to the user's screen, for instance to tell the user that the password must be changed right away because of the company's password aging policy.
Authorization finely controls the services a user is allowed during a session, including configuring automatic commands, access control and session duration. It can also restrict the commands a user is permitted to execute.
Accounting collects and delivers the information used for billing, auditing or statistics on the use of network resources. A network administrator can use accounting to securely audit the activities of traced users or to provide billing information. Accounting records include the user identity, start and end time, executed commands, number of packets and bytes, and so on.
Authentication in ASCII Format
When a user logs in to the network access server using TACACS+ and a simple ASCII authentication is required, the following typically happens:
After the connection is established, the network access server contacts the TACACS+ server to obtain a username prompt and displays it to the user. When the user enters the username, the network access server contacts the TACACS+ server again to obtain a password prompt and displays it to the user; when the user enters the password, the password is sent to the TACACS+ server.
Note: TACACS+ allows an arbitrary dialogue between the server and the user until enough information has been gathered to authenticate the user. This is normally achieved by prompting for a username and password, but may include other items, such as an ID number; all of this is under the control of the TACACS+ server.
The network access server finally receives one of the following responses from the TACACS+ server:
ACCEPT: The user has passed authentication and service may begin. If the network access server is configured to require authorization, authorization begins now.
REJECT: The user has failed authentication. The user may be denied further access or prompted to log in again, depending on how the TACACS+ server is configured.
ERROR: An error occurred during authentication, either on the server or in the network connection between the server and the network access server. After an ERROR response the network access server normally tries to authenticate the user by another method.
CONTINUE: The user is prompted for additional authentication information.
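The dialogue above, as an added example that is not part of this page or the vendor's software: a Python model of the TACACS+ ASCII login exchange using the message formats of RFC 8907 (clear-text header, body XORed with a chained-MD5 keystream derived from the shared key, and the START, REPLY and CONTINUE messages). The server runs in memory rather than over TCP, and the user database, keys, session ids and addresses are constructed. It shows the three outcomes the page lists, ACCEPT, REJECT and ERROR, and why the same key must be configured on both sides: with mismatched keys neither side can read the other's body, so the NAS ends up on the ERROR path.

```python
"""Model of the TACACS+ ASCII login dialog (RFC 8907 message formats) between a
network access server (NAS) and a TACACS+ server.  Added example, not vendor
code: the server is in memory and all names, keys and ids are constructed."""
import hashlib
import struct

VERSION = 0xC0                                   # major version 0xC, minor 0
TYPE_AUTHEN = 0x01                               # packet type: authentication
LOGIN, ASCII, SVC_LOGIN = 0x01, 0x01, 0x01       # action, authen_type, authen_service
PASS, FAIL, GETUSER, GETPASS, ERROR = 0x01, 0x02, 0x04, 0x05, 0x07   # REPLY status codes
OUTCOME = {PASS: "ACCEPT", FAIL: "REJECT", ERROR: "ERROR",
           GETUSER: "CONTINUE", GETPASS: "CONTINUE"}     # the page's names for the statuses
HEADER = "!BBBB4sI"                              # version, type, seq_no, flags, session_id, length


def keystream(session_id, key, seq_no, length):
    """RFC 8907 section 4.5: chained MD5 over session_id, shared key, version and seq_no.
    Both sides need the same key, otherwise neither can read the other's body."""
    out, prev = b"", b""
    while len(out) < length:
        prev = hashlib.md5(session_id + key + bytes([VERSION, seq_no]) + prev).digest()
        out += prev
    return out[:length]


def seal(session_id, key, seq_no, body):
    """Packet = clear-text header + body XORed with the keystream."""
    pad = keystream(session_id, key, seq_no, len(body))
    header = struct.pack(HEADER, VERSION, TYPE_AUTHEN, seq_no, 0, session_id, len(body))
    return header + bytes(a ^ b for a, b in zip(body, pad))


def unseal(packet, key):
    """Parse the header and strip the keystream; returns (seq_no, session_id, body)."""
    _, _, seq_no, _, session_id, length = struct.unpack(HEADER, packet[:12])
    body = packet[12:12 + length]
    return seq_no, session_id, bytes(a ^ b for a, b in zip(body, keystream(session_id, key, seq_no, length)))


def start_body(user=b"", port=b"tty0", rem_addr=b"192.0.2.10"):
    """Authentication START; an empty user makes the server send the username prompt."""
    return struct.pack("!8B", LOGIN, 1, ASCII, SVC_LOGIN, len(user), len(port), len(rem_addr), 0) + user + port + rem_addr


def parse_start(body):
    action, priv, atype, svc, ul, pl, rl, dl = struct.unpack("!8B", body[:8])
    if (action, atype, svc) != (LOGIN, ASCII, SVC_LOGIN) or priv > 15 or 8 + ul + pl + rl + dl != len(body):
        raise ValueError("START does not parse: key mismatch or corrupt packet")
    return body[8:8 + ul].decode("ascii")


def reply_body(status, server_msg=b""):
    return struct.pack("!BBHH", status, 0, len(server_msg), 0) + server_msg


def parse_reply(body):
    status, _, ml, dl = struct.unpack("!BBHH", body[:6])
    if status not in OUTCOME or 6 + ml + dl != len(body):
        raise ValueError("REPLY does not parse: key mismatch or corrupt packet")
    return status, body[6:6 + ml].decode("ascii")


def continue_body(user_msg):
    return struct.pack("!HHB", len(user_msg), 0, 0) + user_msg


class ToyTacacsServer:
    """In-memory server driving the username/password prompts described on the page."""

    def __init__(self, key, users):
        self.key, self.users, self.pending = key, users, {}   # pending: session_id -> username so far

    def handle(self, packet):
        seq_no, sid, body = unseal(packet, self.key)
        try:
            if seq_no == 1:                                   # START
                self.pending[sid] = parse_start(body)
                status, msg = (GETPASS, "Password: ") if self.pending[sid] else (GETUSER, "Username: ")
            else:                                             # CONTINUE
                ml, dl, _ = struct.unpack("!HHB", body[:5])
                if 5 + ml + dl != len(body):
                    raise ValueError("CONTINUE does not parse")
                answer = body[5:5 + ml].decode("ascii")
                if not self.pending.get(sid):                 # the answer was the username
                    self.pending[sid] = answer
                    status, msg = GETPASS, "Password: "
                else:                                         # the answer was the password
                    ok = self.users.get(self.pending[sid]) == answer
                    status, msg = (PASS, "") if ok else (FAIL, "Login invalid")
        except (ValueError, UnicodeDecodeError, struct.error):
            status, msg = ERROR, ""                           # unreadable request: report ERROR
        return seal(sid, self.key, seq_no + 1, reply_body(status, msg.encode("ascii")))


def nas_login(server, nas_key, session_id, username, password):
    """NAS side: send START, answer each prompt, stop at ACCEPT / REJECT / ERROR.
    Returns (outcome, transcript)."""
    answers = {GETUSER: username, GETPASS: password}
    transcript, packet = [], seal(session_id, nas_key, 1, start_body())
    while True:
        try:
            seq_no, _, body = unseal(server.handle(packet), nas_key)
            status, prompt = parse_reply(body)
        except (ValueError, UnicodeDecodeError, struct.error):
            transcript.append("<unreadable reply>")            # wrong key on either side ends here
            return "ERROR", transcript
        transcript.append(f"{OUTCOME[status]} {prompt}".strip())
        if status not in answers:
            return OUTCOME[status], transcript
        packet = seal(session_id, nas_key, seq_no + 1, continue_body(answers[status].encode("ascii")))


if __name__ == "__main__":
    users = {"alice": "s3cret"}                               # constructed user database
    for sid, pw, key in ((b"\x00\x00\x00\x01", "s3cret", b"testkey"),
                         (b"\x00\x00\x00\x02", "wrong", b"testkey"),
                         (b"\x00\x00\x00\x03", "s3cret", b"otherkey")):
        print(nas_login(ToyTacacsServer(b"testkey", users), key, sid, "alice", pw))
```

The keystream is what the page calls encryption: it hides the body from a passive observer only as long as the shared key stays secret, which is why the later sections insist that the same key is configured on the server and, preferably, per server.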
Authentication in PAP and CHAP Formats
PAP login is similar to ASCII login, except that the username and password arrive at the network access server inside the PAP messages rather than being typed by the user, so there is no need to prompt the user for them. CHAP login is essentially the same. After authentication, if the network access server requires authorization, the user enters the authorization stage; TACACS+ authentication must complete successfully before TACACS+ authorization is processed.
If TACACS+ authorization is required, the network access server contacts the TACACS+ server again and receives an authorization response of ACCEPT or REJECT. An ACCEPT response may carry AV (attribute-value) pairs for EXEC or NETWORK sessions that constrain the user and the services, determining what the user is allowed to access.
To configure the router to support TACACS+, perform the following tasks:
1. Use the tacacs server command to specify the IP addresses of one or more TACACS+ servers. Use the tacacs key command to specify the secret key that encrypts the exchanges between the network access server and the TACACS+ server. The same secret key must also be configured on the TACACS+ server.
2. Use the aaa authentication global configuration command to define TACACS+ authentication method lists. For more information on the aaa authentication command, see 'authentication configuration'.
3. Use the line and interface commands to apply the defined method lists to ports and lines. For more information, see 'authentication configuration'.
The tacacs server command specifies the IP address of a TACACS+ server. Because the TACACS+ software searches the hosts in the order in which they were configured, this can be used to give servers different priorities. To specify a TACACS+ host, use the following command in global configuration mode:
Command: tacacs server ip-address [single-connection | multi-connection] [port integer] [timeout integer] [key string]
Purpose: Specify the IP address and the corresponding properties of the TACACS+ server.
The following options can be configured with the tacacs server command:
- Use the single-connection keyword to request a single TCP connection, which lets the server handle more TACACS+ operations more efficiently. The multi-connection keyword uses multiple TCP connections.
- Use the port parameter to specify the TCP port number used by the TACACS+ server. The default port number is 49.
- Use the timeout parameter to specify the maximum time (in seconds) the router waits for a response from the server.
- Use the key parameter to specify the secret key used to encrypt and decrypt messages.
Note: A timeout value given on the tacacs server command overrides the global timeout configured with the tacacs timeout command, and a secret key given on the tacacs server command overrides the default key configured with the tacacs key global configuration command. Configuring a dedicated key for each TACACS+ connection in this way therefore improves network security.
Configuration of the TACACS+ Encryption Key
To configure the encryption key for TACACS+ messages, use the following command in global configuration mode:
Command: tacacs key keystring
Purpose: Configure the encryption key to match the one used by the TACACS+ server.
Note: For encryption to work, the same secret key must be configured on the TACACS+ server.
Specifying TACACS+ for Authentication
After identifying the TACACS+ server and defining its encryption key, you must define method lists for TACACS+ authentication. Because TACACS+ authentication is performed through AAA, use the aaa authentication command to specify TACACS+ as the authentication method. For more information, see 'authentication configuration'.
Specifying TACACS+ for Authorization
AAA authorization sets parameters that limit a user's network access. TACACS+ authorization can be used for many services, such as commands, network connections and EXEC sessions. Because TACACS+ authorization is performed through AAA, use the aaa authorization command to specify TACACS+ as the authorization method. For more information, see 'authorization configuration'.
Specifying TACACS+ for Accounting
AAA accounting tracks the services users are using and the amount of network resources those services consume. Because TACACS+ accounting is provided through AAA, use the aaa accounting command to specify TACACS+ as the accounting method. For more information, see 'accounting configuration'.
Samples of TACACS+ Configuration
This section contains the following:
Samples of TACACS+ Authentication
Samples of TACACS+ Authorization
Samples of TACACS+ Accounting
Samples of TACACS+ Authentication
The following sample configures PPP authentication through TACACS+:
aaa authentication ppp test tacacs+ local
tacacs server 1.2.3.4
tacacs key testkey
interface serial 1/1
ppp authentication chap pap test
In this sample:
The aaa authentication command defines the authentication method list named test, used on serial ports running PPP. The tacacs+ keyword means that authentication is performed through TACACS+; if an ERROR is returned during TACACS+ authentication, the local keyword instructs the network access server to authenticate against its local database.
The tacacs server command identifies the IP address of the TACACS+ server as 1.2.3.4. The tacacs key command defines the shared secret as testkey.
The following sample configures TACACS+ as the security protocol for PPP authentication, using the method list default instead of the method list test:
aaa authentication ppp default if-needed tacacs+ local
tacacs server 1.2.3.4
tacacs key goaway
interface serial 1/1
ppp authentication default
In this sample:
The aaa authentication command defines the authentication method list default, used on serial ports running PPP. The if-needed keyword means that if the user has already been authenticated at login, PPP authentication is not needed; if authentication is needed, the tacacs+ keyword means that it is performed through TACACS+. If an ERROR is returned during TACACS+ authentication, the local keyword instructs the network access server to authenticate against its local database.
The tacacs server command identifies the IP address of the TACACS+ server as 1.2.3.4. The tacacs key command defines the shared secret as goaway.
The interface command selects the port, and the ppp authentication command applies the method list default to that port.
Samples of TACACS+ Authorization
aaa authentication ppp default if-needed tacacs+ local
aaa authorization network default tacacs+
tacacs server 10.1.2.3
tacacs key goaway
interface serial 1/1
ppp authentication default
ppp authorization default
In this sample:
The aaa authentication command defines the authentication method list default, used on serial ports running PPP. The if-needed keyword means that if the user has already been authenticated at login, PPP authentication is not needed; if authentication is needed, the tacacs+ keyword means that it is performed through TACACS+. If an ERROR is returned during TACACS+ authentication, the local keyword instructs the network access server to authenticate against its local database.
The aaa authorization command configures network authorization through TACACS+.
The tacacs server command identifies the IP address of the TACACS+ server as 10.1.2.3. The tacacs key command defines the shared secret as goaway.
The interface command selects the port, and the ppp authentication and ppp authorization commands apply the default authentication and authorization method lists to that port.
Samples of TACACS+ Accounting
aaa authentication ppp default if-needed tacacs+ local
aaa accounting network default stop-only tacacs+
tacacs server 10.1.2.3
tacacs key goaway
interface serial 1/1
ppp authentication default
ppp accounting default
In this sample:
The aaa authentication command defines the authentication method list default for PPP. The if-needed keyword means that if the user has already been authenticated at login, PPP authentication is not needed; if authentication is needed, the tacacs+ keyword means that it is performed through TACACS+. If an ERROR is returned during TACACS+ authentication, the local keyword instructs the network access server to authenticate against its local database.
The aaa accounting command configures accounting of network services through TACACS+. In this sample (stop-only), an accounting record is produced only when the service finishes, and it is sent to the TACACS+ server when the network connection ends.
The tacacs server command identifies the IP address of the TACACS+ server as 10.1.2.3. The tacacs key command defines the shared secret as goaway.
The interface command selects the port; the ppp authentication command applies the default authentication method list to that port and the ppp accounting command applies the default accounting method list to it.
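As an added example covering both the configuration tasks (tacacs server options, the key and timeout overrides, the method lists) and the samples above, the following Python script parses a configuration written in the command syntax this page documents and reports the mistakes a reviewer would look for: tacacs+ named as a method with no server, a server with no effective key, an authentication list whose last method is tacacs+ so an ERROR leaves no fallback, and an interface that refers to an undefined method list. It is not vendor code; it understands only the commands shown on this page, the spelling tacacs timeout for the global timeout command is assumed from the note above, and both sample configurations are constructed.

```python
"""Static check of a TACACS+/AAA configuration in the command syntax documented
on this page.  Added example, not vendor code: only the commands the page shows
are parsed, and the two sample configurations are constructed."""
import ipaddress

MODIFIERS = {"if-needed", "stop-only"}       # keywords on the page that are not methods
PPP_SERVICE = {"authentication": "ppp", "authorization": "network", "accounting": "network"}


def parse_server(words):
    """tacacs server ip-address [single-connection|multi-connection] [port N] [timeout N] [key S]"""
    server = {"ip": words[0], "connection": None, "port": 49, "timeout": None, "key": None}
    i = 1
    while i < len(words):
        if words[i] in ("single-connection", "multi-connection"):
            server["connection"], i = words[i], i + 1
        elif words[i] in ("port", "timeout"):
            server[words[i]], i = int(words[i + 1]), i + 2
        elif words[i] == "key":
            server["key"], i = words[i + 1], i + 2
        else:
            raise ValueError(f"unknown tacacs server option: {words[i]}")
    ipaddress.ip_address(server["ip"])       # a malformed address fails loudly
    return server


def parse_config(text):
    cfg = {"lists": {}, "servers": [], "key": None, "timeout": None, "interfaces": {}}
    iface = None
    for line in text.splitlines():
        words = line.split()
        if len(words) > 4 and words[0] == "aaa" and words[1] in PPP_SERVICE:
            func, service, name = words[1:4]          # aaa <function> <service> <list-name> <methods>
            cfg["lists"][(func, service, name)] = [w for w in words[4:] if w not in MODIFIERS]
        elif words[:2] == ["tacacs", "server"]:
            cfg["servers"].append(parse_server(words[2:]))
        elif words[:2] == ["tacacs", "key"]:
            cfg["key"] = words[2]
        elif words[:2] == ["tacacs", "timeout"]:      # assumed spelling of the global timeout command
            cfg["timeout"] = int(words[2])
        elif words[:1] == ["interface"]:
            iface = " ".join(words[1:])
            cfg["interfaces"][iface] = {}
        elif words[:1] == ["ppp"] and iface is not None:
            cfg["interfaces"][iface][words[1]] = words[-1]   # the last word names the method list
    return cfg


def effective_servers(cfg):
    """Per-server key and timeout override the global ones, as the tacacs server note says."""
    return [{"ip": s["ip"], "port": s["port"], "connection": s["connection"],
             "key": s["key"] or cfg["key"], "timeout": s["timeout"] or cfg["timeout"]}
            for s in cfg["servers"]]


def audit(text):
    """Return a list of findings; an empty list means nothing was flagged."""
    cfg, findings = parse_config(text), []
    if any("tacacs+" in m for m in cfg["lists"].values()) and not cfg["servers"]:
        findings.append("tacacs+ is used as a method but no 'tacacs server' is configured")
    for s in effective_servers(cfg):
        if s["key"] is None:
            findings.append(f"server {s['ip']}: no secret key (no 'key' option and no 'tacacs key')")
    for (func, service, name), methods in cfg["lists"].items():
        if func == "authentication" and methods and methods[-1] == "tacacs+":
            findings.append(f"aaa {func} {service} {name}: tacacs+ is the last method, "
                            "so a server ERROR leaves no fallback such as local")
    for iface, refs in cfg["interfaces"].items():
        for func, name in refs.items():
            if (func, PPP_SERVICE.get(func), name) not in cfg["lists"]:
                findings.append(f"interface {iface}: ppp {func} refers to undefined method list '{name}'")
    return findings


PAGE_STYLE = """\
aaa authentication ppp default if-needed tacacs+ local
aaa authorization network default tacacs+
aaa accounting network default stop-only tacacs+
tacacs server 10.1.2.3
tacacs key goaway
interface serial 1/1
ppp authentication default
ppp authorization default
ppp accounting default
"""

WEAK = """\
aaa authentication ppp admins tacacs+
tacacs server 10.1.2.3 single-connection timeout 3
interface serial 1/1
ppp authentication chap pap test
"""

if __name__ == "__main__":
    for label, text in (("page-style", PAGE_STYLE), ("weak", WEAK)):
        print(label, effective_servers(parse_config(text)), *audit(text), sep="\n  ")
```

Running it reports nothing for the page-style configuration and three findings for the constructed weak one; effective_servers shows the resolved key and timeout per server, which is the quickest way to confirm that a per-server key really overrides the global tacacs key as the note describes.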