SYSTEM ADMINISTRATOR GUIDE 71/1543-CRA 119 1170/1-V1 Uen B
Copyright
© Ericsson AB 2009–2010. All rights reserved. No part of this document may be reproduced in any form without the written permission of the copyright owner.
Disclaimer
The contents of this document are subject to revision without notice due to continued progress in methodology, design and manufacturing. Ericsson shall have no liability for any error or damage of any kind resulting from the use of this document.
Trademark List
| Trademark | Notice |
|---|---|
| SmartEdge | is a registered trademark of Telefonaktiebolaget LM Ericsson. |
| NetOp | is a trademark of Telefonaktiebolaget LM Ericsson. |
This document provides an overview of the Terminal Access Controller Access Control System Plus (TACACS+) features supported on the SmartEdge® router, describes TACACS+ attribute-value pairs (AVPs), and describes the tasks used to configure, monitor, and administer TACACS+. It also provides a TACACS+ configuration example.
The TACACS+ protocol enables building a system that secures remote access to networks and network services. TACACS+ is based on a client/server architecture. When configured with the IP address or hostname of a TACACS+ server, the SmartEdge router can act as a TACACS+ client. TACACS+ servers are configured on a per-context basis, with a limit of six servers in each context.
The SmartEdge router supports the TACACS+ features of One-Time Passwords in Everything (OPIE), S/Key, and SecurID, if they are supported by and enabled on the TACACS+ server. These functions are limited to Telnet sessions only.
The SmartEdge router sends an SNMP notification when it has difficulty communicating with a TACACS+ server and declares that server down, and another notification when communication with the server is restored.
The configurable options for a TACACS+ server are listed in Table 1.
To enable authentication and accounting features, you must also configure authentication, authorization, and accounting (AAA). For information about AAA tasks and commands, see Configuring Authentication, Authorization, and Accounting.
To enable administrator authentication through TACACS+, enter the aaa authentication administrator command (in context configuration mode). To configure CLI authorization, enter the aaa authorization commands command (in context configuration mode). To enable accounting messages to be sent to a TACACS+ server, enter the aaa accounting administrators and aaa accounting commands commands (in context configuration mode).
The sections that follow provide information for configuring and operating TACACS+.
The SmartEdge router supports up to six TACACS+ servers in each context. Servers are assigned priority based on the order in which they are configured in the operating system. The first configured server is used first. If the first server becomes unavailable or unreachable, the second server is used, and so on.
By default, packets that the SmartEdge router sends to a TACACS+ server carry, as their source address, the IP address of the interface on which they are transmitted. To avoid exposing that interface address to the TACACS+ server, configure a loopback interface as the source address for TACACS+ packets; the loopback address must be reachable from the TACACS+ server. For details about this command, see Configuring Contexts and Interfaces.
To configure a TACACS+ server, perform the tasks described in Table 1; enter all commands in context configuration mode, unless otherwise noted.

| Task | Root Command | Notes |
|---|---|---|
| Configure the IP address or hostname of a TACACS+ server. | tacacs+ server | |
| Optional. Configure server parameters, using one or more of the following tasks: | | |
| Modify the interval during which the SmartEdge router treats a nonresponsive TACACS+ server as dead and tries to reach another configured server instead. | | |
| Modify the TACACS+ server identifier used for lawful intercept (LI) administrators or LI users. | | |
| Modify the number of retransmission attempts to open a TCP connection to the TACACS+ server when no response is received from the server within the time-out period. | tacacs+ max-retries | |
| Strip the domain portion of a structured username before relaying an authentication, authorization, or accounting request. | tacacs+ strip-domain | |
| Modify the time-out value. | tacacs+ timeout | |
| Configure an IP source address. | ip source-address | Enter this command in interface configuration mode and specify the tacacs+ keyword. |
For information about configuring interfaces and the ip source-address command (in interface configuration mode), see Configuring Contexts and Interfaces.
To monitor and troubleshoot TACACS+ servers, perform the appropriate TACACS+ operations tasks described in Table 2. Enter the debug command in exec mode; enter the show command in any mode.

| Task | Root Command |
|---|---|
| Enable the generation of TACACS+ debug messages. | debug |
| Display configuration information for one or all TACACS+ servers in the current context. | show |
The following example configures a TACACS+ server with IP address 10.43.32.56 and the key Secret, sets the SmartEdge router to attempt to open a TCP connection to the server up to 5 times when no response is received within 30 seconds, and strips the domain portion of structured usernames before relaying requests to the server:

```
[local]Redback(config-ctx)#tacacs+ server 10.43.32.56 key Secret
[local]Redback(config-ctx)#tacacs+ max-retries 5
[local]Redback(config-ctx)#tacacs+ timeout 30
[local]Redback(config-ctx)#tacacs+ strip-domain
```
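The key given with tacacs+ server ... key Secret is the shared secret both ends use to obfuscate packet bodies. The following Python script is an added example, not code from this guide or from the SmartEdge software: it implements the TACACS+ header layout and body obfuscation as specified in RFC 8907 (the protocol specification for what this guide configures), using the key from the example above together with a constructed session id, user name, port and remote address.

```python
"""Added example: TACACS+ header and body obfuscation (RFC 8907, section 4.5).

This is not code from the SmartEdge guide or software.  It shows what the key
configured with 'tacacs+ server <address> key <key>' does on the wire: the
12-byte header is sent in the clear and the body is XORed with an MD5-based
pseudo-pad derived from the session id, the shared key, the version byte and
the sequence number.  Field values follow RFC 8907; the session id, user, port
and remote address below are constructed sample values.
"""
import hashlib
import struct

# RFC 8907 header constants
TAC_PLUS_MAJOR_VER = 0xC
TAC_PLUS_MINOR_VER_DEFAULT = 0x0
TAC_PLUS_AUTHEN = 0x01                # packet type: authentication
TAC_PLUS_UNENCRYPTED_FLAG = 0x01      # body is sent without obfuscation
# RFC 8907 authentication START body constants
TAC_PLUS_AUTHEN_LOGIN = 0x01
TAC_PLUS_AUTHEN_TYPE_ASCII = 0x01
TAC_PLUS_AUTHEN_SVC_LOGIN = 0x01

HEADER_FMT = "!BBBBII"                # version, type, seq_no, flags, session_id, length
HEADER_LEN = struct.calcsize(HEADER_FMT)   # 12 bytes
VERSION = (TAC_PLUS_MAJOR_VER << 4) | TAC_PLUS_MINOR_VER_DEFAULT   # 0xC0

# Constructed sample values (the key is the one used in the guide's example)
SESSION_ID = 0x1A2B3C4D
KEY = b"Secret"


def pseudo_pad(session_id, key, version, seq_no, length):
    """MD5_1 = MD5(session_id|key|version|seq_no); MD5_n = MD5(... | MD5_n-1).
    The digests are concatenated and truncated to the body length."""
    prefix = struct.pack("!I", session_id) + key + bytes([version, seq_no])
    pad, prev = b"", b""
    while len(pad) < length:
        prev = hashlib.md5(prefix + prev).digest()
        pad += prev
    return pad[:length]


def obfuscate(body, session_id, key, version, seq_no):
    """XOR the body with the pseudo-pad; applying it twice restores the body."""
    pad = pseudo_pad(session_id, key, version, seq_no, len(body))
    return bytes(b ^ p for b, p in zip(body, pad))


def build_authen_start(user, priv_lvl, port, rem_addr, data=b""):
    """Authentication START body: eight fixed bytes followed by the variable fields."""
    u, p, r = user.encode(), port.encode(), rem_addr.encode()
    fixed = struct.pack("!8B", TAC_PLUS_AUTHEN_LOGIN, priv_lvl,
                        TAC_PLUS_AUTHEN_TYPE_ASCII, TAC_PLUS_AUTHEN_SVC_LOGIN,
                        len(u), len(p), len(r), len(data))
    return fixed + u + p + r + data


def build_packet(body, session_id, key, seq_no=1, unencrypted=False):
    """Prepend the cleartext header; obfuscate the body unless the flag is set."""
    flags = TAC_PLUS_UNENCRYPTED_FLAG if unencrypted else 0
    wire = body if unencrypted else obfuscate(body, session_id, key, VERSION, seq_no)
    header = struct.pack(HEADER_FMT, VERSION, TAC_PLUS_AUTHEN, seq_no, flags,
                         session_id, len(body))
    return header + wire


def parse_packet(packet, key):
    """Return (header fields, body).  A wrong key yields garbage, not an error:
    the protocol carries no integrity check over the body."""
    fields = struct.unpack(HEADER_FMT, packet[:HEADER_LEN])
    version, ptype, seq_no, flags, session_id, length = fields
    wire = packet[HEADER_LEN:HEADER_LEN + length]
    if len(wire) != length:
        raise ValueError("truncated packet")
    if flags & TAC_PLUS_UNENCRYPTED_FLAG:
        body = wire                       # a production server should refuse this
    else:
        body = obfuscate(wire, session_id, key, version, seq_no)
    header = {"version": version, "type": ptype, "seq_no": seq_no,
              "flags": flags, "session_id": session_id, "length": length}
    return header, body


def demo():
    """Round-trip a START packet with the right key and with a wrong key."""
    body = build_authen_start("admin", 1, "vty0", "198.51.100.7")
    packet = build_packet(body, SESSION_ID, KEY)
    header, recovered = parse_packet(packet, KEY)
    _, garbled = parse_packet(packet, b"WrongKey")
    return body, packet, header, recovered, garbled


if __name__ == "__main__":
    body, packet, header, recovered, garbled = demo()
    print("header:", header)
    print("body recovered with right key:", recovered == body)
    print("body recovered with wrong key:", garbled == body)
```

Two practical points follow from the code. The pad depends only on the cleartext header fields and the key, so a key mismatch between router and server does not produce a protocol error, only a body the other side cannot parse; that is what a wrong key looks like when troubleshooting. And the unencrypted flag switches the protection off entirely; RFC 8907 deprecates it for anything but testing, so the server should refuse such packets, and the router-to-server TCP sessions belong on a protected management path in any case.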
Terminal Access Controller Access Control System Plus (TACACS+) attribute-value pairs (AVPs) are used to define specific administrator and command-line interface (CLI) command authentication, authorization, and accounting (AAA) elements for user profiles that are stored on a TACACS+ server.
Table 3 describes TACACS+ authentication and authorization AVPs supported by the SmartEdge router.

| Attribute | Description |
|---|---|
| cmd=x | Administrator shell command. Indicates the name of the command to be issued. This attribute can be specified only if service=shell. |
| cmd-arg=x | Argument used with an administrator shell command. Indicates an argument to be used with the command. Multiple cmd-arg attributes can be specified; they are order dependent. |
| priv-lvl=x | When received in an administrator authorization response from the server, sets the starting privilege level for the administrator. |
| service=x | Service used by the administrator. |
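To show how the attributes in Table 3 are used, here is an added Python example, not code from this guide, from the SmartEdge software or from any particular TACACS+ server. It builds the service, cmd and cmd-arg attributes a client sends for a shell command, evaluates them against a small server-side policy whose rule format and first-match semantics are this example's own, and reads priv-lvl from an authorization reply. The policy rules and the command lines are constructed.

```python
"""Added example: the shell-command authorization attributes of Table 3.

Not code from the SmartEdge guide, the SmartEdge software or any particular
TACACS+ server.  It builds the service=/cmd=/cmd-arg= attributes a client sends
when an administrator enters a command, checks them against a small server-side
policy (rule format and first-match semantics are this example's own), and reads
priv-lvl from an authorization reply.  Policy rules and command lines are
constructed.
"""
import re
import shlex


def build_shell_authz_avps(cli_line):
    """service=shell, cmd=<command name>, then one cmd-arg per argument, in the
    order typed (Table 3: cmd-arg attributes are order dependent)."""
    words = shlex.split(cli_line)
    if not words:
        raise ValueError("empty command line")
    return ["service=shell", f"cmd={words[0]}"] + [f"cmd-arg={w}" for w in words[1:]]


def parse_avps(avps):
    """Split 'attr=value' (mandatory) or 'attr*value' (optional) into
    (attr, value, mandatory) tuples, keeping repeated attributes in order."""
    parsed = []
    for avp in avps:
        m = re.match(r"^([^=*]+)([=*])(.*)$", avp)
        if not m:
            raise ValueError(f"malformed AVP: {avp!r}")
        parsed.append((m.group(1), m.group(3), m.group(2) == "="))
    return parsed


# Constructed policy for an operator role: (cmd, regex over the space-joined
# cmd-arg values, verdict).  First matching rule wins; no match means deny.
OPERATOR_POLICY = [
    ("show", r"^configuration", "deny"),
    ("show", r".*", "permit"),
    ("debug", r"^tacacs\+$", "permit"),
    ("configure", r".*", "deny"),
]


def authorize(policy, request_avps):
    """Evaluate a shell command authorization request against the policy.
    Returns (verdict, matched rule or None)."""
    service, cmd, args = None, None, []
    for attr, value, _mandatory in parse_avps(request_avps):
        if attr == "service":
            service = value
        elif attr == "cmd":
            cmd = value
        elif attr == "cmd-arg":
            args.append(value)          # order preserved, as Table 3 requires
    if service != "shell" or cmd is None:
        return "deny", None             # cmd= is only meaningful with service=shell
    joined = " ".join(args)
    for rule_cmd, arg_pattern, verdict in policy:
        if rule_cmd == cmd and re.search(arg_pattern, joined):
            return verdict, (rule_cmd, arg_pattern)
    return "deny", None


def starting_priv_lvl(reply_avps, default):
    """priv-lvl in an authorization reply sets the administrator's starting
    privilege level; 'default' is what the caller applies when it is absent."""
    for attr, value, _mandatory in parse_avps(reply_avps):
        if attr == "priv-lvl":
            level = int(value)
            if not 0 <= level <= 15:
                raise ValueError(f"priv-lvl out of range: {value}")
            return level
    return default


if __name__ == "__main__":
    for line in ["show tacacs+", "show configuration tacacs+", "debug tacacs+", "configure terminal"]:
        avps = build_shell_authz_avps(line)
        print(f"{line!r:30} {avps} -> {authorize(OPERATOR_POLICY, avps)[0]}")
    print("starting priv-lvl:", starting_priv_lvl(["service=shell", "priv-lvl=15"], default=1))
```

The order dependence matters for policy: "debug tacacs+" and a request carrying cmd=tacacs+ with cmd-arg=debug are different requests and match different rules, so a server-side rule written against the joined argument string only works if the client emits the arguments in the order typed.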
Table 4 describes the TACACS+ administrator accounting AVPs supported by the SmartEdge router.

| Attribute | Description |
|---|---|
| service=shell | Service used by the administrator. |
| start_time=x | Time at which the administrator logged on to the SmartEdge router, as the number of seconds since 12:00 a.m., January 1, 1970. |
| stop_time=x | Time at which the administrator logged off the SmartEdge router, as the number of seconds since 12:00 a.m., January 1, 1970. |
| task_id=x | Start and stop records for the same event must carry the same (unique) task ID number. |
| timezone=x | Time zone abbreviation for all time stamps included in this packet. |
Table 5 describes the TACACS+ command accounting AVPs supported by the SmartEdge router.

| Attribute | Description |
|---|---|
| cmd=x | Command issued by the administrator. Includes all supported CLI commands. |
| priv-lvl=x | Privilege level associated with the command being issued. |
| start_time=x | Time at which the command is issued. |
| service=shell | Service used by the administrator. |
| task_id=x | Start and stop records for the same event must carry the same (unique) task ID number. |
| timezone=x | Time zone abbreviation for all time stamps included in this packet. |
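The following is an added Python example, not code from this guide or from the SmartEdge software, showing what a reader of accounting records does with the attributes in Tables 4 and 5: it pairs start and stop records by task_id, reports events with a missing start or stop, and picks out commands issued at a high privilege level. The records are constructed; the user name and the start/stop flag are taken from the accounting packet body, as a server logs them, and start_time and stop_time are interpreted as seconds since the epoch in UTC, with the timezone attribute carried through as given.

```python
"""Added example: correlating the accounting attributes of Tables 4 and 5.

Not code from the SmartEdge guide or software.  It parses accounting records,
pairs start and stop records by task_id (both records of one event carry the
same task_id), reports events with a missing start or stop, and lists commands
issued at a high privilege level.  The records are constructed; user name and
start/stop flag come from the accounting packet body, the rest are the table
attributes.  start_time/stop_time are treated as epoch seconds in UTC; the
timezone attribute is carried through unchanged.
"""
from collections import defaultdict
from datetime import datetime, timezone

RECORDS = [
    # administrator session (Table 4): start carries start_time, stop carries stop_time
    {"user": "alice", "flag": "start",
     "avps": ["service=shell", "task_id=101", "start_time=1262304000", "timezone=UTC"]},
    {"user": "alice", "flag": "stop",
     "avps": ["service=shell", "task_id=101", "stop_time=1262304600", "timezone=UTC"]},
    # commands issued in that session (Table 5)
    {"user": "alice", "flag": "start", "avps": ["service=shell", "task_id=102", "priv-lvl=1",
     "cmd=show tacacs+", "start_time=1262304030", "timezone=UTC"]},
    {"user": "alice", "flag": "stop", "avps": ["service=shell", "task_id=102", "priv-lvl=1",
     "cmd=show tacacs+", "start_time=1262304030", "timezone=UTC"]},
    {"user": "alice", "flag": "start", "avps": ["service=shell", "task_id=103", "priv-lvl=15",
     "cmd=configure", "start_time=1262304120", "timezone=UTC"]},
    {"user": "alice", "flag": "stop", "avps": ["service=shell", "task_id=103", "priv-lvl=15",
     "cmd=configure", "start_time=1262304120", "timezone=UTC"]},
    # session whose stop record never arrived (still open, or lost)
    {"user": "bob", "flag": "start",
     "avps": ["service=shell", "task_id=104", "start_time=1262304300", "timezone=UTC"]},
    # stop record whose start was never seen
    {"user": "carol", "flag": "stop",
     "avps": ["service=shell", "task_id=105", "stop_time=1262304900", "timezone=UTC"]},
]


def parse_avps(avps):
    """'attr=value' strings to a dict (accounting attributes are not repeated)."""
    attrs = {}
    for avp in avps:
        attr, sep, value = avp.partition("=")
        if not sep:
            raise ValueError(f"malformed AVP: {avp!r}")
        attrs[attr] = value
    return attrs


def epoch_to_iso(seconds):
    """start_time/stop_time: seconds since 12:00 a.m., January 1, 1970."""
    return datetime.fromtimestamp(int(seconds), tz=timezone.utc).strftime("%Y-%m-%dT%H:%M:%SZ")


def correlate(records):
    """Group by task_id and merge each start/stop pair into one event.
    Returns (complete events by task_id, starts without stop, stops without start)."""
    groups = defaultdict(list)
    for rec in records:
        attrs = parse_avps(rec["avps"])
        groups[attrs["task_id"]].append((rec["user"], rec["flag"], attrs))
    events, incomplete, orphans = {}, [], []
    for task_id, items in groups.items():
        users = {user for user, _, _ in items}
        if len(users) != 1:               # a task_id must belong to one user only
            raise ValueError(f"task_id {task_id} shared by users {sorted(users)}")
        merged = {}
        for _, _, attrs in items:
            merged.update(attrs)
        event = {
            "task_id": task_id, "user": users.pop(), "cmd": merged.get("cmd"),
            "priv_lvl": int(merged["priv-lvl"]) if "priv-lvl" in merged else None,
            "timezone": merged.get("timezone"),
            "start": epoch_to_iso(merged["start_time"]) if "start_time" in merged else None,
            "stop": epoch_to_iso(merged["stop_time"]) if "stop_time" in merged else None,
            "duration": None,
        }
        if "start_time" in merged and "stop_time" in merged:
            event["duration"] = int(merged["stop_time"]) - int(merged["start_time"])
        flags = {flag for _, flag, _ in items}
        if flags == {"start", "stop"}:
            events[task_id] = event
        elif flags == {"start"}:
            incomplete.append(event)
        else:
            orphans.append(event)
    return events, incomplete, orphans


def privileged_commands(events, min_priv=15):
    """Command events (cmd= present) issued at or above min_priv."""
    return [(e["user"], e["cmd"], e["start"]) for e in events.values()
            if e["cmd"] is not None and e["priv_lvl"] is not None and e["priv_lvl"] >= min_priv]


if __name__ == "__main__":
    events, incomplete, orphans = correlate(RECORDS)
    for e in events.values():
        print(e)
    print("no stop record:", [e["task_id"] for e in incomplete])
    print("no start record:", [e["task_id"] for e in orphans])
    print("privileged commands:", privileged_commands(events))
```

A start record with no matching stop is worth a second look rather than silent discard: it is either a session that is still open or a stop record that was lost, for instance while the router had declared every configured server dead, and in both cases the session's duration cannot be trusted.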