Versions Compared

Version Old Version 2 New Version Current
Changes made by

Jennifer Xiao

Jennifer Xiao

Saved on

Key

  • This line was added.
  • This line was removed.
  • Formatting was changed.

AmpCon™AmpCon-DC supports integrating with the Access Controller Access Control System (TACACS+) server to do authentication and authorization for the AmpCon-DC login users.

In addition to configuring using local users (global users or group users), you can also configure enable the TACACS+ To prevent illegal users from logging in to AmpCon-DC and thus enhance the security of devices.

...

integration to manage user access.

Table of Contents
stylenone

Before You Begin

Before you enable the TACACS+ integration, read the following notes:

  • You can configure at most two TACACS+ servers on the AmpCon-DC server. One is the primary and active server, while the other one is the secondary server, which is used for backup. Configure the secondary server only when backup is needed.

  • You can designate authorization levels by using the parameter priv-lvl parameter on the TACACS+ server, which will be . The priv-lvl configuration is sent in the TACACS+ authorization response. The priv-lvl parameter value is mapped to one of four user these local role levels: Readonly, Operator, Admin, and Superadmin. You can find the sample configuration of authorization level on

For how to configure authorization levels on the TACACS+ server

...

, see the Sample Configuration of Authorization Level on TACACS+ Server (Linux tac_plus) section.

  • AmpCon-DC sends authorization requests with “Arg[0]” service=AmpCon-DC. On the TACACS+ server, you need to set the value of the parameter “service=AmpCon-DC” to process the authorization request requests of AmpCon-DC users.

  • If both the primary and the secondary TACACS+ servers are unreachable, you can use local users (global user or group user) to log in to the AmpCon-DC UI.

Procedure

To enable the TACACS+ integration, follow these steps:

  1. In the AmpCon-DC UI, click System > User management.

  2. Click TACACS+ Settings.

  3. Click Enable to activate theTACACSthe TACACS+ service. In the The TACACS+ Settings pop-up window , enter is displayed.

...

  1. Enter the following information:

Parameter

Description

Enable

...

Enable or disable TACACS+ authentication and authorization.

Primary Server IP

...

The IP address of the primary TACACS+ server.

Secondary Server IP

...

Optional. The IP address of the backup TACACS+ server.

Server Key

...

The shared key of TACACS+.

Note: The value of the Server Key field needs to be the same as the shared

...

keys of the primary and secondary TACACS+ servers. The shared

...

keys on both TACACS+ servers

...

need to be the same.

Session Timeout

...

The TACACS+ connection timeout in seconds.

Auth Protocol

...

The authentication protocol type of TACACS+ including ASCII, PAP, or CHAP.

TACACS+ User Level Mapping

...

The mapping ranges for TACACS+ authorization. The configuration page displays the default mapping values. You can configure a custom range for mapping values. The values are integers that range from 0 to15.

Notes:

  • Don’t overlap any range with other ranges among different user levels.

  • If the priv-lvl configuration of a user on the TACACS+ server is not found in the level-mapping configuration on AmpCon-DC, the user role level is mapped to Readonly.

...

  1. Click OK.

Sample Configuration of Authorization Level on TACACS+ Server (Linux tac_plus)

For how to configure authorization levels on the TACACS+ server, see the following example:

user = leontest {
global = cleartext "abc"
service = AmpCon {
default attribute = permit
priv-lvl = 15
}
}

user = automation1 {
global = cleartext "automation"
service = AmpCon {
default attribute = permit
priv-lvl = 10
}
}

user = testtest {
global = cleartext "testtest"
service = AmpCon {
default attribute = permit
priv-lvl = 5
}
}

user = testpica8 {
global = cleartext "testpica8"
service = AmpCon {
default attribute = permit
priv-lvl = 1
}
}