TACACS+ Configuration


TACACS+ uses TCP for reliable transmission and encrypts the transmitted data, which makes it a more secure AAA feature.

PicOS supports a maximum of eight TACACS+ servers. When multiple TACACS+ servers are configured, only one is used at a time; the servers are tried in alphabetical order of their IP address strings, not in numeric address order.

For example, suppose the following TACACS+ servers are configured:

set system aaa tacacs-plus server-ip 146.13.191.77
set system aaa tacacs-plus server-ip 146.13.191.78
set system aaa tacacs-plus server-ip 1.1.1.1
set system aaa tacacs-plus server-ip 2.2.2.2
set system aaa tacacs-plus server-ip 3.3.3.3

The servers will be used in the following order:

  1.   1.1.1.1
  2.   146.13.191.77
  3.   146.13.191.78
  4.   2.2.2.2
  5.   3.3.3.3

Configuring TACACS+ 

Procedure 

Step1         Enable TACACS+ function (set disable to false).

    set system aaa tacacs-plus disable <true | false>

Step2         Configure TACACS+ shared key.

    set system aaa tacacs-plus key <string>

    The TACACS+ shared key must match the key configured on the TACACS+ servers, and all TACACS+ servers must use the same key.

Step3         Configure IP address of TACACS+ server.

    set system aaa tacacs-plus server-ip <ipv4_address>

Step4         (Optional) Configure the port number of TACACS+ server.

    set system aaa tacacs-plus port-number <integer>

    By default, the TACACS+ server port number is 49. The port number must match the port the TACACS+ servers listen on.

Step5         Configure the source interface.

    set system aaa tacacs-plus source-interface <interface-name>

Step6         (Optional) Configure TACACS+ connection timeout.

    set system aaa tacacs-plus timeout <integer>

    By default, the value of TACACS+ connection timeout is 5 seconds.

Step7         (Optional) Configure TACACS+ authentication type.

    set system aaa tacacs-plus auth-type <ascii | chap | pap>

    By default, the TACACS+ authentication type is ascii.

Step8         (Optional) Enable TACACS+ authorization. By default, TACACS+ authorization is enabled.

    set system aaa tacacs-plus authorization <true | false>

Step9         (Optional) Enable TACACS+ accounting. By default, TACACS+ accounting is enabled.

    set system aaa tacacs-plus accounting <true | false>

Step10       Commit the configurations.

    commit 
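As an added example (not PicOS code or Pica8 documentation), the following Python renders the commands of the procedure above from a set of parameters and shows the server-ordering rule from the start of this page: the server-ip values are tried in string order, so 146.13.191.77 precedes 2.2.2.2. The function names, and the port and timeout range checks, are assumptions of this example rather than documented PicOS limits.

```python
import ipaddress

MAX_TACACS_SERVERS = 8                       # limit stated in this document
VALID_AUTH_TYPES = ("ascii", "chap", "pap")  # values the auth-type command accepts


def effective_server_order(server_ips):
    """Order in which PicOS tries the configured servers.

    PicOS sorts server-ip values as strings ("alphabetical order"), so
    146.13.191.77 is tried before 2.2.2.2, as the document's example shows.
    """
    return sorted(server_ips)


def numeric_order(server_ips):
    """The order an operator might wrongly expect: numeric IPv4 ordering."""
    return sorted(server_ips, key=lambda ip: int(ipaddress.IPv4Address(ip)))


def build_tacacs_config(server_ips, key, source_interface, port=49, timeout=5,
                        auth_type="ascii", authorization=True, accounting=True):
    """Render the 'set system aaa tacacs-plus ...' commands of the procedure.

    Defaults (port 49, timeout 5 s, auth-type ascii, authorization and
    accounting enabled) are the ones the document states. The port and
    timeout range checks are this example's assumptions.
    """
    if not server_ips:
        raise ValueError("at least one TACACS+ server-ip is required")
    if len(server_ips) > MAX_TACACS_SERVERS:
        raise ValueError(f"PicOS supports at most {MAX_TACACS_SERVERS} TACACS+ servers")
    for ip in server_ips:
        ipaddress.IPv4Address(ip)  # raises ValueError on a malformed address
    if not key:
        raise ValueError("shared key must not be empty and must match the servers")
    if not 1 <= port <= 65535:
        raise ValueError("port-number must be 1-65535 (assumed range)")
    if timeout <= 0:
        raise ValueError("timeout must be a positive number of seconds (assumed)")
    if auth_type not in VALID_AUTH_TYPES:
        raise ValueError(f"auth-type must be one of {VALID_AUTH_TYPES}")
    p = "set system aaa tacacs-plus "
    lines = [p + "disable false", p + f"key {key}"]
    lines += [p + f"server-ip {ip}" for ip in server_ips]
    lines += [p + f"port-number {port}", p + f"source-interface {source_interface}",
              p + f"timeout {timeout}", p + f"auth-type {auth_type}",
              p + f"authorization {'true' if authorization else 'false'}",
              p + f"accounting {'true' if accounting else 'false'}", "commit"]
    return lines
```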

TACACS+ Configuration Example 

Networking Requirements

As shown in Figure 1, PC1, PC2, and PC3 connect to the internet through the PICA8 Switch. Configure the TACACS+ function on the PICA8 Switch so that authentication, authorization, and accounting for PC1, PC2, and PC3 are performed through TACACS+ server1 and TACACS+ server2. Assume the PICA8 Switch reaches the TACACS+ servers through management interface eth0.

Figure 1. TACACS+ Networking Topology

Procedure

Step1         Enable TACACS+ function.

admin@XorPlus# set system aaa tacacs-plus disable false

Step2         Configure shared key of the TACACS+ servers.

admin@XorPlus# set system aaa tacacs-plus key pica8pica8

Step3         Configure TACACS+ server IP.

admin@XorPlus# set system aaa tacacs-plus server-ip 10.10.51.2
admin@XorPlus# set system aaa tacacs-plus server-ip 10.10.51.3

Step4         (Optional) Configure the port number of TACACS+ server.

admin@XorPlus# set system aaa tacacs-plus port-number 50

Step5         Configure the source interface.

admin@XorPlus# set system aaa tacacs-plus source-interface eth0

Step6         (Optional) Configure TACACS+ connection timeout.

admin@XorPlus# set system aaa tacacs-plus timeout 30

Step7         (Optional) Configure TACACS+ authentication type.

admin@XorPlus# set system aaa tacacs-plus auth-type chap

Step8         Commit the configurations.

admin@XorPlus# commit

Check the Configuration

  •   You can use the show system aaa tacacs-plus command to view the TACACS+ configuration. Note that the shared key is not shown in clear text in the output.

admin@XorPlus# show system aaa tacacs-plus
disable: false 
server-ip 10.10.51.2
server-ip 10.10.51.3
key: "QT09cGljYThwaWNhOA==Y0ds"
source-interface: "eth0"

Copyright © 2024 Pica8 Inc. All Rights Reserved.