Configuring TACACS+ Authentication and Authorization


TACACS+ (Terminal Access Controller Access Control System Plus) is an AAA security protocol that extends the original TACACS protocol. It uses a client/server model: the network access server (NAS, here the AmpCon server) sends authentication and authorization requests to a TACACS+ server, which centralizes the AAA management of users.

AmpCon can use a TACACS+ server to authenticate and authorize AmpCon login users, so that only accounts known to the TACACS+ server can log in to AmpCon and the privilege of each user is controlled centrally rather than on the device.

At most two TACACS+ servers can be configured on the AmpCon server: a primary (active) server and a secondary server that acts as backup. If both TACACS+ servers are unreachable, AmpCon falls back to the local user accounts stored in its database for login. Because of this fallback, the local accounts remain a valid login path and should be kept to a minimum with strong passwords.

The user authorization level is set by the priv-lvl attribute that the TACACS+ server returns in its Authorization response. AmpCon maps the priv-lvl to one of four local user levels (Readonly, Operator, Admin and Superadmin) according to the user level mapping configured on AmpCon. A sample configuration of the authorization level on a TACACS+ server is given in the second part of this page.

NOTE:

  • Users of “Superadmin” and “Admin” level can manage or delete the local users.
  • AmpCon sends the Authorization Request with “Arg[0]” set to service=AmpCon to the TACACS+ server. Use the service name AmpCon on the server (for example a service = AmpCon block in tac_plus) to define how authorization requests from AmpCon users are processed, separately from other services such as shell access.

Configuring TACACS+ Authentication and Authorization on AmpCon Server

The following procedure describes how to configure TACACS+ authentication and authorization on AmpCon server.

Step 1       Select Users > Manage Users.

Step 2       On the “Manage Users” page, click “TACACS+ Settings” button.

  a)  Fill in the TACACS+ configuration in the “TACACS+ Settings” window.

The parameters for configuring TACACS+ are described in the following table.

Parameter                    Description

Enable                       Enable or disable TACACS+ authentication and authorization.

Primary Server IP            IP address of the primary (active) TACACS+ server.

Secondary Server IP          Optional. IP address of the backup TACACS+ server.

Server Key                   TACACS+ shared key.
                             Note: AmpCon holds a single key, so the value must match the key
                             configured on both TACACS+ servers. TACACS+ only obfuscates packet
                             bodies with an MD5 keystream derived from this key, so use a long,
                             random key and keep TACACS+ traffic on a management network.

Session Timeout              TACACS+ connection timeout, in seconds.

Authentication Protocol      Optional. TACACS+ authentication protocol type: ASCII, PAP or CHAP.
                             The default is ASCII.

TACACS+ user level mapping   Optional. The priv-lvl ranges used for TACACS+ authorization. The
                             configuration page displays the default mapping values; you may
                             configure a custom range for each level. Range bounds are integers
                             from 0 to 15.

NOTE:

  • A range must not overlap with the range of another user level.
  • If the priv-lvl returned for a user by the TACACS+ server falls in no range configured on AmpCon, the user is mapped to “readonly”.

   b) Click the "Save" button to save the TACACS+ settings.

Step 2 is also used to modify the settings of an existing TACACS+ configuration.

Step 3        To disable TACACS+ authentication and authorization, set the “Enable” parameter to "OFF". AmpCon login then reverts to using only the local users configured in the database.

Sample Configuration of Authorization Level on TACACS+ Server (Linux tac_plus)

Here is a sample configuration of the authorization level on a TACACS+ server running tac_plus. The priv-lvl under service = AmpCon is the value AmpCon maps to a user level. Passwords are shown in cleartext only for illustration; tac_plus also accepts hashed passwords (login = des "...") or delegation to the system (login = PAM). After editing the file, tac_plus -P -C <config file> parses it and reports syntax errors before the daemon is restarted.

# Each user block returns priv-lvl for service = AmpCon in the Authorization response;
# AmpCon maps that value to Readonly, Operator, Admin or Superadmin with its user level mapping.
# Passwords are stored in cleartext here for illustration only.
user = leontest {
        global = cleartext "abc"
        service = AmpCon {
                default attribute = permit
                priv-lvl = 15
        }
}

user = automation1 {
        global = cleartext "automation"
        service = AmpCon {
                default attribute = permit
                priv-lvl = 10
        }
}

user = testtest {
        global = cleartext "testtest"
        service = AmpCon {
                default attribute = permit
                priv-lvl = 5
        }
}

# A low priv-lvl still authenticates; the AmpCon level it yields depends on the mapping ranges.
user = testpica8 {
        global = cleartext "testpica8"
        service = AmpCon {
                default attribute = permit
                priv-lvl = 1
        }
}
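The following Python script is an added example, not code from AmpCon or tac_plus. It ties the sample server configuration above to the "TACACS+ user level mapping" rules described earlier: it reads the priv-lvl each user receives under service = AmpCon from a tac_plus-style file, rejects a mapping whose ranges overlap or leave 0..15, and applies the readonly fallback for any priv-lvl that matches no range. The mapping values (EXAMPLE_MAPPING), the extra user shellonly and the names of all functions are assumptions for illustration; the real default ranges are shown only in the AmpCon UI.

```python
"""Added example (not AmpCon or tac_plus code): predict the AmpCon user level a tac_plus
config produces, using this page's rules: priv-lvl ranges are integers 0..15, ranges of
different levels must not overlap, unmatched priv-lvl (or no AmpCon block) -> readonly."""

LEVELS = ("readonly", "operator", "admin", "superadmin")

# ASSUMED mapping for illustration; the real defaults appear only in the AmpCon UI.
EXAMPLE_MAPPING = {"readonly": (0, 4), "operator": (5, 9), "admin": (10, 14), "superadmin": (15, 15)}

# Constructed sample: two users from the page plus one whose priv-lvl sits under
# another service (exec), which AmpCon never requests and must ignore.
SAMPLE_CONFIG = """
user = leontest {
        global = cleartext "abc"
        service = AmpCon {
                default attribute = permit
                priv-lvl = 15
        }
}
user = testpica8 {
        global = cleartext "testpica8"
        service = AmpCon {
                priv-lvl = 1
        }
}
user = shellonly {
        login = PAM
        service = exec {
                priv-lvl = 15
        }
}
"""


def parse_tac_plus(text):
    """Line-oriented parser for the tac_plus subset on this page: 'key = value {' opens a
    block, '}' closes it, 'key = value' sets an attribute, '#' starts a comment."""
    stack = [{}]                        # innermost open block is stack[-1]
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        if line == "}":
            if len(stack) == 1:
                raise ValueError("unexpected '}' at top level")
            stack.pop()
        elif line.endswith("{"):
            key, _, value = line[:-1].partition("=")
            child = {}
            stack[-1].setdefault(key.strip(), {})[value.strip()] = child
            stack.append(child)
        else:
            key, _, value = line.partition("=")
            stack[-1][key.strip()] = value.strip()
    if len(stack) != 1:
        raise ValueError("unbalanced braces in config")
    return stack[0]


def validate_mapping(mapping):
    """Known level names, 0 <= low <= high <= 15, and no overlap between levels."""
    for level, (lo, hi) in mapping.items():
        if level not in LEVELS:
            raise ValueError(f"unknown AmpCon level {level!r}")
        if not 0 <= lo <= hi <= 15:
            raise ValueError(f"{level}: range {lo}-{hi} is not within 0..15")
    items = list(mapping.items())
    for i, (l1, (a1, b1)) in enumerate(items):
        for l2, (a2, b2) in items[i + 1:]:
            if a1 <= b2 and a2 <= b1:
                raise ValueError(f"ranges for {l1} and {l2} overlap")


def map_priv_lvl(priv_lvl, mapping):
    """Map a priv-lvl to an AmpCon level; anything unmatched falls back to readonly."""
    if priv_lvl is not None:
        for level, (lo, hi) in mapping.items():
            if lo <= priv_lvl <= hi:
                return level
    return "readonly"


def ampcon_levels(config_text, mapping, service="AmpCon"):
    """Per user: priv-lvl under the AmpCon service (None if absent), AmpCon level, cleartext flag."""
    validate_mapping(mapping)
    conf = parse_tac_plus(config_text)
    report = {}
    for name, body in conf.get("user", {}).items():
        raw = body.get("service", {}).get(service, {}).get("priv-lvl")
        priv = int(raw) if raw is not None else None
        creds = body.get("global", "") + body.get("login", "")
        report[name] = {"priv_lvl": priv, "level": map_priv_lvl(priv, mapping),
                        "cleartext_password": creds.startswith("cleartext")}
    return report


if __name__ == "__main__":
    for user, info in ampcon_levels(SAMPLE_CONFIG, EXAMPLE_MAPPING).items():
        print(f"{user:10} priv-lvl={info['priv_lvl']!s:5} -> {info['level']}")
```

Running the script lists the level each sample user would get under the assumed mapping. Two points it makes concrete: the mapping is validated before any lookup, so overlapping ranges cannot silently grant a higher level to a priv-lvl that falls in two ranges, and a priv-lvl granted under a different service (shellonly above) never reaches AmpCon, so that user lands on readonly rather than inheriting shell privilege.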

Copyright © 2024 Pica8 Inc. All Rights Reserved.