Configuring TACACS+ Authentication and Authorization

AmpCon-DC supports integration with a Terminal Access Controller Access-Control System Plus (TACACS+) server to authenticate and authorize AmpCon-DC login users.

In addition to using local users (global users or group users), you can also enable the TACACS+ integration to manage user access.

Before You Begin

Before you enable the TACACS+ integration, read the following notes:

  • You can configure at most two TACACS+ servers on the AmpCon-DC server. One is the primary and active server, while the other one is the secondary server, which is used for backup. Configure the secondary server only when backup is needed.

  • You can designate authorization levels by using the priv-lvl parameter on the TACACS+ server. The priv-lvl configuration is sent in the TACACS+ authorization response. The priv-lvl parameter value is mapped to one of these local role levels: Readonly, Operator, Admin, and Superadmin.

For how to configure authorization levels on the TACACS+ server, see the Sample Configuration of Authorization Level on TACACS+ Server (Linux tac_plus) section.

  • AmpCon-DC sends authorization requests with Arg[0] set to service=AmpCon-DC. On the TACACS+ server, define the service=AmpCon-DC block so that authorization requests from AmpCon-DC users are processed.

  • If both the primary and the secondary TACACS+ servers are unreachable, you can use local users (global user or group user) to log in to the AmpCon-DC UI.

Procedure

To enable the TACACS+ integration, follow these steps:

  1. In the AmpCon-DC UI, click System > User management.

  2. Click TACACS+ Settings.

  3. Click Enable to activate the TACACS+ service. The TACACS+ Settings pop-up window is displayed.

  4. Enter the following information:

Enable
    Enable or disable TACACS+ authentication and authorization.

Primary Server IP
    The IP address of the primary TACACS+ server.

Secondary Server IP
    Optional. The IP address of the backup TACACS+ server.

Server Key
    The TACACS+ shared key.
    Note: The Server Key value must match the shared key configured on the primary and secondary TACACS+ servers; both servers must use the same shared key.

Session Timeout
    The TACACS+ connection timeout, in seconds.

Auth Protocol
    The TACACS+ authentication protocol: ASCII, PAP, or CHAP.

TACACS+ User Level Mapping
    The priv-lvl ranges used for TACACS+ authorization. The configuration page displays the default mapping values; you can configure custom ranges. Values are integers from 0 to 15.
    Notes:
      • Ranges for different user levels must not overlap.
      • If the priv-lvl value returned for a user by the TACACS+ server falls outside every range in the level mapping on AmpCon-DC, the user is mapped to the Readonly role.

  5. Click OK.

Sample Configuration of Authorization Level on TACACS+ Server (Linux tac_plus)

The following tac_plus example shows how to configure authorization levels on the TACACS+ server:

user = leontest {
    global = cleartext "abc"
    service = AmpCon {
        default attribute = permit
        priv-lvl = 15
    }
}

user = automation1 {
    global = cleartext "automation"
    service = AmpCon {
        default attribute = permit
        priv-lvl = 10
    }
}

user = testtest {
    global = cleartext "testtest"
    service = AmpCon {
        default attribute = permit
        priv-lvl = 5
    }
}

user = testpica8 {
    global = cleartext "testpica8"
    service = AmpCon {
        default attribute = permit
        priv-lvl = 1
    }
}
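As an added example (not part of the Pica8 documentation or the AmpCon-DC product code), the following Python script shows how the authorization rules on this page fit together: it parses a constructed tac_plus user file in the shape of the sample above, takes the priv-lvl only from the service block whose name matches what AmpCon-DC sends in its authorization request (service=AmpCon-DC), checks that the user-level mapping ranges stay within 0 to 15 and do not overlap, and maps each priv-lvl to a local role, falling back to Readonly whenever the value is not covered by any range. The ranges in EXAMPLE_MAPPING are constructed values, not the product's shipped defaults, and treating a missing priv-lvl (a user with no matching service block) as Readonly is this example's own fail-closed assumption; the page only states the rule for priv-lvl values that are absent from the mapping.

```python
import re
from typing import Dict, Optional, Tuple

# Local role levels named on this page.
ROLES = ("Readonly", "Operator", "Admin", "Superadmin")

# Service name AmpCon-DC sends in Arg[0] of its authorization request.
EXPECTED_SERVICE = "AmpCon-DC"

# Constructed example ranges (low..high priv-lvl per role); not the product defaults.
EXAMPLE_MAPPING: Dict[str, Tuple[int, int]] = {
    "Readonly": (1, 3),
    "Operator": (4, 7),
    "Admin": (8, 14),
    "Superadmin": (15, 15),
}

# Constructed tac_plus user file in the shape of the page's sample.
SAMPLE_TAC_PLUS = """
user = leontest {
    global = cleartext "abc"
    service = AmpCon-DC {
        default attribute = permit
        priv-lvl = 15
    }
}
user = testtest {
    global = cleartext "testtest"
    service = AmpCon-DC {
        default attribute = permit
        priv-lvl = 5
    }
}
# priv-lvl under a different service name: AmpCon-DC never asks for it
user = wrongsvc {
    global = cleartext "x"
    service = shell {
        priv-lvl = 15
    }
}
"""


def mapping_error(mapping: Dict[str, Tuple[int, int]]) -> Optional[str]:
    """Return the first problem with the ranges, or None if they are valid."""
    for role, (lo, hi) in mapping.items():
        if role not in ROLES:
            return f"unknown role {role!r}"
        if not 0 <= lo <= hi <= 15:
            return f"{role}: range {lo}-{hi} must lie within 0..15"
    # Sort by lower bound; any overlap then shows up between neighbours.
    ordered = sorted(mapping.items(), key=lambda kv: kv[1][0])
    for (r1, (_, hi1)), (r2, (lo2, _)) in zip(ordered, ordered[1:]):
        if lo2 <= hi1:
            return f"ranges for {r1} and {r2} overlap"
    return None


def role_for_priv_lvl(priv_lvl: Optional[int], mapping: Dict[str, Tuple[int, int]]) -> str:
    """Map a priv-lvl to a role; anything not covered by a range falls back to Readonly."""
    if priv_lvl is not None:
        for role, (lo, hi) in mapping.items():
            if lo <= priv_lvl <= hi:
                return role
    return "Readonly"


def parse_tac_plus_users(text: str) -> Dict[str, Dict[str, int]]:
    """Minimal line-based parser: {user: {service_name: priv-lvl}}; other attributes are ignored."""
    users: Dict[str, Dict[str, int]] = {}
    user = service = None
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()  # drop tac_plus comments
        if not line:
            continue
        m = re.match(r"user\s*=\s*([^\s{]+)\s*\{", line)
        if m:
            user, service = m.group(1), None
            users[user] = {}
            continue
        m = re.match(r"service\s*=\s*([^\s{]+)\s*\{", line)
        if m and user is not None:
            service = m.group(1)
            continue
        m = re.match(r"priv-lvl\s*=\s*(\d+)$", line)
        if m and user is not None and service is not None:
            users[user][service] = int(m.group(1))
            continue
        if line == "}":  # close the innermost open block
            if service is not None:
                service = None
            else:
                user = None
    return users


def resolve_role(username: str, users: Dict[str, Dict[str, int]],
                 mapping: Dict[str, Tuple[int, int]], service: str = EXPECTED_SERVICE) -> str:
    """Honor priv-lvl only from the service block AmpCon-DC actually requests."""
    err = mapping_error(mapping)
    if err:
        raise ValueError(err)
    priv = users.get(username, {}).get(service)
    return role_for_priv_lvl(priv, mapping)


if __name__ == "__main__":
    parsed = parse_tac_plus_users(SAMPLE_TAC_PLUS)
    for name in sorted(parsed):
        print(f"{name:12s} -> {resolve_role(name, parsed, EXAMPLE_MAPPING)}")
```

Run stand-alone, the script lists leontest as Superadmin, testtest as Operator and wrongsvc as Readonly, because the priv-lvl under service = shell is never consulted; an overlapping mapping such as Readonly 1-5 and Operator 5-7 is rejected before any role is resolved.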


Copyright © 2025 Pica8 Inc. All Rights Reserved.