How to configure AAA authentication through a TACACS+ server on the switch

T1600G-18TS , TL-SG2008P , TL-SG2210P , T2500G-10TS , SG2210MP , TL-SX3008F , TL-SL2428P , TL-SX3016F , S4500-8G , SG2218 , SG3428 , TL-SG3452P , TL-SG3428X , SL2428P , S4500-8GHP2F , T3700G-52TQ , S4500-16G2F , T2600G-18TS , TL-SG2210MP , SG3210 , SG3452 , TL-SG3210XHP-M2 , S5500-24GP4XF , T1600G-52PS , TL-SG2428P , T1600G-52TS , T3700G-28TQ , T1500G-8T , SG2428LP , Festa FS308GP , SX3008F , SG3428MP , SG3428X , T2600G-52TS , SG3452P , SX3016F , SG2428P , SG2008P , TL-SG3428 , TL-SG2218 , SG2210P , T1700X-16TS , S5500-8MHP2XF , TL-SG3428MP , TL-SG2008 , T1700G-28TQ , T1500-28PCT , T2600G-28SQ , TL-SG3210 , TL-SG3452 , Festa FS310GP , SG3428XMP , TL-SG3428XMP
Recent updates may have expanded access to feature(s) discussed in this FAQ. Visit your product's support page, select the correct hardware version for your device, and check either the Datasheet or the firmware section for the latest improvements added to your product. Please note that product availability varies by region, and certain models may not be available in your region.
TACACS+ obfuscates the entire packet body (only the 12-byte header is sent in the clear) and separates authentication from authorization, so the username/password check and the privilege assignment are handled independently. RADIUS, by contrast, protects only the User-Password attribute and combines authentication and authorization in one exchange, so TACACS+ is the better choice where higher security is required. Note that the TACACS+ body protection is an MD5-based keystream derived from the shared key (RFC 8907 calls it obfuscation rather than encryption): keep the TACACS+ traffic on a dedicated management network or VPN and use a long, random shared key.
Note: At present, 802.1X authentication on the switch works only with a RADIUS server. The switch's TACACS+ support covers authentication and authorization only; TACACS+ accounting is not available.
Part 1. Build a simple TACACS + server on a Linux system
Step 1. TACACS+ installation
The TACACS+ server package (tac_plus) is available in the Ubuntu repositories. Install it as root with:
apt-get install tacacs+
Step 2. TACACS+ configuration
Once installed, configure the server. On a default installation the configuration file is /etc/tacacs+/tac_plus.conf. Open it with your editor and replace its contents with the configuration below.
vi /etc/tacacs+/tac_plus.conf
# Shared key. tplink2021 is the weak example value used throughout this FAQ; use a long random key in production.
key = tplink2021
# Authenticate against the local Linux user database (this is a direct file lookup, not PAM)
default authentication = file /etc/passwd
# Groups that users are assigned to below. test1 has administrator privilege (priv-lvl 15);
# test2 and test3 have user privilege, but test3 also carries an enable password, so its members
# can be elevated to administrator on the switch. The enable value is the hash produced by the
# tac_pwd utility, not the cleartext password.
group = test1 {
    default service = permit
    service = exec {
        priv-lvl = 15
    }
}
group = test2 {
    default service = deny
    service = exec {
        priv-lvl = 1
    }
}
group = test3 {
    default service = permit
    login = file /etc/passwd
    enable = Gbptgx46GpgrA
    service = exec {
        priv-lvl = 2
    }
}
# Users, assigned to the groups above
user = manager {
    member = test1
}
user = user1 {
    member = test2
}
user = user2 {
    member = test3
}
Priv-lvl values run from 1 to 15 and map onto four management roles on the switch:
1~4: User. Can only view settings; cannot edit or modify anything, and L3 features are not shown.
5~9: Super user. Can view, edit and modify some functions, such as VLAN, HTTPS config and Ping.
10~14: Operator. Everything a super user can do, plus LAG, MAC address, access control, SSH config and other functions.
15: Administrator. Can view, edit and modify all functions.
# Save tac_plus.conf, then create the matching Linux users and set their passwords (adduser prompts for each password).
adduser manager
adduser user1
adduser user2
Step 3. Start TACACS+
# Start the daemon; when it is running it listens on TCP port 49.
/etc/init.d/tacacs_plus start
Note: Restart the TACACS+ daemon after every change to the configuration file so that the new configuration is loaded.
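Before pointing the switch at the server, it helps to see what the switch's exchange with tac_plus actually looks like and to confirm the shared key, each account's password and the priv-lvl its group returns. The following is an added example, not part of the original FAQ and not TP-Link or tac_plus code: a minimal TACACS+ client in Python that sends a PAP authentication START and then an EXEC authorization request. It shows concretely what "the whole message is protected" means: the 12-byte header is cleartext and the body is XORed with an MD5 keystream derived from the shared key. The server address, key and user names are assumed to match Part 1, and the port name vty0, the remote address 192.168.0.50 and the service=shell authorization arguments are assumptions (the page does not state what the switch sends); packet layouts follow RFC 8907.

```python
import hashlib
import os
import socket
import struct

# Header (RFC 8907 section 4.1): major version 0xC, minor version 0 or 1 (PAP needs 1)
VER_DEFAULT, VER_ONE = 0xC0, 0xC1
TYPE_AUTHEN, TYPE_AUTHOR = 0x01, 0x02
FLAG_UNENCRYPTED = 0x01
# Authentication START fields and REPLY status codes (section 5)
AUTHEN_LOGIN, AUTHEN_TYPE_PAP, AUTHEN_SVC_LOGIN = 0x01, 0x02, 0x01
AUTHEN_STATUS = {1: "PASS", 2: "FAIL", 3: "GETDATA", 4: "GETUSER", 5: "GETPASS", 6: "RESTART", 7: "ERROR"}
# Authorization REQUEST authen_method and RESPONSE status codes (section 6)
AUTHEN_METH_TACACSPLUS = 0x06
AUTHOR_STATUS = {0x01: "PASS_ADD", 0x02: "PASS_REPL", 0x10: "FAIL", 0x11: "ERROR"}

def pseudo_pad(session_id, key, version, seq_no, length):
    """Keystream of section 4.5: MD5(session_id|key|version|seq_no[|previous MD5]), repeated."""
    seed = struct.pack("!I", session_id) + key + bytes([version, seq_no])
    pad, prev = b"", b""
    while len(pad) < length:
        prev = hashlib.md5(seed + prev).digest()
        pad += prev
    return pad[:length]

def obfuscate(body, session_id, key, version, seq_no):
    """XOR the body with the pseudo-pad (its own inverse). Empty key: body stays cleartext."""
    if not key:
        return body
    pad = pseudo_pad(session_id, key, version, seq_no, len(body))
    return bytes(b ^ p for b, p in zip(body, pad))

def build_packet(version, ptype, seq_no, session_id, body, key):
    """12-byte cleartext header followed by the obfuscated body."""
    flags = 0 if key else FLAG_UNENCRYPTED
    header = struct.pack("!BBBBII", version, ptype, seq_no, flags, session_id, len(body))
    return header + obfuscate(body, session_id, key, version, seq_no)

def parse_packet(raw, key):
    """Return (type, seq_no, session_id, cleartext body) after checking the length field."""
    version, ptype, seq_no, flags, session_id, length = struct.unpack("!BBBBII", raw[:12])
    body = raw[12:12 + length]
    if len(body) != length:
        raise ValueError("truncated TACACS+ packet")
    if not flags & FLAG_UNENCRYPTED:
        body = obfuscate(body, session_id, key, version, seq_no)
    return ptype, seq_no, session_id, body

def authen_start_pap(user, password, port="vty0", rem_addr="192.168.0.50"):
    """Authentication START carrying the password in the data field (PAP). port/rem_addr are assumed."""
    u, p, r, d = user.encode(), port.encode(), rem_addr.encode(), password.encode()
    fixed = struct.pack("!8B", AUTHEN_LOGIN, 1, AUTHEN_TYPE_PAP, AUTHEN_SVC_LOGIN,
                        len(u), len(p), len(r), len(d))
    return fixed + u + p + r + d

def parse_authen_reply(body):
    """Return (status name, server_msg) from an authentication REPLY."""
    status, _flags, msg_len, _data_len = struct.unpack("!BBHH", body[:6])
    return AUTHEN_STATUS.get(status, "UNKNOWN"), body[6:6 + msg_len].decode(errors="replace")

def author_request_exec(user, port="vty0", rem_addr="192.168.0.50"):
    """Authorization REQUEST for an EXEC session (service=shell, empty cmd; an assumed request shape)."""
    args = [b"service=shell", b"cmd*"]
    u, p, r = user.encode(), port.encode(), rem_addr.encode()
    fixed = struct.pack("!8B", AUTHEN_METH_TACACSPLUS, 1, AUTHEN_TYPE_PAP,
                        AUTHEN_SVC_LOGIN, len(u), len(p), len(r), len(args))
    return fixed + bytes(len(a) for a in args) + u + p + r + b"".join(args)

def parse_author_response(body):
    """Return (status name, {attr: value}); the server's args follow server_msg and data."""
    status, arg_cnt, msg_len, data_len = struct.unpack("!BBHH", body[:6])
    off, attrs = 6 + arg_cnt + msg_len + data_len, {}
    for n in body[6:6 + arg_cnt]:
        arg = body[off:off + n].decode(errors="replace").replace("*", "=", 1)
        k, _, v = arg.partition("=")
        attrs[k] = v
        off += n
    return AUTHOR_STATUS.get(status, "UNKNOWN"), attrs

def exchange(server, key, ptype, version, body, port=49, timeout=5):
    """One request/reply on a fresh TCP connection with a random session_id (our seq_no is 1)."""
    session_id = struct.unpack("!I", os.urandom(4))[0]
    with socket.create_connection((server, port), timeout=timeout) as s:
        s.sendall(build_packet(version, ptype, 1, session_id, body, key))
        f = s.makefile("rb")
        header = f.read(12)
        if len(header) < 12:
            raise ConnectionError("TACACS+ server closed the connection (shared key mismatch?)")
        raw = header + f.read(struct.unpack("!I", header[8:12])[0])
    return parse_packet(raw, key)[3]

def check_user(server, key, user, password):
    """PAP login, then EXEC authorization to see the priv-lvl the user's group returns."""
    status, msg = parse_authen_reply(
        exchange(server, key, TYPE_AUTHEN, VER_ONE, authen_start_pap(user, password)))
    if status != "PASS":
        return status, msg, {}
    author_status, attrs = parse_author_response(
        exchange(server, key, TYPE_AUTHOR, VER_DEFAULT, author_request_exec(user)))
    return status, author_status, attrs

if __name__ == "__main__":
    import getpass, sys
    # Assumed to match Part 1 of the FAQ: server 192.168.0.100, key tplink2021, users manager/user1/user2
    who = sys.argv[1] if len(sys.argv) > 1 else "manager"
    print(check_user("192.168.0.100", b"tplink2021", who, getpass.getpass(f"{who} password: ")))
```

Run it from a host that can reach TCP port 49 on the server, for example with user1 as the argument: with the configuration above you should see PASS for the login and priv-lvl 1 in the authorization attributes, while manager should return priv-lvl 15. An ERROR reply or a connection that the server closes without answering usually means the shared key here does not match the key in tac_plus.conf, because the server cannot decode the body. The exact arguments the switch puts in its own authorization request are not documented on this page, so treat the service=shell request as an illustration of the protocol rather than a capture of the switch's traffic.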
Part 2. Configurations on the switch
Taking the topology in the following figure as an example, logins to the switch's management interface are authenticated by the TACACS+ server to protect the network.
Step 1. Go to SECURITY > AAA > TACACS+ Config and click Add to load the following page. Set Server IP to 192.168.0.100, Shared Key to tplink2021 (the same key as in tac_plus.conf), and Server Port to 49.
Step 2. Go to SECURITY > AAA > Method Config and click Add in the Authentication Login Method Config section. Set the Method List Name to default and Pri1 to tacacs.
Step 3. On the same page, click Add in the Authentication Enable Method Config section. Set the Method List Name to default and Pri1 to tacacs, then click Create to set the method list used for Enable password authentication.
Case 1. All switch management login methods must be authenticated by the TACACS+ server
Go to SECURITY > AAA > Global Config to load the following page. In the AAA Application Config section, set the Login Method and Enable Method of every module to default.
The switch configuration is now complete. The default local admin account can no longer log in to the management interface via HTTP or Telnet from a client; only accounts accepted by the TACACS+ server can. Because these method lists have no local fallback, make sure the server stays reachable, or keep a local path as in Case 2, so that a server outage does not lock you out of the switch.
Case 2. All switch management login methods except Telnet must be authenticated by the TACACS+ server
Go to SECURITY > AAA > Method Config and click Add in both the Authentication Login Method Config section and the Authentication Enable Method Config section. In both sections set the Method List Name to telnet and Pri1 to local.
Go to SECURITY > AAA > Global Config to load the following page. In the AAA Application Config section, set the Login Method and Enable Method of the telnet module to telnet.
The default admin account can now log in to the switch through Telnet, while HTTP and the other modules still require a TACACS+ account.
Case 3. Elevating a user-level login to administrator. For a user who logged in with user privilege, set an enable password for that user's group on the TACACS+ server (the enable = line in tac_plus.conf, which holds the hash produced by tac_pwd), then enter that password in the switch's privilege elevation dialog shown below to upgrade from user to administrator privilege.