April 2012
TABLE OF CONTENTS
1 SCOPE OF THIS DOCUMENT  3
2 TACACS+  3
2.1 INTRODUCTION TO TACACS+  3
2.2 TACACS+ VS RADIUS  4
2.3 TACACS+ SUPPORT IN ALTEON OS  4
2.3.1 Authentication  5
2.3.2 Authorization  5
2.3.3 Accounting  8
2.4 ALTEON TACACS+ CONFIGURATION  10
3 TESTING IN THE LAB  11
3.1 LAB DESCRIPTION  12
3.2 TACACS+ INSTALLATION AND BASIC CONFIGURATION  12
3.3 ALTEON CONFIGURATION  13
3.3.1 Authentication  15
3.3.2 Authorization  17
3.3.3 Accounting  19
3.3.4 References  19
4 APPENDIX A ALTEON OS SYSTEM USER ACCOUNTS AND ACCESS LEVEL  20
5 APPENDIX B ALTEON CONFIGURATION FILE  21
6 APPENDIX C TACACS+ SERVER CONFIGURATION FILES  23
6.1 TACPLUS.XML  23
6.2 CLIENTS.XML  24
6.3 AUTHENTICATION.XML  27
6.4 AUTHORIZATION.XML  35
2 TACACS+
2.1 Introduction to TACACS+
TACACS+ is a Cisco Systems proprietary protocol which provides access control for
routers, network access servers and other networked computing devices via one or more
centralized servers. TACACS+ provides separate authentication, authorization and
accounting services.
TACACS+ is an entirely new protocol, based on TACACS (RFC 1492) but incompatible
with any previous version of TACACS. TACACS+ improves on TACACS and XTACACS by
separating the authentication, authorization and accounting functions, and by encrypting all
traffic between the network access server (NAS) and the daemon. It allows authentication
exchanges of arbitrary length and content, so that any authentication mechanism can be
used with TACACS+ clients.
TACACS+ is extensible for site customization and future development features. The
protocol allows the TACACS+ client to request very fine-grained access control and allows
the daemon to respond to each component of that request.
The separation of authentication, authorization and accounting is a fundamental component
of the TACACS+ design. The distinction between the features is very important and this
document will address each one separately. It is important to note that TACACS+ supports
these features, but an implementation or configuration is not required to employ all three.
The features each serve a unique purpose, and can be quite powerful in combination. A
very important benefit of separating authentication from authorization is that authorization
(and per-user profiles) can be a dynamic process. Instead of a one-shot user profile,
TACACS+ can be integrated with other negotiations, such as a PPP negotiation, for far
greater flexibility. The accounting portion can serve to provide security auditing or
accounting and billing services.
TACACS+ uses TCP for its transport to ensure reliable delivery. The daemon should listen
on port 49 which is the "LOGIN" port assigned for the TACACS protocol. This port is
reserved in the assigned numbers RFC for both UDP and TCP. Current TACACS and
extended TACACS implementations use port 49.
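As an added Python example (written for this page, not taken from the document, Alteon OS or TACACS.net), the fixed 12-byte header and the shared-secret body obfuscation that "encrypting all traffic" refers to, laid out as in the TACACS+ specification (RFC 8907, which standardized the draft in force when this document was written). The user name oper and the secret radware are the lab values from section 3; the session id, port name and remote address are constructed.

```python
import hashlib
import struct

# Fixed 12-byte TACACS+ header (RFC 8907 section 4.1), all fields big-endian:
# version(1) type(1) seq_no(1) flags(1) session_id(4) length(4).
HEADER = struct.Struct("!BBBBII")
TAC_PLUS_MAJOR_VER = 0xC
TAC_PLUS_AUTHEN, TAC_PLUS_AUTHOR, TAC_PLUS_ACCT = 1, 2, 3
TAC_PLUS_UNENCRYPTED_FLAG = 0x01   # set only when the body is sent in the clear

def pseudo_pad(session_id, key, version, seq_no, length):
    """Keystream from RFC 8907 section 4.5: MD5_1 = MD5(session_id, key, version, seq_no),
    MD5_n = MD5(session_id, key, version, seq_no, MD5_n-1), concatenated and truncated.
    The spec calls this obfuscation: its strength rests entirely on the shared secret."""
    prefix = struct.pack("!I", session_id) + key + bytes([version, seq_no])
    pad, last = b"", b""
    while len(pad) < length:
        last = hashlib.md5(prefix + last).digest()
        pad += last
    return pad[:length]

def obfuscate(body, session_id, key, version, seq_no):
    """XOR the body with the pseudo-pad; applying it twice restores the body."""
    pad = pseudo_pad(session_id, key, version, seq_no, len(body))
    return bytes(b ^ p for b, p in zip(body, pad))

def authen_start_body(user, port, rem_addr, priv_lvl=1):
    """Authentication START body (RFC 8907 section 5.1): action=LOGIN(1),
    priv_lvl, authen_type=ASCII(1), authen_service=LOGIN(1), the four field
    lengths, then user, port, rem_addr and (empty) data."""
    u, p, r, d = user.encode(), port.encode(), rem_addr.encode(), b""
    return bytes([1, priv_lvl, 1, 1, len(u), len(p), len(r), len(d)]) + u + p + r + d

def build_packet(pkt_type, seq_no, session_id, body, key):
    """Header plus obfuscated body, as a client would write it to TCP port 49."""
    version = TAC_PLUS_MAJOR_VER << 4           # minor version 0
    payload = obfuscate(body, session_id, key, version, seq_no)
    return HEADER.pack(version, pkt_type, seq_no, 0, session_id, len(body)) + payload

def parse_packet(packet, key):
    """Split header and body, de-obfuscate with the shared secret, check the length."""
    version, pkt_type, seq_no, flags, session_id, length = HEADER.unpack_from(packet)
    body = packet[HEADER.size:HEADER.size + length]
    if len(body) != length:
        raise ValueError("truncated TACACS+ body")
    if not flags & TAC_PLUS_UNENCRYPTED_FLAG:
        body = obfuscate(body, session_id, key, version, seq_no)
    return {"type": pkt_type, "seq_no": seq_no, "session_id": session_id, "body": body}
```

A wrong secret on either side does not produce an error, only garbage in the decoded body, which is why a mismatched key shows up as failed authentication rather than a connection fault.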
2.2 TACACS+ vs RADIUS

RADIUS                                            TACACS+
Combines authentication & authorization           Separates all 3 elements of AAA, making it more flexible
Encrypts only the password                        Encrypts the username and password
Requires each network device to contain           Central management for authorization configuration
authorization configuration
No command logging                                Full command logging
Minimal vendor support for authorization          Supported by most major vendors
UDP, connectionless (Ports 1645/1646, …)          TCP, connection oriented (Port 49)
2.3.1 Authentication
Authentication is the action of determining the identity of a user, and is generally done when
the user first attempts to log in to a device or gain access to its services.
Figure 1 shows the authentication process.
2.3.2 Authorization
Authorization is the action of determining a user's privileges on the device, and usually
takes place after authentication. The mapping between TACACS+ authorization levels and
Alteon Application Switch operating system management access levels is shown in the
following tables:
Local commands are either a sub-menu or a leaf node in the local command tree. For
command authorization the following rules are applied:
1. Only the leaf node commands are sent to TACACS+ servers for authorization.
2. Only the command itself is sent for authorization. Command arguments are not
sent.
3. Only valid commands are sent for authorization. Invalid commands (such as a
mistyped command) are filtered by the Alteon CLI scheme and are not sent.
4. Authorization is performed on a per command basis.
5. A command is sent for authorization with its full path.
6. The command authorization process runs slowly on the TACACS+ server. If a user
issues more than a few commands simultaneously, data and connections may be
lost.
7. Command authorization is performed only in terminal mode of a
Console/Telnet/SSH connection. No command authorization occurs for
configuration changes performed via SNMP, the Web user interface, or file copying
such as TFTP, SCP or sync (/oper/slb/sync).
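A small Python model of the rules above, added here as illustration (not Alteon OS code): the command tree, the argument stripping and the '/'-joined request format are constructed assumptions, and the permit/deny policy for user jcc is modelled on the restriction described in section 3.3.2, in our own rule syntax rather than the TACACS.net authorization.xml format.

```python
import re

# Constructed, simplified Alteon-style command tree for illustration only:
# a dict is a sub-menu, None marks a leaf command. The real tree is far larger.
COMMAND_TREE = {
    "cfg": {
        "l3": {"if": {"addr": None, "mask": None, "ena": None}},
        "slb": {"filt": {"ena": None, "dis": None, "del": None, "action": None}},
    },
    "oper": {"slb": {"sync": None}},
    "info": {"sys": None},
}

def command_for_authorization(typed):
    """Return the command string sent to the TACACS+ server, or None when nothing
    is sent: leaf nodes only, full path, arguments dropped ('filt 1' -> 'filt'),
    invalid input filtered locally. Assumed wire format: '/cfg/l3/if/addr'."""
    node, path = COMMAND_TREE, []
    for step in typed.strip().strip("/").split("/"):
        words = step.split()
        name = words[0] if words else ""
        if not isinstance(node, dict) or name not in node:
            return None        # mistyped or unknown: the CLI rejects it, nothing is sent
        path.append(name)
        node = node[name]
    return None if isinstance(node, dict) else "/" + "/".join(path)   # sub-menu: not sent

def authorize(rules, command):
    """Ordered (action, regex) rules, first full match wins, default deny (our syntax)."""
    for action, pattern in rules:
        if re.fullmatch(pattern, command):
            return action == "permit"
    return False

# Constructed policy in the spirit of section 3.3.2: two filter commands are
# allowed, every other filter command is blocked, system information is readable.
JCC_RULES = [
    ("permit", r"/cfg/slb/filt/ena"),
    ("permit", r"/cfg/slb/filt/dis"),
    ("deny", r"/cfg/slb/filt/.*"),
    ("permit", r"/info/.*"),
]

def cli_decision(rules, typed):
    """Both steps as the switch applies them: local filtering, then one request per leaf command."""
    cmd = command_for_authorization(typed)
    if cmd is None:
        return "not sent"
    return "permitted" if authorize(rules, cmd) else "denied"
```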
2.3.3 Accounting
Accounting is the action of recording a user's activities on the device for the purposes of
billing and/or security. It follows the authentication and authorization actions. If
authentication and authorization are not performed via TACACS+, no TACACS+ accounting
messages are sent.
Whenever a CLI command is successfully executed, an accounting message is created and
sent to the TACACS+ server. The attributes provided for the TACACS+ accounting are:
protocol (console/telnet/ssh/http)
start_time (in seconds, since 12am 1-1-1970)
stop_time (in seconds, since 12am 1-1-1970)
elapsed_time (in seconds)
disc-cause (a string)
In addition to the previous attributes, the and accounting attributes are also
supported for command logging.
Logging of global commands uses the same rules described for authorization.
For example, if the following commands are issued for command logging:
NOTE: Sub-menu commands with arguments (for example, /cfg/l3/if 1) are also sent for
command logging so that there is a record of executed commands. This is not done for
authorization.
3.2 TACACS+ Installation and Basic Configuration
After downloading the TACACS+ software, run the executable file and follow the
instructions in the wizard to install TACACS+ on your Windows system. During setup, you
must provide the secret used for communicating with the Alteon device. In the lab, the
secret is radware.
For full details of the initial test, read the Quickstart Setup Guide
(http://tacacs.net/docs/TACACS.net_quickstart.pdf).
To configure the server in the lab, access the tacplus.xml, clients.xml, authentication.xml
and authorization.xml configuration files located under Windows 7 at
%ALLUSERSPROFILE%\Application data\TACACS.net\config.
The configuration files are included in Appendix C TACACS+ Server Configuration Files.
tacplus.xml is the global configuration file for the TACACS+ server. In this lab,
only the IP address at which the server accepts connections has been modified:
<LocalIP>192.168.1.220</LocalIP>
clients.xml is the configuration file for TACACS+ clients. Within this file you can
define the device that is authorized to make a request to the TACACS+ server. In
this lab, there are no modifications in this file as, by default, it has defined the
necessary private IP address ranges.
authentication.xml is the configuration file for Authentication Groups. In this lab,
the file has been modified to create 10 groups and to map them with Alteon users.
Table 5 summarizes the groups and users created in this file.
3.3 Alteon Configuration
This section explains the configuration of the Alteon device related to TACACS+.
NOTE: This document assumes familiarity with the Alteon CLI, so not all the steps are
documented.
Here is the pre-configuration. Table 6 explains the Alteon TACACS-related configuration
options.
3.3.1 Authentication
Once the configuration is complete, it is possible to start using the TACACS+ server to
authenticate users and to log every command executed at the device.
Figure 3 shows the authentication process for a user called oper.
This sample shows privileges for the authenticated user on the TACACS+ server. The last
line shows the privilege level assigned to the user that matches the oper profile.
The device reports that the authentication has failed (using the same error message as in
cases where the user name is correct but the password is wrong). In this case, the status of
the operation requested is failed. In the server log we see:
3.3.2 Authorization
The second and third lines allow the user to execute the commands, but the fourth line
blocks any other command related to filters.
The following error message displays when user jcc tries to remove a filter after the
administrator has configured the restriction on doing so:
3.3.3 Accounting
This section analyzes the accounting process. User oper is logged into the
device and executes the command. This is the accounting information
stored on the server:
3.3.4 References
© 2009 Radware, Ltd. All Rights Reserved. Radware and all other Radware product and service names are registered
trademarks of Radware in the U.S. and other countries. All other trademarks and names are the property of their respective
owners. Printed in the U.S.A