
Reference Guide

April 2012
TABLE OF CONTENTS
1 SCOPE OF THIS DOCUMENT  3
2 TACACS+  3
2.1 INTRODUCTION TO TACACS+  3
2.2 TACACS+ VS RADIUS  4
2.3 TACACS+ SUPPORT IN ALTEON OS  4
2.3.1 Authentication  5
2.3.2 Authorization  5
2.3.3 Accounting  8
2.4 ALTEON TACACS+ CONFIGURATION  10
3 TESTING IN THE LAB  11
3.1 LAB DESCRIPTION  12
3.2 TACACS+ INSTALLATION AND BASIC CONFIGURATION  12
3.3 ALTEON CONFIGURATION  13
3.3.1 Authentication  15
3.3.2 Authorization  17
3.3.3 Accounting  19
3.3.4 References  19
4 APPENDIX A ALTEON OS SYSTEM USER ACCOUNTS AND ACCESS LEVEL  20
5 APPENDIX B ALTEON CONFIGURATION FILE  21
6 APPENDIX C TACACS+ SERVER CONFIGURATION FILES  23
6.1 TACPLUS.XML  23
6.2 CLIENTS.XML  24
6.3 AUTHENTICATION.XML  27
6.4 AUTHORIZATION.XML  35

Radware TACACS+ in Alteon Reference Guide
1 Scope of this Document
As a network administrator, you need to maintain complete control of your network devices,
such as routers, switches, and firewalls. You also understand how Single Sign-On (SSO)
simplifies network management and increases network security.
The TACACS+ protocol (Terminal Access Controller Access-Control System Plus) is used
for administrator access to network devices.
This document describes how to integrate Alteon devices with a TACACS+ server for
network device management.

2 TACACS+

2.1 Introduction to TACACS+

TACACS+ is a Cisco Systems proprietary protocol which provides access control for
routers, network access servers and other networked computing devices via one or more
centralized servers. TACACS+ provides separate authentication, authorization and
accounting services.
TACACS+ is an entirely new protocol, based on TACACS (RFC 1492) but incompatible
with any previous version of TACACS. TACACS+ improves on TACACS and XTACACS by
separating the authentication, authorization and accounting functions, and by encrypting all
traffic between the network access server (NAS) and the daemon. It allows authentication
exchanges of arbitrary length and content, so any authentication mechanism can be used
with TACACS+ clients.
TACACS+ is extensible for site customization and future development features. The
protocol allows the TACACS+ client to request very fine-grained access control and allows
the daemon to respond to each component of that request.
The separation of authentication, authorization and accounting is a fundamental component
of the TACACS+ design. The distinction between the features is very important and this
document will address each one separately. It is important to note that TACACS+ supports
these features, but an implementation or configuration is not required to employ all three.
The features each serve a unique purpose, and can be quite powerful in combination. A
very important benefit of separating authentication from authorization is that authorization
(and per-user profiles) can be a dynamic process. Instead of a one-shot user profile,
TACACS+ can be integrated with other negotiations, such as a PPP negotiation, for far
greater flexibility. The accounting portion can serve to provide security auditing or
accounting and billing services.
TACACS+ uses TCP for its transport to ensure reliable delivery. The daemon should listen
on port 49 which is the "LOGIN" port assigned for the TACACS protocol. This port is
reserved in the assigned numbers RFC for both UDP and TCP. Current TACACS and
extended TACACS implementations use port 49.
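The shared-secret protection described above is body-level obfuscation: the 12-byte header travels in the clear and the body is XORed with an MD5 pseudo-pad derived from the secret, session id, version and sequence number (public TACACS+ specification, RFC 8907). The following Python is an added example, not code from this guide or from Radware; it builds an ASCII-login authentication START packet with the lab secret radware and constructed session values (session id, port name and client address are assumptions), then parses it back.

```python
import hashlib
import struct

# Header layout and field values from the public TACACS+ specification (RFC 8907).
HEADER_FMT = "!BBBBII"                      # version, type, seq_no, flags, session_id, length
HEADER_LEN = struct.calcsize(HEADER_FMT)    # 12 bytes, always sent in the clear
TAC_PLUS_VERSION = 0xC0                     # major 0xC, default minor 0
TAC_PLUS_AUTHEN = 0x01
TAC_PLUS_UNENCRYPTED_FLAG = 0x01
# Authentication START body values for an inbound ASCII login
TAC_PLUS_AUTHEN_LOGIN = 0x01
TAC_PLUS_AUTHEN_TYPE_ASCII = 0x01
TAC_PLUS_AUTHEN_SVC_LOGIN = 0x01


def pseudo_pad(secret, session_id, version, seq_no, length):
    """MD5_1 = MD5(session_id | key | version | seq_no);
    MD5_n = MD5(session_id | key | version | seq_no | MD5_n-1).
    The digests are concatenated and truncated to the body length."""
    prefix = struct.pack("!I", session_id) + secret + bytes([version, seq_no])
    pad, block = b"", b""
    while len(pad) < length:
        block = hashlib.md5(prefix + block).digest()
        pad += block
    return pad[:length]


def obfuscate(secret, session_id, version, seq_no, body):
    """XOR the body with the pseudo-pad; applying it twice restores the body."""
    pad = pseudo_pad(secret, session_id, version, seq_no, len(body))
    return bytes(b ^ p for b, p in zip(body, pad))


def build_authen_start(user, port, rem_addr, priv_lvl=1):
    """START body: eight one-byte fields, then the user, port and rem_addr
    strings (the data field is empty for an ASCII login)."""
    fixed = struct.pack("!8B", TAC_PLUS_AUTHEN_LOGIN, priv_lvl, TAC_PLUS_AUTHEN_TYPE_ASCII,
                        TAC_PLUS_AUTHEN_SVC_LOGIN, len(user), len(port), len(rem_addr), 0)
    return fixed + user + port + rem_addr


def build_packet(secret, session_id, seq_no, body, encrypt=True):
    """Header in the clear, body obfuscated unless encrypt=False."""
    flags = 0 if encrypt else TAC_PLUS_UNENCRYPTED_FLAG
    wire = obfuscate(secret, session_id, TAC_PLUS_VERSION, seq_no, body) if encrypt else body
    header = struct.pack(HEADER_FMT, TAC_PLUS_VERSION, TAC_PLUS_AUTHEN, seq_no, flags,
                         session_id, len(body))
    return header + wire


def parse_packet(secret, packet):
    """Split header and body; de-obfuscate unless the sender set
    TAC_PLUS_UNENCRYPTED_FLAG, which a production daemon should refuse."""
    version, ptype, seq_no, flags, session_id, length = struct.unpack(HEADER_FMT, packet[:HEADER_LEN])
    wire = packet[HEADER_LEN:HEADER_LEN + length]
    encrypted = not (flags & TAC_PLUS_UNENCRYPTED_FLAG)
    body = obfuscate(secret, session_id, version, seq_no, wire) if encrypted else wire
    return {"type": ptype, "seq_no": seq_no, "session_id": session_id,
            "encrypted": encrypted, "body": body}


# Constructed sample: the lab secret from this guide, an arbitrary session id,
# and the oper user logging in from an assumed management PC address.
SECRET = b"radware"
SAMPLE_BODY = build_authen_start(b"oper", b"tty0", b"192.168.1.10")
SAMPLE_PACKET = build_packet(SECRET, 0x1A2B3C4D, 1, SAMPLE_BODY)

if __name__ == "__main__":
    parsed = parse_packet(SECRET, SAMPLE_PACKET)
    print("username visible on the wire:", b"oper" in SAMPLE_PACKET)
    print("body recovered with the shared secret:", parsed["body"] == SAMPLE_BODY)
```

The same function de-obfuscates on the daemon side, which is why a wrong secret on either end yields a garbled body rather than an explicit decryption error.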
2.2 TACACS+ vs RADIUS

RADIUS and TACACS+ are the main protocols typically used to provide authentication,
authorization, and accounting (AAA) services on network devices. RADIUS was designed
to authenticate and log dial-up remote users to a network, and TACACS+ is used most
commonly for administrator access to network devices like routers and switches.
Table 1 summarizes the major differences between RADIUS and TACACS+:

Table 1: Major differences between RADIUS and TACACS+

RADIUS | TACACS+
Combines authentication & authorization | Separates all 3 elements of AAA, making it more flexible
Encrypts only the password | Encrypts the username and password
Requires each network device to contain authorization configuration | Central management for authorization configuration
No command logging | Full command logging
Minimal vendor support for authorization | Supported by most major vendors
UDP Connectionless (Ports 1645/1646, | TCP Connection oriented (Port 49)

2.3 TACACS+ Support in Alteon OS

Alteon Application Switch Operating System supports authentication, authorization and
accounting with networks using the Cisco Systems TACACS+ protocol. The Alteon
Application Switch functions as the Network Access Server by interacting with the remote
client and initiating authentication and authorization sessions with the TACACS+ access
server. The remote user is defined for management access to the Alteon Application Switch
either through a data or management port.
2.3.1 Authentication

Authentication is the action of determining the identity of a user, and is generally done when
the user first attempts to log in to a device or gain access to its services.
Figure 1 shows the authentication process.

Figure 1: Authentication Process


The Alteon operating system supports the standard ASCII inbound login.
These options are not supported by Alteon:
PAP, CHAP and ARAP login methods
TACACS+ change password requests
One-time password authentication
NOTE: The TACACS+ daemon may reply to the authentication request with the status set
to TAC_PLUS_AUTHEN_STATUS_FOLLOW, indicating that the NAS should perform
authentication with an alternate daemon.

2.3.2 Authorization

Authorization is the action of determining a user's privileges on the device, and usually
takes place after authentication. The mapping between TACACS+ authorization levels and
Alteon Application Switch operating system management access levels is shown in the
following tables:

Table 2: Disabled privilege level mapping (/cfg/sys/tacacs/cmap/d)

Alteon OS System User Access Level | TACACS+ Level
user | 0
slboper | 1
l4oper | 2
oper | 3
slbadmin | 4
l4admin | 5
admin | 6
crtadmin | 7
slbadmin+crtmng | 8
l4admin+crtmng | 9

Table 3: Enabled privilege level mapping (/cfg/sys/tacacs/cmap/ena)

Alteon OS System User Access Level | TACACS+ Level
user | 0,1
slboper | 2,3
l4oper | 4,5
oper | 6,7,8
slbadmin | 9,10,11
l4admin | 12,13
admin | 14,15
crtadmin | 16,17
slbadmin+crtmng | 18,19,20
l4admin+crtmng | 21,22
The Alteon operating system includes global and local commands.
Global commands are universal; they do not depend on the current position in the tree and
can be issued anywhere. Global commands are usually not configuration-related, except
diff, apply, save and revert.
Local commands are arranged in a tree structure. The function of a local command
depends upon the position in the tree at which the command is executed. Local commands
are usually configuration- or operation-related.

These are the available global commands:

The following are used to navigate the menu structure:
. Print current menu
.. Move up one menu level
/ Top menu if first, or command separator
! Execute command from history
Only the , , , , , and commands
perform TACACS+ authorization and logging. The rest of the global commands are used to
navigate the menu (tree) structure, to provide help on commands, and to modify the display
format of a command output. There is no command authorization and logging performed for
those commands. When a command needs to be authorized or logged, both the command
itself and its first argument will be sent to the TACACS+ server.
For example, if the following commands are issued for command authorization:

the following authorization requests will be sent out:

Local commands are either a sub-menu or a leaf node in the local command tree. For
command authorization the following rules are applied:
1. Only the leaf node commands are sent to TACACS+ servers for authorization.
2. Only the command itself is sent for authorization. Command arguments are not
sent.
3. Only valid commands are sent for authorization. Invalid commands (such as a
mistyped command) are filtered by the Alteon CLI scheme and are not sent.
4. Authorization is performed on a per command basis.
5. A command is sent for authorization with its full path.
6. The command authorization process runs slowly on the TACACS+ server. If a user
issues more than a few commands simultaneously, data and connections may be
lost.
7. Command authorization is performed only in terminal mode of a
Console/Telnet/SSH connection. No command authorization occurs for
configuration changes performed via SNMP, the Web user interface, or file copying
such as TFTP, SCP or sync (/oper/slb/sync).
8. Commands are introduced in the cmd-arg field. A fixed cfgtree value is used in the
cmd field.
For example, if the following commands are issued for command authorization:

the following authorization requests will be sent out:

2.3.3 Accounting

Accounting is the action of recording a user's activities on the device for the purposes of
billing and/or security. It follows the authentication and authorization actions. If
authentication and authorization are not performed via TACACS+, no TACACS+ accounting
messages are sent.
Whenever a CLI command is successfully executed, an accounting message is created and
sent to the TACACS+ server. The attributes provided for TACACS+ accounting are:
protocol (console/telnet/ssh/http)
start_time (in seconds since 12am 1-1-1970)
stop_time (in seconds since 12am 1-1-1970)
elapsed_time (in seconds)
disc-cause (a string)
In addition to the previous attributes, the and accounting attributes are also
supported for command logging.

Logging of global commands uses the same rules described for authorization.
For example, if the following commands are issued for command logging:

the following accounting requests are sent out:

For command logging the following rules are applied:
1. Only the leaf nodes of the local command tree and those sub-menu nodes which
have arguments are sent for command logging.
2. Command logging is performed on a per command basis.
3. Both the command and its first argument are sent to TACACS+ servers for logging.
4. Only valid commands are sent for logging. Invalid commands (such as a mistyped
command) are filtered by the Alteon CLI scheme and are not sent.
5. A command is sent for logging with its full path.
6. The command logging process runs slowly on the TACACS+ server. If a user
issues more than a few commands simultaneously, data and connections may be
lost.
7. Command logging is performed only in terminal mode of a Console/Telnet/SSH
connection. No command logging occurs for configuration changes performed via
SNMP, the Web user interface, or file copying such as TFTP, SCP or sync
(/oper/slb/sync).
For example, if the following commands are issued for command logging:

the following accounting requests are sent out:

NOTE: Sub-menu commands with arguments (for example, /cfg/l3/if 1) are also sent for
command logging so that there is a record of executed commands. This is not done for
authorization.
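As an added example (not code from this guide or from Radware), the following Python models the authorization rules of section 2.3.2 and the logging rules of section 2.3.3 over a constructed subset of the Alteon command tree: it resolves a CLI line from the current menu position, drops navigation and mistyped commands, and builds the cmd/cmd-arg authorization request and the accounting record the switch would send. The tree contents, the current-menu handling and the reuse of cmd/cmd-arg in the accounting record are assumptions for the example.

```python
import re
from dataclasses import dataclass, field


@dataclass
class Node:
    children: dict = field(default_factory=dict)
    takes_index: bool = False       # sub-menu selected with an index, e.g. /cfg/l3/if 1

    @property
    def is_leaf(self):
        return not self.children


def menu(takes_index=False, **children):
    return Node(children, takes_index)


# Constructed subset of the Alteon command tree (assumption, not the switch's
# full tree). Nodes without children are leaf commands.
ROOT = menu(
    cfg=menu(
        sys=menu(tacacs=menu(prisrv=Node(), secsrv=Node(), cmap=Node(),
                             cauth=Node(), clog=Node())),
        l3=menu(**{"if": menu(True, ena=Node(), dis=Node(), addr=Node())}),
        slb=menu(filt=menu(True, ena=Node(), dis=Node(), action=Node())),
    ),
    info=menu(link=Node()),
)

NAVIGATION = {".", "..", "/"}   # menu navigation: never sent to TACACS+


@dataclass
class Resolved:
    path: str    # full path of the node the line resolved to
    node: Node
    args: list   # tokens after that node: a sub-menu index or command arguments


def resolve(line, cwd=()):
    """Resolve a CLI line against the tree from the current menu position.
    Returns None for navigation commands (nothing is sent) and for mistyped
    commands (the CLI filters them before any TACACS+ exchange)."""
    line = line.strip()
    if line in NAVIGATION or line.startswith("!"):
        return None
    absolute = line.startswith("/")
    tokens = [t for t in re.split(r"[/\s]+", line) if t]   # "/" also separates commands
    path = [] if absolute else list(cwd)
    node = ROOT
    for name in path:
        node = node.children[name]
    args = []
    for tok in tokens:
        if args:                                  # once arguments start, the rest are arguments
            args.append(tok)
        elif tok in node.children:                # descend one menu level
            node = node.children[tok]
            path.append(tok)
        elif node.takes_index or node.is_leaf:    # sub-menu index, or a leaf's argument
            args.append(tok)
        else:
            return None                           # mistyped: filtered by the Alteon CLI
    return Resolved("/" + "/".join(path), node, args)


def authorization_request(line, cwd=()):
    """Section 2.3.2: leaf commands only, full path, no arguments, a fixed
    'cfgtree' in cmd and the command itself in cmd-arg."""
    r = resolve(line, cwd)
    if r is None or not r.node.is_leaf:
        return None
    return {"cmd": "cfgtree", "cmd-arg": r.path}


def accounting_request(line, cwd=(), protocol="ssh", start_time=0, stop_time=0):
    """Section 2.3.3: leaf commands, and sub-menus given an argument, are logged
    with their full path plus the first argument. disc-cause is omitted here."""
    r = resolve(line, cwd)
    if r is None or not (r.node.is_leaf or r.args):
        return None
    cmd_arg = r.path + (" " + r.args[0] if r.args else "")
    return {"protocol": protocol, "start_time": start_time, "stop_time": stop_time,
            "elapsed_time": stop_time - start_time, "cmd": "cfgtree", "cmd-arg": cmd_arg}
```

Running /cfg/l3/if 1 through both functions reproduces the NOTE above: the sub-menu with an index produces an accounting record but no authorization request.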
2.4 Alteon TACACS+ Configuration

This section describes the TACACS+ configuration menu.
Table 4 lists TACACS+ server menu options (/cfg/sys/tacacs) taken from the Alteon
Application Switch Operating System Command Reference manual.

Table 4: TACACS+ server menu options

Command Syntax and Usage

prisrv <IP address>
  Defines the primary TACACS+ server address.
secsrv <IP address>
  Defines the secondary TACACS+ server address.
secret <1-32 character secret>
  The shared secret between the switch and the primary TACACS+ servers.
port <TACACS+ port configure, default 49>
  Enter the number of the TCP port to be configured, between 1 and 65000. The
  default is 49.
retries <TACACS+ server retries, 1-3>
  Sets the number of failed authentication requests before switching to a different
  TACACS+ server. The default is 3 requests.
timeout <TACACS+ server timeout seconds, 1-15>
  Sets the amount of time, in seconds, before a TACACS+ server authentication
  attempt is considered to have failed. The default is 4 seconds.
secbd disable|enable
  Enables or disables TACACS+ secure backdoor access. When enabled, it allows
  access to the switch when no TACACS+ server is available.
  NOTE: This option is only valid for the serial console. The credentials for allowing
  access are: username=notacacs; password=admin password.
cmap disable|enable
  Enables or disables the new TACACS+ privilege level mapping. When enabled, this
  extends the privilege level range from the default 0-9 to 0-22.
cauth disable|enable
  Enables or disables TACACS+ command authorization.
clog disable|enable
  Enables or disables TACACS+ command logging. When enabled, the Application
  Switch sends command log messages to the TACACS+ server.
on
  Enables the TACACS+ server.
off
  Disables the TACACS+ server.
cur
  Displays the current TACACS+ configuration parameters.

3 Testing in the Lab


In this section we test the TACACS+ configuration in Alteon.
Figure 2 shows the network diagram used in this lab.

Figure 2: Network Diagram

3.1 Lab Description

The elements used in the lab are:
1 Alteon ODS-VL with software version 27.0.1.0
1 PC acting as a client for management purposes. The SecureCRT Telnet/SSH
client is used.
Server with the TACACS+ daemon running, using TACACS.net v1 software (available
from http://tacacs.net/download.asp) under Windows 7.

3.2 TACACS+ Installation and Basic Configuration

After downloading the TACACS+ software, run the executable file and follow the
instructions in the wizard to install TACACS+ on your Windows system. During setup, you
must provide the secret used for communicating with the Alteon device. In the lab, the
secret is radware.
For full details of the initial test, read the Quickstart Setup Guide
(http://tacacs.net/docs/TACACS.net_quickstart.pdf).
To configure the server in the lab, access the tacplus.xml, clients.xml, authentication.xml
and authorization.xml configuration files located under Windows 7 at
%ALLUSERSPROFILE%\Application data\TACACS.net\config.
The configuration files are included in Appendix C TACACS+ Server Configuration Files.
tacplus.xml is the global configuration file for the TACACS+ server. In this lab,
only the IP address at which the server accepts connections has been modified:
<LocalIP>192.168.1.220</LocalIP>
clients.xml is the configuration file for TACACS+ clients. Within this file you can
define the device that is authorized to make a request to the TACACS+ server. In
this lab, there are no modifications in this file as, by default, it has defined the
necessary private IP address ranges.
authentication.xml is the configuration file for Authentication Groups. In this lab,
the file has been modified to create 10 groups and to map them with Alteon users.
Table 5 summarizes the groups and users created in this file.

Table 5: Groups and users in the authentication.xml file

Alteon OS System User Access Level | TACACS+ Group | Username/Password
user | user | user/user
slboper | slboper | slboper/slboper
l4oper | l4oper | l4oper/l4oper
oper | oper | oper/oper
slbadmin | slbadmin | slbadmin/slbadmin
l4admin | l4admin | l4admin/l4admin; jcc/jcc
admin | admin | admin/admin
crtadmin | crtadmin | crtadmin/crtadmin
slbadmin+crtmng | slbcrtadmin | slbcrtadmin/slbcrtadmin
l4admin+crtmng | l4crtadmin | l4crtadmin/l4crtadmin
authorization.xml is the configuration file where the servers read the permissions
assigned to each group and apply them to the request coming from clients. In this
lab, this file has been modified to create different Authorization sections for each
of the groups listed in Table 5. Here is a sample from the file:

3.3 Alteon Configuration

This section explains the configuration of the Alteon device related to TACACS+.
NOTE: This document assumes familiarity with the Alteon CLI, so not all the steps are
documented.
Here is the pre-configuration. Table 6 explains the Alteon TACACS-related configuration
options.

Table 6: Alteon TACACS-related configuration options

Command Syntax and Usage


prisrv <IP address>
Defines the primary TACACS+ server address.
esecret
The shared secret (radware in this lab). In the configuration dump it is always
displayed encrypted for security reasons.
on
Enables the feature. Ensure that the TACACS+ server is up and running and is
connected with the Alteon device before applying changes. You can log in to
the device if the command is applied.
secbd disable|enable
Enables or disables the ability to log into the Alteon device using the serial
console if the device has connection problems with the TACACS+ server.
cmap disable|enable
Enables or disables the Alteon device to use the new privilege level mapping.
cauth disable|enable
Enables or disables TACACS+ command authorization. When disabled, an
authenticated user can execute any command associated with his or her
mapped access level. When enabled, the Alteon device asks the TACACS+
server for authorization to execute a given command. In this lab, the option is
enabled.
clog disable|enable
Enables or disables TACACS+ command logging. When enabled the Alteon
device sends information to be logged in the accounting module of the
TACACS+ server.

The rest of the menu options have not been modified, so the current configuration is as
follows:

3.3.1 Authentication

Once the configuration is complete, it is possible to start using the TACACS+ server to
authenticate users and to log every command executed at the device.
Figure 3 shows the authentication process for a user called oper.

Figure 3: Authentication process


Notice that in this case the login prompt has been replaced with the text Enter tacacs username.

By default, the server logs all information at
%ALLUSERSPROFILE%\ProgramData\TACACS.net\Logs\ . Sample
sections of this file are shown below.
This sample shows the packets sent and received for this login on the TACACS+ server:

This sample shows privileges for the authenticated user on the TACACS+ server. The last
line shows the privilege level assigned to the user that matches the oper profile.

This sample shows a user name error:

The device reports that the authentication has failed (using the same error message as in
cases where the user name is correct but the password is wrong). In this case, the status of
the operation requested is failed. In the server log we see:

Note: Alteon does not support a fragmented TACACS+ authentication response.

3.3.2 Authorization

In this lab, the authorization mechanism is enabled using the command .


For each command executed by the user, an authorization request is sent to the TACACS+
server. In this example, a user called jcc is logged in to the device and executes the
command.
Alteon sends a request for authorization with the arguments of the command entered by
jcc. The TACACS+ server verifies the request against the rules for this group of users and
authorizes the request.

The next example illustrates the use of restrictions for specific commands. The restriction is
required if the administrator wants to restrict a user from modifying, enabling or disabling a
filter. In this case the authorization.xml file on the TACACS+ servers is modified with these
lines:

The second and third lines allow the user to execute the commands, but the fourth line
blocks any other command related to filters.
The following error message displays when user jcc tries to remove a filter after the
administrator has configured the restriction on doing so:

This is the information on the TACACS+ server:

The TACACS+ server does not authorize the Alteon request because the command
matches the regular expression for commands that are not allowed.
NOTE: Because this command is not authorized, no accounting information is saved, and
there is no record that the user tried to execute the command.
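The ordering of permit and deny lines described above, and the NOTE that a denied command leaves no accounting record, are the two points worth checking on the server side. The following Python is an added example (not code from this guide, from Radware or from TACACS.net): a first-match permit/deny evaluator over constructed cmd-arg paths, replaying a session to show which commands reach accounting and which survive only in a server-side authorization log. The rule set and the cmd-arg strings are assumptions for the example.

```python
import re
from dataclasses import dataclass


@dataclass(frozen=True)
class Rule:
    action: str      # "permit" or "deny"
    pattern: str     # regular expression matched against the request's cmd-arg


def decide(cmd_arg, rules, default="deny"):
    """First matching rule wins, so the permits for the allowed filter commands
    must precede the deny that covers the rest of the filter menu."""
    for rule in rules:
        if re.search(rule.pattern, cmd_arg):
            return rule.action
    return default


# Constructed rule set modelled on the restriction in this section: two explicit
# permits, then a deny for anything else under /cfg/slb/filt, then a broad
# permit for the rest of the configuration tree (assumed for the example).
FILTER_RULES = (
    Rule("permit", r"^/cfg/slb/filt/ena$"),
    Rule("permit", r"^/cfg/slb/filt/dis$"),
    Rule("deny",   r"^/cfg/slb/filt"),
    Rule("permit", r"^/cfg/"),
)


def replay(requests, rules):
    """Replay (username, cmd-arg) authorization requests. Returns the accounting
    records the switch would produce (permitted commands only: a denied command
    is never executed, so it is never logged) and a server-side authorization
    log that also keeps the denials."""
    accounting, authz_log = [], []
    for user, cmd_arg in requests:
        verdict = decide(cmd_arg, rules)
        authz_log.append((user, cmd_arg, verdict))
        if verdict == "permit":
            accounting.append((user, cmd_arg))
    return accounting, authz_log


# Constructed session for user jcc, including the denied filter removal.
SESSION = [
    ("jcc", "/cfg/slb/filt/ena"),
    ("jcc", "/cfg/slb/filt/del"),
    ("jcc", "/cfg/slb/filt/dis"),
    ("jcc", "/cfg/sys/tacacs/prisrv"),
]

if __name__ == "__main__":
    acct, log = replay(SESSION, FILTER_RULES)
    print("accounting records:", acct)
    print("authorization log:", log)
```

Keeping the authorization log alongside the accounting log is what restores the record of attempted, denied commands that the switch's accounting alone does not provide.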

3.3.3 Accounting

This section analyzes the accounting process. User oper is logged into the
device and executes the command. This is the accounting information
stored on the server:

3.3.4 References

1. Alteon Application Switch Command Reference


2. Alteon Application Switch Application Guide 27.0

4 Appendix A Alteon OS System User Accounts and
Access Level
Table 7 lists the user accounts that can be defined on the TACACS+ server or for defining
Class of Service for the End User Access Control feature.

Table 7: User accounts and passwords

User (password: user)
  Has no direct responsibility for switch management. He/she can view all switch
  status information and statistics but cannot make any configuration changes to the switch.

SLB Viewer (password: slbview)
  Can view switch information, and SLB statistics and information but cannot make any
  configuration changes to the switch.

SLB Operator (password: slboper)
  Manages content servers and other Internet services and their loads. Can view all switch
  information and statistics, and enable/disable servers using the SLB operation menu.
  Available to the vADC administrator only.

Layer 1 Operator (password: l1oper)
  Allows the user to display information related to Layer 1 parameters such as LACP and
  link information.

Layer 2 Operator (password: l2oper)
  Allows the user to display information related to Layer 2, such as routing and ARP.

Layer 3 Operator (password: l3oper)
  Allows the user to display information related to Layer 3. Available to the vADC
  administrator only.

Layer 4 Operator (password: l4oper)
  Manages traffic on the lines leading to the shared Internet services. This user currently
  has the same access level as the SLB operator. This level is reserved for future use,
  to provide access to operational commands for operators managing traffic on the line
  leading to the shared Internet services. Available to the vADC administrator only.

Operator (password: oper)
  Manages all functions of the switch. In addition to SLB Operator functions, the
  Operator can reset ports.

SLB Administrator (password: slbadmin)
  Configures and manages content servers and other Internet services and their loads. In
  addition to SLB Operator functions, can configure parameters on the SLB menus, with
  the exception of not being able to configure filters or bandwidth management. Available to
  the vADC administrator only.

Layer 3 Administrator (password: l3admin)
  Manages Layer 3 features. Available to the vADC administrator only.

Layer 4 Administrator (password: l4admin)
  Configures and manages traffic on the lines leading to the shared Internet services. In
  addition to SLB Administrator functions, can configure all parameters on the SLB menus,
  including filters and bandwidth management. Available to the vADC administrator only.

Administrator (password: admin)
  Has complete access to all menus, information, and configuration commands on
  the switch, including the ability to change both the user and administrator passwords.

Certificate Administrator (no default password)
  Has full access to the Certificate Repository menu (/cfg/slb/ssl/certs), including the ability
  to view, import/export, create, update, and decrypt the SSLdump capture, and standard
  user privileges. Unlike other user accounts, there is no default user called crtadmin and
  there is no default password. A Certificate Administrator user can only log in after the
  Administrator defines a user with certificate administrator privileges.

5 Appendix B Alteon Configuration File


This section illustrates the Alteon configuration file used during the lab.

6 Appendix C TACACS+ Server Configuration Files
This section includes the four TACACS+ configuration files used during the lab.

North America
Radware Inc.
575 Corporate Drive
Mahwah, NJ 07430
Tel: +1-888-234-5763

International
Radware Ltd.
22 Raoul Wallenberg St.
Tel Aviv 69710, Israel
Tel: 972 3 766 8666

© 2009 Radware, Ltd. All Rights Reserved. Radware and all other Radware product and service names are registered
trademarks of Radware in the U.S. and other countries. All other trademarks and names are the property of their respective
owners. Printed in the U.S.A