Configuring tacacs+ server in Nodegrid


1. Overview

TACACS+ is a protocol that handles authentication, authorization, and accounting (AAA) services.

Follow these steps to add a tacacs+ server to the Nodegrid.

For this test we use an NSCP (Nodegrid Serial Console Plus) and an Ubuntu Server (18.04) running a tacacs+ server.

Diagram:
(1) and (4): Laptop accessing the Nodegrid (over HTTPS).
(2) and (3): The Nodegrid forwards the login request to the TACACS+ server for authentication. The TACACS+ server decides whether to allow access to the Nodegrid, and with what level of privilege.




The tacacs+ configuration of the Ubuntu Server, as an example, is shown below:

We have defined two groups:
- tadmin, with privilege 15, containing one user: "joe".
- read, with privilege 1, containing one user: "gill".
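
The configuration image is not reproduced here, so the following is an added example of a Shrubbery tac_plus configuration (the daemon behind the tacacs_plus service on Ubuntu) that matches the two groups described above. It is not the article's own configuration; the shared key, the user passwords and the accounting file path are constructed placeholders, and the service name "raccess" is the one the Nodegrid queries.

```conf
# Example /etc/tacacs+/tac_plus.conf (added example, not the article's image).
# Two groups: tadmin (priv-lvl 15, user joe) and read (priv-lvl 1, user gill).

# Shared secret; must match the Secret entered on the Nodegrid (placeholder).
key = "secretkey"

# Accounting records sent by the Nodegrid (Accounting Server field) are written here.
accounting file = /var/log/tac_plus.acct

# Full-access group: priv-lvl 15 returned in the "raccess" service, which is
# the service name the Nodegrid asks for (its Service field must read "raccess").
group = tadmin {
    default service = permit
    service = raccess {
        priv-lvl = 15
    }
}

# Read-only group: priv-lvl 1 in the same service.
group = read {
    default service = permit
    service = raccess {
        priv-lvl = 1
    }
}

# Users inherit the service attributes of their group.
# "cleartext" keeps this example self-contained; on a real server use a hash
# generated with tac_pwd instead, e.g. login = des "<hash>".
user = joe {
    member = tadmin
    login = cleartext "joe-password-placeholder"
}

user = gill {
    member = read
    login = cleartext "gill-password-placeholder"
}
```

After editing the file, validate it with the syntax check mentioned in the notes below and restart the service before testing a login from the Nodegrid; a mismatch between this key and the Nodegrid secret, or between "raccess" and the Nodegrid Service field, is the usual cause of a denied login.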

Notes
- You can check the syntax of the tacacs configuration by running: sudo service tacacs_plus check
- Check the status of the tacacs+ server with: systemctl status tacacs_plus (the status should be shown in green, in state "active").

Then, on the Nodegrid, configure as below: 

2. In Web UI, using User Level:

Go to Security :: Authentication :: Servers, and select the Method "TACACS+".



The fields Remote Server and Accounting Server hold the IP address of our Ubuntu Server. The Service ("raccess") must match the service name defined on the TACACS+ server.

Enter and confirm the secret shared with the TACACS+ server, and select the appropriate TACACS+ Version (usually "V1" when facing a Cisco ISE server):




Then, enable and fill in the User-Level attribute association to the local groups:

In our case, we are matching:
- the tacacs+ group "tadmin" (privilege 15) to the local Nodegrid admin group "admin";
- the tacacs+ group "read" (privilege 1) to the local Nodegrid user group "Operator".

Visualization:

The user added in the TACACS+ server as joe will be able to log in as shown in the image below:


Configuration in CLI:

Log in as admin in the CLI and type these commands:

   [admin@nodegrid /]# add settings/authentication/servers/
   [admin@nodegrid {servers}]# set fallback_if_denied_access=yes
   [admin@nodegrid {servers}]# set method=tacacs+
   [admin@nodegrid {servers}]# set remote_server=10.10.10.13
   [admin@nodegrid {servers}]# set tacacs_plus_accounting_server=10.10.10.13
   [admin@nodegrid {servers}]# set tacacs_plus_secret=secretkey
   [admin@nodegrid {servers}]# set tacacs_plus_service=raccess
   [admin@nodegrid {servers}]# set tacacs_plus_retries=2
   [admin@nodegrid {servers}]# set tacacs_plus_timeout=2
   [admin@nodegrid {servers}]# set tacacs_plus_version=v1
   [admin@nodegrid {servers}]# set tacacs_plus_enable_user-level=yes
   [admin@nodegrid {servers}]# set tacacs_plus_user_level_1=Operator
   [admin@nodegrid {servers}]# set tacacs_plus_user_level_15=admin

Type the show command to confirm your configuration:
   [admin@nodegrid {servers}]# show

Once you have confirmed the details, save the configuration:
   [admin@nodegrid {servers}]# commit

The tacacs+ server is then listed among the Nodegrid authentication servers.

After typing the set command, press the Tab key twice to list all the options available for configuration.

Notes
- The default authentication service is raccess (can be changed as needed).
- The default value for retries and timeout is 2 (can be changed as needed).
- The default port is 49.

3. In Web UI and TACACS+, to provide group level to be used in Nodegrid OS:
You can map two distinct groups on your TACACS+ server, with the same level of privilege, to two distinct groups on the Nodegrid OS.

For that, go to Security :: Authentication :: Servers :: 1 and unselect the field “Enable User-Level attribute of Shell and raccess services association to local authorization group”.


On the TACACS+ server, add the attribute group_name to the groups:


In Security :: Authorization :: Network_Admin :: Remote Groups, add the said groups under “Remote Group” in the Nodegrid groups.
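
As an added example (not the article's own configuration), the following tac_plus fragment defines two TACACS+ groups with the same privilege level that differ only in the group_name attribute described above; "netops" and "netaudit" are constructed names, and each one is assumed to be entered as a Remote Group of the corresponding Nodegrid group (for instance Network_Admin). The shared key and password are placeholders.

```conf
# Added example: same priv-lvl, distinct group_name attribute per group.
# The Nodegrid matches group_name against the Remote Group entries configured
# under Security :: Authorization once the User-Level association is disabled.
key = "secretkey"

# Both groups carry priv-lvl 1; only group_name tells them apart.
group = netops {
    default service = permit
    service = raccess {
        priv-lvl = 1
        group_name = "netops"
    }
}

group = netaudit {
    default service = permit
    service = raccess {
        priv-lvl = 1
        group_name = "netaudit"
    }
}

# Constructed user; the group membership decides which group_name is returned.
user = joe {
    member = netops
    login = cleartext "joe-password-placeholder"
}
```

Because the privilege level no longer drives the mapping, a login is authorized only when the returned group_name matches a Remote Group on the Nodegrid; a user whose group carries no matching group_name gets the permissions of no local group, which is the expected fail-closed behaviour and a useful check when testing the mapping.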


