Configuring tacacs+ server in Nodegrid

1. Overview

TACACS+ is a protocol that handles authentication, authorization, and accounting (AAA) services. 

Follow these steps to add a tacacs+ server to the Nodegrid.

For this test we will use an NSCP (Nodegrid Serial Console Plus) and an Ubuntu Server (18.04) running a tacacs+ server.

Diagram:
(1) and (4): Laptop accessing the Nodegrid (over HTTPS).
(2) and (3): The Nodegrid passes the login request to the TACACS+ server for authentication. The TACACS+ server determines whether to allow access to the Nodegrid, and with what level of privilege.




The tacacs+ configuration of the Ubuntu Server (18.04), used here as an example, is shown below:

We have defined 2 groups:
- tadmin, with privilege 15, containing one user: "joe".
- read, with privilege 1, containing one user: "gill".

Notes
- Check the syntax of the tacacs+ configuration by typing: sudo service tacacs_plus check
- Check the status of the tacacs+ server with: systemctl status tacacs_plus (the status should be shown in green, in state "active").

Then, on the Nodegrid, configure as below: 

2. In Web UI, using User Level:

Go to Security :: Authentication :: Servers, and select the Method "TACACS+".



The fields Remote Server and Accounting Server take the IP address of our Ubuntu Server. The Service, "raccess", has to match the service name defined on the tacacs+ server.

Enter and confirm the secret shared with the tacacs+ server, and select the appropriate TACACS+ Version (usually "V1", when facing a Cisco ISE server):




Then, enable and fill in the User-Level attribute association to the local groups:

In our case, we are matching:
- the tacacs+ admin group "tadmin" (of privilege 15) to the local Nodegrid admin group "admin";
- the tacacs+ group "read" (of privilege 1) to the local Nodegrid user group "Operator".

Visualization:

The user added in the TACACS+ server as joe will be able to log in as shown in the image below:


Configuration in CLI:

Log in as admin in the CLI and type these commands:

   [admin@nodegrid /]# add settings/authentication/servers/
   [admin@nodegrid {servers}]# set fallback_if_denied_access=yes
   [admin@nodegrid {servers}]# set method=tacacs+
   [admin@nodegrid {servers}]# set remote_server=10.10.10.13
   [admin@nodegrid {servers}]# set tacacs_plus_accounting_server=10.10.10.13
   [admin@nodegrid {servers}]# set tacacs_plus_secret=secretkey
   [admin@nodegrid {servers}]# set tacacs_plus_service=raccess
   [admin@nodegrid {servers}]# set tacacs_plus_retries=2
   [admin@nodegrid {servers}]# set tacacs_plus_timeout=2
   [admin@nodegrid {servers}]# set tacacs_plus_version=v1
   [admin@nodegrid {servers}]# set tacacs_plus_enable_user-level=yes
   [admin@nodegrid {servers}]# set tacacs_plus_user_level_1=Operator
   [admin@nodegrid {servers}]# set tacacs_plus_user_level_15=admin

Type the show command to confirm your configuration:
   [admin@nodegrid {servers}]# show

Once you have confirmed the details, save the configuration:
   [admin@nodegrid {servers}]# commit

You will then see the tacacs+ server added to the Nodegrid.

After typing set, press the Tab key twice to see all the available options for configuration.

Notes
- The default authentication service is raccess (can be changed as needed).
- The default value for retries and timeout is 2 (can be changed as needed).
- The default port is 49.

3. In Web UI and TACACS+, to provide group level to be used in Nodegrid OS:
You can map 2 distinct groups on your TACACS+ server, with the same level of privilege, to 2 distinct groups on the Nodegrid OS. 

For that, go to Security :: Authentication :: Servers :: 1 and unselect the field “Enable User-Level attribute of Shell and raccess services association to local authorization group”.


On the TACACS+ server, add the attribute group_name to the groups:


Then, in Security :: Authorization :: Network_Admin :: Remote Groups, add those TACACS+ group names under “Remote Group” so that the Nodegrid group picks them up.
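As an added example (not part of the original article, whose tac_plus configuration is only described), here is a tac_plus.conf in the Shrubbery tacacs+ format used by the Ubuntu tacacs+ package. It covers both the two groups of section 1 (tadmin/joe at privilege 15 and read/gill at privilege 1, service raccess) and the group_name attribute of section 3. The shared secret "secretkey" and the group names tadmin, read, admin, Operator and Network_Admin come from the article; the passwords, the accounting file path, the third group "netadmin", and the assumption that tac_plus passes group_name through as an ordinary attribute-value pair are constructed for this example.

```conf
# Added example tac_plus.conf (not from the article). Placeholder passwords
# and the "netadmin" group are constructed; replace before use.

# Shared secret: must match the TACACS+ Secret configured on the Nodegrid
key = "secretkey"

# Accounting records for the Nodegrid's Accounting Server setting
accounting file = /var/log/tac_plus.acct

# Section 2: with the User-Level association enabled on the Nodegrid,
# priv-lvl alone selects the local group
# (priv-lvl 15 -> "admin", priv-lvl 1 -> "Operator").
# The service name "raccess" must match the Service field on the Nodegrid.
group = tadmin {
    default service = permit
    service = raccess {
        priv-lvl = 15
        # Section 3: used once the User-Level association is disabled
        group_name = "admin"
    }
}

group = read {
    default service = permit
    service = raccess {
        priv-lvl = 1
        group_name = "Operator"
    }
}

# Section 3: a second group with the SAME priv-lvl as tadmin but a different
# group_name, so the two land in distinct Nodegrid groups. "netadmin" is a
# constructed name; Network_Admin is the Nodegrid group named in section 3,
# which must list "netadmin" under Remote Group.
group = netadmin {
    default service = permit
    service = raccess {
        priv-lvl = 15
        group_name = "Network_Admin"
    }
}

user = joe {
    member = tadmin
    # placeholder password; use a hashed login line in production
    login = cleartext "ChangeMe-joe"
}

user = gill {
    member = read
    login = cleartext "ChangeMe-gill"
}
```

After editing the file, run the syntax check (sudo service tacacs_plus check) and restart the service as described in section 1; a user in tadmin and a user in netadmin then both authenticate with privilege 15, but are placed in admin and Network_Admin respectively only when the User-Level association is unchecked on the Nodegrid.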


