The following section shows the steps required to configure TACACS+ on Identity Engines
Ignition Server, Release 8.0. Use the preceding information to configure the switch.
A TACACS+ server responds to and audits network access requests. In an installation, the
Identity Engines Ignition Server is the TACACS+ server.
The example displays how to do the following:
- Enable TACACS+
- Configure a user
- Create a command set
- Configure the authentication protocol policy
- Create the authorization policy
- Configure TACACS+ authenticators
For more information on the Ignition Server, see Identity Engines Ignition Server
Administration.
Before you begin
- Configure the Ignition Server appliance and set up its network settings. For more
  information, see Identity Engines Ignition Server Getting Started.
- Install the Ignition Dashboard on your Windows OS.
- Configure each authenticator (switch) to recognize the Ignition Server appliance as
  its TACACS+ server.
- Configure your switch to send packets to the Ignition Server appliance with the
  appropriate IP address and port.
- Ensure licenses are up-to-date.
Procedure
- If the Ignition Server Dashboard is not connected to your Ignition Server, select
  Administration: Login to connect.
  - The default login credentials for User Name and Password are admin/admin. Change
    the default values.
  - In the Connect to field, enter the IP address of the Ignition Server for TACACS+.
    In this example, the IP address for the TACACS+ server is 192.0.2.8.
- Enable TACACS+.
  - In the Ignition Server Dashboard, select Site 0.
  - In the Sites window, select the Services tab.
  - Under the Services tab, select the TACACS+ tab.
  - Click the Edit button in the TACACS+ tab.
  - In the Edit TACACS+ Configuration dialog box, select the Protocol is enabled box.
  - In the Bound Interface field, select Admin Port.
  - In the Port field, enter 49.
  - Select Accept Requests from Any Authenticator.
    Select this option if you want to create a global TACACS+ authenticator that sets
    policy for all authenticators that do not match a specific TACACS+-enabled
    authenticator in your Ignition Server configuration.
  - In the Access Policy field, select default-tacacs-admin.
    Use this configuration in the case of a global TACACS+ authenticator. Choose the
    global TACACS+ policy that you want applied if the device finds no better matching
    authenticator.
  - In the TACACS+ Shared Secret field, enter the secret that the switch and the
    TACACS+ Ignition Server share. In this example, the shared secret is secret.
  - Click OK.
- Configure a user recognized by the TACACS+ server.
  - In the Ignition Server Dashboard, expand the Configuration tree: .
  - Click New.
  - Fill in the appropriate fields. As an example:
    User Name: jsmith
    First Name: John
    Last Name: Smith
    Password: test
    Confirm password: test
- If your TACACS+ policy uses per-command authorization, create a command set.
  - In the Ignition Server Dashboard, expand the Configuration tree: .
  - Click Define Command Sets.
  - Click New.
  - In the New Device Command Set window, type a Name and Description for the command
    set; for instance, level5.
    In this window you build your command set by adding commands to the list. You can
    build the command list manually or you can import a list. For more information on
    importing a command list, see Identity Engines Ignition Server Administration.
  - To manually add the commands, click Add in the New/Edit Device Command Set window.
  - Click the Simple Command Using Keywords and Arguments box.
  - In the Command field, type the command and, optionally, its arguments.
  - To allow the command to be used with any argument, select the Allow box.
  - To allow only the specific command and arguments you have typed, tick the Deny
    box.
  - Click OK to add the command to the list.
  - Continue to add the commands that you want.
- If your TACACS+ policy uses privilege-level authorization, create the TACACS+ access
  policy to allow the TACACS+ Ignition Server to communicate with the switch.
  - In the Ignition Server Dashboard, expand the Configuration tree: .
  - Select default-tacacs-admin.
  - Click the Authorization Policy tab and select the name of the policy you want to
    edit.
  - Click Edit; the Edit Authorization Policy window appears.
  - In the Rules section, select the rule you want to edit. In this case select level5,
    to which you have already added commands.
    The Rules list at the left lets you browse and sort the rules in your policy. Use
    the up and down arrow buttons at the right to set the rule sequence, and click a
    rule name in the list to edit that rule. The Selected Rule Details section lets you
    edit the rule you have selected.
  - In the Selected Rule Details section, under Rule Name, for this example, it reads
    level5.
  - Select Rule Enabled.
  - With level5 selected in the Rules list, go to the buttons to the right of the
    Constraint list and click New.
  - In the Action section, select Allow.
  - Select the Command Sets tab in the Action section. Allow Commands in Set should
    read level-5, in this example, and under All Command Sets all the commands that
    are accessible under level5 should be listed.
  - Click OK.
    For this example to function properly, the summary window must display:
    IF User: user-id = level5 THEN Allow
    Permit commands in Command Set: level-5
- Configure the Ignition Server to connect to the authenticator, which is the switch:
  - In the Ignition Server Dashboard, expand and the Authenticator Summary window
    appears.
  - Click New, and the Authenticator Details window appears.
  - For this example, type Switch1 under Name.
  - To the right, select Enable Authenticator.
  - Type the IP address for the switch, which is the authenticator. Use the primary CPU
    address or the management virtual address.
  - In the Vendor field, select Nortel.
  - In the Device template field, select ers-switches-nortel.
  - Select the TACACS+ Settings tab.
  - Select Enable TACACS+ Access.
  - In the TACACS+ Shared Secret field, type the key value you entered into the switch.
    In this example, the key is the word secret.
    To connect using TACACS+, you must use the shared secret for each device. In your
    switch documentation, the shared secret can also be referred to as a specific key
    string or an encryption string.
  - Under Access Policy, select default-tacacs-user.
  - Click OK.
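The shared secret entered on both sides above is the only thing protecting the body of each TACACS+ packet between the switch and the Ignition Server at 192.0.2.8, port 49; a mismatch shows up as an undecodable body on the receiver, which is why the secrets must agree per device. The following Python is an illustration added here, not Ignition Server or switch code: it frames an authentication START packet for the user jsmith and applies the RFC 8907 body obfuscation with the key secret. The session id, tty port and client address are constructed sample values.

```python
"""TACACS+ (RFC 8907) framing and body obfuscation for an authentication START,
as a switch would send it to the server at 192.0.2.8, TCP port 49, with the shared
secret "secret" from this example. Added illustration, not product code."""
import hashlib
import struct

TAC_PLUS_VERSION = 0xC0            # major version 0xc, minor version 0
TAC_PLUS_AUTHEN = 0x01             # packet type: authentication
TAC_PLUS_UNENCRYPTED_FLAG = 0x01   # body carried in the clear (empty key only)
HEADER = struct.Struct("!BBBBII")  # version, type, seq_no, flags, session_id, length


def pseudo_pad(session_id: int, key: bytes, version: int, seq_no: int, n: int) -> bytes:
    """Chained MD5 stream from RFC 8907 section 4.5, truncated to n bytes."""
    prefix = struct.pack("!I", session_id) + key + bytes([version, seq_no])
    pad, prev = b"", b""
    while len(pad) < n:
        prev = hashlib.md5(prefix + prev).digest()
        pad += prev
    return pad[:n]

def obfuscate(body: bytes, session_id: int, key: bytes, version: int, seq_no: int) -> bytes:
    """XOR the body with the pad; the same call undoes it. An empty key gives no protection."""
    if not key:
        return body
    pad = pseudo_pad(session_id, key, version, seq_no, len(body))
    return bytes(b ^ p for b, p in zip(body, pad))

def authen_start_body(user: str, port: str, rem_addr: str, priv_lvl: int = 1) -> bytes:
    """START body: action=LOGIN(1), priv_lvl, authen_type=ASCII(1), service=LOGIN(1)."""
    u, p, r = user.encode(), port.encode(), rem_addr.encode()
    return bytes([1, priv_lvl, 1, 1, len(u), len(p), len(r), 0]) + u + p + r

def build_packet(ptype: int, seq_no: int, session_id: int, body: bytes, key: bytes) -> bytes:
    """12-byte header plus obfuscated body; the cleartext flag is set only without a key."""
    flags = 0 if key else TAC_PLUS_UNENCRYPTED_FLAG
    header = HEADER.pack(TAC_PLUS_VERSION, ptype, seq_no, flags, session_id, len(body))
    return header + obfuscate(body, session_id, key, TAC_PLUS_VERSION, seq_no)

def parse_packet(packet: bytes, key: bytes) -> tuple:
    """Receiver side: split header and body, then undo the obfuscation with its own key."""
    version, ptype, seq_no, flags, session_id, length = HEADER.unpack(packet[:HEADER.size])
    body = packet[HEADER.size:HEADER.size + length]
    if not flags & TAC_PLUS_UNENCRYPTED_FLAG:
        body = obfuscate(body, session_id, key, version, seq_no)
    return dict(version=version, type=ptype, seq_no=seq_no, flags=flags,
                session_id=session_id, length=length), body
```

Parsing the same packet with a different key returns noise rather than an error, so a secret mismatch between switch and server is seen as rejected or malformed requests in the server log, not as a clear "wrong key" message.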