Identity Engines Ignition Server TACACS+ Configuration Example

The following section shows the steps required to configure TACACS+ on Identity Engines Ignition Server, Release 8.0. Use the preceding information to configure the switch.

A TACACS+ server responds to and audits network access requests. In an installation, the Identity Engines Ignition Server is the TACACS+ server.

The example displays how to do the following:
  • Enable TACACS+

  • Configure a user

  • Create a command set

  • Configure the authentication protocol policy

  • Create the authorization policy

  • Configure TACACS+ authenticators

For more information on the Ignition Server, see Identity Engines Ignition Server Administration.

Before you begin

  • Configure the Ignition Server appliance and set up its network settings. For more information, see Identity Engines Ignition Server Getting Started.

  • Install the Ignition Dashboard on your Windows OS.

  • Configure each authenticator (switch) to recognize the Ignition Server appliance as its TACACS+ server.

  • Configure your switch to send packets to the Ignition Server appliance with the appropriate IP address and port.

  • Ensure licenses are up-to-date.

Procedure

  1. If the Ignition Server Dashboard is not connected to your Ignition Server, select Administration: Login to connect.
    1. The default login credentials for User Name and Password are admin/admin. change the default values.
    2. In the Connect to field enter the IP address of the Ignition Server for TACACS+. In this example, the IP address for the TACACS+ server is 192.0.2.8.
  2. Enable TACACS+.
    1. In the Ignition Server Dashboard, select Site 0.
    2. In the Sites window, select the Services tab.
    3. Under the Services tab, select the TACACS+ tab.
    4. Click the Edit button in the TACACS+ tab.
    5. In the Edit TACACS+ Configuration dialog box, select the Protocol is enabled box.
    6. In the Bound Interface field, select Admin Port.
    7. In the Port field, enter 49.
    8. Select Accept Requests from Any Authenticator.

      Select this option if you want to create a global TACACS+ authenticator that sets policy for all authenticators that do not match a specific TACACS+-enabled authentication in your Ignition Server configuration.

    9. In the Access Policy field, select default-tacacs-admin.

      Use this configuration in the case of a global TACACS+ authenticator. Choose your global TACACS+ policy that you want applied if the device finds no better matching authenticator.

    10. In TACACS+ Shared Secret field, enter the secret that the switch and TACACS+ Ignition Server share. In this example, the shared secret is secret.
    11. Click OK.
  3. Configure a user recognized by the TACACS + server.
    1. In the Ignition Server Dashboard, expand the Configuration tree: Site Configuration > Directories > Internal Store > Internal Users.
    2. Click New.
    3. Fill in the appropriate fields.

      As an example:

      User Name: jsmith

      First Name: John

      Last Name: Smith

      Password: test

      Confirm password: test

  4. If your TACACS+ policy uses per-command authorization, create a command set.
    1. In the Ignition Server Dashboard, expand the Configuration tree: Site Configuration > Access Policies > TACACS+.
    2. Click Define Command Sets.
    3. Click New.
    4. In the New Device Command Set window, type a Name and Description for the command set; for instance, level5.

      In this window you build your command set by adding commands to the list. You can build the command list manually or you can import a list. For more information on importing a command list, see Identity Engines Ignition Server Administration.

    5. To manually add the commands, click Add in the New/Edit Device Command Set window.
    6. Click the Simple Command Using Keywords and Arguments box.
    7. In the Command field, type the command, and optionally its arguments.
    8. To allow the command to be used with any argument, select the Allow box.
    9. To allow only the specific command and arguments you have types, tick the Deny box.
    10. Click OK to add the command to the list.
    11. Continue to add the commands that you want.
  5. If your TACACS+ policy uses privilege-level authorization, create the TACACS+ access policy to allow the TACACS+ Ignition Server to communicate with the switch.
    1. In the Ignition Server Dashboard, expand the Configuration tree: Site Configuration > Access Policies > TACACS+.
    2. Select default-tacacs-admin.
    3. Click on the Authorization Policy tab and select the name of the policy you want to edit.
    4. Click Edit and the Edit Authorization Policy window appears.
    5. In the Rules section, select the rule you want to edit. In this case select level5, to which you have already added commands.

      The Rules list at the left lets you browse and sort the rules in your policy. Use the up and down arrow buttons at the right to set the rule sequence, and click a rule name in the list to edit that rule. The Selected Rule Details section lets you edit the rule you have selected.

    6. In the Selected Rule Details section, under Rule Name, for this example, it reads level5.
    7. Select Rule Enabled.
    8. With level5 selected in the Rules list, go to the buttons to the right of the Constraint list and click New.
    9. In the Action section, select Allow.
    10. Select the Command Sets tab, in the Action section. Allow Commands in Set should read level-5, in this example, and under All Command Sets all the commands that are accessible under level5 should be listed.
    11. Click OK.

      For this example to function properly, the summary window must display:

      IF User: user-id = level5 THEN Allow

      Permit commands in Command Set: level-5

  6. Configure the Ignition Server to connect to authenticators, which is the switch:
    1. In the Ignition Server Dashboard, expand Site Configuration > Authenticators > default and the Authenticator Summary window appears.
    2. Click New, and the Authenticator Details window appears.
    3. For this example, type Switch1 under name.
    4. To the right select Enable Authenticator.
    5. Type the IP address for the switch, which is the authenticator. Use the primary CPU address or the management virtual address.
    6. In the Vendor field, select Nortel.
    7. In the Device template field, select ers-switches-nortel.
    8. Select the TACACS+ Settings tab.
    9. Select Enable TACACS+ Access.
    10. In the TACACS+ Shared Secret field, type the key value you entered into the switch. In this example, the key is the word secret.

      To connect using TACACS+, you must use the shared secret for each device. In your switch documentation, the shared secret can also be referred to as a specific key string or an encryption string.

    11. Under Access Policy, select default-tacacs-user.
    12. Click OK.