Dell N-series TACACS+ Authentication

TACACS+ (Terminal Access Controller Access-Control System Plus) is a protocol, using tcp port 49, that provides login control for your network devices.   Setting up a TACACS+ server gives you the ability to have a central server for controlling Access, Authorization, and Accounting of your routers, switches and just about any other network device.  TACACS+ runs on Linux, Sun and Windows and best of all its free.

Part 1. Configure the Dell N-series for TACACS+ at the CLI

1. Configure a local user named user1 with password user1 and level 15 privilege:

console(config)# username user1 password user1 level 15

2. Define the TACACS+ server and specify the shared secret key “mysecretkey”

console(config)# tacacs-server host 192.168.0.105
console(config)# tacacs-server key mysecretkey

3. Create an authentication method called local_tacacs that will attempt to authenticate via local DB, then use the TACACS+ (you can chage sequences):

console(config)# aaa authentication login local_tacacs local tacacs

4. Bind this authentication method list to the telnet/ssh line and https (there are five access lines: console, Telnet, SSH, HTTP, and HTTPS):

(config)# line telnet
(config-line)# login authentication local_tacacs
(config)# line ssh
(config-line)# login authentication local_tacacs
(config)#ip https authentication local tacacs

Part 2. Installing and Configuring the TACACS+ server for Windows Server 2008R2/2012R2

As a best practice, use a dedicated server to handle device authentication.

1. Download and run TACACSSetup_v*.exe installation wizard from http://tacacs.net. This wizard will walk you through the software installation on your server.

2. You will be prompted to enter the TACACS+ shared secret during the wizard setup. This is the same shared secret you entered on the Switch CLI in Stage 1. If you would like to change this, you can do so in clients.xml.

3. Create Group like "Dell_Switch_Auth" and add users into the group or you can use AD groups.

4. Open file authentication.xml (located C:\ProgramData\TACACS.net\config) and make changes in <AuthenticationType>

4.1 Local Group:

<UserGroup>
      <Name>DEFAULT</Name>
      <AuthenticationType>Localhost</AuthenticationType>
      <LocalhostGroupName>Dell_Switch_Auth</LocalhostGroupName> 
</UserGroup>

4.2 Active Directory Group:

<UserGroup>
<Name>Dell Switch Administrator</Name>
      <AuthenticationType>Windows_Domain</AuthenticationType>  
      <LDAPServer>192.168.0.55:389</LDAPServer>
   <LDAPUserDirectorySubtree>cn=Users,DC=contoso,DC=com</LDAPUserDirectorySubtree>
<LDAPGroupName>Network Operations</LDAPGroupName>
<LDAPAccessUserName>Administrator</LDAPAccessUserName>
<LDAPAccessUserPassword ClearText="password" DES=""></LDAPAccessUserPassword>
</UserGroup>

LDAPServer: You can find your LDAP server using:

Start -> Run -> nslookup
set type=all
_ldap._tcp.dc._msdcs.DOMAIN_NAME

 

Check user belongs to group:

net user USERNAME /domain

Check groups in domain:

net group /domain
 

5. Check you have port 49 on local IP.

netstat -na | findstr :49

If not, open file tacplus.xml (located C:\ProgramData\TACACS.net\config) and make changes in <LocalIP>192.168.0.150</LocalIP>.
Reastart TACACS.net service.

C:\>net stop tacacs.net
The TACACS.net service is stopping.
The TACACS.net service was stopped successfully.
C:\>net start tacacs.net
The TACACS.net service is starting.
The TACACS.net service was started successfully.

6. 

At this point, you should be able to login to the Dell N-series Switch using your domain credentials.

Part 3. Security Analysing

TACACS+ ports: TCP:49

Part 4. Troubleshooting

Run TACVerify
This utility will check your configuration for syntax errors. It can be found in the Program Menu. If the tool detects any errors, go back and fix them and run the utility again.
Run TACTest
Before you attempt to run TACACS+ on any external Clients in a lab or production environment, it is critical that you first run TACTest to verify that the system is working correctly. If TACTest fails, your external Clients will fail also. Run tactest /? from the command line for options. Here is a simple example:
C:\> tactest -k mykey -u myuser -p mypassword

Here are some commands that show information about TACACS+.

Show authentication methods - Displays authentication configuration
Show tacacs - Shows configured TACACS servers
Show aaa servers - Shows all configured aaa servers and statistics
Show log - Shows system logs and messages. Informs if TACACS authentication attempts have been rejected by a server, and other useful information.

Part 5. Logging and Accounting

Usually TACACS logs are stored: C:\ProgramData\TACACS.net\Logs
To activate TACACS accounting on Dell switch:

aaa accounting commands "dfltCmdList" start-stop tacacs
line ssh
   accounting exec default
   accounting commands default

 


AUST IT - Computer help out of hours, when you need it most.

Find out why we do it for less.

About

AUST IT will help you resolve any technical support issues you are facing onsite or remotely via remote desktop 24/7. More...

Contacts

Reservoir, Melbourne,
3073, VIC, Australia

Phone: 0422 348 882

This email address is being protected from spambots. You need JavaScript enabled to view it.

Sydney: 0481 837 077

Connect

Join us in social networks to be in touch.

Newsletter

Complete the form below, and we'll send you our emails with all the latest AUST IT news.