TACACS+ (Terminal Access Controller Access-Control System Plus) is a protocol, using tcp port 49, that provides login control for your network devices. Setting up a TACACS+ server gives you the ability to have a central server for controlling Access, Authorization, and Accounting of your routers, switches and just about any other network device. TACACS+ runs on Linux, Sun and Windows and best of all its free.
Part 1. Configure the Dell N-series for TACACS+ at the CLI
1. Configure a local user named user1 with password user1 and level 15 privilege:
console(config)# username user1 password user1 level 15
2. Define the TACACS+ server and specify the shared secret key “mysecretkey”
console(config)# tacacs-server host 192.168.0.105
console(config)# tacacs-server key mysecretkey
3. Create an authentication method called local_tacacs that will attempt to authenticate via local DB, then use the TACACS+ (you can chage sequences):
console(config)# aaa authentication login local_tacacs local tacacs
4. Bind this authentication method list to the telnet/ssh line and https (there are five access lines: console, Telnet, SSH, HTTP, and HTTPS):
(config)# line telnet
(config-line)# login authentication local_tacacs
(config)# line ssh
(config-line)# login authentication local_tacacs
(config)#ip https authentication local tacacs
Part 2. Installing and Configuring the TACACS+ server for Windows Server 2008R2/2012R2
As a best practice, use a dedicated server to handle device authentication.
1. Download and run TACACSSetup_v*.exe installation wizard from http://tacacs.net. This wizard will walk you through the software installation on your server.
2. You will be prompted to enter the TACACS+ shared secret during the wizard setup. This is the same shared secret you entered on the Switch CLI in Stage 1. If you would like to change this, you can do so in clients.xml.
3. Create Group like "Dell_Switch_Auth" and add users into the group or you can use AD groups.
4. Open file authentication.xml (located C:\ProgramData\TACACS.net\config) and make changes in <AuthenticationType>
4.1 Local Group:
<UserGroup>
<Name>DEFAULT</Name>
<AuthenticationType>Localhost</AuthenticationType>
<LocalhostGroupName>Dell_Switch_Auth</LocalhostGroupName>
</UserGroup>
4.2 Active Directory Group:
<UserGroup>
<Name>Dell Switch Administrator</Name>
<AuthenticationType>Windows_Domain</AuthenticationType>
<LDAPServer>192.168.0.55:389</LDAPServer>
<LDAPUserDirectorySubtree>cn=Users,DC=contoso,DC=com</LDAPUserDirectorySubtree>
<LDAPGroupName>Network Operations</LDAPGroupName>
<LDAPAccessUserName>Administrator</LDAPAccessUserName>
<LDAPAccessUserPassword ClearText="password" DES=""></LDAPAccessUserPassword>
</UserGroup>
LDAPServer: You can find your LDAP server using:
Start -> Run -> nslookupset type=all
_ldap._tcp.dc._msdcs.DOMAIN_NAME
Check user belongs to group:
net user USERNAME /domain
Check groups in domain:
net group /domain 5. Check you have port 49 on local IP.
netstat -na | findstr :49If not, open file tacplus.xml (located C:\ProgramData\TACACS.net\config) and make changes in <LocalIP>192.168.0.150</LocalIP>.
Reastart TACACS.net service.
C:\>net stop tacacs.net
The TACACS.net service is stopping.
The TACACS.net service was stopped successfully.
C:\>net start tacacs.net
The TACACS.net service is starting.
The TACACS.net service was started successfully.
6.
At this point, you should be able to login to the Dell N-series Switch using your domain credentials.
Part 3. Security Analysing
TACACS+ ports: TCP:49
Part 4. Troubleshooting
Run TACVerify
This utility will check your configuration for syntax errors. It can be found in the Program Menu. If the tool detects any errors, go back and fix them and run the utility again.
Run TACTest
Before you attempt to run TACACS+ on any external Clients in a lab or production environment, it is critical that you first run TACTest to verify that the system is working correctly. If TACTest fails, your external Clients will fail also. Run tactest /? from the command line for options. Here is a simple example:
C:\> tactest -k mykey -u myuser -p mypassword
Here are some commands that show information about TACACS+.
Show authentication methods - Displays authentication configuration
Show tacacs - Shows configured TACACS servers
Show aaa servers - Shows all configured aaa servers and statistics
Show log - Shows system logs and messages. Informs if TACACS authentication attempts have been rejected by a server, and other useful information.
Part 5. Logging and Accounting
Usually TACACS logs are stored: C:\ProgramData\TACACS.net\Logs
To activate TACACS accounting on Dell switch:
aaa accounting commands "dfltCmdList" start-stop tacacs
line ssh
accounting exec default
accounting commands default