Configuring TACACS+ on the switch

Before you begin

If you are new to TACACS+ authentication, Hewlett Packard Enterprise recommends that you configure your TACACS+ servers before configuring authentication on the switch.

Selecting the access method for configuration

The aaa authentication command configures access control for the following access methods:

  • Console

  • Telnet

  • SSH

  • Web

  • Port-access (802.1X)

However, TACACS+ authentication is used only with the console, Telnet, or SSH access methods. The command specifies whether the primary method is a TACACS+ server or the switch's local authentication, and whether the secondary method is local authentication or no authentication. Selecting none as the secondary method means that if the primary method fails, authentication is denied. The command also configures the number of access attempts to allow in a session if the first attempt uses an incorrect user name/password pair.

Configuring the switch authentication method

Syntax

aaa authentication console|telnet|ssh|web|port-access

Selects the access method for configuration.

<enable>

The server grants privileges at the manager privilege level.

<login [privilege-mode]>

The server grants privileges at the operator privilege level. If the privilege-mode option is entered, TACACS+ is enabled for a single login. The authorized privilege level (operator or manager) is returned to the switch by the TACACS+ server. Default: Single login disabled.

<local|tacacs|radius>

Selects the type of security access:

local

Authenticates with the manager and operator password you configure in the switch.

tacacs

Authenticates with a password and other data configured on a TACACS+ server.

radius

Authenticates with a password and other data configured on a RADIUS server.

[<local|none>]

If the primary authentication method fails, determines whether to use the local password as a secondary method or to disallow access.

Syntax

aaa authentication num-attempts <1-10>

Specifies the maximum number of login attempts allowed in the current session.

Default: 3

Command to configure the TACACS+ server

Syntax

[no] tacacs-server host <IP-ADDR> key <KEY-STR>

Configure a TACACS+ server for Authentication, Authorization and Accounting. A maximum of 3 TACACS+ servers can be configured.

TACACS-server

Configures a TACACS+ server for Authentication, Authorization and Accounting.

Host

Configures the IP address of a TACACS+ server.

Key

Configures the default access key for all TACACS+ servers.

Timeout

Configures the server response timeout.

Configuring the TACACS+ server for single login

For the single login feature to work correctly you must check some entries in the User Setup on the TACACS+ server:

  1. In the User Setup, scroll to the Advanced TACACS+ Settings section.

  2. Make sure the radio button for "Max Privilege for any AAA Client" is checked and the level is set to 15, as shown in Advanced TACACS+ settings section of the TACACS+ server user setup.

  3. Privileges are represented by the numbers 0 through 15, with zero allowing only operator privileges (and requiring two logins) and 15 representing root privileges. The root privilege level is the only level that allows manager level access on the switch.

    Advanced TACACS+ settings section of the TACACS+ server user setup

  4. Scroll down to the section that begins with "Shell" (see The shell section of the TACACS+ server user setup) and check the Shell box.

  5. Check the Privilege level box and set the privilege level to 15 to allow "root" privileges. This allows you to use the single login option.

    The shell section of the TACACS+ server user setup

As shown in Configuring the switch TACACS+ server access, login and enable access are always available locally through a direct terminal connection to the switch console port. However, for Telnet access, you can configure TACACS+ to deny access if a TACACS+ server goes down or otherwise becomes unavailable to the switch.

Configuring the switch TACACS+ server access

The tacacs-server command configures these parameters:

  • The host IP addresses for up to three TACACS+ servers; one first-choice and up to two backups. Designating backup servers provides for a continuation of authentication services in case the switch is unable to contact the first-choice server.

  • An optional encryption key. This key helps to improve security, and must match the encryption key used in your TACACS+ server application. In some applications, the term "secret key" or "secret" may be used instead of "encryption key". If you need only one encryption key for the switch to use in all attempts to authenticate through a TACACS+ server, configure a global key. However, if the switch is configured to access multiple TACACS+ servers having different encryption keys, you can configure the switch to use different encryption keys for different TACACS+ servers.

  • The timeout value in seconds for attempts to contact a TACACS+ server. If the switch sends an authentication request, but does not receive a response within the period specified by the timeout value, the switch resends the request to the next server in its Server IP Addr list, if any. If the switch still fails to receive a response from any TACACS+ server, it reverts to whatever secondary authentication method was configured using the aaa authentication command (local or none); see Selecting the access method for configuration.

Syntax

tacacs-server host <IP-ADDR> [key <KEY-STR>] | [oobm]

Adds a TACACS+ server and optionally assigns a server-specific encryption key. If the switch is configured to access multiple TACACS+ servers having different encryption keys, you can configure the switch to use different encryption keys for different TACACS+ servers.

[no] tacacs-server host <IP-ADDR>

Removes a TACACS+ server assignment (including its server-specific encryption key, if any).

tacacs-server key <KEY-STR>

Configures an optional global encryption key. Keys configured in the switch must exactly match the encryption keys configured in the TACACS+ servers that the switch attempts to use for authentication.

[no] tacacs-server key

Removes the optional global encryption key. This does not affect any server-specific encryption key assignments.

tacacs-server timeout <1-255>

Changes the wait period for a TACACS server response.

Default: 5 seconds.


NOTE:

  • Hewlett Packard Enterprise recommends that you configure, test, and troubleshoot authentication using telnet access before configuring authentication from a console port access. This prevents accidentally locking yourself out of the switch.

  • Encryption keys configured in the switch must exactly match the encryption keys configured in the TACACS+ servers it is attempting to use for authentication.

    A switch uses a global encryption key only with servers with no server-specific key. A global key is more useful where the TACACS+ servers in use all have an identical key, and server-specific keys are necessary where different TACACS+ servers have different keys.

    If TACACS+ server "X" has no encryption key assigned, then configuring either a global encryption key or a server-specific key in the switch for server "X" blocks authentication support from server "X".


Command to enable authorization

Syntax

[no] aaa authorization commands radius|tacacs|local|auto|none
[no] aaa authorization commands access-level manager|all

These commands are used to enable TACACS+ authorization.

Brief description of TACACS authorization options:

Local

Locally authenticated clients go through local authorization. No authorization is performed for RADIUS/TACACS+ authenticated clients.

RADIUS

Locally authenticated clients go through local authorization. RADIUS authenticated clients go through RADIUS authorization. No authorization is performed for TACACS+ authenticated clients.

TACACS

TACACS authenticated clients go through TACACS authorization. No authorization is performed for RADIUS/locally authenticated users.

Auto

Uses the same method for authorization that was used for authentication. For example, local/radius/tacacs authenticated clients go through local/radius/tacacs authorization respectively.

Authorization method

Manager

Enables authorization for manager level commands.

All

Enables authorization for all commands. This is the default option.

Command to enable accounting

Syntax

[no] aaa accounting <exec|system|commands> <start-stop|stop-only|interim-update> <radius|syslog|tacacs>
[no] aaa accounting network <start-stop|stop-only|interim-update> radius

Enables accounting on TACACS+.

Command to configure dead time

Syntax

[no] tacacs-server dead-time <minutes>

Configures the dead time for unavailable TACACS+ servers. When a server stops responding, the switch skips that server for the configured amount of time and proceeds immediately to the next backup. Configuring the dead time improves server response time because the switch no longer has to wait for requests to time out before contacting the next backup server. The default value of zero disables skipping unavailable servers.

dead-time

Configure the dead time for unavailable TACACS+ servers.

0-1440

The server unavailability time in minutes (default is 0).

Command to enable authorization

Syntax

[no] aaa authorization commands <radius|local|tacacs|auto|none>
[no] aaa authorization commands access-level <manager|all>

Configure command authorization. For each command issued by the user, an authorization request is sent to the server. Command authorization can be applied to all commands or only manager-level commands:

AAA

Configure the switch Authentication, Authorization, and Accounting features.

Commands

Configure command authorization.

Group

Create or remove an authorization rule.

Local

Authorize commands using local groups.

RADIUS

Authorize commands using RADIUS.

None

Do not require authorization for command access.

TACACS

Authorize commands using TACACS+.

Auto

Authorize commands with the same protocol used for authentication.

Access-level

Configure command authorization level.

Manager

Allow authorization only for ‘manager’ level commands.

All

Allow authorization for all commands.

Command to enable accounting

Syntax

[no] aaa accounting <exec|network|system|commands> <start-stop|stop-only|interim-update> <radius|syslog|tacacs>

Configure the accounting service on the device. Accounting can be configured for EXEC sessions, network connection, commands and system. The accounting data is collected by a RADIUS, SYSLOG, or TACACS+ server.


NOTE: Network accounting is not supported through TACACS+ and SYSLOG. session-id accounting is not supported for TACACS+.


Periodic

Configures how periodic accounting updates are sent.

Null-username

Suppresses accounting for users with no username.

Accounting

Configures the accounting service on the device.

Commands

Configures command type of accounting.

Exec

Configures Exec type of accounting.

Network

Configures network type of accounting.

Session-id

Configures accounting sessions identification scheme.

Suppress

Does not generate accounting records for a specific type of user.

System

Configures system type of accounting.

Update

Configures update accounting records mechanism.

RADIUS

Uses RADIUS for accounting.

TACACS

Uses TACACS+ for accounting.

Show all authorization configurations

Syntax

show authorization group <groupname>

Show authorization configuration.

Authorization

Show authorization configuration.

Show authorization

switch(config)# show authorization 
Status and Counters - Authorization Information
Access Level Requiring Authorization: Manager

 Type     | Method 
 -------- + -------
 Commands |  tacacs

Show all accounting configurations

Syntax

show accounting sessions

Show accounting configuration parameters. If sessions is specified, the command will show accounting data for all active sessions.

Accounting

Show Accounting configuration parameters.

show accounting

switch(config)# show accounting
Status and Counters - Accounting Information
Interval(min) : 0
Suppress Empty User : No
Sessions Identification : Common

 Type     | Method Mode           Server Group
 -------- + ------ -------------- ------------
 Network  | None
 Exec     | None
 System   | tacacs Start-Stop     tacacs
 Commands | None

Show current authentication configurations

Syntax

show authentication

Description

This command lists the number of login attempts the switch allows in a single login session, and the primary/secondary access methods configured for each type of access.

show authentication

HP-Switch(config)# show authentication
Status and Counters - Authentication Information
  login Attempts : 3 
  Lockout Delay : 0   
  Respect Privilege : Disabled 
  Bypass Username For Operator and Manager Access : Disabled

                 | Login          Login        Login
  Access Task    | Primary        Server Group Secondary
  -------------- + -----------    ------------ ----------
  Console        | Local                        None
  Telnet         | Local                        None
  Port-Access    | Local                        None
  Webui          | Local                        None
  SSH            | Two-factor                   None
  Web-Auth       | ChapRadius      radius       None
  MAC-Auth       | ChapRadius      radius       None
  SNMP           | Local                        None 
  Local-MAC-Auth | Local                        None

  Enable         | Enable         Enable
  Access Task    | Primary        Server Group Secondary
  -------------- + -----------    ------------ ----------
  Console        | Local                        None
  Telnet         | Local                        None
  Webui          | Local                        None
  SSH            | Two-factor      tacacs       None

show authentication two-factor

HP-Switch(config)# show authentication two-factor
                 | Login          Login        
  Access Task    | First          Second
  -------------- + -----------    ------------ 
  SSH            | public-key     local

                 | Enable         Enable        
  Access Task    | First          Second
  -------------- + -----------    ------------ 
  SSH            | public-key     local

                 | Login          Login        
  Access Task    | First          Second
  -------------- + -----------    ------------ 
  SSH            | certificate    local

                 | Enable         Enable        
  Access Task    | First          Second
  -------------- + -----------    ------------ 
  SSH            | certificate    local

Show key information

Use the show running-config command to display the key information.

Example running configuration file with host-specific key for TACACS+ with the "~" included

Show TACACS+

Syntax

show tacacs host <IP-addr>

Show TACACS+ status and statistics information.

TACACS

Show TACACS+ status and statistics.

show tacacs

switch# show tacacs
TACACS+ Information
Timeout : 5
Source IP Selection : Outgoing Interface
Encryption Key :

Server Addr  Opens  Closes Aborts Errors Pkts Rx Pkts Tx OOBM
 ------------ ------ ------ ------ ------ ------- ------- ----

Show TACACS+ host details

Syntax

show tacacs host <IP-addr>

Show TACACS+ status and statistics information.

Host

Show information for the specified TACACS+ server.

IP-addr

The IP address of the TACACS+ server.

show tacacs

switch# show tacacs

TACACS+ Information
Timeout : 5
Source IP Selection : Outgoing Interface
Encryption Key :
Server Addr  Opens  Closes Aborts Errors Pkts Rx Pkts Tx OOBM
------------ ------ ------ ------ ------ ------- ------- ----

show tacacs host

switch(config)# show tacacs host <IP>
 TACACS+ Server Information

Server Addr      : 10.0.0.3

OOBM             : Enabled
Sessions Opened  : 
Sessions Closed  :
Sessions Aborted :   
Sessions Error   :

Authentication : 
Packets Tx        : 0     Packets Rx      : 0
Timeouts          : 0

Authorization :    
Packets Tx        : 0     Packets Rx      : 0
Timeouts          : 0 

Accounting :
Packets Tx        : 0     Packets Rx      : 0
Timeouts          : 0 

Show accounting sessions

Syntax

show accounting sessions

Show accounting data for all active sessions.

Sessions

Show accounting data for all active sessions.

show accounting sessions

switch(config)# show accounting sessions
Active Accounted actions on SWITCH, User (n/a) Priv (n/a),
Acct-Session-Id 0x013E00000006, System Accounting record, 1:45:34 Elapsed,
system event ‘Accounting On’, method ‘radius’
Active Accounted actions on SWITCH, User (n/a) Priv (n/a),
Task-id 0x013E00000006, Command Accounting record, 1:45:34 Elapsed,
method ‘tacacs’.

Specifying devices

Syntax

host <IP-ADDR> [key <KEY-STR>] | [oobm]

Specifies the IP address of a device running a TACACS+ server application. Optionally, you can also specify the unique, per-server encryption key to use when each assigned server has its own, unique key. For more on the encryption key, see Encryption options in the switch and the documentation provided with your TACACS+ server application.

For switches that have a separate out-of-band management port, the oobm parameter specifies that the TACACS+ traffic goes through the out-of-band management (OOBM) port.

You can enter up to three IP addresses; one first-choice and two (optional) backups (one second-choice and one third-choice).

Use show tacacs to view the current IP address list.

If the first-choice TACACS+ server fails to respond to a request, the switch tries the second address, if any, in the show tacacs list. If the second address also fails, then the switch tries the third address, if any.

The priority (first-choice, second-choice, and third-choice) of a TACACS+ server in the switch TACACS+ configuration depends on the order in which you enter the server IP addresses:

  1. When there are no TACACS+ servers configured, entering a server IP address makes that server the first-choice TACACS+ server.

  2. When there is one TACACS+ server already configured, entering another server IP address makes that server the second-choice (backup) TACACS+ server.

  3. When there are two TACACS+ servers already configured, entering another server IP address makes that server the third-choice (backup) TACACS+ server.

The above position assignments are fixed. If you remove one server and replace it with another, the new server assumes the priority position that the removed server had. For example, suppose you configured three servers, A, B, and C, configured in order:

First-Choice: A

Second-Choice: B

Third-Choice: C

If you removed server B and then entered server X, the TACACS+ server order of priority would be:

First-Choice: A

Second-Choice: X

Third-Choice: C

If there are two or more vacant slots in the TACACS+ server priority list and you enter a new IP address, the new address takes the vacant slot with the highest priority. Thus, if A, B, and C are configured as above and you (1) remove A and B, and (2) enter X and Y (in that order), then the new TACACS+ server priority list would be X, Y, and C.

The easiest way to change the order of the TACACS+ servers in the priority list is to remove all server addresses in the list and then re-enter them in order, with the new first-choice server address first, and so on. To add a new address to the list when there are already three addresses present, you must first remove one of the currently listed addresses. See also General authentication process using a TACACS+ server.

Default: None

Specifying switch response

Syntax

timeout <1-255>

Specifies how long the switch waits for a TACACS+ server to respond to an authentication request. If the switch does not detect a response within the timeout period, it initiates a new request to the next TACACS+ server in the list. If all TACACS+ servers in the list fail to respond within the timeout period, the switch uses either local authentication (if local is configured as the secondary method) or denies access (if none is configured as the secondary method).

Default: 5 seconds
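The following Python model is an added example, not HPE code or switch output. It simulates the rules described above for the tacacs-server host priority list, the precedence of per-server keys over the global key, the timeout, the dead-time command, and the local|none secondary method, so the cost of a silent first-choice server can be seen as seconds waited. The class and function names are the author's own.

```python
"""Model of the TACACS+ server list, timeout and dead-time behaviour documented above.

Added example, not HPE code. It reproduces the stated rules:
  * at most three servers; a new address takes the highest-priority vacant slot
  * a per-server key overrides the global key for that server only
  * each unanswered request costs one timeout period per server tried
  * with dead-time > 0 a silent server is skipped for that many minutes
  * when every server is silent, the secondary method (local|none) decides
"""
from dataclasses import dataclass, field
from typing import Callable, Dict, List, Optional

MAX_SERVERS = 3  # the switch accepts at most three tacacs-server host entries


@dataclass
class TacacsServerList:
    """The switch's tacacs-server host list: three fixed-priority slots."""
    slots: List[Optional[str]] = field(default_factory=lambda: [None] * MAX_SERVERS)
    server_keys: Dict[str, str] = field(default_factory=dict)  # per-server keys
    global_key: Optional[str] = None  # tacacs-server key <KEY-STR>

    def add_host(self, addr: str, key: Optional[str] = None) -> None:
        """tacacs-server host <addr> [key <key>]."""
        if addr in self.slots:
            # Re-entering an existing host without 'key' deletes its per-server key.
            if key is None:
                self.server_keys.pop(addr, None)
            else:
                self.server_keys[addr] = key
            return
        if None not in self.slots:
            raise ValueError("three TACACS+ servers already configured; remove one first")
        self.slots[self.slots.index(None)] = addr  # highest-priority vacant slot
        if key is not None:
            self.server_keys[addr] = key

    def remove_host(self, addr: str) -> None:
        """no tacacs-server host <addr>: the remaining slots keep their positions."""
        self.slots[self.slots.index(addr)] = None
        self.server_keys.pop(addr, None)

    def order(self) -> List[str]:
        """Servers in first-, second-, third-choice order (what show tacacs lists)."""
        return [s for s in self.slots if s is not None]

    def key_for(self, addr: str) -> Optional[str]:
        """A per-server key overrides the global key for that server only."""
        return self.server_keys.get(addr, self.global_key)


@dataclass
class AuthenticationSim:
    """Failover across the server list for one access method (for example Telnet)."""
    servers: TacacsServerList
    timeout: int = 5          # tacacs-server timeout <1-255>, seconds
    dead_time: int = 0        # tacacs-server dead-time <0-1440>, minutes; 0 = never skip
    secondary: str = "none"   # aaa authentication telnet login tacacs local|none
    dead_until: Dict[str, float] = field(default_factory=dict)

    def login(self, now: float, reply: Callable[[str], Optional[bool]],
              local_ok: bool = False):
        """Return (outcome, seconds spent waiting on timeouts, server or method used).

        reply(addr) stands in for the server: True = pass, False = fail,
        None = no response within the timeout period. 'now' is a clock in seconds.
        """
        waited = 0
        for addr in self.servers.order():
            if self.dead_time and self.dead_until.get(addr, 0.0) > now:
                continue  # marked dead: skipped without waiting for a timeout
            verdict = reply(addr)
            if verdict is not None:
                return ("pass" if verdict else "fail", waited, addr)
            waited += self.timeout
            if self.dead_time:
                self.dead_until[addr] = now + self.dead_time * 60
        # Every server silent: fall back to the configured secondary method.
        if self.secondary == "local":
            return ("pass" if local_ok else "fail", waited, "local")
        return ("denied", waited, None)
```

With dead-time left at 0, every login pays one full timeout for a down first-choice server; with a non-zero dead-time only the first login after the failure pays it.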

Example of configuring a host-specific key

Encryption options in the switch

When configured, the encryption key causes the switch to encrypt the TACACS+ packets it sends to the server. When left at "null", the TACACS+ packets are sent in clear text. The encryption key (or just "key") you configure in the switch must be identical to the encryption key configured in the corresponding TACACS+ server. If the key is the same for all TACACS+ servers the switch uses for authentication, then configure a global key in the switch. If the key is different for one or more of these servers, use "server-specific" keys in the switch. (If you configure both a global key and one or more per-server keys, the per-server keys override the global key for the specified servers.)

For example, use the following command to configure a global encryption key in the switch to match a key entered as north40campus in two target TACACS+ servers. (That is, both servers use the same key for your switch.) Note that you do not need the server IP addresses to configure a global key in the switch:

switch(config)# tacacs-server key north40campus

Suppose that you subsequently add a third TACACS+ server (with an IP address of 10.28.227.87) that has south10campus for an encryption key. Because this key is different from the one used for the two servers in the previous example, you must assign a server-specific key in the switch that applies only to the designated server:

switch(config)# tacacs-server host 10.28.227.87 key south10campus

With both of the above keys configured in the switch, the south10campus key overrides the north40campus key only when the switch tries to access the TACACS+ server having the 10.28.227.87 address.

Encryption operation

When used, the encryption key (sometimes termed "key", "secret key", or "secret") helps to prevent unauthorized intruders on the network from reading user name and password information in TACACS+ packets moving between the switch and a TACACS+ server. At the TACACS+ server, a key may include both of the following:

  • Global key: A general key assignment in the TACACS+ server application that applies to all TACACS-aware devices for which an individual key has not been configured.

  • Server-Specific key: A unique key assignment in the TACACS+ server application that applies to a specific TACACS-aware device.


NOTE: Configure a key in the switch only if the TACACS+ server application has this exact same key configured for the switch. That is, if the key parameter in switch "X" does not exactly match the key setting for switch "X" in the TACACS+ server application, then communication between the switch and the TACACS+ server fails.


Thus, on the TACACS+ server side, you have a choice as to how to implement a key. On the switch side, it is necessary only to enter the key parameter so that it exactly matches its counterpart in the server. For information on how to configure a general or individual key in the TACACS+ server, see the documentation you received with the application.
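The following Python code is an added example, not HPE code, showing on the wire why the key in the switch must exactly match the key in the server and what "null" key means. It implements the per-packet body obfuscation defined in RFC 8907 section 4.5 (an MD5-derived pseudo-pad XORed with the body; the RFC itself calls this obfuscation, not strong encryption). The authentication START body, the session id, and the function names are the author's own constructions.

```python
"""TACACS+ packet-body obfuscation with the shared key (RFC 8907 section 4.5).

Added example, not HPE code. Pseudo-pad construction:
  MD5_1 = MD5(session_id || key || version || seq_no)
  MD5_n = MD5(session_id || key || version || seq_no || MD5_{n-1})
The body is XORed with the concatenated MD5 blocks. A switch and server that
hold different keys derive different pads, so the server reads garbage and the
exchange fails; with an empty ("null") key the body is sent unchanged.
"""
import hashlib
import struct

TAC_PLUS_VERSION = 0xC0            # major version 0xC, minor version 0
TAC_PLUS_AUTHEN = 0x01             # packet type: authentication
TAC_PLUS_UNENCRYPTED_FLAG = 0x01   # header flag set when no key is configured
HEADER = struct.Struct("!BBBBII")  # version, type, seq_no, flags, session_id, length


def pseudo_pad(session_id: int, key: bytes, version: int, seq_no: int, length: int) -> bytes:
    """Concatenate chained MD5 digests until 'length' bytes of pad are available."""
    seed = struct.pack("!I", session_id) + key + bytes([version, seq_no])
    pad, prev = b"", b""
    while len(pad) < length:
        prev = hashlib.md5(seed + prev).digest()
        pad += prev
    return pad[:length]


def transform_body(body: bytes, session_id: int, key: bytes, seq_no: int,
                   version: int = TAC_PLUS_VERSION) -> bytes:
    """XOR the body with the pad; calling it again with the same key reverses it.

    With an empty key the body passes through unchanged: the "clear text" case
    the page describes when the key is left at null.
    """
    if not key:
        return body
    pad = pseudo_pad(session_id, key, version, seq_no, len(body))
    return bytes(b ^ p for b, p in zip(body, pad))


def build_packet(ptype: int, seq_no: int, session_id: int, body: bytes, key: bytes) -> bytes:
    """Switch side: 12-byte header plus the (obfuscated) body."""
    flags = 0 if key else TAC_PLUS_UNENCRYPTED_FLAG
    hdr = HEADER.pack(TAC_PLUS_VERSION, ptype, seq_no, flags, session_id, len(body))
    return hdr + transform_body(body, session_id, key, seq_no)


def read_packet(packet: bytes, key: bytes) -> bytes:
    """Server side: parse the header and undo the pad with the server's own key."""
    version, _ptype, seq_no, flags, session_id, length = HEADER.unpack(packet[:HEADER.size])
    body = packet[HEADER.size:HEADER.size + length]
    if flags & TAC_PLUS_UNENCRYPTED_FLAG:
        return body
    return transform_body(body, session_id, key, seq_no, version)


def authen_start_body(user: bytes, port: bytes = b"tty0", rem_addr: bytes = b"") -> bytes:
    """Constructed authentication START body (sample input, not a captured packet)."""
    # action LOGIN, priv_lvl 1 (operator), authen_type ASCII, service LOGIN, data_len 0
    fixed = bytes([0x01, 0x01, 0x01, 0x01, len(user), len(port), len(rem_addr), 0])
    return fixed + user + port + rem_addr


def key_match_demo(switch_key: bytes, server_key: bytes, session_id: int = 0x013E0006) -> bool:
    """True when the server recovers the switch's START body, i.e. the keys agree."""
    body = authen_start_body(b"operator")
    packet = build_packet(TAC_PLUS_AUTHEN, 1, session_id, body, switch_key)
    return read_packet(packet, server_key) == body
```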

Configuring an encryption key

Use an encryption key in the switch if the switch will be requesting authentication from a TACACS+ server that also uses an encryption key. (If the server expects a key, but the switch either does not provide one, or provides an incorrect key, then the authentication attempt fails.)

  • Use a global encryption key if the same key applies to all TACACS+ servers the switch may use for authentication attempts.

  • Use a per-server encryption key if different servers the switch may use have different keys. (For more details on encryption keys, see Encryption options in the switch.)

Optional, global encryption key

Syntax

key <key-string>

Specifies the optional, global "encryption key" that is also assigned in the TACACS+ servers that the switch accesses for authentication. This option is subordinate to any "per-server" encryption keys you assign, and applies only to accessing TACACS+ servers for which you have not given the switch a "per-server" key. (See the host <IP-ADDR> [key <KEY-STR>] entry above.)

You can configure a TACACS+ encryption key that includes a tilde (~) as part of the key, for example, "hp~switch". Such a key is not backward compatible; the "~" character is lost if you use a software version that does not support the "~" character.

For more on the encryption key, see Encryption options in the switch and the documentation provided with your TACACS+ server application.

Configuring a global encryption key

To configure north01 as a global encryption key:

switch(config)# tacacs-server key north01

Configuring a per-server encryption key

To configure north01 as a per-server encryption key:

switch(config)# tacacs-server host 10.28.227.63 key north01

An encryption key can contain up to 100 characters, without spaces, and is likely to be case-sensitive in most TACACS+ server applications.

Deleting a per-server encryption key

To delete a per-server encryption key in the switch, re-enter the tacacs-server host command without the key parameter. For example, if you have north01 configured as the encryption key for a TACACS+ server with an IP address of 10.28.227.104 and you want to eliminate the key, you would use this command:

switch(config)# tacacs-server host 10.28.227.104

NOTE: You can save the encryption key in a configuration file by entering this command:


switch(config)# tacacs-server key <key-string>

The <key-string> parameter is the encryption key in clear text.


NOTE: The show tacacs command lists the global encryption key, if configured. However, to view any configured per-server encryption keys, you must use show config or show config running (if you have made TACACS+ configuration changes without executing write mem).


Deleting a global encryption key

To delete a global encryption key from the switch, use this command:

switch(config)# no tacacs-server key

Configuring the Timeout period

The timeout period specifies how long the switch waits for a response to an authentication request from a TACACS+ server before either sending a new request to the next server in the switch Server IP Address list or using the local authentication option. For example, to change the timeout period from 5 seconds (the default) to 3 seconds:

switch(config)# tacacs-server timeout 3

Server specific encryption key

Syntax

tacacs-server host <ip-addr> [key <key-string> | encrypted-key <key-string>] [oobm]

Adds a TACACS+ server and optionally assigns a server-specific encryption key. If the switch is configured to access multiple TACACS+ servers having different encryption keys, you can configure the switch to use different encryption keys for different TACACS+ servers.


NOTE: For the 3800, 5400zl, and 8200zl switches, when the switch is in enhanced secure mode, commands that take a secret key as a parameter have the echo of the secret typing replaced with asterisks. The input for <key-string> is prompted for interactively. See Secure Mode (3800, 3810, 5400zl, and 8200zl Switches).


[no] tacacs-server host <ip-addr>

Removes a TACACS+ server assignment (including its server-specific encryption key, if any).

tacacs-server [key <key-string> | encrypted-key <key-string>]

Configures an optional global encryption key. Keys configured in the switch must exactly match the encryption keys configured in the TACACS+ servers that the switch attempts to use for authentication. The encrypted-key parameter configures a global encryption key, specified using a base64-encoded aes-256 encrypted string.

[no] tacacs-server key

Removes the optional global encryption key. (Does not affect any server-specific encryption key assignments.)

tacacs-server encrypted-key <key-string>

Encryption key to use with a TACACS+ server, specified using a base64-encoded aes-256 encrypted string.

tacacs-server timeout <1-255>

Changes the wait period for a TACACS server response. (Default: 5 seconds.)


NOTE: Encryption keys configured in the switch must exactly match the encryption keys configured in TACACS+ servers the switch attempts to use for authentication.

If you configure a global encryption key, the switch uses it only with servers for which you have not also configured a server-specific key. Thus, a global key is more useful where the TACACS+ servers you are using all have an identical key, and server-specific keys are necessary where different TACACS+ servers have different keys.

If TACACS+ server “X” does not have an encryption key assigned for the switch, then configuring either a global encryption key or a server-specific key in the switch for server “X” blocks authentication support from server “X”.


Using the privilege-mode option for login

When using TACACS+ to control user access to the switch, you first log in with your user name at the operator privilege level using the password for operator privileges, then log in again with the same user name but using the Manager password to obtain manager privileges. You can avoid this double login process by entering the privilege-mode option with the aaa authentication login command to enable TACACS+ for a single login. The switch authenticates your user name/password, then requests the privilege level (operator or manager) that was configured on the TACACS+ server for this user name/password. The TACACS+ server returns the allowed privilege level to the switch. You are placed directly into operator or manager mode, depending on your privilege level.

switch(config)# aaa authentication login privilege-mode

The no version of the above command disables TACACS+ single login capability.

Adding, removing, or changing the priority of a TACACS+ server

Example

Suppose the switch is configured to use TACACS+ servers at 10.28.227.10 and 10.28.227.15. 10.28.227.15 was entered first and so is listed as the first-choice server:

Example of the switch with two TACACS+ server addresses configured

To move the "first-choice" status from the "15" server to the "10" server, use the no tacacs-server host <ip-addr> command to delete both servers, then use tacacs-server host <ip-addr> to re-enter the "10" server first, then the "15" server.

The servers would then be listed with the new "first-choice" server, that is:

Example of the switch after assigning a different "first-choice" server

To remove the 10.28.227.15 device as a TACACS+ server, you would use this command:

HPswitch(config)# no tacacs-server host 10.28.227.15