Cisco Wireless LAN Controller Configuration Guide, Release 7.4
Configuring TACACS+

Information About TACACS+

Terminal Access Controller Access Control System Plus (TACACS+) is a client/server protocol that provides centralized security for users attempting to gain management access to a controller. It serves as a backend database similar to local and RADIUS. However, local and RADIUS provide only authentication support and limited authorization support while TACACS+ provides three services:

  • Authentication—The process of verifying users when they attempt to log into the controller. Users must enter a valid username and password in order for the controller to authenticate users to the TACACS+ server. The authentication and authorization services are tied to one another. For example, if authentication is performed using the local or RADIUS database, then authorization would use the permissions associated with the user in the local or RADIUS database (which are read-only, read-write, and lobby-admin) and not use TACACS+. Similarly, when authentication is performed using TACACS+, authorization is tied to TACACS+.

    Note

    When multiple databases are configured, you can use the controller GUI or CLI to specify the sequence in which the backend databases should be tried.


  • Authorization—The process of determining the actions that users are allowed to take on the controller based on their level of access. For TACACS+, authorization is based on privilege (or role) rather than specific actions. The available roles correspond to the seven menu options on the controller GUI: MONITOR, WLAN, CONTROLLER, WIRELESS, SECURITY, MANAGEMENT, and COMMANDS. An additional role, LOBBY, is available for users who require only lobby ambassador privileges. The roles to which users are assigned are configured on the TACACS+ server. Users can be authorized for one or more roles. The minimum authorization is MONITOR only, and the maximum is ALL, which authorizes the user to execute the functionality associated with all seven menu options. For example, a user who is assigned the role of SECURITY can make changes to any items appearing on the Security menu (or designated as security commands in the case of the CLI). If users are not authorized for a particular role (such as WLAN), they can still access that menu option in read-only mode (or the associated CLI show commands). If the TACACS+ authorization server becomes unreachable or unable to authorize, users are unable to log into the controller.

    Note

    If users attempt to make changes on a controller GUI page that are not permitted for their assigned role, a message appears indicating that they do not have sufficient privilege. If users enter a controller CLI command that is not permitted for their assigned role, a message may appear indicating that the command was successfully executed although it was not. In this case, the following additional message appears to inform users that they lack sufficient privileges to successfully execute the command: “Insufficient Privilege! Cannot execute command!”


  • Accounting—The process of recording user actions and changes. Whenever a user successfully executes an action, the TACACS+ accounting server logs the changed attributes, the user ID of the person who made the change, the remote host where the user is logged in, the date and time when the command was executed, the authorization level of the user, and a description of the action performed and the values provided. If the TACACS+ accounting server becomes unreachable, users are able to continue their sessions uninterrupted.

TACACS+ uses Transmission Control Protocol (TCP) for its transport, unlike RADIUS which uses User Datagram Protocol (UDP). It maintains a database and listens on TCP port 49 for incoming requests. The controller, which requires access control, acts as the client and requests AAA services from the server. The traffic between the controller and the server is encrypted by an algorithm defined in the protocol and a shared secret key configured on both devices.

You can configure up to three TACACS+ authentication, authorization, and accounting servers each. For example, you may want to have one central TACACS+ authentication server but several TACACS+ authorization servers in different regions. If you configure multiple servers of the same type and the first one fails or becomes unreachable, the controller automatically tries the second one and then the third one if necessary.


Note

If multiple TACACS+ servers are configured for redundancy, the user database must be identical in all the servers for the backup to work properly.


The following are some guidelines about TACACS+:
  • You must configure TACACS+ on both your CiscoSecure Access Control Server (ACS) and your controller. You can configure the controller through either the GUI or the CLI.
  • TACACS+ is supported on CiscoSecure ACS version 3.2 and later releases. See the CiscoSecure ACS documentation for the version that you are running.
  • One Time Passwords (OTPs) are supported on the controller using TACACS. In this configuration, the controller acts as a transparent passthrough device. The controller forwards all client requests to the TACACS server without inspecting the client behavior. When using OTP, the client must establish a single connection to the controller to function properly. The controller currently does not have any intelligence or checks to correct a client that is trying to establish multiple connections.
  • We recommend that you increase the retransmit timeout value for TACACS+ authentication, authorization, and accounting servers if you experience repeated reauthentication attempts or the controller falls back to the backup server when the primary server is active and reachable. The default retransmit timeout value is 2 seconds and you can increase the retransmit timeout value to a maximum of 30 seconds.
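The failover and failure semantics described above (servers tried in index order, local database consulted before TACACS+, login refused when no authentication or authorization server answers, sessions continuing when accounting is unreachable, and the note that a backup server with a different user database breaks failover) are easy to get wrong in an outage review. The following model is an added illustration written for this page, not Cisco controller code. The TacacsServer and Controller classes, the dict-based user databases, the credential values and the use of a reachable flag to stand in for a server that does not answer are all assumptions; the rules encoded are the ones the chapter states.

```python
from dataclasses import dataclass, field

MAX_SERVERS_PER_SERVICE = 3      # the controller accepts at most three servers per service


@dataclass
class TacacsServer:
    index: int                   # Server Index (Priority): 1, 2 or 3
    users: dict                  # username -> password; constructed sample data
    reachable: bool = True
    enabled: bool = True
    acct_log: list = field(default_factory=list)

    def answers(self) -> bool:
        """A server only takes part in failover when it is enabled and reachable."""
        return self.enabled and self.reachable


def first_responding(servers):
    """Try servers in index order and return the first that answers, or None."""
    if len(servers) > MAX_SERVERS_PER_SERVICE:
        raise ValueError("at most three TACACS+ servers per service")
    for srv in sorted(servers, key=lambda s: s.index):
        if srv.answers():
            return srv
    return None


@dataclass
class Controller:
    local_users: dict            # the controller's local management-user database
    auth: list                   # TACACS+ authentication servers
    athr: list                   # TACACS+ authorization servers
    acct: list                   # TACACS+ accounting servers
    order: tuple = ("local", "tacacs")   # Security > Priority Order > Management User

    def login(self, username, password):
        """Return (allowed, detail). Local first; TACACS+ only if the user is not local."""
        for backend in self.order:
            if backend == "local":
                if username in self.local_users:
                    return self.local_users[username] == password, "local database"
                continue             # not found locally: fall through to the next backend
            auth_srv = first_responding(self.auth)
            if auth_srv is None:     # no authentication server answers: nobody can log in
                return False, "no TACACS+ authentication server reachable"
            if auth_srv.users.get(username) != password:
                return False, f"rejected by authentication server {auth_srv.index}"
            athr_srv = first_responding(self.athr)   # authorization is tied to TACACS+ too
            if athr_srv is None:
                return False, "no TACACS+ authorization server reachable"
            if username not in athr_srv.users:       # backup server out of sync (see the Note)
                return False, f"authorization server {athr_srv.index} does not know the user"
            return True, (f"authenticated by server {auth_srv.index}, "
                          f"authorized by server {athr_srv.index}")
        return False, "user not found in any configured database"

    def record(self, username, action):
        """Accounting: log to the first responding server; if none, the session just continues."""
        srv = first_responding(self.acct)
        if srv is None:
            return "not logged: no accounting server reachable, session continues"
        srv.acct_log.append((username, action))
        return f"logged by accounting server {srv.index}"


def demo():
    """Constructed scenario: server 1 down, server 3 missing a user the others know."""
    s1 = TacacsServer(1, {"alice": "Wlan!2024"}, reachable=False)
    s2 = TacacsServer(2, {"alice": "Wlan!2024"})
    s3 = TacacsServer(3, {})                       # out of sync: no "alice"
    wlc = Controller({"admin": "Local!2024"},
                     auth=[s1, s2, s3], athr=[s1, s2, s3], acct=[s1, s2, s3])
    out = {}
    out["local_admin"] = wlc.login("admin", "Local!2024")
    out["alice_failover"] = wlc.login("alice", "Wlan!2024")      # s1 skipped, s2 answers
    out["acct"] = wlc.record("alice", "config wlan disable 1")
    s2.reachable = False                                           # only the stale s3 is left
    out["alice_out_of_sync"] = wlc.login("alice", "Wlan!2024")
    s3.reachable = False
    out["alice_all_down"] = wlc.login("alice", "Wlan!2024")
    out["acct_all_down"] = wlc.record("alice", "show run-config")
    return out


if __name__ == "__main__":
    for name, result in demo().items():
        print(f"{name}: {result}")
```

Running demo() shows the two outcomes worth planning for: with server 1 down and server 2 up, alice is transparently served by server 2, but once only the out-of-sync server 3 answers, she is rejected even though the controller still has a "working" TACACS+ server, which is exactly the situation the note warns about. The accounting result in the same scenario is a lost audit record rather than a lost session.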

TACACS+ VSA

The Internet Engineering Task Force (IETF) draft standard specifies a method for communicating vendor-specific attributes (VSAs) between the network access server and the TACACS+ server. The IETF uses attribute 26. VSAs allow vendors to support their own extended attributes that are not suitable for general use.

The Cisco TACACS+ implementation supports one vendor-specific option using the format recommended in the IETF specification. The Cisco vendor ID is 9, and the supported option is vendor type 1, which is named cisco-av-pair. The value is a string with the following format:

protocol : attribute separator value *

The protocol is a Cisco attribute for a particular type of authorization, the separator is = (equal sign) for mandatory attributes, and * (asterisk) indicates optional attributes.

Configuring TACACS+ on the ACS


    Step 1   Choose Network Configuration on the ACS main page.
    Step 2   Choose Add Entry under AAA Clients to add your controller to the server. The Add AAA Client page appears.
    Figure 1. Add AAA Client Page on CiscoSecure ACS

    Step 3   In the AAA Client Hostname text box, enter the name of your controller.
    Step 4   In the AAA Client IP Address text box, enter the IP address of your controller.
    Step 5   In the Shared Secret text box, enter the shared secret key to be used for authentication between the server and the controller.
    Note   

    The shared secret key must be the same on both the server and the controller.

    Step 6   From the Authenticate Using drop-down list, choose TACACS+ (Cisco IOS).
    Step 7   Click Submit + Apply to save your changes.
    Step 8   On the ACS main page, in the left navigation pane, choose Interface Configuration.
    Step 9   Choose TACACS+ (Cisco IOS). The TACACS+ (Cisco) page appears.
    Step 10   Under TACACS+ Services, select the Shell (exec) check box.
    Step 11   Under New Services, select the first check box and enter ciscowlc in the Service text box and common in the Protocol text box.
    Step 12   Under Advanced Configuration Options, select the Advanced TACACS+ Features check box.
    Step 13   Click Submit to save your changes.
    Step 14   On the ACS main page, in the left navigation pane, choose System Configuration.
    Step 15   Choose Logging.
    Step 16   When the Logging Configuration page appears, enable all of the events that you want to be logged and save your changes.
    Step 17   On the ACS main page, in the left navigation pane, choose Group Setup.
    Step 18   From the Group drop-down list, choose a previously created group.
    Note   

    This step assumes that you have already assigned users to groups on the ACS according to the roles to which they will be assigned.

    Step 19   Click Edit Settings. The Group Setup page appears.
    Step 20   Under TACACS+ Settings, select the ciscowlc common check box.
    Step 21   Select the Custom Attributes check box.
    Step 22   In the text box below Custom Attributes, specify the roles that you want to assign to this group. The available roles are MONITOR, WLAN, CONTROLLER, WIRELESS, SECURITY, MANAGEMENT, COMMANDS, ALL, and LOBBY. The first seven correspond to the menu options on the controller GUI and allow access to those particular controller features. If a user is not entitled for a particular task, the user is still allowed to access that task in read-only mode. You can enter one or multiple roles, depending on the group's needs. Use ALL to specify all seven roles or LOBBY to specify the lobby ambassador role. Enter the roles using this format:

    rolex=ROLE

    For example, to specify the WLAN, CONTROLLER, and SECURITY roles for a particular user group, you would enter the following text:

    role1=WLAN
    role2=CONTROLLER
    role3=SECURITY

    To give a user group access to all seven roles, you would enter the following text:

    role1=ALL
    Note   

    Make sure to enter the roles using the format shown above. The roles must be in all uppercase letters, and there can be no spaces within the text.

    Note   

    You should not combine the MONITOR role or the LOBBY role with any other roles. If you specify one of these two roles in the Custom Attributes text box, users will have MONITOR or LOBBY privileges only, even if additional roles are specified.

    Step 23   Click Submit to save your changes.
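The cisco-av-pair format given in the TACACS+ VSA section (protocol, attribute, a separator that is = for mandatory or * for optional attributes, value) and the rolex=ROLE lines entered in Step 22 are the two pieces an auditor has to check when reviewing what a group is actually allowed to change. The following parser is an added example for both passages; it is not ACS or controller code. It encodes the chapter's rules (roles in uppercase with no spaces, ALL expanding to the seven menu roles, MONITOR or LOBBY overriding any other role, read-only access to menus the group does not hold) and makes three assumptions that are not on the page: the protocol: prefix may be omitted because the Custom Attributes box takes bare role1=WLAN lines, a group with no role line is treated as the MONITOR minimum, and LOBBY takes precedence when both LOBBY and MONITOR are listed.

```python
import re
from dataclasses import dataclass
from typing import Optional

MENU_ROLES = ("MONITOR", "WLAN", "CONTROLLER", "WIRELESS", "SECURITY", "MANAGEMENT", "COMMANDS")
VALID_ROLES = frozenset(MENU_ROLES) | {"ALL", "LOBBY"}

# protocol (optional, before the colon), attribute name, one separator, value.
AV_PAIR_RE = re.compile(
    r"^(?:(?P<protocol>[A-Za-z0-9_-]+)\s*:\s*)?(?P<attr>[A-Za-z0-9_-]+)(?P<sep>[=*])(?P<value>.*)$"
)


@dataclass(frozen=True)
class AvPair:
    protocol: Optional[str]
    attribute: str
    value: str
    mandatory: bool          # '=' marks a mandatory attribute, '*' an optional one


def parse_av_pair(text: str) -> AvPair:
    """Split one cisco-av-pair string into its parts without touching the value's spacing."""
    m = AV_PAIR_RE.match(text.strip("\r\n"))
    if not m:
        raise ValueError(f"not a cisco-av-pair: {text!r}")
    return AvPair(m["protocol"], m["attr"], m["value"], m["sep"] == "=")


def parse_role(pair: AvPair) -> str:
    """Validate one roleN attribute: known role name, all uppercase, no spaces."""
    if not re.fullmatch(r"role\d+", pair.attribute):
        raise ValueError(f"not a role attribute: {pair.attribute!r}")
    role = pair.value
    if role != role.upper():
        raise ValueError(f"role must be all uppercase: {role!r}")
    if role not in VALID_ROLES:
        raise ValueError(f"unknown role (spaces are not allowed): {role!r}")
    return role


def effective_roles(lines) -> frozenset:
    """Reduce the group's role1..roleN lines to the set of menus it may change."""
    roles = {parse_role(parse_av_pair(line)) for line in lines if line.strip()}
    if "LOBBY" in roles:                 # LOBBY or MONITOR overrides every other role
        return frozenset({"LOBBY"})      # (LOBBY before MONITOR is an assumption)
    if "MONITOR" in roles or not roles:  # no role at all: MONITOR minimum (assumption)
        return frozenset({"MONITOR"})
    if "ALL" in roles:
        return frozenset(MENU_ROLES)     # ALL expands to the seven menu roles
    return frozenset(roles)


def access_mode(roles: frozenset, menu: str) -> str:
    """A held role gives read-write access to its menu; any other menu stays read-only."""
    if menu not in MENU_ROLES:
        raise ValueError(f"unknown menu: {menu!r}")
    return "read-write" if menu in roles else "read-only"


if __name__ == "__main__":
    group = effective_roles(["role1=WLAN", "role2=CONTROLLER", "role3=SECURITY"])
    for menu in MENU_ROLES:
        print(f"{menu:<11} {access_mode(group, menu)}")
```

The validation deliberately rejects role1=wlan and role1=WLAN SECURITY instead of silently fixing them: a role the controller does not recognise would leave the group with less access than the ACS administrator intended, and that is better caught while the Custom Attributes text is being reviewed than at the first failed change.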

    Configuring TACACS+ (GUI)


      Step 1   Choose Security > AAA > TACACS+.
      Step 2   Perform one of the following:
      • If you want to configure a TACACS+ server for authentication, choose Authentication.

      • If you want to configure a TACACS+ server for authorization, choose Authorization.

      • If you want to configure a TACACS+ server for accounting, choose Accounting.

      Note   

      The pages used to configure authentication, authorization, and accounting all contain the same text boxes. Therefore, these instructions walk through the configuration only once, using the Authentication pages as examples. You would follow the same steps to configure multiple services and/or multiple servers.

      Note   

      For basic management authentication through TACACS+ to succeed, you must configure both authentication and authorization servers on the controller. Accounting configuration is optional.

      The TACACS+ (Authentication, Authorization, or Accounting) Servers page appears. This page lists any TACACS+ servers that have already been configured.

      • If you want to delete an existing server, hover your cursor over the blue drop-down arrow for that server and choose Remove.

      • If you want to make sure that the controller can reach a particular server, hover your cursor over the blue drop-down arrow for that server and choose Ping.

      Step 3   Perform one of the following:
      • To edit an existing TACACS+ server, click the server index number for that server. The TACACS+ (Authentication, Authorization, or Accounting) Servers > Edit page appears.

      • To add a TACACS+ server, click New. The TACACS+ (Authentication, Authorization, or Accounting) Servers > New page appears.

      Step 4   If you are adding a new server, choose a number from the Server Index (Priority) drop-down list to specify the priority order of this server in relation to any other configured TACACS+ servers providing the same service. You can configure up to three servers. If the controller cannot reach the first server, it tries the second one in the list and then the third if necessary.
      Step 5   If you are adding a new server, enter the IP address of the TACACS+ server in the Server IP Address text box.
      Step 6   From the Shared Secret Format drop-down list, choose ASCII or Hex to specify the format of the shared secret key to be used between the controller and the TACACS+ server. The default value is ASCII.
      Step 7   In the Shared Secret and Confirm Shared Secret text boxes, enter the shared secret key to be used for authentication between the controller and the server.
      Note   

      The shared secret key must be the same on both the server and the controller.

      Step 8   If you are adding a new server, enter the TACACS+ server’s TCP port number for the interface protocols in the Port Number text box. The valid range is 1 to 65535, and the default value is 49.
      Step 9   In the Server Status text box, choose Enabled to enable this TACACS+ server or choose Disabled to disable it. The default value is Enabled.
      Step 10   In the Server Timeout text box, enter the number of seconds between retransmissions. The valid range is 5 to 30 seconds, and the default value is 5 seconds.
      Note   

      We recommend that you increase the timeout value if you experience repeated reauthentication attempts or the controller falls back to the backup server when the primary server is active and reachable.

      Step 11   Click Apply.
      Step 12   Click Save Configuration.
      Step 13   Repeat the previous steps if you want to configure any additional services on the same server or any additional TACACS+ servers.
      Step 14   Specify the order of authentication when multiple databases are configured by choosing Security > Priority Order > Management User. The Priority Order > Management User page appears.
      Step 15   In the Order Used for Authentication text box, specify which servers have priority when the controller attempts to authenticate management users.

      Use the > and < buttons to move servers between the Not Used and Order Used for Authentication text boxes. After the desired servers appear in the Order Used for Authentication text box, use the Up and Down buttons to move the priority server to the top of the list. By default, the local database is always queried first. If the username is not found, the controller switches to the RADIUS server if configured for RADIUS or to the TACACS+ server if configured for TACACS+. The default setting is local and then RADIUS.

      Step 16   Click Apply.
      Step 17   Click Save Configuration.

      Configuring TACACS+ (CLI)

      • Configure a TACACS+ authentication server by entering these commands:

        • config tacacs auth add index server_ip_address port# {ascii | hex} shared_secret—Adds a TACACS+ authentication server.
        • config tacacs auth delete index—Deletes a previously added TACACS+ authentication server.
        • config tacacs auth {enable | disable} index—Enables or disables a TACACS+ authentication server.
        • config tacacs auth server-timeout index timeout—Configures the retransmission timeout value for a TACACS+ authentication server.

      • Configure a TACACS+ authorization server by entering these commands:

        • config tacacs athr add index server_ip_address port# {ascii | hex} shared_secret—Adds a TACACS+ authorization server.

        • config tacacs athr delete index—Deletes a previously added TACACS+ authorization server.

        • config tacacs athr {enable | disable} index—Enables or disables a TACACS+ authorization server.

        • config tacacs athr server-timeout index timeout—Configures the retransmission timeout value for a TACACS+ authorization server.

      • Configure a TACACS+ accounting server by entering these commands:

        • config tacacs acct add index server_ip_address port# {ascii | hex} shared_secret—Adds a TACACS+ accounting server.

        • config tacacs acct delete index—Deletes a previously added TACACS+ accounting server.

        • config tacacs acct {enable | disable} index—Enables or disables a TACACS+ accounting server.

        • config tacacs acct server-timeout index timeout—Configures the retransmission timeout value for a TACACS+ accounting server.

      • See TACACS+ statistics by entering these commands:

        • show tacacs summary—Shows a summary of TACACS+ servers and statistics.

        • show tacacs auth stats—Shows the TACACS+ authentication server statistics.

        • show tacacs athr stats—Shows the TACACS+ authorization server statistics.

        • show tacacs acct stats—Shows the TACACS+ accounting server statistics.

      • Clear the statistics for one or more TACACS+ servers by entering this command:

        clear stats tacacs [auth | athr | acct] {index | all}

      • Configure the order of authentication when multiple databases are configured by entering this command. The default setting is local and then radius.

        config aaa auth mgmt [radius | tacacs]

        See the current management authentication server order by entering the show aaa auth command.

      • Make sure the controller can reach the TACACS+ server by entering this command:

        ping server_ip_address

      • Enable or disable TACACS+ debugging by entering this command:

        debug aaa tacacs {enable | disable}

      • Save your changes by entering this command:

        save config

      Viewing the TACACS+ Administration Server Logs


        Step 1   On the ACS main page, in the left navigation pane, choose Reports and Activity.
        Step 2   Under Reports, choose TACACS+ Administration.

        Click the .csv file corresponding to the date of the logs you want to view. The TACACS+ Administration .csv page appears.

        Figure 2. TACACS+ Administration .csv Page on CiscoSecure ACS

        This page displays the following information:
        • Date and time the action was taken
        • Name and assigned role of the user who took the action
        • Group to which the user belongs
        • Specific action that the user took
        • Privilege level of the user who executed the action
        • IP address of the controller
        • IP address of the laptop or workstation from which the action was executed
        Sometimes a single action (or command) is logged multiple times, once for each parameter in the command. For example, if you enter the snmp community ipaddr ip_address subnet_mask community_name command, the IP address may be logged on one line while the subnet mask and community name are logged as “E.” On another line, the subnet mask may be logged while the IP address and community name are logged as “E.” See the first and third lines in the example in this figure.
        Figure 3. TACACS+ Administration .csv Page on CiscoSecure ACS
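Because one command can be spread over several rows with “E” standing in for the parameters a row does not carry, a reviewer who greps the .csv for a value such as a community name sees only a fragment of the change. The following script is an added example of folding those rows back into one audit record; it is not part of ACS or of this guide. The column names, the date, the user names, the addresses and the three-row snmp community ipaddr entry are a constructed sample modelled on the fields the page lists, not a real export.

```python
import csv
import io

PLACEHOLDER = "E"    # ACS writes "E" for a parameter that this row does not carry

# Constructed sample export. The column names are assumptions for illustration,
# not taken from a real ACS file; the three "snmp community ipaddr" rows mimic
# the one-row-per-parameter behaviour the page describes.
SAMPLE_CSV = """\
Date,Time,User-Name,Group-Name,Role,Priv-lvl,NAS-IP-Address,Caller-Id,cmd
05/14/2013,10:02:11,alice,wlc-admins,SECURITY,15,10.1.1.5,10.1.1.50,snmp community ipaddr 10.20.0.0 E E
05/14/2013,10:02:11,alice,wlc-admins,SECURITY,15,10.1.1.5,10.1.1.50,snmp community ipaddr E 255.255.0.0 E
05/14/2013,10:02:11,alice,wlc-admins,SECURITY,15,10.1.1.5,10.1.1.50,snmp community ipaddr E E mgmt-ro
05/14/2013,10:05:40,bob,wlc-ops,WLAN,15,10.1.1.5,10.1.1.77,config wlan disable 1
"""

META_COLUMNS = ("Date", "Time", "User-Name", "Group-Name", "Role", "Priv-lvl",
                "NAS-IP-Address", "Caller-Id")


def meta(row):
    """Everything except the command: the rows of one action share all of these."""
    return tuple(row[c] for c in META_COLUMNS)


def compatible(a, b):
    """Two token lists describe the same command if they agree wherever neither is a placeholder."""
    return len(a) == len(b) and all(x == y or PLACEHOLDER in (x, y) for x, y in zip(a, b))


def merge_tokens(a, b):
    """Overlay b onto a, filling each placeholder in a with the token from b."""
    return [y if x == PLACEHOLDER else x for x, y in zip(a, b)]


def consolidate(csv_text):
    """Fold the per-parameter rows of one command into a single audit record."""
    records = []
    for row in csv.DictReader(io.StringIO(csv_text)):
        tokens = row["cmd"].split()
        last = records[-1] if records else None
        if last and last["meta"] == meta(row) and compatible(last["tokens"], tokens):
            last["tokens"] = merge_tokens(last["tokens"], tokens)
            last["source_rows"] += 1
        else:
            records.append({"meta": meta(row), "tokens": tokens, "source_rows": 1})
    result = []
    for rec in records:
        fields = dict(zip(META_COLUMNS, rec["meta"]))
        result.append({
            "when": f"{fields['Date']} {fields['Time']}",
            "user": fields["User-Name"],
            "group": fields["Group-Name"],
            "role": fields["Role"],
            "privilege": fields["Priv-lvl"],
            "controller": fields["NAS-IP-Address"],
            "from": fields["Caller-Id"],
            "command": " ".join(rec["tokens"]),
            "source_rows": rec["source_rows"],
            # a placeholder that survived the merge means a parameter was never logged
            "complete": PLACEHOLDER not in rec["tokens"],
        })
    return result


if __name__ == "__main__":
    for rec in consolidate(SAMPLE_CSV):
        print(rec["when"], rec["user"], rec["controller"], rec["command"],
              f"(rows={rec['source_rows']}, complete={rec['complete']})")
```

Rows are merged only when every non-placeholder token agrees, so two different commands issued in the same second by the same user from the same workstation stay separate. One limit of the format itself: a parameter whose real value is the single letter E cannot be told apart from the placeholder, so the complete flag is a hint for the reviewer, not proof.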