TACACS+ Server Configuration for Huawei Routers, Firewalls & Switches
Monday, April 13, 2009
Implementing TACACS on networking equipment turns out to be very efficient in terms of network user management.
Let me share some tips for configuring TACACS on Huawei equipment... but before that, let me explain a few concepts for those not familiar with it.
TACACS+ (Terminal Access Controller Access-Control System Plus) is a protocol which provides access control for routers, network access servers and other networked computing devices via one or more centralized servers. TACACS+ provides separate authentication, authorization and accounting services.
HWTACACS (Huawei TACACS) is an enhancement of TACACS, an access control protocol defined in RFC 1492. Similar to RADIUS, HWTACACS implements AAA for multiple users by communicating with the HWTACACS server in a server/client model. HWTACACS is used to perform AAA for access users over PPP or Virtual Private Dial Network (VPDN) and for login users.
Now let's take a closer look at the configuration commands.
——– Creating a HWTACACS template which contains the server information ——–
#
hwtacacs-server template ht
 hwtacacs-server authentication 1000
 hwtacacs-server authorization 1001
 hwtacacs-server accounting 1002
 hwtacacs-server shared-key
——– Creating an AAA authentication, authorization & accounting scheme ——–
#
aaa
 authentication-scheme default
 authentication-scheme l-h
  authentication-mode local hwtacacs
 authentication-scheme hwtacacs
  authentication-mode hwtacacs
 #
 authorization-scheme default
 authorization-scheme hwtacacs
  authorization-mode hwtacacs
 #
 accounting-scheme default
 accounting-scheme hwtacacs
  accounting-mode hwtacacs
  accounting realtime 3
 #
 domain default
 domain domainname
  authentication-scheme l-h
  authorization-scheme hwtacacs
  accounting-scheme hwtacacs
  hwtacacs-server ht
#
Now let's look at the server configuration (OS: CentOS Linux).
/etc/tac_plus.conf
# tacacs configuration file
# Pierre-Yves Maunier - 20060713
# /etc/tac_plus.conf
# set the key
key = key
accounting file = /var/log/tac_plus.acct
# users accounts
user = useradmin {
    default service = permit
    login = cleartext "normal"
    enable = cleartext "enable"
}
After the config file is saved, run the following command:
[root@centos]# tac_plus -C /etc/tac_plus.conf
Note: Feel free to comment if you have any doubts.
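As an added example (not code from the original post), here is a small Python audit script that parses a tac_plus.conf in the format shown above and flags the settings a reviewer would question before putting the server in production: cleartext `login`/`enable` passwords, `default service = permit`, and a short shared key. The embedded sample config is constructed for the demonstration; the extra `ops` user and its `des` hash are invented for contrast.

```python
import re

# Constructed sample modelled on the tac_plus.conf above; the "ops" user
# with a des (crypt) hash is invented to show a non-cleartext entry.
SAMPLE_CONF = """
# tacacs configuration file
key = key
accounting file = /var/log/tac_plus.acct
user = useradmin {
    default service = permit
    login = cleartext "normal"
    enable = cleartext "enable"
}
user = ops {
    login = des "yF3hAKjZEJOQo"
}
"""

def parse_tac_plus(text):
    """Minimal parser: returns (globals, users), users mapping name -> settings.
    Handles 'key = value' lines, 'user = name {' blocks and a lone '}' closer.
    Full-line comments are skipped; trailing comments are not supported."""
    globals_, users, current = {}, {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        if line == "}":
            current = None          # leave the current user block
            continue
        m = re.match(r'^(\w[\w ]*?)\s*=\s*(.*?)\s*(\{)?$', line)
        if not m:
            continue
        key, value, opens_block = m.group(1), m.group(2), m.group(3)
        if key == "user" and opens_block:
            current = users.setdefault(value, {})
        elif current is not None:
            current[key] = value
        else:
            globals_[key] = value
    return globals_, users

def audit_tac_plus(text, min_key_len=16):
    """Return a list of (scope, finding) tuples for weak settings."""
    g, users = parse_tac_plus(text)
    findings = []
    if len(g.get("key", "")) < min_key_len:
        findings.append(("global", "shared key shorter than %d characters" % min_key_len))
    if "accounting file" not in g:
        findings.append(("global", "no accounting file configured"))
    for name, u in users.items():
        for attr in ("login", "enable"):
            if u.get(attr, "").startswith("cleartext"):
                findings.append((name, "%s password stored in cleartext" % attr))
        if u.get("default service") == "permit":
            findings.append((name, "default service = permit allows any unlisted service"))
    return findings
```

Running `audit_tac_plus(SAMPLE_CONF)` reports the short key and the three weak settings on `useradmin`, while the `ops` entry passes.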