TACACS+ Server Configuration for Huawei Routers, Firewalls & Switches

Monday, April 13, 2009

Implementing TACACS+ on network equipment turns out to be very efficient in terms of managing network users: accounts, privilege levels and audit trails live on one central server instead of on every box.

Let me share some tips for configuring TACACS+ on Huawei equipment, but before that let me explain a few concepts for those not familiar with it.

TACACS+ (Terminal Access Controller Access-Control System Plus) is a protocol that provides access control for routers, network access servers and other networked devices through one or more centralized servers. It runs over TCP (port 49) and, unlike RADIUS, treats authentication, authorization and accounting as three separate services, so a device can for example authenticate a login against the server and then ask the server separately whether each command the user types is permitted.

HWTACACS authorization based on commands

HWTACACS is Huawei's implementation of TACACS+, itself an enhancement of the original TACACS protocol defined in RFC 1492. Like RADIUS, HWTACACS implements AAA for multiple users by communicating with an HWTACACS server in a client/server model. It is used to perform AAA on access users over PPP or a Virtual Private Dial-up Network (VPDN) and on login users (console, Telnet and SSH sessions to the device itself).
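To make the protocol concrete, here is an added example (my own code, not from the original post or from Huawei): a minimal encoder and decoder for the 12-byte TACACS+ header and the authentication START packet that a device sends when someone logs in, including the MD5 pseudo-pad that both the Huawei client and tac_plus XOR over every packet body using the shared key. The user name, port and address values are made up for the demo. The last function shows why the shared key matters: the body has a rigid structure (eight length/type bytes followed by the strings), so a captured packet is a known-plaintext oracle and a weak key such as the placeholder "key" used later on this page can be verified offline from a word list.

```python
"""TACACS+ header, authentication START body and shared-key obfuscation.

Added example, not code from the original post.  Field layout follows
the TACACS+ protocol (draft-grant-tacacs, later RFC 8907); the obfuscation
is the MD5 pseudo-pad XOR that the RFC itself describes as not secure.
"""
import hashlib
import os
import struct

# Header: version, type, seq_no, flags, session_id, length (12 bytes, network order)
VERSION = 0xC0                       # major version 0xC, minor version 0
TYPE_AUTHEN, TYPE_AUTHOR, TYPE_ACCT = 1, 2, 3
FLAG_UNENCRYPTED = 0x01              # body sent in clear; never outside a lab
HEADER = struct.Struct("!BBBBII")

# Authentication START body fields
AUTHEN_LOGIN = 0x01                  # action: login
AUTHEN_TYPE_ASCII = 0x01             # ASCII login (password comes in a later CONTINUE)
AUTHEN_SVC_LOGIN = 0x01              # service: login


def pseudo_pad(session_id: int, key: bytes, version: int, seq_no: int, length: int) -> bytes:
    """Keystream: MD5_1 = MD5(sid|key|ver|seq), MD5_n = MD5(sid|key|ver|seq|MD5_{n-1})."""
    prefix = struct.pack("!I", session_id) + key + bytes([version, seq_no])
    pad, prev = b"", b""
    while len(pad) < length:
        prev = hashlib.md5(prefix + prev).digest()
        pad += prev
    return pad[:length]


def obfuscate(body: bytes, session_id: int, key: bytes, version: int, seq_no: int) -> bytes:
    """XOR the body with the pad; applying it twice restores the plaintext."""
    pad = pseudo_pad(session_id, key, version, seq_no, len(body))
    return bytes(b ^ p for b, p in zip(body, pad))


def build_authen_start(user: str, port: str, rem_addr: str, key: bytes,
                       session_id: int, priv_lvl: int = 1) -> bytes:
    """Encode the first packet a device sends for a login attempt (seq_no 1)."""
    u, p, r = user.encode(), port.encode(), rem_addr.encode()
    body = struct.pack("!BBBBBBBB", AUTHEN_LOGIN, priv_lvl, AUTHEN_TYPE_ASCII,
                       AUTHEN_SVC_LOGIN, len(u), len(p), len(r), 0) + u + p + r
    seq_no = 1  # client packets carry odd sequence numbers, server replies even ones
    header = HEADER.pack(VERSION, TYPE_AUTHEN, seq_no, 0, session_id, len(body))
    return header + obfuscate(body, session_id, key, VERSION, seq_no)


def parse_authen_start(packet: bytes, key: bytes) -> dict:
    """Decode a START packet as the server would.  A wrong key turns the body
    into noise, which the length fields almost always reveal."""
    version, ptype, seq_no, flags, session_id, length = HEADER.unpack(packet[:HEADER.size])
    body = packet[HEADER.size:HEADER.size + length]
    if not flags & FLAG_UNENCRYPTED:
        body = obfuscate(body, session_id, key, version, seq_no)
    if len(body) < 8:
        raise ValueError("body too short for a START packet")
    action, priv_lvl, authen_type, service, ul, pl, rl, dl = struct.unpack("!BBBBBBBB", body[:8])
    if 8 + ul + pl + rl + dl != len(body):
        raise ValueError("length fields do not add up: wrong shared key or corrupt packet")
    off = 8
    user = body[off:off + ul].decode(errors="replace"); off += ul
    port = body[off:off + pl].decode(errors="replace"); off += pl
    rem = body[off:off + rl].decode(errors="replace")
    return {"type": ptype, "seq": seq_no, "session_id": session_id, "action": action,
            "priv_lvl": priv_lvl, "authen_type": authen_type, "service": service,
            "user": user, "port": port, "rem_addr": rem}


def guess_key(packet: bytes, candidates, expected_user: str):
    """Offline key check against a captured START: the structured body is a
    known-plaintext oracle, so a dictionary word that decodes cleanly is the key."""
    for cand in candidates:
        try:
            if parse_authen_start(packet, cand)["user"] == expected_user:
                return cand
        except ValueError:
            continue
    return None


if __name__ == "__main__":
    # Constructed demo values: the weak placeholder key from the tac_plus.conf on this page
    key = b"key"
    sid = int.from_bytes(os.urandom(4), "big")
    pkt = build_authen_start("useradmin", "vty0", "192.0.2.10", key, sid)
    print(parse_authen_start(pkt, key))
    print("recovered key:", guess_key(pkt, [b"cisco", b"huawei", b"key"], "useradmin"))
```

The point for the configuration that follows: the shared key is the only thing protecting the session, so it must be long and random, identical on the device and in tac_plus, and the TCP 49 path between them should be a management network, not the internet.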

Now let's take a closer look at the configuration commands on the Huawei side. There are two parts: a HWTACACS server template that says where the server is and which key to use, and an AAA scheme that says when to use it.

——– Creating a HWTACACS template which contains the server information (the server IP addresses and the shared key have been left out of this listing; the syntax is hwtacacs-server authentication <ip-address> [port], and likewise for authorization and accounting) —————-
#
hwtacacs-server template ht
hwtacacs-server authentication 1000
hwtacacs-server authorization 1001
hwtacacs-server accounting 1002
hwtacacs-server shared-key
#

———- Creating an AAA authentication, authorization & accounting scheme and binding it to a domain —————
#
aaa
authentication-scheme default
authentication-scheme l-h
authentication-mode local hwtacacs
authentication-scheme hwtacacs
authentication-mode hwtacacs
#
authorization-scheme default
authorization-scheme hwtacacs
authorization-mode hwtacacs
#
accounting-scheme default
accounting-scheme hwtacacs
accounting-mode hwtacacs
accounting realtime 3
#
domain default
domain domainname
authentication-scheme l-h
authorization-scheme hwtacacs
accounting-scheme hwtacacs
hwtacacs-server ht
#
A note on the authentication scheme: the order of the methods in authentication-mode is the order in which they are tried. The scheme l-h used by the domain above tries local accounts first and only then the HWTACACS server, so anyone holding a local password on the box is never seen by the server. If you want the server to be authoritative, put hwtacacs first and keep local as the fallback for when the server is unreachable, and make sure that fallback account has a strong password, since it is what an attacker will go for when the server is down. The accounting realtime 3 line sends interim accounting records every 3 minutes, which is what gives you a usable session log on the server.

Now let's look at the server configuration (OS: CentOS Linux, running the Shrubbery Networks tac_plus daemon).
/etc/tac_plus.conf

# tacacs configuration file
# Pierre-Yves Maunier - 20060713
# /etc/tac_plus.conf

# set the key: this must be identical to hwtacacs-server shared-key on the
# devices. "key" is a placeholder; use a long random secret in production.
key = key

# every authentication, authorization and accounting event lands here
accounting file = /var/log/tac_plus.acct

# users accounts
user = useradmin {
    # permit authorizes every service and every command for this user
    default service = permit
    # cleartext passwords are stored as-is in this file; tac_plus also
    # accepts crypt(3) hashes (login = des "<hash>", generated with tac_pwd)
    login = cleartext "normal"
    enable = cleartext "enable"
}
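The file above lets useradmin run anything, which ignores the command authorization that the HWTACACS heading earlier promises. Here is an added example (my own, not the original post's file) of a tac_plus.conf that uses per-command authorization in Shrubbery tac_plus syntax: a read-only group that may only run display, ping, tracert and quit, and an administrator group that is denied reboot. The user names, the key and the password hashes are placeholders; generate real hashes with the tac_pwd tool that ships with tac_plus. It assumes the device is configured to send authorization requests for each command (the exact VRP syntax for that varies by version and is not shown here) and that the device maps the TACACS+ priv-lvl attribute onto its own user level, which on many VRP releases is 0 to 3 rather than 0 to 15.

```conf
# Added example, not the original post's configuration.
# Shared key: must equal hwtacacs-server shared-key on every device.
key = "replace-with-a-long-random-secret"

accounting file = /var/log/tac_plus.acct

# Read-only operators: everything is denied unless a cmd stanza permits it.
group = readonly {
    default service = deny
    service = exec {
        priv-lvl = 1        # adjust to the device's level numbering (assumption)
    }
    cmd = display {
        permit .*
    }
    cmd = ping {
        permit .*
    }
    cmd = tracert {
        permit .*
    }
    cmd = quit {
        permit .*
    }
}

# Administrators: everything is permitted except the commands listed with deny.
group = admins {
    default service = permit
    service = exec {
        priv-lvl = 15       # adjust to the device's level numbering (assumption)
    }
    cmd = reboot {
        deny .*
    }
}

user = ops1 {
    member = readonly
    login = des "$1$PLACEHOLDER$replace.with.tac_pwd.output"
}

user = useradmin {
    member = admins
    login = des "$1$PLACEHOLDER$replace.with.tac_pwd.output"
}
```

Because tac_plus matches the command and its arguments against the permit/deny regexes in order and falls back to default service, keep the read-only group on default service = deny: a permit-by-default group with a few deny lines is only as good as your list of dangerous commands.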

After the config file is saved, run the following command (-C selects the configuration file; -P parses the file and exits, which is a quick way to catch syntax errors before starting the daemon):

[root@centos]# tac_plus -P -C /etc/tac_plus.conf
[root@centos]# tac_plus -C /etc/tac_plus.conf

Note: feel free to comment if you have any doubts.