How to achieve AAA authentication through a TACACS+ server on the switch

T1600G-18TS , TL-SG2008P , TL-SG2210P , T2500G-10TS , SG2210MP , TL-SX3008F , TL-SL2428P , TL-SX3016F , S4500-8G , SG2218 , SG3428 , TL-SG3452P , TL-SG3428X , SL2428P , S4500-8GHP2F , T3700G-52TQ , S4500-16G2F , T2600G-18TS , TL-SG2210MP , SG3210 , SG3452 , TL-SG3210XHP-M2 , S5500-24GP4XF , T1600G-52PS , TL-SG2428P , T1600G-52TS , T3700G-28TQ , T1500G-8T , SG2428LP , Festa FS308GP , SX3008F , SG3428MP , SG3428X , T2600G-52TS , SG3452P , SX3016F , SG2428P , SG2008P , TL-SG3428 , TL-SG2218 , SG2210P , T1700X-16TS , S5500-8MHP2XF , TL-SG3428MP , TL-SG2008 , T1700G-28TQ , T1500-28PCT , T2600G-28SQ , TL-SG3210 , TL-SG3452 , Festa FS310GP , SG3428XMP , TL-SG3428XMP
Recent updates may have expanded access to feature(s) discussed in this FAQ. Visit your product's support page, select the correct hardware version for your device, and check either the Datasheet or the firmware section for the latest improvements added to your product. Please note that product availability varies by region, and certain models may not be available in your region.
TACACS+ protects the entire packet body (only the 12-byte header travels in clear), whereas RADIUS hides only the user password, and TACACS+ separates authentication from authorization, so the username and password can be verified independently. That makes it the better choice for scenarios requiring high security. Note that RFC 8907 describes the body protection as obfuscation (an MD5-derived keystream keyed by the shared key), not strong encryption, so the link between switch and server should still run over a trusted management network.
Note: At present, 802.1X authentication on the switch only supports a RADIUS server. The TACACS+ server configuration covers authentication and authorization only; the accounting function is not supported.
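To make the protection claim above concrete, here is an added example (my own code, not from the FAQ, TP-Link or the tac_plus project) that builds the TACACS+ authentication START a switch sends and the GETPASS reply a server returns, applying the body obfuscation of RFC 8907 section 4.5: the header stays in clear, and the body is XORed with an MD5 keystream derived from the session id, the shared key, the version and the sequence number. The key, session id, port and client address are constructed sample values.

```python
"""Added example, not code from the TP-Link FAQ or from tac_plus: builds and parses
TACACS+ (RFC 8907) authentication packets in memory to show what the shared key
protects. Key, session id, port and client address are constructed sample values."""
import hashlib
import struct

KEY = b"tplink2021"        # shared key used in the FAQ (sample value)
VERSION = 0xC0             # major version 0xC, minor version 0
TYPE_AUTHEN = 0x01
FLAG_UNENCRYPTED = 0x01    # when set the body is sent in clear (never do this)
STATUS_PASS, STATUS_FAIL, STATUS_GETPASS = 0x01, 0x02, 0x05
HEADER = struct.Struct("!BBBBII")   # version, type, seq_no, flags, session_id, length


def pseudo_pad(session_id: int, key: bytes, version: int, seq_no: int, length: int) -> bytes:
    """RFC 8907 section 4.5 keystream: MD5 chained over header fields plus the key."""
    prefix = struct.pack("!I", session_id) + key + bytes([version, seq_no])
    pad, block = b"", b""
    while len(pad) < length:
        block = hashlib.md5(prefix + block).digest()
        pad += block
    return pad[:length]


def obfuscate(body: bytes, session_id: int, key: bytes, version: int, seq_no: int) -> bytes:
    """XOR the body with the pseudo pad; the same call deobfuscates."""
    pad = pseudo_pad(session_id, key, version, seq_no, len(body))
    return bytes(b ^ p for b, p in zip(body, pad))


def build_packet(ptype: int, seq_no: int, session_id: int, body: bytes, key: bytes) -> bytes:
    header = HEADER.pack(VERSION, ptype, seq_no, 0x00, session_id, len(body))
    return header + obfuscate(body, session_id, key, VERSION, seq_no)


def parse_packet(packet: bytes, key: bytes) -> dict:
    version, ptype, seq_no, flags, session_id, length = HEADER.unpack(packet[:HEADER.size])
    body = packet[HEADER.size:HEADER.size + length]
    if len(body) != length:
        raise ValueError("truncated packet")
    if not flags & FLAG_UNENCRYPTED:
        body = obfuscate(body, session_id, key, version, seq_no)
    return {"type": ptype, "seq_no": seq_no, "session_id": session_id, "body": body}


def authen_start(user: str, priv_lvl: int, port: bytes = b"tty0", rem_addr: bytes = b"192.168.0.10") -> bytes:
    """Authentication START body: action LOGIN, authen_type ASCII, service LOGIN."""
    u = user.encode()
    fixed = struct.pack("!8B", 0x01, priv_lvl, 0x01, 0x01, len(u), len(port), len(rem_addr), 0)
    return fixed + u + port + rem_addr


def parse_authen_start(body: bytes) -> dict:
    action, priv_lvl, authen_type, service, ulen, plen, rlen, dlen = struct.unpack("!8B", body[:8])
    fields, off = [], 8
    for n in (ulen, plen, rlen, dlen):        # variable-length fields follow in this order
        fields.append(body[off:off + n])
        off += n
    user, port, rem_addr, data = fields
    return {"action": action, "priv_lvl": priv_lvl, "user": user.decode(),
            "port": port.decode(), "rem_addr": rem_addr.decode(), "data": data}


def authen_reply(status: int, server_msg: bytes = b"", data: bytes = b"") -> bytes:
    return struct.pack("!BBHH", status, 0, len(server_msg), len(data)) + server_msg + data


def parse_authen_reply(body: bytes) -> dict:
    status, flags, slen, dlen = struct.unpack("!BBHH", body[:6])
    return {"status": status, "server_msg": body[6:6 + slen].decode(),
            "data": body[6 + slen:6 + slen + dlen]}


def exchange(key: bytes = KEY, session_id: int = 0x1234ABCD) -> dict:
    """Switch sends START for 'manager' (client seq 1); server answers GETPASS (seq 2).
    Also returns what an observer without the key recovers from the START body."""
    start = build_packet(TYPE_AUTHEN, 1, session_id, authen_start("manager", 1), key)
    server_view = parse_authen_start(parse_packet(start, key)["body"])
    reply = build_packet(TYPE_AUTHEN, 2, session_id, authen_reply(STATUS_GETPASS, b"Password: "), key)
    client_view = parse_authen_reply(parse_packet(reply, key)["body"])
    sniffer_view = parse_packet(start, b"wrong-key")["body"]
    return {"start": start, "server_view": server_view, "client_view": client_view,
            "sniffer_view": sniffer_view}


if __name__ == "__main__":
    r = exchange()
    print("header in clear:", r["start"][:12].hex())
    print("server decoded user:", r["server_view"]["user"])
    print("reply status:", r["client_view"]["status"], r["client_view"]["server_msg"])
    print("user name visible without key:", b"manager" in r["sniffer_view"])
```

Running the block prints the clear header (type, sequence number and session id are visible to anyone on the path) and shows that the user name is not recoverable without the key. Because the keystream is keyed only by the shared secret, anyone who holds the key decodes everything, so treat the key as a credential and keep the switch-to-server path on a management VLAN.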
Part 1. Build a simple TACACS + server on a Linux system
Step 1. TACACS+ installation
The TACACS+ server package (tac_plus) is available in the Ubuntu repositories; install it as root with the following command:
apt-get install tacacs+
Step 2. TACACS+ configuration
Once it is installed, configure the TACACS+ server for our needs. On a default installation the configuration file is /etc/tacacs+/tac_plus.conf. Open it with your favorite editor and make the changes below.
vi /etc/tacacs+/tac_plus.conf
# Shared key; the switch must be configured with exactly the same value.
# tplink2021 is only the example used in this FAQ; use a long random key in production.
key = tplink2021
# Authenticate users against the local Linux account database by default
default authentication = file /etc/passwd
# Define the groups that users are added to below. In this example three groups are
# defined with their respective privileges: test1 has administrator privilege, test2 and
# test3 have user privilege, but test3 can obtain administrator privilege by entering an
# additional enable password. That password is stored as a crypt hash generated with the
# tac_pwd command (tac_plus requires the des keyword in front of such a hash).
group = test1 {
default service = permit
service = exec {
priv-lvl = 15
}
}
group = test2 {
default service = deny
service = exec {
priv-lvl = 1
}
}
group = test3 {
default service = permit
login = file /etc/passwd
enable = des Gbptgx46GpgrA
service = exec {
priv-lvl = 2
}
}
# Define the users and assign them to the groups above
user = manager {
member = test1
}
user = user1 {
member = test2
}
user = user2 {
member = test3
}
Priv-lvl ranges from 1 to 15 and maps to four management roles on the switch:
1~4: User. Can only view settings; cannot edit or modify them, and L3 features are not visible.
5~9: Super user. Can view, edit and modify some functions, such as VLAN, HTTPS config and Ping.
10~14: Operator. In addition to the super user functions, can configure LAG, MAC address, access control, SSH config and other functions.
15: Administrator. Can view, edit and modify all functions.
# Save and exit tac_plus.conf, then create the corresponding users on the Linux system. adduser prompts for each user's password; that is the password verified at login.
adduser manager
adduser user1
adduser user2
Step 3. Start TACACS+
# Start the daemon; a successful start leaves it listening on TCP port 49
/etc/init.d/tacacs_plus start
Note: Restart the TACACS+ server after every modification of the configuration file; otherwise the changes do not take effect.
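As an added example (my own code, not from the FAQ or from the tac_plus project), the following parses a tac_plus.conf with the structure used in Step 2, resolves what each user ends up with on the switch, and flags the mistakes that most often break this setup: a short shared key, a password statement without its type keyword (tac_plus wants enable = des <hash>, and file/etc/passwd written without the space is a single word to the parser), and a user with no reachable priv-lvl. SAMPLE_CONF is constructed from the FAQ's configuration; the role mapping is the one listed in Step 2.

```python
"""Added example, not code from the TP-Link FAQ or from tac_plus: parses the
tac_plus.conf structure shown above, resolves each user's effective exec priv-lvl
through group membership, maps it to the four switch roles listed in the FAQ and
flags common mistakes. SAMPLE_CONF is a constructed copy of the FAQ's configuration."""
import re
from collections import namedtuple

SAMPLE_CONF = """
key = tplink2021
default authentication = file /etc/passwd
group = test1 { default service = permit
                service = exec { priv-lvl = 15 } }
group = test2 { default service = deny
                service = exec { priv-lvl = 1 } }
group = test3 { default service = permit
                login = file /etc/passwd
                enable = des Gbptgx46GpgrA
                service = exec { priv-lvl = 2 } }
user = manager { member = test1 }
user = user1 { member = test2 }
user = user2 { member = test3 }
"""
# tokens: comment, newline, brace, '=', quoted string, bare word (blanks are skipped)
TOKEN_RE = re.compile(r'#[^\n]*|\n|[{}=]|"[^"]*"|[^\s{}="]+')
PW_TYPES = {"cleartext", "des", "file", "nopassword", "skey", "pam"}
# name: words left of '=' ("default service"); values: words right of it (["file", "/etc/passwd"])
Stmt = namedtuple("Stmt", "name values children")

def parse_block(tokens, i=0):
    """Statements end at a newline or brace; 'name = value {' opens a nested block."""
    stmts = []
    while i < len(tokens):
        if tokens[i] == "\n":
            i += 1
            continue
        if tokens[i] == "}":
            return stmts, i + 1
        lhs, rhs, seen_eq = [], [], False
        while i < len(tokens) and tokens[i] not in ("\n", "{", "}"):
            if tokens[i] == "=":
                seen_eq = True
            else:
                (rhs if seen_eq else lhs).append(tokens[i].strip('"'))
            i += 1
        children = []
        if i < len(tokens) and tokens[i] == "{":
            children, i = parse_block(tokens, i + 1)
        stmts.append(Stmt(" ".join(lhs), rhs, children))
    return stmts, i

def parse_config(text):
    tokens = [t for t in TOKEN_RE.findall(text) if not t.startswith("#")]
    cfg = {"key": None, "groups": {}, "users": {}}
    for s in parse_block(tokens)[0]:
        if s.name == "key":
            cfg["key"] = s.values[0] if s.values else ""
        elif s.name in ("group", "user") and s.values:
            cfg[s.name + "s"][s.values[0]] = s.children
    return cfg

def exec_priv_lvl(stmts):
    """priv-lvl from 'service = exec { priv-lvl = N }', or None if not set at this level."""
    for s in stmts:
        if s.name == "service" and s.values[:1] == ["exec"]:
            for c in s.children:
                if c.name == "priv-lvl" and c.values:
                    return int(c.values[0])
    return None

def switch_role(lvl):
    """Role mapping stated in the FAQ; level 0 is not covered there and is reported as User."""
    if lvl is None:
        return "unspecified (switch default)"
    return "Administrator" if lvl == 15 else "Operator" if lvl >= 10 else "Super user" if lvl >= 5 else "User"

def effective_access(cfg, username):
    """Walk user -> member group -> its member group; the first priv-lvl found wins and an
    enable password anywhere in the chain allows escalation to administrator."""
    stmts, lvl, enable, seen = cfg["users"][username], None, False, set()
    while stmts is not None:
        lvl = exec_priv_lvl(stmts) if lvl is None else lvl
        enable = enable or any(s.name == "enable" for s in stmts)
        member = next((s.values[0] for s in stmts if s.name == "member" and s.values), None)
        if member is None or member in seen:
            break
        seen.add(member)
        stmts = cfg["groups"].get(member)
    return {"priv_lvl": lvl, "role": switch_role(lvl), "enable_to_admin": enable}

def audit(cfg):
    """Findings a reviewer would raise before pointing a switch at this server."""
    findings = []
    if not cfg["key"] or len(cfg["key"]) < 16:
        findings.append("shared key is missing or shorter than 16 characters")
    for kind in ("groups", "users"):
        for name, stmts in cfg[kind].items():
            for s in stmts:
                if s.name in ("login", "enable", "pap", "chap") and (not s.values or s.values[0] not in PW_TYPES):
                    findings.append(f"{kind[:-1]} {name}: '{s.name} = {' '.join(s.values)}' needs a type keyword such as des or file")
    for name in cfg["users"]:
        if effective_access(cfg, name)["priv_lvl"] is None:
            findings.append(f"user {name}: no exec priv-lvl reachable; the switch applies its default role")
    return findings
```

With cfg = parse_config(SAMPLE_CONF), effective_access(cfg, "user2") reports priv-lvl 2, role User and enable_to_admin True, which is exactly the combination Case 3 relies on, and audit(cfg) flags the 10-character example key. On the real server, tac_plus -P -C /etc/tacacs+/tac_plus.conf parses the file and exits (see tac_plus(8)), which is the quickest syntax check before restarting the daemon.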
Part 2. Configurations on the switch
Take the topology in the following figure as an example: logins to the switch's management interface must be authenticated by the TACACS+ server to secure the network.
Step 1. Choose the menu SECURITY > AAA > TACACS+ Config and click Add to load the following page. Configure the Server IP as 192.168.0.100, the Shared Key as tplink2021 (the key set in tac_plus.conf) and the Server Port as 49.
Step 2. Choose the menu SECURITY > AAA > Method Config and click the add button in the Authentication Login Method Config section. Specify the Method List Name as default and select Pri1 as tacacs.
Step 3. On the same page, click the add button in the Authentication Enable Method Config section. Specify the Method List Name as default, select Pri1 as tacacs and click Create to set the method list for Enable password authentication.
Case 1. All switch management login methods must be authenticated by the TACACS+ server
Choose the menu SECURITY > AAA > Global Config to load the following page. In the AAA Application Config section, set the Login Method and Enable Method of all Modules to default.
The switch configuration is now complete: neither HTTP nor Telnet clients can log in to the management interface with the default local admin account, and only accounts known to the TACACS+ server are accepted. Verify a TACACS+ login from a second session before closing the one you are working in, because a mismatched shared key or an unreachable server can otherwise lock you out of every module.
Case 2. All switch management login methods except Telnet must be authenticated by the TACACS+ server
Choose the menu SECURITY > AAA > Method Config and click the add button in both the Authentication Login Method Config section and the Authentication Enable Method Config section. Specify the Method List Name as telnet and select Pri1 as local in both sections.
Choose the menu SECURITY > AAA > Global Config to load the following page. In the AAA Application Config section, set the Login Method and Enable Method of the telnet Module to telnet.
You can now log in to the switch over Telnet with the default admin account, while the other modules still go through the TACACS+ server. Keep in mind that Telnet carries these credentials in clear text, so limit this exception to a trusted management network.
Case 3. Elevating from user privileges to administrator privileges. When logged in with user privileges, an additional administrator (enable) password can be set on the TACACS+ server, as in the enable entry of group test3 above; enter that password in the interface below to upgrade from user privileges to administrator privileges.