NVIDIA NVOS User Manual for InfiniBand Switches v25.02.6007

TACACS

NVOS implements a TACACS+ client for AAA transparently and with minimal configuration. The client implements the TACACS+ protocol as described in the IETF TACACS+ specification. There is no need to create accounts or directories on the switch. Accounting records go to all configured TACACS+ servers by default.

TACACS+ in NVOS:

  • Authenticates through PAM, which covers login, ssh, sudo and su.

  • Allows users with privilege level 15 to run any command with sudo.

  • Allows users with privilege level 15 to run the NVUE nv set, nv unset and nv apply commands in addition to nv show commands. TACACS+ users with privilege level 7 can only run nv show commands. Users with any other privilege level have no NVUE permissions.

  • Runs over the eth0 management interface.

  • Supports up to eight TACACS+ servers. Be sure to configure your TACACS+ servers in addition to the TACACS+ client; refer to your TACACS+ server documentation.

TACACS configuration consists of global configuration and per-server configuration. In general, if a per-server setting is not defined, its value is taken from the global configuration.

All nv tacacs commands are listed in TACACS Commands; global settings are directly under /system/aaa/tacacs and per-server settings are under /system/aaa/tacacs/hostname/<hostname-id>.

NVOS supports three types of TACACS+ users, defined by the priv-lvl configured on the TACACS+ server:

  • priv-lvl=15 # admin privileged users (nv set, nv config apply)

  • priv-lvl=7 # monitor privileged users (nv show)

  • priv-lvl=1 # non-privileged users (no nv command access)

TACACS Server Setup and Usage Example

A TACACS server can be configured either on a remote host or on the switch itself (for testing or a sanity check).

Basic configuration for users and clients can be done in the /etc/tacplus_nss.conf file.

Users Configuration

    user = username {
        login = cleartext "login_password"
        pap = cleartext "pap_password"
        service = exec {
            priv-lvl=<15,7,1>
        }
    }

Client Configuration

Client configuration allows specific client IPs and CIDR blocks.

    key = "client-secret"

and:

    acl = default {
        #permit = 192\.168\.0\.
        permit = 10\.7\.140\.30
        permit = .*
    }
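As an added illustration (example code, not part of the NVOS documentation or of any TACACS+ server), the following Python parses a constructed user and ACL stanza written in the syntax shown above, evaluates the ACL against a client address, and applies the page's priv-lvl rules (15: nv set, nv unset, nv apply, nv show and sudo; 7: nv show only; anything else: nothing) to a command line. The user names, passwords and addresses are constructed, and the ACL matching model (each permit entry is a regular expression matched from the start of the address) is an assumption of the example; check it against your server's own documentation.

```python
import re
from typing import Dict, List

# Constructed sample in the tac_plus-style syntax shown above; not a real
# deployment file. A raw string keeps the escaped dots literal, as on the page.
SAMPLE_CONF = r"""
user = alice {
    login = cleartext "login_password"
    pap = cleartext "pap_password"
    service = exec {
        priv-lvl=15
    }
}
user = bob {
    login = cleartext "monitor_password"
    service = exec {
        priv-lvl=7
    }
}
user = carol {
    login = cleartext "user_password"
    service = exec {
        priv-lvl=1
    }
}
acl = default {
    #permit = 192\.168\.0\.
    permit = 10\.7\.140\.30
    permit = .*
}
"""

# A top-level "user|acl = name { ... }" block, closed by a "}" at column 0.
_BLOCK = re.compile(r"^(user|acl)\s*=\s*(\S+)\s*\{(.*?)^\}", re.S | re.M)


def parse_users(conf: str) -> Dict[str, int]:
    """Return {username: priv-lvl} for every user stanza in conf."""
    users = {}
    for kind, name, body in _BLOCK.findall(conf):
        if kind != "user":
            continue
        m = re.search(r"priv-lvl\s*=\s*(\d+)", body)
        # A user with no priv-lvl is treated as level 0: no NVUE access.
        users[name] = int(m.group(1)) if m else 0
    return users


def parse_acl(conf: str, acl_name: str = "default") -> List[str]:
    """Return the active (uncommented) permit patterns of one ACL, in order."""
    for kind, name, body in _BLOCK.findall(conf):
        if kind == "acl" and name == acl_name:
            permits = []
            for line in body.splitlines():
                line = line.strip()
                if not line or line.startswith("#"):
                    continue  # commented-out entries are inactive
                m = re.match(r"permit\s*=\s*(.+)", line)
                if m:
                    permits.append(m.group(1).strip())
            return permits
    return []


def acl_permits(permits: List[str], client_ip: str) -> bool:
    """Model of ACL evaluation: permitted if any pattern matches the address.

    Assumption of this example: patterns are regular expressions matched from
    the start of the address (Python re.match); that is why the page escapes
    the dots in its patterns.
    """
    return any(re.match(p, client_ip) for p in permits)


def acl_is_wide_open(permits: List[str]) -> bool:
    """True when a catch-all pattern makes every other permit redundant."""
    return any(p in (".*", "^.*$") for p in permits)


# NVUE verbs each privilege level may run, following the page's priv-lvl rules.
_PERMISSIONS = {
    15: {"show", "set", "unset", "apply", "sudo"},
    7: {"show"},
}


def is_command_allowed(priv_lvl: int, command: str) -> bool:
    """Decide whether a TACACS+ user of priv_lvl may run a switch command."""
    allowed = _PERMISSIONS.get(priv_lvl, set())
    tokens = command.split()
    if not tokens:
        return False
    if tokens[0] == "sudo":
        return "sudo" in allowed
    if tokens[0] == "nv" and len(tokens) > 1:
        # "nv config apply" carries its verb in the third token.
        verb = tokens[2] if tokens[1] == "config" and len(tokens) > 2 else tokens[1]
        return verb in allowed
    return False
```

Note that the sample ACL ends with permit = .*, which makes the specific 10.7.140.30 entry redundant and admits any client that holds the key; acl_is_wide_open flags that so a configuration review catches it before the server goes live.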

After configuring the TACACS+ server, configure the client:

    admin@nvos:~$ nv set system aaa tacacs hostname <tacacs-server-ip> secret tacacs-secret
    admin@nvos:~$ nv set system aaa authentication order tacacs,local
    admin@nvos:~$ nv config apply -y


TACACS Accounting Configuration

TACACS accounting logs user activity and commands executed on the system, providing an audit trail for security and compliance. It ensures accountability by sending these logs to configured TACACS+ servers. The logs will be sent to the first server to respond.

TACACS accounting is managed under the /etc/tacplus_nss.conf file.

After configuring a TACACS server and client, enable accounting with the command nv set system aaa tacacs accounting state enabled.

Configure the following required settings on the switch (the TACACS+ client).

  • Set the IP address or hostname of at least one TACACS+ server.

  • Set the secret (key) shared between the TACACS+ server and client.

If you use NVUE commands to configure TACACS+, you must also set the priority for the authentication order for local and TACACS+ users.

NVUE commands require you to specify the priority for each TACACS+ server. You must set a priority even if you only specify one server.

The following example commands set:

  • The TACACS+ server priority to 5.

  • The IP address of the server to 192.168.0.30.

  • The secret to abcdefghijklmnopqrstuvwxyz. If you include special characters in the password (such as $), you must enclose the password in single quotes (').

  • The authentication order so that TACACS+ authentication has priority over local (the lower number has priority).

    admin@nvos:~$ nv set system aaa tacacs server 192.168.0.30 priority 5
    admin@nvos:~$ nv set system aaa tacacs server 192.168.0.30 secret abcdefghijklmnopqrstuvwxyz
    admin@nvos:~$ nv set system aaa authentication order tacacs,local
    admin@nvos:~$ nv config apply

If you want the server to use IPv6, you must add the nv set system aaa tacacs server <server-id> prefer-ip-version 6 command:

    admin@nvos:~$ nv set system aaa tacacs server SERVER1 priority 5
    admin@nvos:~$ nv set system aaa tacacs server SERVER1 prefer-ip-version 6
    ...

If you configure more than one TACACS+ server, you need to set the priority for each server. If the switch cannot establish a connection with the server that has the highest priority, it tries to establish a connection with the server with the next highest priority. The server with the lower number has the higher priority. In the example below, server 192.168.0.30 with a priority value of 5 has a higher priority than server 192.168.1.30, which has a priority value of 8. NVOS allows you to configure up to eight servers, each with a unique priority from 1 to 8.

    admin@nvos:~$ nv set system aaa tacacs server 192.168.0.30 priority 5
    admin@nvos:~$ nv set system aaa tacacs server 192.168.0.30 secret abcdefghijklmnopqrstuvwxyz
    admin@nvos:~$ nv set system aaa tacacs server 192.168.1.30 priority 8
    admin@nvos:~$ nv set system aaa tacacs server 192.168.1.30 secret zyxwvutsrqponmlkjihgfedcba
    admin@nvos:~$ nv config apply
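The following Python, an added example rather than NVOS code, models the priority rules described above: a pre-apply check that enforces the page's constraints (at most eight servers, a priority set for every server and unique within 1 to 8, a shared secret on each), the resulting failover order (lowest number first), and the worst-case delay a login can see when every server times out before the local fallback is reached. The TacacsServer class, its field names and the 10.0.0.x addresses used in the checks are constructed for the example.

```python
from dataclasses import dataclass
from typing import Iterable, List, Optional, Set

MAX_SERVERS = 8          # the page's limit on configured servers
DEFAULT_PORT = 49        # the page's default TACACS+ port
DEFAULT_TIMEOUT = 5      # the page's default per-server timeout, in seconds


@dataclass(frozen=True)
class TacacsServer:
    """Constructed model of one 'nv set system aaa tacacs server <id> ...' entry."""
    address: str
    priority: Optional[int]          # required by NVUE, even for a single server
    secret: Optional[str] = None
    port: int = DEFAULT_PORT


def validate_servers(servers: Iterable[TacacsServer]) -> List[str]:
    """Return the configuration problems a pre-apply check should catch."""
    servers = list(servers)
    problems: List[str] = []
    if len(servers) > MAX_SERVERS:
        problems.append(f"{len(servers)} servers configured, maximum is {MAX_SERVERS}")
    seen: Set[int] = set()
    for s in servers:
        if s.priority is None or not 1 <= s.priority <= MAX_SERVERS:
            problems.append(f"{s.address}: priority must be set and within 1..{MAX_SERVERS}")
        elif s.priority in seen:
            problems.append(f"{s.address}: duplicate priority {s.priority}")
        else:
            seen.add(s.priority)
        if not s.secret:
            problems.append(f"{s.address}: shared secret is not set")
    return problems


def failover_order(servers: Iterable[TacacsServer]) -> List[TacacsServer]:
    """Servers in the order the client tries them: lowest priority number first."""
    # Entries without a priority (already rejected by validate_servers) sort last.
    return sorted(servers, key=lambda s: (s.priority is None, s.priority or 0))


def select_server(servers: Iterable[TacacsServer], reachable: Set[str]) -> Optional[TacacsServer]:
    """Model of failover: the first server in priority order that answers."""
    for s in failover_order(servers):
        if s.address in reachable:
            return s
    return None


def worst_case_wait(servers: Iterable[TacacsServer], timeout: int = DEFAULT_TIMEOUT) -> int:
    """Seconds a login can stall if every server times out before the local fallback."""
    return timeout * len(list(servers))
```

The worst-case figure is the operational reason to keep the timeout short when several servers are configured: with the default of 5 seconds and eight servers, a switch whose TACACS+ servers are all unreachable makes a local administrator wait 40 seconds per login attempt.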

You can configure the following optional TACACS+ settings:

  • The port to use for communication between the TACACS+ server and client. By default, NVOS uses IP port 49.

  • The TACACS timeout value, which is the number of seconds to wait for a response from the TACACS+ server before trying the next TACACS+ server. You can specify a value between 0 and 60. The default is 5 seconds.

  • The TACACS+ authentication type. You can specify PAP to send clear text between the user and the server, CHAP to establish a PPP connection between the user and the server, or login. The default is PAP.

The following example commands set the timeout to 10 seconds and the TACACS+ server port to 32:

    admin@nvos:~$ nv set system aaa tacacs timeout 10
    admin@nvos:~$ nv set system aaa tacacs server SERVER1 port 32
    admin@nvos:~$ nv config apply

The following example command sets the global authentication type to CHAP:

    admin@nvos:~$ nv set system aaa tacacs authentication mode chap
    admin@nvos:~$ nv config apply

By default, TACACS+ performs authorization locally to ensure optimal performance.

However, you can configure TACACS+ to perform authorization for every new connection with the nv set system aaa authorization mode command.

Show TACACS+ Configuration

Run the following commands to show TACACS+ configuration:

  • To show all TACACS+ configuration (NVUE hides server secret keys), run the nv show system aaa tacacs command.

  • To show TACACS+ authentication configuration, run the nv show system aaa tacacs authentication command.

  • To show TACACS+ accounting configuration, run the nv show system aaa tacacs accounting command.

  • To show TACACS+ server configuration, run the nv show system aaa tacacs server command.

  • To show TACACS+ server priority configuration, run the nv show system aaa tacacs server <priority-id> command.

  • To show the list of users excluded from TACACS+ server authentication, run the nv show system aaa tacacs exclude-user command.

The following example command shows all TACACS+ configuration:

    admin@nvos:~$ nv show system aaa tacacs
                        applied
    ------------------  -------
    timeout             5
    accounting
      state             enabled
    authentication
      mode              pap
    [server]            5
    [server]            8

Incorrect Shared Key

The TACACS client on the switch and the TACACS server must have the same shared secret key. If this key is incorrect, the following message prints to syslog:

    2017-09-05T19:57:00.356520+00:00 leaf01 sshd[3176]: nss_tacplus: TACACS+ server 192.168.0.254:49 read failed with protocol error (incorrect shared secret?) user admin
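As an added example (not part of the NVOS documentation), the Python below scans syslog lines for the nss_tacplus shared-secret error shown above, extracts the server, port, user and originating process from each hit, and flags servers whose mismatch count reaches a threshold, which is the signal a monitoring rule would alert on after a key rotation goes wrong on one side. The sample log is constructed around the page's message; the surrounding sshd, sudo and systemd lines, the second server and the user bob are invented for the illustration.

```python
import re
from collections import Counter
from typing import Dict, Iterable, List

# syslog line shape as on the page: ISO timestamp, host, process[pid]: message
_SECRET_ERR = re.compile(
    r"^(?P<ts>\S+)\s+(?P<host>\S+)\s+(?P<proc>[^\s\[]+)\[(?P<pid>\d+)\]:\s+"
    r"nss_tacplus: TACACS\+ server (?P<server>\S+):(?P<port>\d+) read failed "
    r"with protocol error \(incorrect shared secret\?\) user (?P<user>\S+)$"
)

# Constructed sample: the page's message plus lines a syslog would carry around it.
SAMPLE_SYSLOG = """\
2017-09-05T19:56:58.101000+00:00 leaf01 sshd[3176]: Accepted publickey for admin from 10.7.140.30 port 51234 ssh2
2017-09-05T19:57:00.356520+00:00 leaf01 sshd[3176]: nss_tacplus: TACACS+ server 192.168.0.254:49 read failed with protocol error (incorrect shared secret?) user admin
2017-09-05T19:57:05.120000+00:00 leaf01 sudo[3201]: nss_tacplus: TACACS+ server 192.168.0.254:49 read failed with protocol error (incorrect shared secret?) user admin
2017-09-05T19:57:09.000000+00:00 leaf01 sshd[3199]: nss_tacplus: TACACS+ server 192.168.1.30:49 read failed with protocol error (incorrect shared secret?) user bob
2017-09-05T19:58:00.000000+00:00 leaf01 systemd[1]: Started Session 12 of user admin.
"""


def find_shared_secret_failures(lines: Iterable[str]) -> List[Dict[str, str]]:
    """Extract timestamp, server, port, user and process from each matching line."""
    events = []
    for line in lines:
        m = _SECRET_ERR.match(line.rstrip("\n"))
        if m:
            events.append(m.groupdict())
    return events


def failures_per_server(events: Iterable[Dict[str, str]]) -> Dict[str, int]:
    """Count mismatches per server:port so the misconfigured side stands out."""
    return dict(Counter(f"{e['server']}:{e['port']}" for e in events))


def servers_to_alert(events: Iterable[Dict[str, str]], threshold: int = 2) -> List[str]:
    """Servers whose mismatch count reaches the threshold, sorted for stable output."""
    counts = failures_per_server(list(events))
    return sorted(s for s, n in counts.items() if n >= threshold)
```

Because the message names the server and port, grouping by server separates a single mistyped secret on one server from a switch-side key that is wrong everywhere: the first shows up as one server at the threshold, the second as every configured server at once.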


Debug Issues with Accounting Records

If you add or delete TACACS+ servers from the configuration files, make sure you notify the audisp plugin with this command:

    admin@nvos:~$ sudo killall -HUP audisp-tacplus

If accounting records are not sent, add debug=1 to the /etc/audisp/audisp-tac_plus.conf file, then run the command above to notify the plugin. Ask the TACACS+ user to run a command and examine the end of /var/log/syslog for messages from the plugin. You can also check the audit log file /var/log/audit/audit.log to make sure the audit records exist. If the audit records do not exist, restart the audit daemon with:

    admin@nvos:~$ sudo systemctl restart auditd.service


TACACS+ Client Configuration Files

The following table describes the TACACS+ client configuration files that NVOS uses.

Filename: /etc/nsswitch.conf
Description: When the libnss_tacplus package installs, this file configures tacplus lookups through libnss_tacplus. If you replace this file by automation, you need to add tacplus as the first lookup method for the passwd database line.

Filename: /etc/tacplus_nss.conf
Description: Sets the basic parameters for libnss_tacplus. The file includes a debug variable for debugging NSS lookups separately from other client packages.

Filename: /usr/share/pam-configs/tacplus
Description: The configuration file for pam-auth-update to generate the files in the next row. The file uses these configurations at login, by su, and by ssh.

Filename: /etc/pam.d/common-*
Description: The /etc/pam.d/common-* files are updated for tacplus authentication. The files are updated by pam-auth-update when you install or remove libpam-tacplus.

Filename: /etc/audit/audit.rules
Description: The audit rules file that is generated when you install auditd.


© Copyright 2025, NVIDIA. Last updated on Nov 16, 2025