
TACACS+

TACACS+ Authentication, PacketShaper 11.10

Legal Notice

Copyright © 2019 Symantec Corp. All rights reserved. Symantec, the Symantec Logo, the Checkmark Logo, Blue Coat, and the Blue Coat logo are trademarks or registered trademarks of Symantec Corp. or its affiliates in the U.S. and other countries. Other names may be trademarks of their respective owners. This document is provided for informational purposes only and is not intended as advertising. All warranties relating to the information in this document, either express or implied, are disclaimed to the maximum extent allowed by law. The information in this document is subject to change without notice.

THE DOCUMENTATION IS PROVIDED "AS IS" AND ALL EXPRESS OR IMPLIED CONDITIONS, REPRESENTATIONS AND WARRANTIES, INCLUDING ANY IMPLIED WARRANTY OF MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE OR NON-INFRINGEMENT, ARE DISCLAIMED, EXCEPT TO THE EXTENT THAT SUCH DISCLAIMERS ARE HELD TO BE LEGALLY INVALID. SYMANTEC CORPORATION SHALL NOT BE LIABLE FOR INCIDENTAL OR CONSEQUENTIAL DAMAGES IN CONNECTION WITH THE FURNISHING, PERFORMANCE, OR USE OF THIS DOCUMENTATION. THE INFORMATION CONTAINED IN THIS DOCUMENTATION IS SUBJECT TO CHANGE WITHOUT NOTICE. SYMANTEC CORPORATION PRODUCTS, TECHNICAL SERVICES, AND ANY OTHER TECHNICAL DATA REFERENCED IN THIS DOCUMENT ARE SUBJECT TO U.S. EXPORT CONTROL AND SANCTIONS LAWS, REGULATIONS AND REQUIREMENTS, AND MAY BE SUBJECT TO EXPORT OR IMPORT REGULATIONS IN OTHER COUNTRIES. YOU AGREE TO COMPLY STRICTLY WITH THESE LAWS, REGULATIONS AND REQUIREMENTS, AND ACKNOWLEDGE THAT YOU HAVE THE RESPONSIBILITY TO OBTAIN ANY LICENSES, PERMITS OR OTHER APPROVALS THAT MAY BE REQUIRED IN ORDER TO EXPORT, RE-EXPORT, TRANSFER IN COUNTRY OR IMPORT AFTER DELIVERY TO YOU.

Symantec Corporation 350 Ellis Street Mountain View, CA 94043 www.symantec.com

Friday, June 14, 2019

2 TACACS+ Authentication PacketShaper 11.10

Contents

Configure TACACS+
    Configure Linux TACACS+ Servers using the Cisco TACACS+ Daemon
    Configure TACACS+ Authentication Service
    Configure TACACS+ Accounting Service
Log In and Out with TACACS+
    Logging In with TACACS+
    Logging Out


Configure TACACS+

Terminal Access Controller Access-Control System Plus (TACACS+) is a protocol that provides access control via one or more centralized servers. TACACS+ provides separate authentication, authorization and accounting services.

Steps:

1. First, configure the TACACS+ server with PacketShaper-specific attributes.

2. Configure the TACACS+ authentication service in PacketShaper.

3. Configure the TACACS+ accounting service in PacketShaper to have an audit trail of user logins.

4. Log into PacketShaper using TACACS+.

Configure Linux TACACS+ Servers using the Cisco TACACS+ Daemon

The PacketShaper TACACS+ client has been tested with the Cisco TACACS+ Daemon. This section includes instructions on configuring a Linux TACACS+ server with PacketShaper-specific information. These steps should be performed before you configure the TACACS+ authentication and TACACS+ accounting services via the PacketShaper browser or command-line interfaces. For more information on the general setup and configuration of your TACACS+ server, refer to the documentation included with the product.

Note: This procedure is recommended only for users with previous Linux experience.

Configure the TACACS+ Server

1. Install the TACACS+ server from your Linux distribution. In Ubuntu: apt-get install tacacs+

2. To configure the TACACS+ server, update the TACACS+ user configuration file tac_plus.conf with information for each TACACS+ user. The example configuration text below shows how to define TACACS+ users with look or touch access and a clear text password, and a touch access user with an encrypted password. Prefer the encrypted form for production accounts: a cleartext entry leaves the password readable to anyone who can read tac_plus.conf.

Note: For additional details, refer to the users_guide file included with the Cisco TACACS+ files.

    # set the secret key (must be identical to the Shared Secret entered in PacketShaper)
    key = "<secret>"

    # where the accounting records should go
    accounting file = /var/log/tac_plus.acct

    # user accounts
    # In the Cisco tac_plus daemon, exit status 2 from a "before authorization" script
    # permits the authorization and replaces the reply attributes with the script's
    # output, so PacketShaper receives access=touch or access=look for the user.
    user = <username> {
        login = cleartext "<password>"
        before authorization "echo \"access=touch\"; exit 2"
        name = "<username> touch login"
    }

    user = <username> {
        login = cleartext "<password>"
        before authorization "echo \"access=look\"; exit 2"
        name = "<username> look login"
    }

    user = <username> {
        login = des "<encrypted password>"
        before authorization "echo \"access=touch\"; exit 2"
        name = "<username> touch login"
    }

Variable                Description

<secret>                The TACACS+ secret key; it must match the Shared Secret configured on PacketShaper

<username>              User name of the TACACS+ user

<password>              Clear text password for a TACACS+ user

<encrypted password>    DES-encrypted (crypt-style) password for a TACACS+ user, for example as generated with the tac_pwd utility shipped with the daemon

Start the TACACS+ Server

Once your user and password settings have been configured, issue the command to start the TACACS+ server. For example:

/etc/init.d/tacacs_plus start

Configure TACACS+ Authentication Service

TACACS+ authentication is an optional method for users to log into the PacketShaper browser interface and command-line interface. Using third-party TACACS+ servers enables you to have central configuration of user accounts.

In addition to configuring PacketShaper as described below, you need to do some configuration at the TACACS+ server so that it will work with PacketShaper. (See "Configure Linux TACACS+ Servers using the Cisco TACACS+ Daemon" above for an example.)

Note that the server you configure for TACACS+ authentication will also be used for authorization: the access level a user gets (look or touch) is whatever the server returns in the access attribute of its authorization reply, so a user with no access attribute configured on the server has no defined level on PacketShaper.


To configure PacketShaper to work with a TACACS+ authentication server:

1. Click the Setup tab.

2. From the Choose Setup Page list, choose TACACS+ Client. The TACACS+ Client Settings screen appears.

3. In the Authentication field, select on.

4. Select an Authentication method:

n ASCII (American Standard Code for Information Interchange): With ASCII, the user name and password travel in clear text inside the TACACS+ packet body. The protocol protects that body only by XORing it with an MD5 keystream derived from the shared secret (RFC 8907 describes this as obfuscation, not encryption), so anyone who holds the secret can read the password from a capture. This is the default authentication method.

n PAP (Password Authentication Protocol): With PAP, the user name and password are likewise sent in clear text inside the obfuscated body. If you select the PAP authentication method, Symantec recommends that you log into the PacketShaper browser interface via HTTPS so the password is also protected on the browser-to-PacketShaper leg. ASCII or PAP authentication is required for TACACS+ configurations that need the clear text password (for example, when passwords are stored and maintained in a database external to the TACACS+ server).

n CHAP (Challenge Handshake Authentication Protocol): In other environments, CHAP may be preferred for greater security. The exchange uses a challenge consisting of an ID and an arbitrary challenge string; what reaches the TACACS+ server is the user name, the challenge and an MD5 response computed from the ID, the password and the challenge, so the password itself is never placed in the packet. The server must still hold the clear text password to recompute the response.

n MS-CHAP (Microsoft Challenge Handshake Authentication Protocol): This protocol is similar to CHAP, but the TACACS+ server can validate the challenge response from a stored password hash rather than from the clear text password that standard CHAP requires it to hold. If you select the MS-CHAP authentication method, Symantec recommends that you log into the PacketShaper browser interface via HTTPS. Whichever method you choose, the browser submits the password to PacketShaper before PacketShaper builds the TACACS+ exchange, so HTTPS matters for all four.

Note: MS-CHAP v1 and v2 are supported. PacketShaper attempts authentication with MS-CHAP v2 first. If the remote server doesn't support v2 or if authentication is denied, PacketShaper re-attempts authentication with MS-CHAP v1, so a mistyped password produces two failed attempts on the server, one per version. When you change the TACACS+ authentication method for a PolicyCenter sharable configuration via the PolicyCenter browser interface, TACACS+ authentication returns to the default "off" setting for that configuration. If you change the authentication method via the PolicyCenter browser interface, be sure to also re-enable the TACACS+ authentication feature before you apply the changes.

Limitation: PacketShaper SSH and serial console connections do not support the PAP, MS-CHAP, and CHAP authentication methods with TACACS+. Regardless of which method the PacketShaper is configured to use for TACACS+ authentication, ASCII will be used when logging in to the CLI with SSH or serial console. Note that this limitation does not apply when logging in to the web UI: the configured method will be used during authentication.

5. In the Primary Authentication Host field, enter the IP address or DNS name of the TACACS+ server.

6. Optional: To access the TACACS+ server with a specific port, enter a number in the Port field.

If the field is left blank, the default port (49) will be used.

7. In the Shared Secret field, enter the designated secret.

8. Optional: Specify a Secondary Authentication Host to use in case the primary TACACS+ server is not accessible or failed to authenticate. Be sure to specify its Shared Secret as well.

9. If necessary, adjust the Timeout interval.

By default, PacketShaper waits 10 seconds for a response from the TACACS+ server before the login fails. You can select a value between 1 and 60 seconds.

10. Click apply changes.

After you have configured a TACACS+ authentication server, users will be prompted for a user name and password when logging into PacketShaper. For more information, see Log In and Out with TACACS+.

Note: Starting in PS 11.10.3, if the TACACS+ primary server has an authentication failure, PacketShaper attempts to log onto a configured secondary server; in earlier versions, PacketShaper attempted to log onto the secondary server only when the primary server had a connection failure and failed to respond.
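Two of the claims above, that ASCII and PAP carry the password in clear text and that the shared secret is all that stands between a packet capture and that password, are easiest to see by building the packet. The following Python script is an added example, not PacketShaper or tac_plus code: it constructs a TACACS+ PAP authentication START packet as laid out in RFC 8907, applies the protocol's MD5 pseudo-pad obfuscation with a hypothetical shared secret, and then recovers the user name and password the way the server (or anyone else holding the secret) would. The session ID, port and remote-address values are made-up placeholders; the obfuscation algorithm and the packet layout are the RFC's.

```python
"""Added example: build a TACACS+ (RFC 8907) PAP authentication START packet and
apply the protocol's MD5-based body obfuscation, to show what the shared secret
protects on the PacketShaper-to-server leg. Hypothetical values throughout; this
is not PacketShaper or tac_plus code."""
import hashlib
import struct

# Header constants from RFC 8907
TAC_PLUS_MAJOR_VER = 0xC
TAC_PLUS_MINOR_VER_ONE = 0x1          # minor version 1 is used for PAP, CHAP and MS-CHAP
TAC_PLUS_AUTHEN = 0x01                # packet type: authentication
TAC_PLUS_UNENCRYPTED_FLAG = 0x01      # header flag: body sent with no obfuscation at all
# Authentication START body constants
TAC_PLUS_AUTHEN_LOGIN = 0x01
TAC_PLUS_PRIV_LVL_USER = 0x01
TAC_PLUS_AUTHEN_TYPE_PAP = 0x02
TAC_PLUS_AUTHEN_SVC_LOGIN = 0x01

HEADER = struct.Struct("!BBBBII")     # version, type, seq_no, flags, session_id, length
HEADER_LEN = HEADER.size              # 12 bytes


def pseudo_pad(session_id, key, version, seq_no, length):
    """RFC 8907 section 4.5: MD5_1 = MD5(session_id, key, version, seq_no) and
    MD5_n = MD5(session_id, key, version, seq_no, MD5_n-1); concatenate, truncate."""
    seed = struct.pack("!I", session_id) + key + bytes([version, seq_no])
    pad, prev = b"", b""
    while len(pad) < length:
        prev = hashlib.md5(seed + prev).digest()
        pad += prev
    return pad[:length]


def obfuscate(body, session_id, key, version, seq_no):
    """XOR the body with the pseudo-pad. XOR is its own inverse, so the same
    call de-obfuscates a received body. There is no integrity check."""
    pad = pseudo_pad(session_id, key, version, seq_no, len(body))
    return bytes(b ^ p for b, p in zip(body, pad))


def build_pap_start(user, password, session_id, key,
                    port=b"web", rem_addr=b"198.51.100.7"):
    """Client side (the PacketShaper role): START packet for a PAP login. With PAP
    the password rides in the data field of the very first packet; with ASCII it
    would arrive in a later CONTINUE packet instead. port/rem_addr are hypothetical."""
    version = (TAC_PLUS_MAJOR_VER << 4) | TAC_PLUS_MINOR_VER_ONE
    seq_no = 1                                # the client's first packet is always seq 1
    user_b, pw_b = user.encode(), password.encode()
    body = struct.pack("!BBBBBBBB",
                       TAC_PLUS_AUTHEN_LOGIN, TAC_PLUS_PRIV_LVL_USER,
                       TAC_PLUS_AUTHEN_TYPE_PAP, TAC_PLUS_AUTHEN_SVC_LOGIN,
                       len(user_b), len(port), len(rem_addr), len(pw_b))
    body += user_b + port + rem_addr + pw_b
    header = HEADER.pack(version, TAC_PLUS_AUTHEN, seq_no, 0, session_id, len(body))
    return header + obfuscate(body, session_id, key, version, seq_no)


def recover_pap_credentials(packet, key):
    """Server side (or any observer who knows the secret): undo the obfuscation
    and pull the user name and password back out of the START body."""
    version, ptype, seq_no, flags, session_id, length = HEADER.unpack(packet[:HEADER_LEN])
    body = packet[HEADER_LEN:HEADER_LEN + length]
    if not flags & TAC_PLUS_UNENCRYPTED_FLAG:
        body = obfuscate(body, session_id, key, version, seq_no)
    user_len, port_len, rem_len, data_len = body[4:8]
    off = 8
    user = body[off:off + user_len]
    off += user_len + port_len + rem_len
    return user, body[off:off + data_len]


if __name__ == "__main__":
    secret = b"example-shared-secret"         # hypothetical shared secret
    pkt = build_pap_start("alice", "hunter2", 0x1A2B3C4D, secret)
    print("with the right secret:", recover_pap_credentials(pkt, secret))
    print("with a wrong secret:  ", recover_pap_credentials(pkt, b"guess"))
```

Run it to see the decode succeed with the right secret and return garbage with a wrong one. Two things follow for the configuration steps above: the Shared Secret is effectively a decryption key for every ASCII and PAP login, so generate it as a long random string and treat backups of tac_plus.conf as credential material; and because the pseudo-pad carries no integrity check, nothing in the protocol detects a modified body, which is one more reason to keep TCP port 49 reachable only from the management side.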

Configure TACACS+ Accounting Service

If you want to have an audit trail for user logins, you can configure PacketShaper as a TACACS+ client and specify the accounting server settings. Once this is configured, PacketShaper will send a TAC_PLUS_ACCT_FLAG_START accounting message to the accounting server when a user logs in and a TAC_PLUS_ACCT_FLAG_STOP message when a user logs off or is disconnected.

To configure PacketShaper to work with a TACACS+ accounting server:

1. Click the Setup tab.


2. From the Choose Setup Page list, choose TACACS+ Client. The TACACS+ Client Settings screen appears.

3. In the Accounting field, select on.

4. In the Primary Accounting Host field, enter the IP address or DNS name of the TACACS+ accounting server.

5. Optional: To access the TACACS+ server with a specific port, enter a number in the Port field.

If the field is left blank, the default port (49) will be used.

6. In the Shared Secret field, enter the designated secret.

7. Optional: Specify a Secondary Accounting Host to use in case the primary TACACS+ server is not accessible or failed to authenticate. Be sure to specify its Shared Secret as well.

8. If necessary, adjust the Timeout interval.

By default, PacketShaper waits 10 seconds for a response from the TACACS+ server before the login fails. You can select a value between 1 and 60 seconds.

9. Click apply changes.



Log In and Out with TACACS+

After the PacketShaper and the TACACS+ server are configured to work together, users can log in to PacketShaper using their TACACS+ credentials.

Caution: In PacketShaper versions prior to 11.10.3, CLI login using TACACS+ credentials was not active until the user first logged in through the browser interface. In other words, TACACS+ users had to log in once through the browser before they could have CLI access. This additional step is no longer required in PS 11.10.3 and higher.

Even when TACACS+ is enabled, users can still log in with their local credentials (user name look or touch). This lets a user log in without authenticating through the TACACS+ server, which is especially useful when the TACACS+ server is down or PacketShaper cannot reach it. However, a local login does not record a user name for auditing purposes: because these two accounts bypass central authentication and leave no per-user audit record, give them strong passwords and reserve them for break-glass access.

Logging In with TACACS+

After TACACS+ authentication and/or accounting is enabled, the user is prompted for a user name and password when logging into the PacketShaper browser or command-line interface. The user name can be up to 63 ASCII characters and may include a realm. PacketShaper consults the configured TACACS+ server to determine whether the user has access to the unit and verifies that the password is correct. PacketShaper first tries the primary server; if it does not respond within the specified timeout interval, or if the connection is refused or reset, PacketShaper attempts the secondary server (if configured).

Note: Starting in PS 11.10.3, an authentication failure on the primary server also causes PacketShaper to try the secondary server; in earlier versions the secondary server was used only when the primary had a connection failure and failed to respond. With the newer behavior a mistyped password is presented to both servers, so expect paired failure records.

Any failed login attempts will be sent to a Syslog server, if one has been defined.

Logging Out

For audit trail and security purposes, users should explicitly log out of PacketShaper:

n To log out of the browser interface, click the LOG OUT link in the banner.

n To log out of the command-line interface, type exit.

Logging out discards session content and generates a TACACS+ accounting TAC_PLUS_ACCT_FLAG_STOP message for the user. If a user does not explicitly log out, PacketShaper automatically times the session out after one hour of inactivity (the interval may instead be learned per-session from the TACACS+ server). When a PacketShaper browser session times out, a "timed out" or "unknown session" message appears the next time the user attempts to use PacketShaper. When a remote login (such as Telnet) session times out, PacketShaper sends a "timed out" message and disconnects. Note that asynchronous sessions do not time out.

Note: When the Sky user interface has been loaded, the real-time graphs are constantly polling the PacketShaper so the session does not time out.
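The START and STOP records described under Configure TACACS+ Accounting Service, together with the explicit-logout guidance above, only become an audit trail once something reads them. The following Python script is an added example, not PacketShaper or tac_plus code: it pairs START and STOP records from the daemon's accounting file into sessions, computes each session's length, flags logins that never produced a STOP (a user who closed the browser and is waiting out the idle timeout, or a session that ended without a record), and flags STOPs with no matching START. The tab-separated record layout (timestamp, NAS address, user, port, remote address, flag, AV pairs) is assumed here to match what the Cisco tac_plus daemon writes; check it against your own /var/log/tac_plus.acct. The sample lines, addresses and the "web" port value are constructed.

```python
"""Added example: pair TACACS+ accounting START and STOP records from a tac_plus
accounting file into login sessions and flag the ones that never closed. Not
PacketShaper or tac_plus code; the record layout is an assumption (see lead-in)."""
from collections import OrderedDict
from datetime import datetime

TIME_FMT = "%a %b %d %H:%M:%S %Y"   # ctime-style timestamp at the start of each record

# Constructed sample records. Assumed layout (tab-separated): timestamp, NAS address,
# user, port, remote address, start/stop flag, then AV pairs.
SAMPLE_ACCT = (
    "Fri Jun 14 09:02:11 2019\t192.0.2.10\talice\tweb\t198.51.100.7\tstart\ttask_id=101\tservice=shell\n"
    "Fri Jun 14 09:17:40 2019\t192.0.2.10\talice\tweb\t198.51.100.7\tstop\ttask_id=101\tservice=shell\telapsed_time=929\n"
    "Fri Jun 14 09:20:05 2019\t192.0.2.10\tbob\ttty0\t203.0.113.9\tstart\ttask_id=102\tservice=shell\n"
    "Fri Jun 14 10:41:55 2019\t192.0.2.10\tbob\ttty0\t203.0.113.9\tstop\ttask_id=102\tservice=shell\telapsed_time=4910\n"
    "Fri Jun 14 10:50:00 2019\t192.0.2.10\tdave\ttty0\t203.0.113.9\tstop\ttask_id=97\tservice=shell\n"
    "Fri Jun 14 11:05:00 2019\t192.0.2.10\tcarol\tweb\t198.51.100.22\tstart\ttask_id=103\tservice=shell\n"
)


def parse_record(line):
    """Split one accounting line into its fixed fields plus a dict of AV pairs."""
    fields = line.rstrip("\n").split("\t")
    if len(fields) < 6:
        raise ValueError("short accounting record: %r" % line)
    ts, nas, user, port, rem_addr, flag = fields[:6]
    av = dict(f.split("=", 1) for f in fields[6:] if "=" in f)
    return {"time": datetime.strptime(ts, TIME_FMT), "nas": nas, "user": user,
            "port": port, "rem_addr": rem_addr, "flag": flag.lower(), "av": av}


def build_sessions(text):
    """Return (completed sessions, STARTs still open, STOPs with no START).
    A login is keyed on NAS, user and the task_id the client assigned to it."""
    open_starts = OrderedDict()
    sessions, orphans = [], []
    for line in text.splitlines():
        if not line.strip():
            continue
        rec = parse_record(line)
        key = (rec["nas"], rec["user"], rec["av"].get("task_id"))
        if rec["flag"] == "start":
            open_starts[key] = rec
        elif rec["flag"] == "stop":
            start = open_starts.pop(key, None)
            if start is None:
                orphans.append(rec)      # START lost, e.g. to log rotation or a daemon restart
                continue
            sessions.append({
                "user": rec["user"], "nas": rec["nas"], "port": rec["port"],
                "rem_addr": rec["rem_addr"], "start": start["time"], "stop": rec["time"],
                "seconds": int((rec["time"] - start["time"]).total_seconds()),
            })
        # watchdog/update records are not needed for a login audit trail and are skipped
    return sessions, list(open_starts.values()), orphans


def audit_report(text):
    """One line per completed session, then open logins, then orphan STOPs."""
    sessions, still_open, orphans = build_sessions(text)
    lines = ["%s from %s via %s: %ds" % (s["user"], s["rem_addr"], s["port"], s["seconds"])
             for s in sessions]
    lines += ["OPEN: %s from %s since %s" % (r["user"], r["rem_addr"], r["time"])
              for r in still_open]
    lines += ["ORPHAN STOP: %s task_id=%s" % (r["user"], r["av"].get("task_id"))
              for r in orphans]
    return lines


if __name__ == "__main__":
    print("\n".join(audit_report(SAMPLE_ACCT)))
```

Point it at the real accounting file once the layout is confirmed. An open login that is older than the one-hour idle timeout and still has no STOP is worth a look, because PacketShaper should have sent one when it timed the session out; a run of orphan STOPs usually means the accounting server was unreachable when the STARTs were sent and the secondary host was not configured.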
