
TACACS+ Authentication
PacketShaper 11.10

Legal Notice

Copyright © 2019 Symantec Corp. All rights reserved. Symantec, the Symantec Logo, the Checkmark Logo, Blue Coat, and the Blue Coat logo are trademarks or registered trademarks of Symantec Corp. or its affiliates in the U.S. and other countries. Other names may be trademarks of their respective owners. This document is provided for informational purposes only and is not intended as advertising. All warranties relating to the information in this document, either express or implied, are disclaimed to the maximum extent allowed by law. The information in this document is subject to change without notice.

THE DOCUMENTATION IS PROVIDED "AS IS" AND ALL EXPRESS OR IMPLIED CONDITIONS, REPRESENTATIONS AND WARRANTIES, INCLUDING ANY IMPLIED WARRANTY OF MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE OR NON-INFRINGEMENT, ARE DISCLAIMED, EXCEPT TO THE EXTENT THAT SUCH DISCLAIMERS ARE HELD TO BE LEGALLY INVALID. SYMANTEC CORPORATION SHALL NOT BE LIABLE FOR INCIDENTAL OR CONSEQUENTIAL DAMAGES IN CONNECTION WITH THE FURNISHING, PERFORMANCE, OR USE OF THIS DOCUMENTATION. THE INFORMATION CONTAINED IN THIS DOCUMENTATION IS SUBJECT TO CHANGE WITHOUT NOTICE. SYMANTEC CORPORATION PRODUCTS, TECHNICAL SERVICES, AND ANY OTHER TECHNICAL DATA REFERENCED IN THIS DOCUMENT ARE SUBJECT TO U.S. EXPORT CONTROL AND SANCTIONS LAWS, REGULATIONS AND REQUIREMENTS, AND MAY BE SUBJECT TO EXPORT OR IMPORT REGULATIONS IN OTHER COUNTRIES. YOU AGREE TO COMPLY STRICTLY WITH THESE LAWS, REGULATIONS AND REQUIREMENTS, AND ACKNOWLEDGE THAT YOU HAVE THE RESPONSIBILITY TO OBTAIN ANY LICENSES, PERMITS OR OTHER APPROVALS THAT MAY BE REQUIRED IN ORDER TO EXPORT, RE-EXPORT, TRANSFER IN COUNTRY OR IMPORT AFTER DELIVERY TO YOU.
Symantec Corporation
350 Ellis Street
Mountain View, CA 94043
www.symantec.com

Friday, June 14, 2019

Contents

Configure TACACS+ 4
Configure Linux TACACS+ Servers using the Cisco TACACS+ Daemon 4
Configure TACACS+ Authentication Service 5
Configure TACACS+ Accounting Service 7
Log In and Out with TACACS+ 9
Logging In with TACACS+ 9
Logging Out 9

Configure TACACS+

Terminal Access Controller Access-Control System Plus (TACACS+) is a protocol that provides access control via one or more centralized servers. TACACS+ provides separate authentication, authorization and accounting services.

Steps:

1. First, configure the TACACS+ server with PacketShaper-specific attributes.
2. Configure the TACACS+ authentication service in PacketShaper.
3. Configure the TACACS+ accounting service in PacketShaper to have an audit trail of user logins.
4. Log into PacketShaper using TACACS+.

Configure Linux TACACS+ Servers using the Cisco TACACS+ Daemon

The PacketShaper TACACS+ client has been tested with the Cisco TACACS+ Daemon. This section includes instructions on configuring a Linux TACACS+ server with PacketShaper-specific information. These steps should be performed before you configure the TACACS+ authentication and TACACS+ accounting services via the PacketShaper browser or command-line interfaces. For more information on the general setup and configuration of your TACACS+ server, refer to the documentation included with the product.

Note: This procedure is only recommended for users with previous Linux experience.

Configure the TACACS+ Server

1. Install the TACACS+ server from your Linux distribution. In Ubuntu:

   apt-get install tacacs+

2. To configure the TACACS+ server, update the TACACS+ user configuration file tac_plus.conf with information for each TACACS+ user.
The example configuration text below shows how to define TACACS+ users with look or touch access and a clear text password, and a touch access user with an encrypted password.

Note: For additional details, refer to the users_guide file included with the Cisco TACACS+ files.

   # set the secret key
   key = "<key>"

   # where the accounting records should go
   accounting file = /var/log/tac_plus.acct

   # users accounts
   user = <username> {
       login = cleartext "<password>"
       before authorization "echo \"access=touch\"; exit 2"
       name = "<username> touch login"
   }

   user = <username> {
       login = cleartext "<password>"
       before authorization "echo \"access=look\"; exit 2"
       name = "<username> look login"
   }

   user = <username> {
       login = des "<encrypt_pwd>"
       before authorization "echo \"access=touch\"; exit 2"
       name = "<username> touch login"
   }

Variable        Description
<key>           The TACACS+ secret key
<username>      User name of the TACACS+ user
<password>      Clear text password for a TACACS+ user
<encrypt_pwd>   Encrypted password for a TACACS+ user

Start the TACACS+ Server

Once your user and password settings have been configured, issue the command to start the TACACS+ server. For example:

   /etc/init.d/tacacs_plus start

Configure TACACS+ Authentication Service

TACACS+ authentication is an optional method for users to log into the PacketShaper browser interface and command-line interface. Using third-party TACACS+ servers enables you to have central configuration of user accounts. In addition to configuring the server as described below, you need to do some configuration at the TACACS+ server so that it will work with PacketShaper. (See "Configure Linux TACACS+ Servers using the Cisco TACACS+ Daemon" above for an example.) Note that the server you configure for TACACS+ authentication will also be used for authorization.

To configure PacketShaper to work with a TACACS+ authentication server:

1. Click the Setup tab.
2.
From the Choose Setup Page list, choose TACACS+ Client. The TACACS+ Client Settings screen appears.
3. In the Authentication field, select on.
4. Select an Authentication method:

   - ASCII (American Standard Code for Information Interchange): With ASCII, the user name and password are transmitted in clear, unencrypted text. This is the default authentication method.

   - PAP (Password Authentication Protocol): With PAP, the user name and password are transmitted in clear, unencrypted text. If you select the PAP authentication method, Symantec recommends you increase security by logging into the PacketShaper browser interface via HTTPS.

     ASCII or PAP authentication is required for TACACS+ configurations that require access to clear text passwords (for example, when passwords are stored and maintained in a database external to the TACACS+ server).

   - CHAP (Challenge Handshake Authentication Protocol): In other environments, CHAP may be preferred for greater security. The TACACS+ server sends a challenge that consists of a session ID and an arbitrary challenge string, and the user name and password are encrypted before they are sent back to the server.

   - MS-CHAP (Microsoft Challenge Handshake Authentication Protocol): This protocol is similar to CHAP, but with MS-CHAP authentication, the TACACS+ server can store an encrypted version of a user password to validate the challenge response. Standard CHAP authentication requires that the server stores unencrypted passwords. If you select the MS-CHAP authentication method, Symantec recommends you increase security by logging into the PacketShaper browser interface via HTTPS.

     Note: MS-CHAP v1 and v2 are supported. PacketShaper attempts authentication with MS-CHAP v2 first. If the remote server doesn't support v2 or if authentication is denied, PacketShaper re-attempts authentication with MS-CHAP v1.
   When you change the TACACS+ authentication method for a PolicyCenter sharable configuration via the PolicyCenter browser interface, TACACS+ authentication returns to the default "off" setting for that configuration. If you change the authentication method via the PolicyCenter browser interface, be sure to also re-enable the TACACS+ authentication feature before you apply the changes.

   Limitation: PacketShaper SSH and serial console connections do not support the PAP, MS-CHAP, and CHAP authentication methods with TACACS+. Regardless of which method the PacketShaper is configured to use for TACACS+ authentication, ASCII will be used when logging in to the CLI with SSH or serial console. Note that this limitation does not apply when logging in to the web UI: the configured method will be used during authentication.

5. In the Primary Authentication Host field, enter the IP address or DNS name of the TACACS+ server.
6. Optional: To access the TACACS+ server with a specific port, enter a number in the Port field. If the field is left blank, the default port (49) will be used.
7. In the Shared Secret field, enter the designated secret.
8. Optional: Specify a Secondary Authentication Host to use in case the primary TACACS+ server is not accessible or failed to authenticate. Be sure to specify its Shared Secret as well.
9. If necessary, adjust the Timeout interval. By default, PacketShaper waits 10 seconds for a response from the TACACS+ server before the login fails. You can select a value between 1 and 60 seconds.
10. Click apply changes.

After you have configured a TACACS+ authentication server, users will be prompted for a user name and password when logging into PacketShaper. For more information, see Log In and Out with TACACS+.
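As an added example (not part of the Symantec guide or the Cisco daemon), the following Python script parses a tac_plus.conf fragment laid out like the server configuration example earlier in this document and reports what an administrator would want to check before enabling the service: a missing shared key, users whose passwords are stored with `cleartext` rather than `des`, and user stanzas whose `before authorization` hook does not return the PacketShaper `access=look` or `access=touch` attribute. The sample configuration and all names and passwords in it are constructed for the example.

```python
import re

# Constructed sample in the tac_plus.conf layout shown in the guide; all values are made up.
SAMPLE_CONF = r'''
key = "example-shared-secret"
accounting file = /var/log/tac_plus.acct
user = alice {
    login = cleartext "alice-pass"
    before authorization "echo \"access=touch\"; exit 2"
    name = "alice touch login"
}
user = carol {
    login = des "AbCdEfGhIjKlM"
    before authorization "echo \"access=look\"; exit 2"
    name = "carol look login"
}
user = dave {
    login = des "AbCdEfGhIjKlM"
    name = "dave login with no access attribute"
}
'''

USER_RE = re.compile(r'user\s*=\s*(\S+)\s*\{(.*?)\}', re.S)
LOGIN_RE = re.compile(r'login\s*=\s*(cleartext|des)\s*"[^"]*"')
# The PacketShaper-specific attribute is emitted by the "before authorization" hook (exit 2).
ACCESS_RE = re.compile(r'before\s+authorization\s+"echo\s+\\"access=(look|touch)\\";\s*exit\s+2"')

def parse_users(conf):
    """Map each user name to its password storage type and PacketShaper access level."""
    users = {}
    for m in USER_RE.finditer(conf):
        body = m.group(2)
        login, access = LOGIN_RE.search(body), ACCESS_RE.search(body)
        users[m.group(1)] = {"login": login.group(1) if login else None,
                             "access": access.group(1) if access else None}
    return users

def lint(conf):
    """Return findings: missing key, clear-text passwords, stanzas with no access attribute."""
    findings = []
    if not re.search(r'^\s*key\s*=\s*"[^"]+"', conf, re.M):
        findings.append("no shared key configured")
    for name, u in parse_users(conf).items():
        if u["login"] == "cleartext":
            findings.append(f"{name}: password stored in clear text (use des instead)")
        if u["access"] is None:
            findings.append(f"{name}: no access=look|touch attribute returned before authorization")
    return findings
```

Running `lint(SAMPLE_CONF)` flags alice (clear-text password) and dave (no access attribute) and nothing for carol.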
Note: Starting in PS 11.10.3, if the TACACS+ primary server has an authentication failure, PacketShaper attempts to log onto a configured secondary server; in earlier versions, PacketShaper attempted to log onto the secondary server only when the primary server had a connection