How to configure TACACS+ Authentication on switches via Omada Controller
This article describes how to implement TACACS+ authentication on the switch via CLI templates on the Omada Controller.
- Omada Smart / L2+ / L3 switches
- Omada Controller (Software Controller / Hardware Controller / Cloud-Based Controller, V5.9 and above)
To enhance network security, we can use TACACS+ to implement access control on switches. For example, when a client connected to a switch needs to access the switch via the SSH protocol, it must first pass the authentication process. In the following network topology, TACACS+ can be configured on the Omada Controller via CLI templates to ensure that only authenticated users can access the switch.
Step 1. Install the TACACS+ Server in Ubuntu 20.04 (or above) via the following steps:
1. Download the latest source file of the TACACS+ Server at ftp://ftp.shrubbery.net/pub/tac_plus.
2. Extract the source archive: tar -zxvf tacacs-F4.0.4.28.tar.gz
3. Change into the extracted directory: cd /path/to/tacacs-F4.0.4.28
4. Run ./configure. If an error message is displayed, install the missing build dependencies with sudo apt-get install libwrap0-dev flex bison.
5. Run sudo make install.
6. Add the library path to the loader configuration: sudo vi /etc/ld.so.conf. Save the file and exit, then run sudo ldconfig from the terminal.
Step 2. Configure the TACACS+ Server.
1. Use the command sudo mkdir /etc/tacacs+ to create a new folder.
2. Create a config file tac_plus.conf in the path /etc/tacacs+: touch tac_plus.conf
3. Modify the config file tac_plus.conf: sudo vi /etc/tacacs+/tac_plus.conf
You can copy the following configuration into tac_plus.conf as a starting point.
#Make this a strong key
key = tplink_123
# Authenticate against the local Linux password file, so local Linux users can log in
default authentication = file /etc/passwd
#Define groups that we shall add users to later
group = test1 {
    default service = permit
    service = exec {
        priv-lvl = 15
    }
}
group = test2 {
    default service = deny
    service = exec {
        priv-lvl = 1
    }
}
group = test3 {
    default service = permit
    login = file /etc/passwd
    service = exec {
        priv-lvl = 2
    }
}
#Defining my users and assigning them to groups above
user = manager {
    member = test1
}
user = user1 {
    member = test2
}
user = user2 {
    member = test3
}
Save and exit tac_plus.conf, then create the corresponding users and set their passwords on the Linux system (Step 3).
The priv-lvl value ranges from 1 to 15 and maps to four management permission levels on the switch:
1~4: User permission. Users can only view settings, not edit or modify them. L3 features cannot be viewed.
5~9: Super user permission. Super users can view, edit, and modify some functions, such as VLAN, HTTPS config, Ping, etc.
10~14: Operator permission. In addition to super user permission, operators can also configure LAG, MAC address, access control, SSH config and other settings.
15: Administrator permission. Administrators can view, edit, and modify all functions.
Note: Switches that have been adopted by the Omada Controller cannot be configured directly via the CLI; use the CLI templates on the controller instead (Step 4).
Step 3. Restart the TACACS+ Server and add users. Every time you modify the tac_plus.conf file, you need to restart the TACACS+ Server. Use the command sudo tac_plus -C /etc/tacacs+/tac_plus.conf to restart it, and use adduser to add users and set their passwords in the Linux system.
adduser manager
adduser user1
adduser user2
Note: Here “manager”, “user1”, and “user2” correspond respectively to the users configured in the tac_plus.conf file. Similarly, to add new users, you need to add them in the tac_plus.conf file and restart the TACACS+ Server.
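As an added example (not part of this article, of tac_plus, or of the Omada product), the following Python script parses a copy of the tac_plus.conf shown in Step 2, resolves the priv-lvl each user will receive and the management permission level it maps to, and lints the three things that commonly go wrong in Steps 2 and 3: a shared key left at the sample value or too short, a user assigned to a group that is not defined, and, because default authentication = file /etc/passwd, a user listed in tac_plus.conf who has no Linux account yet. The parser, the 16-character minimum key length and the hard-coded set of local accounts are assumptions made for the example.

```python
import re

# Constructed copy of the article's sample tac_plus.conf; the weak sample key is kept on purpose
SAMPLE_CONF = """
key = tplink_123
default authentication = file /etc/passwd
group = test1 {
    default service = permit
    service = exec {
        priv-lvl = 15
    }
}
group = test2 {
    default service = deny
    service = exec {
        priv-lvl = 1
    }
}
group = test3 {
    default service = permit
    login = file /etc/passwd
    service = exec {
        priv-lvl = 2
    }
}
user = manager {
    member = test1
}
user = user1 {
    member = test2
}
user = user2 {
    member = test3
}
"""

# Privilege tiers as the article describes them for Omada switches
TIERS = ((15, 15, "Administrator"), (10, 14, "Operator"), (5, 9, "Super user"), (1, 4, "User"))
LINE = re.compile(r"([\w\- ]+?)\s*=\s*(.+?)\s*(\{)?$")   # name = value [{]


def parse_tac_plus_conf(text):
    """Hypothetical parser (not tac_plus's own) for the syntax subset the article uses."""
    conf = {"groups": {}, "users": {}}
    stack = []                                   # blocks currently open
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()      # '#' starts a comment
        if not line:
            continue
        if line == "}":
            stack.pop()
            continue
        m = LINE.fullmatch(line)
        if not m:
            raise ValueError(f"unparsed line: {raw!r}")
        name, value, opens = m.group(1).strip(), m.group(2), m.group(3)
        current = stack[-1] if stack else conf
        if not opens:
            current[name] = value
            continue
        block = {}
        if not stack and name in ("group", "user"):
            conf[name + "s"][value] = block
        else:                                    # e.g. service = exec { ... }
            current.setdefault(name, {})[value] = block
        stack.append(block)
    if stack:
        raise ValueError("unclosed block")
    return conf


def effective_priv_lvl(conf, user):
    """priv-lvl the switch receives for `user`, taken from the user's group (None if unset)."""
    group = conf["groups"][conf["users"][user]["member"]]
    lvl = group.get("service", {}).get("exec", {}).get("priv-lvl")
    return None if lvl is None else int(lvl)


def tier(priv_lvl):
    for low, high, label in TIERS:
        if low <= priv_lvl <= high:
            return label
    raise ValueError(f"priv-lvl {priv_lvl} is outside 1..15")


def lint(conf, local_users, sample_key="tplink_123", min_key_len=16):
    """Return a list of findings; an empty list means every check passed."""
    findings = []
    key = conf.get("key", "")
    if key == sample_key or len(key) < min_key_len:
        findings.append(f"shared key is missing, the sample value, or shorter than {min_key_len} chars")
    for user, attrs in conf["users"].items():
        member = attrs.get("member")
        if member not in conf["groups"]:
            findings.append(f"user {user!r} refers to undefined group {member!r}")
            continue
        lvl = effective_priv_lvl(conf, user)
        try:
            tier(lvl)
        except (TypeError, ValueError):
            findings.append(f"user {user!r}: group {member!r} has no usable exec priv-lvl ({lvl})")
        # 'default authentication = file /etc/passwd' means the Linux account must exist
        if conf.get("default authentication") == "file /etc/passwd" and user not in local_users:
            findings.append(f"user {user!r} has no Linux account yet; run 'adduser {user}'")
    return findings
```

To check the real file, call parse_tac_plus_conf(open("/etc/tacacs+/tac_plus.conf").read()) and pass the account names from getent passwd as local_users; a non-empty list of findings is a reason to fix the server before restarting tac_plus in Step 3 and before pushing the CLI template in Step 4.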
Step 4. Set the CLI templates on the Omada Controller. Go to Settings > CLI Configuration > Device CLI and click Create New Device CLI Profile.
Specify the name and enter the following CLI commands. These commands assign the IP address, port, and shared secret of the TACACS+ Server and enable TACACS+ authentication when the switch is accessed via the SSH protocol.
tacacs-server host 192.168.0.30 port 49 timeout 5 key 0 tplink_123
aaa authentication login test tacacs
line ssh
login authentication test
Select the target switch in the pop-up window of Choose Device and click Confirm. Then click Save to save the settings.
Go to Settings > Services > SSH to enable SSH Login and click Apply.
When using PuTTY to access the switch via SSH, the username and password set on the TACACS+ Server are required to log in.
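A server-side check that is not part of the article, of tac_plus, or of the Omada product: this added Python script performs the same ASCII login exchange the switch performs (RFC 8907 authentication START, a GETPASS reply, then CONTINUE carrying the password) against the tac_plus server from Step 3, so that a failed PuTTY login can be attributed either to the server (wrong key, missing Linux account, wrong group) or to the switch-side template. It assumes the server address 192.168.0.30 and the key tplink_123 from the template above and uses a port name of ssh; the session id in round_trip() is a constructed value. The body obfuscation it implements is the MD5 keystream of RFC 8907, which the RFC itself describes as obfuscation rather than encryption, so the shared key (key 0 tplink_123 in the template, key = tplink_123 in tac_plus.conf) is the only thing keeping credentials private on the wire; use a long random key and keep TACACS+ traffic on the management network.

```python
import hashlib
import os
import socket
import struct

VERSION = 0xC0             # TACACS+ major version 0xC, minor version 0 (RFC 8907)
TYPE_AUTHEN = 0x01
STATUS = {1: "PASS", 2: "FAIL", 3: "GETDATA", 4: "GETUSER", 5: "GETPASS", 6: "RESTART", 7: "ERROR"}


def pseudo_pad(session_id, key, seq_no, length):
    """MD5 keystream of RFC 8907 section 4.7; this is obfuscation, not encryption."""
    pad, prev = b"", b""
    while len(pad) < length:
        prev = hashlib.md5(session_id + key + bytes([VERSION, seq_no]) + prev).digest()
        pad += prev
    return pad[:length]


def obfuscate(body, session_id, key, seq_no):
    """XOR the body with the pad; XOR is its own inverse, so this also de-obfuscates."""
    return bytes(b ^ p for b, p in zip(body, pseudo_pad(session_id, key, seq_no, len(body))))


def build_packet(body, session_id, key, seq_no):
    """12-byte header (flags=0 means the body is obfuscated) followed by the obfuscated body."""
    header = struct.pack("!BBBB4sI", VERSION, TYPE_AUTHEN, seq_no, 0, session_id, len(body))
    return header + obfuscate(body, session_id, key, seq_no)


def parse_packet(raw, key):
    """Split a wire packet into (seq_no, session_id, clear body)."""
    version, ptype, seq_no, _flags, session_id, length = struct.unpack("!BBBB4sI", raw[:12])
    if version != VERSION or ptype != TYPE_AUTHEN:
        raise ValueError("not a TACACS+ v12.0 authentication packet")
    return seq_no, session_id, obfuscate(raw[12:12 + length], session_id, key, seq_no)


def authen_start(user, port="ssh", rem_addr="127.0.0.1", priv_lvl=1):
    """START body: action=LOGIN(1), priv_lvl, authen_type=ASCII(1), authen_service=LOGIN(1)."""
    u, p, r = user.encode(), port.encode(), rem_addr.encode()
    return struct.pack("!8B", 1, priv_lvl, 1, 1, len(u), len(p), len(r), 0) + u + p + r


def authen_continue(user_msg):
    """CONTINUE body: user_msg_len, data_len, flags, user_msg (the password after GETPASS)."""
    m = user_msg.encode()
    return struct.pack("!HHB", len(m), 0, 0) + m


def parse_reply(body):
    """REPLY body: status, flags, server_msg_len, data_len, server_msg, data."""
    status, _flags, msg_len, _data_len = struct.unpack("!BBHH", body[:6])
    return STATUS.get(status, f"UNKNOWN({status})"), body[6:6 + msg_len].decode(errors="replace")


def round_trip(key=b"tplink_123", wrong_key=b"not-the-key"):
    """Offline check: (body changed on the wire, right key recovers it, wrong key recovers it)."""
    session_id = b"\x00\x00\x00\x2a"             # constructed; real sessions use os.urandom(4)
    body = authen_start("manager")
    wire = build_packet(body, session_id, key, 1)
    _, _, with_right_key = parse_packet(wire, key)
    _, _, with_wrong_key = parse_packet(wire, wrong_key)
    return wire[12:] != body, with_right_key == body, with_wrong_key == body


def _recv_exactly(sock, n):
    buf = b""
    while len(buf) < n:
        chunk = sock.recv(n - len(buf))
        if not chunk:
            raise ConnectionError("server closed the connection")
        buf += chunk
    return buf


def probe_login(host, key, user, password, port=49, timeout=5.0):
    """One ASCII login against a live tac_plus; returns (status, server_msg), 'PASS' when
    the account, password and shared key are all right on the server side."""
    session_id, key = os.urandom(4), key.encode()
    with socket.create_connection((host, port), timeout=timeout) as sock:
        def exchange(body, seq_no):
            sock.sendall(build_packet(body, session_id, key, seq_no))
            header = _recv_exactly(sock, 12)
            length = struct.unpack("!I", header[8:12])[0]
            reply_seq, reply_sid, clear = parse_packet(header + _recv_exactly(sock, length), key)
            if reply_sid != session_id or reply_seq != seq_no + 1:
                raise ValueError("reply does not belong to this session")
            return parse_reply(clear)
        status, msg = exchange(authen_start(user), 1)
        if status == "GETPASS":                  # server asks for the password next
            status, msg = exchange(authen_continue(password), 3)
        return status, msg


if __name__ == "__main__":
    print("offline round trip (changed on wire, right key ok, wrong key ok):", round_trip())
    # Against the article's topology: probe_login("192.168.0.30", "tplink_123", "manager", "<password>")
```

A FAIL with the server's own log showing the login attempt points at the account or password on the Linux side; a garbled or UNKNOWN status with a fresh account points at a key mismatch between tac_plus.conf and the CLI template; a connection error points at port 49 not being reachable from the management network.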
You have successfully configured the TACACS+ Server to control client access to the switch.
For more details on each function and configuration, go to the Download Center to download the manual for your product.