Lantronix EMG Series User Manual

482 pages
14: User Authentication
EMG™ Edge Management Gateway User Guide 313
TACACS+
Similar to RADIUS, the main function of TACACS+ is to perform authentication for remote access.
The EMG supports the TACACS+ protocol (not the older TACACS or XTACACS protocols).
The system administrator can configure the EMG unit to use TACACS+ to authenticate users
attempting to log in using the Web, Telnet, SSH, or the console port.
Users who are authenticated through TACACS+ are granted device port access through the port
permissions on this page.
All TACACS+ users are members of a group with associated predefined user rights. You may add
additional user rights that are not defined by the group.
TACACS+ Groups
This section describes how a priv_lvl assigned to a TACACS+ user can be mapped to an EMG
custom group, which sets the permissions and port rights for a TACACS+ user when they
log in to the EMG.
TACACS+ users are typically configured to have a privilege level of 0-15, with each level
representing a privilege level that is a superset of the next lower value. The privilege level can be
assigned to individual users, or to groups that the user is a member of. When the EMG
authenticates a TACACS+ user, it will first send an authentication request to the TACACS+ server,
and wait for an authentication reply. If the user is successfully authenticated, the EMG will next
send an authorization request to the TACACS+ server with the Service and optional Protocol.
The EMG will wait for an authorization response that will indicate if the user was successfully
authorized for the requested service and protocol, and also contains a set of attribute-value pairs
which define the attributes associated with the TACACS+ user.
The priv_lvl or priv-lvl is the only attribute sent from the TACACS+ server that the EMG will
recognize and utilize. The privilege level number is used to map to an EMG custom user group
by finding a group with a name that ends in the same number as the priv_lvl. For example, an EMG
group called "admin15" will map to any TACACS+ users with priv_lvl equal to 15; an EMG group
called "manager8" will map to any TACACS+ users with priv_lvl equal to 8; and an EMG group
called "readonly0" will map to any TACACS+ users with priv_lvl equal to 0. If two EMG groups
ending with the same number exist, the EMG will select the first matching group it finds while
searching the group list; for consistency it is recommended that only one EMG group exist for each
priv_lvl.
When a TACACS+ user authenticates to the EMG, the Authentication Log will record any priv_lvl
attribute-value pair returned by the TACACS+ server:
Sep 21 15:44:38 2017 slc431d SLC-SLB/x15login[2839]:
pam_sm_authenticate: server returned attribute `PRIV_LVL=14'
Any priv_lvl obtained for a TACACS+ user can also be viewed at the CLI with the show user
command.
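The group-mapping rule and the Authentication Log line described above can be checked offline. The following is an added audit sketch, not Lantronix code: it flags priv_lvl values claimed by more than one group and shows which group each logged priv_lvl would resolve to. It assumes the "number a group name ends in" is the full trailing run of digits; the group list and the second log line are constructed samples.

```python
import re
from collections import defaultdict

# Constructed group list, in the order the device would search it (assumption).
GROUPS = ["admin15", "manager8", "readonly0", "ops8"]
# First entry is the manual's sample log line; the second is constructed.
LOG_LINES = [
    "Sep 21 15:44:38 2017 slc431d SLC-SLB/x15login[2839]: "
    "pam_sm_authenticate: server returned attribute `PRIV_LVL=14'",
    "Sep 21 15:50:02 2017 slc431d SLC-SLB/x15login[2901]: "
    "pam_sm_authenticate: server returned attribute `PRIV_LVL=8'",
]

# Assumption: the trailing digit run of a group name is its priv_lvl.
TRAILING_NUM = re.compile(r"(\d+)$")
PRIV_ATTR = re.compile(r"priv[_-]lvl=(\d+)", re.IGNORECASE)


def index_groups(groups):
    """Map each trailing number to the groups ending in it, in list order."""
    by_level = defaultdict(list)
    for name in groups:
        m = TRAILING_NUM.search(name)
        if m:
            by_level[int(m.group(1))].append(name)
    return dict(by_level)


def resolve(level, by_level):
    """First matching group wins, as the manual describes; None if no match."""
    matches = by_level.get(level, [])
    return matches[0] if matches else None


def audit(groups, log_lines):
    """Return (ambiguous levels, [(priv_lvl, resolved group)] per log line)."""
    by_level = index_groups(groups)
    ambiguous = {lvl: names for lvl, names in by_level.items() if len(names) > 1}
    seen = []
    for line in log_lines:
        m = PRIV_ATTR.search(line)
        if m:
            lvl = int(m.group(1))
            seen.append((lvl, resolve(lvl, by_level)))
    return ambiguous, seen


if __name__ == "__main__":
    print(audit(GROUPS, LOG_LINES))
```

A `None` result means no group name ends in the logged priv_lvl; what the EMG does in that case is not stated on this page, so treat it as a configuration gap to review.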
To configure the EMG unit to use TACACS+ to authenticate users:
1. Click the TACACS+ tab and select TACACS+. The following page displays.
