Using TACACS+ as an external authentication server for administration purposes is supported beginning with ScreenOS 6.0.0.
Note: TACACS+ is not supported for use as an authentication server for xauth or policy authentication.
On the firewall device, the TACACS server object needs to be configured. In this example, the TACACS server is called “external”. The CLI commands required for this are as follows:
set auth-server "external" id 1
set auth-server "external" server-name "192.168.1.33"
set auth-server "external" account-type admin
set auth-server "external" type tacacs
set auth-server "external" tacacs secret "QNM5OpXHNyCNyKsww1C+vDPFEpnHEFS+bw=="
set auth-server "external" tacacs port 49
Note: The TACACS+ shared secret in this example is netscreen; the config file shows it in hashed form for security purposes.
The external server also has to be configured as an admin auth server:
set admin auth server "external"
set admin auth remote root
set admin privilege get-external
On the ACS server, configure the attributes to match the admin privilege each user should receive. Launch the web interface via the ACSAdmin application. The steps are as follows:
Click Interface Configuration, and select TACACS+ (Cisco IOS)
Add a new service called “netscreen”, and leave the protocol field blank
Check both the User and Group check boxes.
Click Submit
Once the “netscreen” service is defined, the attributes can be set per user. On the user configuration page, scroll to the bottom, check the “netscreen” check box (the service name is case sensitive) and the “Custom attributes” check box, then specify the attributes in the custom attributes field.
The custom attributes you can specify are as follows:
Attribute | Root | Root RW | Root RO | VSYS RW | VSYS RO
--- | --- | --- | --- | --- | ---
vsys= | root | root | root | vsys-name | vsys-name
privilege= | root | read-write | read-only | vsys-read-write | vsys-read-only
For example, let’s assume you want to configure attributes for read-write users in the root vsys. The attributes you would specify are:
vsys=root
privilege=read-write
Note: If the TACACS+ server is not a Cisco ACS server, the server's config file should be formatted as shown in the example below (using vsys = root and privilege = root):
# Group-level netscreen attributes inherited by members of group "root"
group = root {
service = netscreen {
vsys = root
privilege = root
}
}
# Per-user entry; the login line sets the password used when the firewall authenticates "joe"
user = joe {
login = cleartext joe
service = netscreen {
vsys = root
privilege = root
}
}
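As an added example (not code from the article, ScreenOS or tac_plus), a small Python checker that parses a tac_plus-style file like the one above and verifies that each netscreen service block uses a vsys/privilege pair allowed by the attribute table, also flagging login passwords stored in cleartext; the embedded sample config and the mismatch checked in the usage are constructed.

```python
import re
# Privilege values from the attribute table above: ROOT_PRIVS require vsys=root, VSYS_PRIVS a named vsys.
ROOT_PRIVS = {"root", "read-write", "read-only"}
VSYS_PRIVS = {"vsys-read-write", "vsys-read-only"}
# Constructed sample: the article's user block, with its closing brace added.
SAMPLE_CONFIG = """
user = joe {
    login = cleartext joe
    service = netscreen {
        vsys = root
        privilege = root
    }
}
"""

def parse_tac_plus(text):
    """Parse tac_plus-style 'key = value { ... }' text into nested dicts."""
    stack = [{}]                                     # stack[-1] is the open block
    lines = [ln.split("#", 1)[0].strip() for ln in text.splitlines()]
    for line in filter(None, lines):                 # skip blanks and comments
        m = re.match(r"^(\w+)\s*=\s*(.+?)\s*(\{)?$", line)
        if line == "}" and len(stack) > 1:           # close the current block
            stack.pop()
        elif m and m.group(3):                       # 'user = joe {' opens one
            stack[-1][m.group(1) + " " + m.group(2)] = block = {}
            stack.append(block)
        elif m:                                      # leaf: 'vsys = root'
            stack[-1][m.group(1)] = m.group(2)
        else:
            raise ValueError("cannot parse or unbalanced: " + repr(line))
    if len(stack) != 1:
        raise ValueError("%d block(s) never closed" % (len(stack) - 1))
    return stack[0]

def audit(cfg, path=""):
    """List netscreen attribute mismatches and cleartext login passwords."""
    findings = []
    for key, val in cfg.items():
        where = path + "/" + key if path else key
        if key == "login" and val.startswith("cleartext"):
            findings.append(where + ": password stored in cleartext")
        elif key == "service netscreen":
            vsys, priv = val.get("vsys"), val.get("privilege")
            if priv not in ROOT_PRIVS | VSYS_PRIVS:
                findings.append(where + ": unknown privilege " + repr(priv))
            elif vsys is None or (vsys == "root") != (priv in ROOT_PRIVS):
                findings.append(where + ": privilege " + priv + " does not fit vsys=" + str(vsys))
        if isinstance(val, dict):                    # recurse into group/user/service blocks
            findings.extend(audit(val, where))
    return findings
```

Running `audit(parse_tac_plus(SAMPLE_CONFIG))` reports only the cleartext password; a block that pairs vsys=root with privilege=vsys-read-write is reported as a mismatch, and a file missing its closing brace raises ValueError.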
I'm not using Cisco; rather, I'm using Linux as the server on which I have installed a TACACS server. Now when I add user joe in the file /etc/tacacs.conf, where will I set its password? I don't have to set it on the SSG5, so how and where will I set the password for joe on the TACACS server that is to be tried from the SSG5 for authentication?