TACACS+ server setup for ZD login

Summary

This article describes the setup needed to use a TACACS+ server in the backend as the user database for logging in to the ZoneDirector (ZD).

Question

What do I need to configure on the ZD to let users defined on the TACACS+ server log in?

Customer Environment

ZD managed wireless network. TACACS+ server in the backend containing user database.

Root Cause

The ZD is to be configured to use an external user database (a TACACS+ server) for administrator login instead of, or in addition to, its local admin account.

Resolution

TACACS+ servers are typically used to provide a centralized authentication service for logging in to network devices. The devices can be Cisco equipment such as routers and controllers, or non-Cisco devices such as the Ruckus ZoneDirector.

The key is to configure the user database on the TACACS+ server and then point the network device at that server for its own login authentication.

Please follow the setup process described below:

A. Create local user accounts and group accounts as shown below (the exact setup will depend on the TACACS+ server vendor, so consult their documentation; some servers also provide a GUI-based setup with easy-to-follow instructions). The snippet uses the configuration syntax of the open-source tac_plus daemon.

######################
# CONFIGURE GROUP
######################
# Network Administrator group
group = netadmin {
    # netadmin group for super admin access
    default service = permit
    # service name must match the "TACACS+ Service" field on the ZD (step C)
    service = zd-login {
        priv-lvl = 15
    }
}

# Regular user group
group = regularusers {
    # regular users will be added to this group
    default service = permit
    service = zd-login {
        priv-lvl = 1
    }
}

######################
# CONFIGURE USERS
######################
# Netadmin users
# Note that there is no password entry
# TACACS+ daemon will query the /etc/passwd file for this user
user = spope {
    member = netadmin
}

# Users with limited privileges
user = jkeith {
    member = regularusers
    login = cleartext "securepassword123"
}


----------
Notes:

i. Privilege level 15 gives the user super admin privileges on the ZD. Any other privilege level limits the logged-in user to monitor (read-only) privileges.
ii. If no password is defined for a user, that user's credentials are verified against the /etc/passwd file, as the comment in the snippet says.
iii. The group/user setup above goes into a file called /etc/tac-plus/tacacs.conf. Again, the exact location and syntax of this file depend on the specific TACACS+ server software.
iv. The "service" parameter above is set to zd-login. Please make a note of it; it is needed again in step C below.
v. The above snippet is adapted from "Network Administrators Survival Guide" published by Cisco Press, with the closing braces restored.
vi. The cleartext password form is shown for illustration only. Prefer a hashed form supported by your server (tac_plus accepts login = des "<crypt hash>") so that the configuration file does not hold reusable passwords.
----------

B. Define a "key" that is shared by the TACACS+ server and the network device (here the Ruckus ZoneDirector). The server and the ZD use this key to obfuscate the body of every TACACS+ packet exchanged between them. Note that the TACACS+ protocol (RFC 8907) only XORs the packet body with an MD5-derived pad keyed on this secret; it is not modern authenticated encryption, so choose a long random key, never reuse it across unrelated devices, and keep TACACS+ traffic on a trusted management network.
#######################
# CONFIGURE ENCRYPTION KEY
key = VerYs3cr3taqskey
#######################


C. Now go to the ZD and create a new AAA server entry under the "AAA Servers" configuration page. Here you need to specify the following parameters:
i. TACACS+ server's IP address
ii. Port number (TACACS+ uses TCP port 49 by default)
iii. Shared secret - this is the key defined on the TACACS+ server side, as explained in step B above.
iv. TACACS+ Service - this must match the "service" name defined in step A above (zd-login in the example).

D. Once the TACACS+ server is defined, test it using the "Test Authentication Settings" section on the same ZD page. Test with one account from the netadmin group and one from the regular-user group to confirm that both privilege levels are mapped as intended before switching the login method.

E. Now point ZD login users to the TACACS+ server: go to the Administer --> Preferences page and select the "Authenticate with Auth Server" radio button, then choose the TACACS+ server defined in step C from the dropdown. You can leave the "Fallback to admin name/password if failed" option checked so that you can still log in if the TACACS+ server is unreachable. Be aware that with fallback enabled the local admin credentials remain a valid login path, so keep that password strong and its use limited.
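To make concrete what the shared key from step B actually protects, the following added example (written for this article; it is not Ruckus, ZoneDirector or tac_plus code) builds a TACACS+ authentication START packet for the user jkeith, obfuscates its body with the RFC 8907 MD5 pseudo-pad keyed on VerYs3cr3taqskey, parses it back, and then shows that a captured packet can be checked offline against a list of candidate keys. The session id, port name and client address are constructed sample values.

```python
"""TACACS+ (RFC 8907) authentication START: build, obfuscate, parse, key-guess.
Added example for this article; constants follow RFC 8907, sample values are made up."""
import hashlib
import struct

VERSION = 0xC0            # major version 0xC, minor 0
TYPE_AUTHEN = 0x01        # packet type: authentication
FLAG_UNENCRYPTED = 0x01   # header flag: body is sent in cleartext (misconfiguration)
ACTION_LOGIN = 0x01
AUTHEN_TYPE_ASCII = 0x01  # ASCII login: password follows in a CONTINUE packet
AUTHEN_SVC_LOGIN = 0x01

HEADER_FMT = "!BBBBII"    # version, type, seq_no, flags, session_id, body length
HEADER_LEN = struct.calcsize(HEADER_FMT)   # 12 bytes
START_FMT = "!BBBBBBBB"   # action, priv_lvl, authen_type, service, user/port/rem_addr/data lengths
START_LEN = struct.calcsize(START_FMT)     # 8 bytes


def pseudo_pad(key, session_id, version, seq_no, length):
    """RFC 8907 4.5: MD5_1 = MD5(session_id, key, version, seq_no),
    MD5_n = MD5(session_id, key, version, seq_no, MD5_n-1); concatenate, truncate."""
    prefix = struct.pack("!I", session_id) + key + bytes([version, seq_no])
    pad, prev = b"", b""
    while len(pad) < length:
        prev = hashlib.md5(prefix + prev).digest()
        pad += prev
    return pad[:length]


def obfuscate(body, key, session_id, version, seq_no):
    """XOR the body with the pseudo-pad. Symmetric: applying it twice restores the body.
    Keyed on a static secret with no integrity check, so it is obfuscation, not encryption."""
    pad = pseudo_pad(key, session_id, version, seq_no, len(body))
    return bytes(b ^ p for b, p in zip(body, pad))


def build_authen_start(user, key, session_id, priv_lvl=1, port="web",
                       rem_addr="192.0.2.10", seq_no=1):
    """Authentication START for an ASCII login. key=None builds the packet with the
    unencrypted flag set, the way a misconfigured client would send it."""
    u, p, r, d = user.encode(), port.encode(), rem_addr.encode(), b""
    body = struct.pack(START_FMT, ACTION_LOGIN, priv_lvl, AUTHEN_TYPE_ASCII,
                       AUTHEN_SVC_LOGIN, len(u), len(p), len(r), len(d)) + u + p + r + d
    flags = 0
    if key is None:
        flags |= FLAG_UNENCRYPTED
    else:
        body = obfuscate(body, key, session_id, VERSION, seq_no)
    header = struct.pack(HEADER_FMT, VERSION, TYPE_AUTHEN, seq_no, flags, session_id, len(body))
    return header + body


def parse_authen_start(packet, key):
    """Decode a START packet. Raises ValueError when the header or the decoded body is
    malformed, which is what a wrong shared key produces (the XOR yields garbage lengths)."""
    if len(packet) < HEADER_LEN:
        raise ValueError("short packet")
    version, ptype, seq_no, flags, session_id, length = struct.unpack(HEADER_FMT, packet[:HEADER_LEN])
    body = packet[HEADER_LEN:]
    if version != VERSION or ptype != TYPE_AUTHEN or length != len(body):
        raise ValueError("bad header")
    if not flags & FLAG_UNENCRYPTED:
        if key is None:
            raise ValueError("obfuscated body but no key supplied")
        body = obfuscate(body, key, session_id, version, seq_no)
    if len(body) < START_LEN:
        raise ValueError("short body")
    action, priv_lvl, authen_type, svc, ul, pl, rl, dl = struct.unpack(START_FMT, body[:START_LEN])
    # Structural checks: RFC-defined actions (LOGIN=1, CHPASS=2, SENDAUTH=4), priv-lvl 0..15,
    # and the four length fields must account for exactly the rest of the body.
    if action not in (1, 2, 4) or priv_lvl > 15 or START_LEN + ul + pl + rl + dl != len(body):
        raise ValueError("body does not decode as a START packet (wrong key?)")
    off = START_LEN
    user, off = body[off:off + ul], off + ul
    port, off = body[off:off + pl], off + pl
    rem, off = body[off:off + rl], off + rl
    data = body[off:off + dl]
    return {"session_id": session_id, "seq_no": seq_no, "cleartext": bool(flags & FLAG_UNENCRYPTED),
            "action": action, "priv_lvl": priv_lvl, "authen_type": authen_type, "service": svc,
            "user": user.decode(errors="replace"), "port": port.decode(errors="replace"),
            "rem_addr": rem.decode(errors="replace"), "data": data}


def guess_key(packet, candidates):
    """Offline dictionary check against one captured packet: the first candidate that makes
    the body decode cleanly is the shared key. This is why the key must be long and random."""
    for cand in candidates:
        try:
            parse_authen_start(packet, cand)
            return cand
        except ValueError:
            continue
    return None


if __name__ == "__main__":
    key = b"VerYs3cr3taqskey"                      # the key from step B
    pkt = build_authen_start("jkeith", key, 0x12345678)   # constructed session id
    print(pkt.hex())
    print(parse_authen_start(pkt, key))
    print(guess_key(pkt, [b"cisco", b"tacacs", key]))
```

Because the pad depends only on the session id, sequence number, version and the static key, anyone who can sniff the management network and knows or guesses the key can recover usernames and passwords from the exchange; the parser's structural check is all an attacker needs to confirm a guess, so a short or dictionary-word shared secret offers little protection.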

Article Number:
000003050

Updated:
May 06, 2021 12:01 AM

Tags:
Configuration, System Network Management, ZoneDirector
