[Edgecore SONiC] TACACS+ for user authentication
Reference model:
- Switch model name:
  - AS7726-32X
  - AS7326-56X
  - AS7816-64X
  - AS5835-54X(T)
  - AS4630-54PE
  - AS9716-32D
  - AS8000 (Minipack)
  - Wedge100BF-32X
- Edgecore SONiC version:
  - Edgecore-SONiC_20201123_130028_ec202006_74
  - Edgecore-SONiC_20201229_070315_ec202006_101
  - Edgecore-SONiC_20201229_070315_ec202006_bfn_65 (Wedge100BF-32X)
Restriction:
- AAA only supports authentication. TACACS+ authorization and accounting are not supported, so per-command authorization and privilege levels defined on the server have no effect on the switch.
- Known issue: in a TACACS+ environment, the following warning messages appear when a member of the sudo group runs a command with sudo:
admin@sonic:~$ sudo su
usermod: Permission denied.
usermod: cannot lock /etc/passwd; try again later.
usermod: Permission denied.
This issue is fixed in Edgecore-SONiC_20201229_070315_ec202006_101.
Default Setting:
By default, AAA uses the switch's local user database for authentication.
Procedure:
Step 1. Set the management IP on the switch (refer to this article). The switch must be able to reach the TACACS+ server on TCP port 49 over this interface.
Step 2. Add the TACACS+ server host to the switch.
Step 3. Set the TACACS+ authentication key (testing123 is used as the example here). The key must be identical to the "key" in the server's tac_plus.conf; a mismatch is reported by the server as a failed login, not as a key error.
Step 4. Check the TACACS+ server settings.
Step 5. Use the TACACS+ database for user authentication:
admin@sonic:~$ sudo config aaa authentication login tacacs+
Step 6. Check the AAA settings:
admin@sonic:~$ show aaa
AAA authentication login tacacs+
AAA authentication failthrough False (default)
With failthrough False (the default), a login that a TACACS+ server rejects is not retried against the next authentication method.
Step 7. Save the setting to config_db.json:
admin@sonic:~$ sudo config save -y
The passkey is stored in clear text in /etc/sonic/config_db.json, so restrict access to that file and to any backups of it.
Result: the user "test" logs in to SONiC through TACACS+ authentication.
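The following pre-flight check is an added example for this article, not Edgecore's or SONiC's own tooling. It reads the tables that the commands in Steps 2 to 5 write into config_db.json (AAA, TACPLUS and TACPLUS_SERVER; that layout is assumed here) and reports the states that the `show aaa` output of Step 6 does not reveal by itself: a tacacs+ login with no server or no passkey, the documentation key testing123 left in place, and a tacacs+-only login with failthrough False. The server address 192.0.2.10 and both sample tables are constructed for the example. SONiC's own config tooling is Python, which is why the check is written in Python.

```python
"""Pre-flight check of the TACACS+ tables in a SONiC config_db.json.

Added example for this article (not Edgecore's or SONiC's own tooling).
It assumes the table layout written by `config tacacs add`, `config tacacs
passkey` and `config aaa authentication login`: AAA|authentication,
TACPLUS|global and TACPLUS_SERVER|<address>. Run it against
/etc/sonic/config_db.json before `config save -y` overwrites the file.
"""
import json
import sys

# Key used as the example throughout this article; flag it if it reaches a real switch.
DOC_EXAMPLE_KEYS = {"testing123"}


def login_methods(auth):
    """Split the AAA 'login' value ("tacacs+", "tacacs+,local", ...) into a list."""
    raw = auth.get("login", "local")
    return [m for m in raw.replace(",", " ").split() if m]


def check_tacacs(cfg):
    """Return a list of "LEVEL: message" findings; an empty list means the
    AAA/TACPLUS/TACPLUS_SERVER tables are consistent and no example key is in use."""
    findings = []
    auth = cfg.get("AAA", {}).get("authentication", {})
    methods = login_methods(auth)
    servers = cfg.get("TACPLUS_SERVER", {})
    glob = cfg.get("TACPLUS", {}).get("global", {})

    if "tacacs+" not in methods:
        findings.append("INFO: login methods %s: TACACS+ is not used for login" % methods)
        return findings

    if not servers:
        findings.append("ERROR: login uses tacacs+ but TACPLUS_SERVER is empty; "
                        "add a server with `config tacacs add <ip>` first")

    for addr, srv in servers.items():
        # A server may carry its own passkey; otherwise the global one must exist.
        if not (srv.get("passkey") or glob.get("passkey")):
            findings.append("ERROR: server %s has no passkey and TACPLUS|global has none" % addr)
        port = str(srv.get("tcp_port", "49"))
        if not port.isdigit() or not 0 < int(port) < 65536:
            findings.append("ERROR: server %s has invalid tcp_port %r" % (addr, port))

    keys = [("TACPLUS|global", glob.get("passkey"))]
    keys += [("TACPLUS_SERVER|" + a, s.get("passkey")) for a, s in servers.items()]
    for name, key in keys:
        if key in DOC_EXAMPLE_KEYS:
            findings.append("WARN: %s uses the documentation example key %r; "
                            "change it on both the switch and the server" % (name, key))

    failthrough = str(auth.get("failthrough", "False")).lower() == "true"
    if methods == ["tacacs+"] and not failthrough:
        findings.append("INFO: login is tacacs+ only with failthrough False; a user the "
                        "server rejects is not retried against local accounts")
    return findings


# Constructed sample: what the article's procedure leaves in config_db.json,
# with 192.0.2.10 standing in for the unspecified server address.
ARTICLE_CONFIG = {
    "AAA": {"authentication": {"login": "tacacs+", "failthrough": "False"}},
    "TACPLUS": {"global": {"auth_type": "pap", "passkey": "testing123", "timeout": "5"}},
    "TACPLUS_SERVER": {"192.0.2.10": {"priority": "1", "tcp_port": "49"}},
}

# Constructed sample: Step 5 run before Steps 2 and 3, so tacacs+ login with no server or key.
HALF_DONE_CONFIG = {
    "AAA": {"authentication": {"login": "tacacs+"}},
}


def check_file(path):
    """Load a config_db.json from disk and run the check on it."""
    with open(path) as fh:
        return check_tacacs(json.load(fh))


if __name__ == "__main__":
    results = check_file(sys.argv[1]) if len(sys.argv) > 1 else check_tacacs(ARTICLE_CONFIG)
    for line in results:
        print(line)
    sys.exit(1 if any(r.startswith("ERROR") for r in results) else 0)
```

Run it on the switch as `python3 check_tacacs.py /etc/sonic/config_db.json` (or on a copy pulled with `show runningconfiguration all`); an ERROR exit status is a reason not to run `config save -y`, while the WARN for testing123 is expected only while following this article in a lab.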
Appendix: TACACS+ server configuration
Step 1: Generate the login password hashes with "tac_pwd". The output is a traditional crypt(3) DES hash, which uses only the first eight characters of the password.
Server:~# tac_pwd
Password to be encrypted: test
BKe8b/ZgWAQ92
Server:~# tac_pwd
Password to be encrypted: admin
9HYczqUTI2Aoo
Step 2: TACACS+ server configuration. The "key" must be the same value as the passkey set on the switch in Step 3 of the procedure.
Server:~# vi /etc/tacacs+/tac_plus.conf
accounting file = /var/log/tac_plus.acct
key = testing123
user = DEFAULT {
    login = PAM
    service = ppp protocol = ip {}
}
group = network_admin {
    default service = permit
    service = exec {
        priv-lvl = 15
    }
    cmd = show {
        permit .*
    }
}
user = test {
    login = des BKe8b/ZgWAQ92
    pap = des BKe8b/ZgWAQ92
    member = network_admin
}
user = admin {
    login = des 9HYczqUTI2Aoo
    pap = des 9HYczqUTI2Aoo
    member = network_admin
}
Notes on this configuration: the "user = DEFAULT { login = PAM }" stanza lets any account that is not listed in the file authenticate against the server's own PAM stack, so remove it if only the listed users should be able to log in to the switch. The "service = exec", "priv-lvl" and "cmd = show" entries are authorization settings; since the switch only supports authentication (see Restriction), they are not consulted for switch logins. The file holds the shared key and the password hashes, so keep it readable only by the tac_plus service account.