CTPView Network Management System

Configuring the TACACS+ Server

26-May-23

When installed on a server running the CentOS operating system, CTPView allows a user authenticated by the TACACS+ server to log in through SSH and HTTPS.

Users are authenticated in the following order:

  • By the TACACS+ server

  • By the local user account

You can add the same user to the TACACS+ server and the local CTPView system.

Configuring the TACACS+ Server’s Configuration Files

You can use any TACACS+ server that complies with the TACACS+ RFC "The TACACS+ Protocol" (January 1997). You can download the TACACS+ server that we refer to here (v1.2) from the TACACS.net website at http://tacacs.net/download.asp. This version contains four configuration files. To modify the configuration files, you must log in to the TACACS+ server as an administrator.

  • Authentication.xml—Modify this file to add a new user on the TACACS+ server. To add a new user, you must add a new user group and the user under the <UserGroups> tag.

    <UserGroups>
      <UserGroup>
        <Name>TACACS_User1</Name>
        <AuthenticationType>File</AuthenticationType>
        <Users>
          <User>
            <Name>TACACS_User1</Name>
            <LoginPassword ClearText="PASSWORD" DES=""></LoginPassword>
            <EnablePassword ClearText="" DES=""></EnablePassword>
            <CHAPPassword ClearText="" DES=""></CHAPPassword>
            <OutboundPassword ClearText="" DES=""></OutboundPassword>
          </User>
        </Users>
      </UserGroup>
    </UserGroups>
  • Authorization.xml—Modify this file to define the authorization level for the user. To define authorization levels, you must add the user group that you added in the Authentication.xml file to this file under the <Authorization> tag.

    <Authorization>
      <UserGroups>
        <UserGroup>TACACS_User1</UserGroup>
      </UserGroups>
      <Services>
        <Service>
          <Set>service=juniper_ctp_srvc</Set>
          <Set>protocol=unknown</Set>
          <Set>juniper_ctpview_https=1</Set>
        </Service>
      </Services>
    </Authorization>

    The CTP device uses the juniper_ctp_srvc service to access TACACS+. This service is used only for TACACS+ access, and its name cannot be changed in the Authorization.xml file.

    To define the authorization level, you can assign a user to any or all of the following groups:

    • CTP Device CLI–SSH

    • CTPView CLI–SSH

    • CTPView Web–HTTPS

    The level of authorization for each user is specified in the <Set> tag under the <Service> tag.

    Use the attributes and values shown in Table 1 for HTTPS access to CTPView.

    Table 1: Attributes and Values for HTTPS Access

    Attribute       Value
    Global_Admin    juniper_ctpview_https=1
    Net_Admin       juniper_ctpview_https=2
    Net_View        juniper_ctpview_https=3
    Net_Diag        juniper_ctpview_https=4

    Use the attributes and values shown in Table 2 for SSH access to CTPView.

    Table 2: Attributes and Values for SSH Access to CTPView

    Attribute       Value
    Web Manager     juniper_ctpview_cli=1
    System Admin    juniper_ctpview_cli=2
    Auditor         juniper_ctpview_cli=3

    Use the attributes and values shown in Table 3 for SSH access to CTP devices.

    Table 3: Attributes and Values for SSH Access to CTP Devices

    Attribute           Value
    Read_Only           juniper_ctp_cli=1
    Admin               juniper_ctp_cli=2
    Privileged_admin    juniper_ctp_cli=3
    Auditor             juniper_ctp_cli=4

    On the TACACS+ server, you can also modify these files:

  • Clients.xml—Modify this file to add the secret key and the domains that can use the TACACS+ server.

  • Tacplus.xml—Modify this file to add the remote port number and the IPv4 or IPv6 address assigned to the TACACS+ server.

    <Port>49</Port>
    <LocalIP>Write your TACACS+ machine’s IP here</LocalIP>

    Modify the parameters specified in Table 4 if required.

    Table 4: Attributes for Configuring Tacplus.xml File

    Parameter    Function
    Port         The default port number is 49.
    LocalIP      Specify the IP address of the TACACS+ server. You can enter an IPv4 or IPv6 address.
                 Before you enter an IPv6 address, ensure that both the TACACS+ server and the CTPView server or CTP device support IPv6.
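The following script is an added example, not Juniper or TACACS.net code, that checks the Authentication.xml, Authorization.xml and Tacplus.xml fragments described above for the mistakes that most often lock a user out or grant the wrong level: a user group referenced in Authorization.xml that is not declared in Authentication.xml, a service name other than juniper_ctp_srvc, an access attribute value outside Tables 1 to 3, and a Port or LocalIP that is not a valid port or IPv4/IPv6 address. It assumes the element layout shown in the excerpts above (a <Tacplus> root element is assumed for parsing the Port/LocalIP pair, which the page shows without a root), and every sample document in it is constructed for the demonstration.

```python
"""Sanity-check CTPView TACACS+ XML fragments (added example, not Juniper/TACACS.net code).

Assumes the element layout of the Authentication.xml / Authorization.xml excerpts
and the attribute-to-role mappings of Tables 1-3; sample documents are constructed.
"""
import ipaddress
import xml.etree.ElementTree as ET

REQUIRED_SERVICE = "juniper_ctp_srvc"          # fixed by the CTP device, cannot be changed
ROLE_TABLES = {                                # Tables 1-3: attribute value -> role name
    "juniper_ctpview_https": {1: "Global_Admin", 2: "Net_Admin", 3: "Net_View", 4: "Net_Diag"},
    "juniper_ctpview_cli": {1: "Web Manager", 2: "System Admin", 3: "Auditor"},
    "juniper_ctp_cli": {1: "Read_Only", 2: "Admin", 3: "Privileged_admin", 4: "Auditor"},
}

# Constructed samples mirroring the documented excerpts.
AUTHENTICATION_XML = """<UserGroups><UserGroup><Name>TACACS_User1</Name>
<AuthenticationType>File</AuthenticationType><Users><User><Name>TACACS_User1</Name>
<LoginPassword ClearText="PASSWORD" DES=""></LoginPassword></User></Users>
</UserGroup></UserGroups>"""
AUTHORIZATION_XML = """<Authorization><UserGroups><UserGroup>TACACS_User1</UserGroup>
</UserGroups><Services><Service><Set>service=juniper_ctp_srvc</Set>
<Set>protocol=unknown</Set><Set>juniper_ctpview_https=1</Set>
<Set>juniper_ctpview_cli=3</Set></Service></Services></Authorization>"""
# Broken variant: group not declared in Authentication.xml, HTTPS level outside Table 1.
BAD_AUTHORIZATION_XML = (AUTHORIZATION_XML
    .replace("<UserGroup>TACACS_User1<", "<UserGroup>TACACS_User2<")
    .replace("juniper_ctpview_https=1", "juniper_ctpview_https=7"))
# The page shows only <Port>/<LocalIP>; a <Tacplus> root is assumed here so it parses.
TACPLUS_XML = "<Tacplus><Port>49</Port><LocalIP>2001:db8::49</LocalIP></Tacplus>"


def parse_sets(authorization_xml):
    """Return {attribute: value} from every <Set>key=value</Set> under <Service>."""
    sets = {}
    for node in ET.fromstring(authorization_xml).iter("Set"):
        key, _, value = (node.text or "").strip().partition("=")
        sets[key] = value
    return sets


def check_authorization(authentication_xml, authorization_xml):
    """Findings for an Authorization.xml fragment; an empty list means consistent."""
    findings = []
    # Group names are compared exactly (whitespace included), so do not strip them.
    declared = {g.findtext("Name") for g in ET.fromstring(authentication_xml).iter("UserGroup")}
    for g in ET.fromstring(authorization_xml).iter("UserGroup"):
        if g.text not in declared:
            findings.append(f"group {g.text!r} is not declared in Authentication.xml")
    sets = parse_sets(authorization_xml)
    if sets.get("service") != REQUIRED_SERVICE:
        findings.append(f"service must be {REQUIRED_SERVICE}, got {sets.get('service')!r}")
    for attr, table in ROLE_TABLES.items():
        if attr in sets and (not sets[attr].isdigit() or int(sets[attr]) not in table):
            findings.append(f"{attr}={sets[attr]} is outside the documented values {sorted(table)}")
    return findings


def granted_roles(authorization_xml):
    """Map each access attribute present to its role name from Tables 1-3."""
    sets = parse_sets(authorization_xml)
    return {a: t[int(sets[a])] for a, t in ROLE_TABLES.items()
            if a in sets and sets[a].isdigit() and int(sets[a]) in t}


def cleartext_logins(authentication_xml):
    """Users whose LoginPassword is supplied through the ClearText attribute."""
    return [u.findtext("Name") for u in ET.fromstring(authentication_xml).iter("User")
            if (u.find("LoginPassword") is not None and u.find("LoginPassword").get("ClearText"))]


def check_tacplus(tacplus_xml):
    """Validate <Port> (1-65535) and <LocalIP> (IPv4 or IPv6) from Tacplus.xml."""
    root = ET.fromstring(tacplus_xml)
    result = {"port": None, "ip_version": None, "findings": []}
    port = (root.findtext("Port") or "").strip()
    if port.isdigit() and 1 <= int(port) <= 65535:
        result["port"] = int(port)
    else:
        result["findings"].append(f"Port must be 1-65535, got {port!r}")
    ip = (root.findtext("LocalIP") or "").strip()
    try:  # version 6 means: confirm IPv6 support on both ends first (Table 4 note)
        result["ip_version"] = ipaddress.ip_address(ip).version
    except ValueError:
        result["findings"].append(f"LocalIP {ip!r} is not a valid IPv4/IPv6 address")
    return result


if __name__ == "__main__":
    print("roles:", granted_roles(AUTHORIZATION_XML))
    print("ok findings:", check_authorization(AUTHENTICATION_XML, AUTHORIZATION_XML))
    print("bad findings:", check_authorization(AUTHENTICATION_XML, BAD_AUTHORIZATION_XML))
    print("cleartext logins:", cleartext_logins(AUTHENTICATION_XML))
    print("tacplus:", check_tacplus(TACPLUS_XML))
```

Run it against your own files by reading them into the three string variables; the LocalIP check deliberately rejects the placeholder text from the excerpt above, and cleartext_logins lists every account whose password is still in the ClearText attribute so you can review them before the file is deployed.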
