Having successfully configured EXOS authentication against the TACACS+ daemon in a previous blog entry, it should be easy to add authorization.

TACACS+ authentication

Authentication is enabled on the EXOS router with these configuration lines:

configure tacacs primary server 192.0.2.1 4949 client-ip 10.100.100.103 vr VR-Default
configure tacacs primary shared-secret 123-my_tacacs_key
configure tacacs fallback local
enable tacacs

...Ready. EXOS AAA authentication is finished.

The verification part is explained in the above linked blog entry.

TACACS+ authorization

Authorization is easy to configure once authentication works; this is true. But not if you lack configuration experience on the given component.

Configuration issue

With this configuration in place, it would seem logical to continue configuring like this:

R103.1 # configure tac?

  tacacs              Configure TACACS+ Server
  tacacs-accounting   Configure TACACS+ Accounting Server

Even tacacs-accounting is shown as a configuration option, but where is the authorization part? Descending into the tacacs sub-menu does not help either. The only authorization-related option is priv-lvl, which sets the privilege level attribute of the authorization request; nothing here enables authorization:

R103.1 # configure tacacs ?

  fallback    Fallback authentication option when client IP is not in server's list of clients
  primary     primary server
  priv-lvl    Privilege level attribute of authorization request.
  secondary   secondary server
  timeout     TACACS+ server timeout

This is a dead end. Verifying with the show session command confirms it: the second Auth column, the authorization state, says dis for the TACACS+ session.

R103.2 # show session

CLI #   Login Time               User    Type     Auth     Auth  Location
================================================================================
 1      Sun Aug 6 14:34:12 2023  admin   console  local    dis   serial
*4      Sun Aug 6 14:37:10 2023  cisco   telnet   TACACS+  dis   10.100.100.10

So something very specific is missing. After troubleshooting for some time, I left it this way, being convinced this was for sure an appliance bug, and did not invest any time in searching for a solution.

Solution

On EXOS, the enable tacacs-authorization command adds the missing function:

R103.5 # enable tacacs-authorization

Knowing the EXOS CLI menu and its basic functionality, especially the enable command, which turns on disabled services, this is easy to spot:

R103.8 # enable tacacs?

  tacacs                 TACACS+ Client
  tacacs-accounting      TACACS+ Client Accounting
  tacacs-authorization   TACACS+ Client Cli Authorization

Each of the three A's in EXOS needs to be enabled with its own explicit tacacs command.

Configuration

Once applied, the resulting working configuration is 5 lines long. It enables both authentication and authorization over the TACACS+ protocol.

configure tacacs primary server 192.0.2.1 4949 client-ip 10.100.100.103 vr VR-Default
configure tacacs primary shared-secret 123-my_tacacs_key
configure tacacs fallback local
enable tacacs
enable tacacs-authorization

Verification

The verification using the show session command:

R103.13 # show session

CLI #   Login Time               User    Type     Auth     Auth  Location
================================================================================
 1      Sun Aug 6 14:34:12 2023  admin   console  local    dis   serial
*7      Sun Aug 6 14:50:26 2023  cisco   telnet   TACACS+  en    10.100.100.10

The router shows that the current user cisco is authenticated and authorized. Of the two Auth columns, the first is the authentication method, displayed as TACACS+, and the second is the authorization state, now en instead of dis.

Verification with the show tacacs command is more verbose. It displays all details of the EXOS TACACS+ configuration, used or unused:

R103.21 # show tacacs

TACACS+ Configuration
  Admin Status            : enabled
  Authorization           : enabled
  Authorization priv-lvl  : optional
  Fallback Authentication : local
  Accounting              : disabled

  Server Connect Timeout  : 3 sec
  Primary Server :
    Server name   :
    IP address    : 192.0.2.1
    Server IP Port: 4949
    Client address: 10.100.100.103 (VR-Default)
    Shared secret : #$cmjHxn07ND1/f7J73lJMxcFgxvj+o4fXayAZhzM9nYLfdco8Sto=

    Authentication:
      Requests  : 20
      Responses : 20
      Password  : 20
      Passed    : 18
      Failed    : 2

    Authorization:
      Requests  : 62
      Responses : 62
      Passed    : 54
      Failed    : 8

  Secondary Server : none

  Acct Server Connect Timeout : 3 sec
  Primary Accounting Server   : none
  Secondary Accounting Server : none

EXOS TACACS+ authorization is now successfully configured, activated, and verified with the commands shown.
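Because the trap described above is silent (authentication works, sessions open, and only the second Auth column of show session and the Authorization line of show tacacs reveal that CLI authorization is off), it is worth checking for it mechanically on every switch. The following added example is not from the original post or from Extreme Networks; it parses captured show session and show tacacs output and reports the AAA state. The sample outputs are constructed by transcribing the before and after show session output and the show tacacs output in this post, and the parsing depends only on the column layout shown there.

```python
import re

# Constructed samples transcribed from the "show session" output before and after
# "enable tacacs-authorization" and from "show tacacs" in this post; they are not
# captured from a live switch.
SHOW_SESSION_BEFORE = """\
CLI #   Login Time               User    Type     Auth     Auth  Location
================================================================================
 1      Sun Aug 6 14:34:12 2023  admin   console  local    dis   serial
*4      Sun Aug 6 14:37:10 2023  cisco   telnet   TACACS+  dis   10.100.100.10
"""
SHOW_SESSION_AFTER = """\
CLI #   Login Time               User    Type     Auth     Auth  Location
================================================================================
 1      Sun Aug 6 14:34:12 2023  admin   console  local    dis   serial
*7      Sun Aug 6 14:50:26 2023  cisco   telnet   TACACS+  en    10.100.100.10
"""
SHOW_TACACS = """\
TACACS+ Configuration
  Admin Status            : enabled
  Authorization           : enabled
  Fallback Authentication : local
  Accounting              : disabled
  Primary Server :
    IP address    : 192.0.2.1
    Client address: 10.100.100.103 (VR-Default)
    Authentication:
      Requests  : 20
      Passed    : 18
      Failed    : 2
    Authorization:
      Requests  : 62
      Passed    : 54
      Failed    : 8
  Secondary Server : none
  Primary Accounting Server   : none
"""

# One "show session" row: a leading '*' marks the current session; the two Auth
# columns are the authentication method and the authorization state (en/dis).
SESSION_RE = re.compile(
    r"^\s*(?P<current>\*?)(?P<cli>\d+)\s+"
    r"(?P<login>\w{3} \w{3}\s+\d{1,2} \d\d:\d\d:\d\d \d{4})\s+"
    r"(?P<user>\S+)\s+(?P<type>\S+)\s+(?P<authn>\S+)\s+"
    r"(?P<authz>en|dis)\s+(?P<location>\S+)\s*$"
)
COUNTER_KEYS = {"Requests", "Responses", "Password", "Passed", "Failed"}


def parse_sessions(text):
    """Return one dict per session row of 'show session'; header lines are skipped."""
    sessions = []
    for line in text.splitlines():
        m = SESSION_RE.match(line)
        if m:
            row = m.groupdict()
            row["current"] = bool(row["current"])
            row["cli"] = int(row["cli"])
            sessions.append(row)
    return sessions


def parse_show_tacacs(text):
    """Flatten 'show tacacs' into {setting: value}; counters are prefixed with their
    block name (e.g. 'Authorization Failed') so the two blocks do not collide."""
    settings, block = {}, None
    for raw in text.splitlines():
        if ":" not in raw:
            continue
        key, _, value = raw.partition(":")
        key, value = key.strip(), value.strip()
        if not value and key in ("Authentication", "Authorization"):
            block = key                      # header of a counter block
        elif key in COUNTER_KEYS and block:
            settings[f"{block} {key}"] = int(value)
        elif value:
            settings[key] = value
    return settings


def audit(tacacs, sessions):
    """Return findings for the EXOS AAA trap: authentication on, authorization off."""
    findings = []
    if tacacs.get("Admin Status") != "enabled":
        findings.append("TACACS+ client disabled: run 'enable tacacs'")
    if tacacs.get("Authorization") != "enabled":
        findings.append("CLI authorization disabled: run 'enable tacacs-authorization'")
    if tacacs.get("Accounting") != "enabled":
        findings.append("accounting disabled: run 'enable tacacs-accounting'")
    for s in sessions:
        if s["authn"] == "TACACS+" and s["authz"] != "en":
            findings.append(f"session {s['cli']} ({s['user']}) authenticated via "
                            "TACACS+ but authorization is 'dis'")
    return findings


if __name__ == "__main__":
    cfg = parse_show_tacacs(SHOW_TACACS)
    for label, text in (("before", SHOW_SESSION_BEFORE), ("after", SHOW_SESSION_AFTER)):
        for finding in audit(cfg, parse_sessions(text)) or ["no findings"]:
            print(f"{label}: {finding}")
```

Run against the two captures, the audit flags session 4 (cisco) in the "before" state, where the TACACS+ session shows dis in the authorization column, and reports only the unconfigured accounting in the "after" state. The per-session check matters because show tacacs alone reports the global switch state; a session that was authenticated by TACACS+ but shows dis is the symptom to look for on a switch where only enable tacacs was issued.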

Summary

So this is a more granular way of configuring global TACACS+ options than on other routers. In the EXOS TACACS+ configuration, specifically and only the authorization part is not intuitive to configure; but once enabled, it works properly. The only option left unconfigured is TACACS+ accounting.

I have linked the community forum URL where I found the solution, explained by Frank. Thank you, Frank. It looks like there are more users like me who fall into this very specific EXOS AAA configuration trap.

References