Having successfully configured EXOS authentication against the TACACS+ daemon in a previous blog entry, adding authorization should be easy.
TACACS+ authentication
With authentication enabled on the EXOS router, the configuration lines are:
configure tacacs primary server 192.0.2.1 4949 client-ip 10.100.100.103 vr VR-Default
configure tacacs primary shared-secret 123-my_tacacs_key
configure tacacs fallback local
enable tacacs
...Ready. EXOS AAA authentication finished.
The verification part is explained in the above-linked blog entry.
TACACS+ authorization
Authorization is easy to configure once authentication works, that much is true. It is not easy, however, if you lack configuration experience on the given component.
Configuration issue
Starting from this configuration, it would seem logical to continue with the configure command's TACACS+ options, as shown by the CLI help:
tacacs              Configure TACACS+ Server
tacacs-accounting   Configure TACACS+ Accounting Server
Yes, even tacacs-accounting is shown as a configuration option. So where is the authorization part? Following this path there is no way to configure TACACS+ authorization from the menu:
fallback    Fallback authentication option when client IP is not in server's list of clients
primary     primary server
priv-lvl    Privilege level attribute of authorization request.
secondary   secondary server
timeout     TACACS+ server timeout
This is a dead end. When verifying with the show session command, authorization is shown as disabled (dis):
CLI
#  Login Time               User   Type     Auth   Auth  Location
================================================================================
 1 Sun Aug 6 14:34:12 2023  admin  console  local  dis   serial
*4 Sun Aug 6 14:37:10 2023  cisco  telnet   TACACS+dis   10.100.100.10
So something very specific is missing. After troubleshooting for some time, I left it this way, convinced this was surely an appliance bug, and did not invest any time in searching for a solution.
Solution
In EXOS, the enable tacacs-authorization command adds the function t
Knowing the EXOS CLI menu and its basic functions, especially the enable command, which enables disabled services, this is easy to spot in the help output of enable:
tacacs                 TACACS+ Client
tacacs-accounting      TACACS+ Client Accounting
tacacs-authorization   TACACS+ Client Cli Authorization
Each of the three A's (authentication, authorization, accounting) in EXOS needs to be enabled with its own explicit enable tacacs command.
Configuration
Once applied, the working configuration is 5 lines long. The configuration shown enables authentication and authorization using the TACACS+ protocol.
configure tacacs primary server 192.0.2.1 4949 client-ip 10.100.100.103 vr VR-Default
configure tacacs primary shared-secret 123-my_tacacs_key
configure tacacs fallback local
enable tacacs
enable tacacs-authorization
Verification
The verification using the show session command:
CLI
#  Login Time               User   Type     Auth   Auth  Location
================================================================================
 1 Sun Aug 6 14:34:12 2023  admin  console  local  dis   serial
*7 Sun Aug 6 14:50:26 2023  cisco  telnet   TACACS+en    10.100.100.10
The router shows that the current user cisco is authenticated and authorized: both Auth columns are populated, the authentication method is displayed as TACACS+, and authorization is now en (enabled).
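The show session check above is the quickest way to catch the trap this post describes, so here is an added helper (not from the post or from Extreme) that parses that output and reports TACACS+ users whose CLI authorization is still disabled. The session tables are constructed to mirror the post's before and after output, including "TACACS+" running straight into the dis/en flag.

```python
import re

# Constructed samples of EXOS "show session" output, modelled on the post:
# the "dead end" state (TACACS+ authenticated, authorization "dis") and the
# fixed state after "enable tacacs-authorization" ("en"). As in the post's
# output, "TACACS+" fills the Auth column and runs into the flag.
SESSION_BEFORE = """\
CLI
#  Login Time               User   Type     Auth   Auth  Location
================================================================================
 1 Sun Aug 6 14:34:12 2023  admin  console  local  dis   serial
*4 Sun Aug 6 14:37:10 2023  cisco  telnet   TACACS+dis   10.100.100.10
"""
SESSION_AFTER = SESSION_BEFORE.replace("TACACS+dis", "TACACS+en ")

# Columns: [*]id, login time, user, type, auth method, authz flag, location.
# The auth method is matched lazily so "TACACS+dis" splits into
# "TACACS+" and "dis" while "local  dis" still parses normally.
SESSION_RE = re.compile(
    r"^\*?\s*(?P<id>\d+)\s+(?P<login>\w{3} \w{3} +\d+ [\d:]+ \d{4})\s+"
    r"(?P<user>\S+)\s+(?P<type>\S+)\s+(?P<auth>\S+?)\s*(?P<authz>en|dis)\s+"
    r"(?P<location>\S+)\s*$"
)


def parse_sessions(text):
    """Return one dict per session row; header and rule lines are skipped."""
    return [m.groupdict() for m in map(SESSION_RE.match, text.splitlines()) if m]


def unauthorized_tacacs_users(text):
    """Users authenticated by TACACS+ whose CLI authorization is still 'dis',
    i.e. 'enable tacacs' was issued but 'enable tacacs-authorization' was not."""
    return sorted(s["user"] for s in parse_sessions(text)
                  if s["auth"].upper() == "TACACS+" and s["authz"] == "dis")


def config_missing_authorization(config_lines):
    """True when a config enables TACACS+ but not TACACS+ authorization."""
    present = {line.strip() for line in config_lines}
    return "enable tacacs" in present and "enable tacacs-authorization" not in present


if __name__ == "__main__":
    print(unauthorized_tacacs_users(SESSION_BEFORE))  # ['cisco']
    print(unauthorized_tacacs_users(SESSION_AFTER))   # []
```

Feed it the real show session output and the running configuration and an empty result from both functions means the authorization step has been applied.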
Verification with the show tacacs command is more verbose; it displays every detail of the EXOS TACACS+ configuration, used or unused:
TACACS+ Configuration
Admin Status                : enabled
Authorization               : enabled
Authorization priv-lvl      : optional
Fallback Authentication     : local
Accounting                  : disabled
Server Connect Timeout      : 3 sec
Primary Server :
    Server name   :
    IP address    : 192.0.2.1
    Server IP Port: 4949
    Client address: 10.100.100.103 (VR-Default)
    Shared secret : #$cmjHxn07ND1/f7J73lJMxcFgxvj+o4fXayAZhzM9nYLfdco8Sto=
    Authentication:
        Requests  : 20
        Responses : 20
        Password  : 20
        Passed    : 18
        Failed    : 2
    Authorization:
        Requests  : 62
        Responses : 62
        Passed    : 54
        Failed    : 8
Secondary Server            : none
Acct Server Connect Timeout : 3 sec
Primary Accounting Server   : none
Secondary Accounting Server : none
EXOS TACACS+ authorization is now configured, activated and verified using the commands shown.
Summary
EXOS offers a more granular way of configuring global TACACS+ options than other routers. The EXOS TACACS+ configuration, specifically and only the authorization part, is not intuitive to configure, but once enabled it works properly. The only option left unconfigured is TACACS+ accounting.
I have linked the community forums URL where I found the solution, explained by Frank. Thank you, Frank. It looks like there are more users like me who fall into this very specific EXOS AAA configuration trap.