How to configure TACACS+ Authentication on switches via Omada Controller

Configuration Guide
Updated 08-19-2024 03:34:05 AM 5251
This Article Applies to: 

Contents

Objective

Requirements

Introduction

Configuration

Verification

Conclusion

Objective

This article describes how to implement TACACS+ authentication on the switch via CLI templates on the Omada Controller.

Requirements

  • Omada Smart / L2+ / L3 switches
  • Omada Controller (Software Controller / Hardware Controller / Cloud-Based Controller, V5.9 and above)

Introduction

To enhance network security, we can use TACACS+ to implement access control on switches. For example, when a client connected to a switch needs to access the switch via the SSH protocol, it must first pass the authentication process. In the following network topology, TACACS+ can be configured on the Omada Controller via CLI templates to ensure that only authenticated users can access the switch.

Configuration

Step 1. Install the TACACS+ Server in Ubuntu 20.04 (or above) via the following steps:

1. Download the latest source file of the TACACS+ Server at ftp://ftp.shrubbery.net/pub/tac_plus.

2. Unzip the source file: tar -zxvf tacacs-F4.0.4.28.tar.gz

3. Access the unzipped files: cd /path/to/tacacs-F4.0.4.28

4. Enter ./configure. If an error message is displayed, execute the command sudo apt-get install libwrap0-dev flex bison.

5. Execute sudo make install.

6. Add an include path: sudo vi /etc/ld.so.conf. After modification, save the settings and exit. Go to the terminal to execute sudo ldconfig.

Step 2. Configure the TACACS+ Server.

1. Use the command sudo mkdir /etc/tacacs+ to create a new folder.

2. Create a config file tac_plus.conf in the path /etc/tacacs+: touch tac_plus.conf

3. Modify the config file tac_plus.conf: sudo vi /etc/tacacs+/tac_plus.conf

You can copy the following command lines to the config file tac_plus.conf as an attempt.

#Make this a strong key

key = tplink_123

# Using local PAM which allows us to use local Linux users

default authentication = file /etc/passwd

#Define groups that we shall add users to later

group = test1 {

default service = permit

service = exec {

priv-lvl = 15

}

}

group = test2 {

default service = deny

service = exec {

priv-lvl = 1

}

}

group = test3 {

default service = permit

login = file /etc/passwd

service = exec {

priv-lvl = 2

}

}

#Defining my users and assigning them to groups above

user = manager {

member = test1

}

user = user1 {

member = test2

}

user = user2 {

member = test3

}

Save and exit the edited file of tac_plus.conf, create relevant users and set passwords on Linux system.

Priv-lvl has 15 levels and four different management permissions on the switch:

1~4: User permission. Users can only view, but not edit or modify the settings. L3 features cannot be viewed.

5~9: Super user permission. Super users can view, edit, and modify some functions, such as VLAN, HTTPS config, Ping, etc.

10~14: Operator permission. On the basis of super user permission, operators can also configure LAG, MAC address, access control, SSH config and other settings.

15: Administrator privilege. Administrator can view, edit, and modify all functions.

Note: Switches that have been adopted by the Omada Controller cannot be configured via CLI.

Step 3. Restart the TACACS+ Server and add users. Every time after modify the tac_plus.conf file, you need to restart the TACACS+ Server. Use the command sudo tac_plus -C /etc/tacacs+/tac_plus.conf to restart and the command adduser to add users and set passwords in the Linux system.

adduser manager

adduser user1

adduser user2

Note: Here “manager”, “user1”, and “user2” correspond respectively to the users configured in the tac_plus.conf file. Similarly, to add new users, you need to add them in the tac_plus.conf file and restart the TACACS+ Server.

Step 4. Set the CLI templates on the Omada Controller. Go to Settings >CLI Configuration >Device CLI and click Create New Device CLI Profile.

Specify the name and enter the following CLI commands. The CLI commands here is used to assign the IP address, port, and sharing secret to the TACACS+ Server and to implement TACACS+ authentication when the switch is accessed via the SSH protocol.

tacacs-server host 192.168.0.30 port 49 timeout 5 key 0 tplink_123

aaa authentication login test tacacs

line ssh

login authentication test

Select the target switch in the pop-up window of Choose Device and click Confirm. Then click Save to save the settings.

Verification

Go to Settings > Services > SSH to enable SSH Login and click Apply.

When using PuTTY to access the switch via SSH, username and password set in the TACACS+ Server are required for login.

Conclusion

You have successfully configured the TACACS+ Server to control client access to the switch.

Get to know more details of each function and configuration please go to Download Center to download the manual of your product.

Is this faq useful?

Your feedback helps improve this site.

Community

TP-Link Community

Still need help? Search for answers, ask questions, and get help from TP-Link experts and other users around the world.

Visit the Community >

From United States?

Get products, events and services for your region.