Integrating open source TACACS+ with cnMaestro

cnMaestro On-Premises TACACS+ Configuration

Overview

This document presents a basic configuration for cnMaestro TACACS+ authentication using the Ubuntu TACACS+ server (tac_plus).

Installation

The Ubuntu TACACS+ server can be installed in the following way.

Step 1: Add package dependencies

apt-get update && apt-get install -y gcc make flex bison libwrap0-dev

Step 2: Install server

apt-get install tacacs+

Configuration

The steps below configure cnMaestro for administration account authentication using TACACS+ as the primary authenticator (the local user database becomes secondary).

Step 1: Edit TACACS+ Configuration File

  1. Navigate to the TACACS+ folder (/etc/tacacs+/) and edit the tac_plus.conf configuration file as root (using sudo).
  2. Set the accounting file and the key. The Shared Secret in the cnMaestro configuration window must match the key configured here (in the example below, they are both "cnMaestro").

Step 2: Create TACACS+ Users

Multiple users can be added to the TACACS+ configuration file in the following fashion.

user = user1 {
    global = cleartext "Cambium@123"
    service = cnmaestro {
        addr = 10.110.209.10
        role = super_admin_role
    }
}

The service name is used in cnMaestro to define the subset of TACACS+ users allowed to log in. The role must be mapped to a specific cnMaestro User Role in the UI (Super Administrator, Administrator, Operator, Monitor). An example configuration is below:

Note the following:

  1. addr is the IP address of the cnMaestro On-Premises server and is optional.
  2. The user name and the cleartext password are used as the login credentials.
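As an added example (not part of the original post), the following script assembles a tac_plus.conf with the key, accounting file and two users in the format shown above, restricts the file's permissions because it holds credentials, and checks the file before the service is restarted. The role names other than super_admin_role, the accounting file path and the /tmp output path are assumptions; the real file is /etc/tacacs+/tac_plus.conf.

```shell
#!/bin/sh
# Added example: generate and sanity-check a tac_plus.conf for cnMaestro.
CONF="${CONF:-/tmp/tac_plus.conf}"      # assumption; production path is /etc/tacacs+/tac_plus.conf
SHARED_SECRET="cnMaestro"               # must equal the Shared Secret entered in cnMaestro
CNMAESTRO_ADDR="10.110.209.10"          # optional addr line, the cnMaestro server IP
# Role names you have mapped in Application > Users > Authentication (assumed names).
MAPPED_ROLES="super_admin_role admin_role operator_role monitor_role"

# Emit one user block: $1=login $2=password $3=role (service name is fixed to cnmaestro).
user_block() {
  printf 'user = %s {\n    global = cleartext "%s"\n    service = cnmaestro {\n        addr = %s\n        role = %s\n    }\n}\n\n' \
    "$1" "$2" "$CNMAESTRO_ADDR" "$3"
}

# Write the whole file; umask 077 keeps the cleartext passwords and key owner-readable only.
write_conf() {
  umask 077
  {
    printf 'key = %s\naccounting file = /var/log/tac_plus.acct\n\n' "$SHARED_SECRET"
    user_block user1 'Cambium@123' super_admin_role
    user_block user2 'Monitor@123' monitor_role
  } > "$CONF"
}

# Check 1: the key line in the file is exactly the secret configured in cnMaestro.
check_key() { grep -q "^key = $SHARED_SECRET\$" "$CONF"; }

# Check 2: every role in the file is one cnMaestro knows how to map; an unmapped role
# would let the user authenticate but leave the login without a usable permission set.
check_roles() {
  for r in $(sed -n 's/^ *role *= *//p' "$CONF"); do
    case " $MAPPED_ROLES " in
      *" $r "*) ;;
      *) echo "unmapped role in $CONF: $r" >&2; return 1 ;;
    esac
  done
}

# Check 3: if tac_plus is installed, let it parse the file (-P = parse config and exit).
check_syntax() {
  command -v tac_plus >/dev/null 2>&1 || return 0
  tac_plus -P -C "$CONF"
}

# Number of user blocks, useful to confirm nothing was dropped when editing.
count_users() { grep -c '^user = ' "$CONF"; }
```

Run write_conf, then the three checks, before "sudo service tacacs_plus restart"; a failed check means the daemon would start with a configuration cnMaestro cannot use.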

Step 3: Configure cnMaestro

Navigate to Application > Users > Authentication Servers in the cnMaestro On-Premises UI to create the TACACS+ server.

  1. Make sure the service value entered in the cnMaestro configuration page matches the service name used in the TACACS+ configuration file (cnmaestro in the example above).
  2. Each role value used in the TACACS+ configuration file must be mapped to a cnMaestro User Role on the Application > Users > Authentication configuration page.

Navigate to Application > Users > Authentication and set the Primary Authentication to the TACACS+ server just created. The Secondary Authentication is automatically set to Local Users, which means that if the TACACS+ server is not reachable, the UI can still be accessed using the Local Users database (so it is important to change the default password). If you are unable to log into the UI, you can create a one-time password in the CLI to resolve the issue (see the User Guide for details on Application Account Recovery).

Step 4: Restart (or start) the TACACS+ Server

After configuration, restart the TACACS+ service using the following command.

sudo service tacacs_plus restart

Step 5: Log into cnMaestro

In a separate browser, log into cnMaestro using the new username and password.
