User authentication through TACACS+ requires each user account to be defined in NetMRI, with its User ID matching the value declared for that user on the TACACS+ server.

For authorization, the TACACS+ configuration file contains the group definitions and the membership of each user account in those groups.

Configuring the TACACS+ Service requires knowledge of the following key values:

  • The na-group-info group attribute value defined for NetMRI in the TACACS+ configuration.

  • The IP address of the TACACS+ server.

  • The shared secret for authenticating the NetMRI appliance on the TACACS+ server.

  • The port number. Normally, you will retain the default value 49.

  • The names of the remote groups on the LDAP server containing the users intended to log in to the NetMRI appliance.

On NetMRI, for the TACACS+ authentication service, you define remote groups with the same names (for example test_admin_group; the group names can be any text string) and the roles those users can hold in the specified device groups. When the TACACS+ server responds to an authentication and authorization request relayed from NetMRI, the response includes the group name. If NetMRI does not find a matching remote group in the authentication service, it will not allow the user to log in via that service and will try the next service in its authentication services list.
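The matching described above, as an added model that is not NetMRI's own code: the group attribute (na-group-info) is read from the TACACS+ authorization reply's attribute-value pairs, looked up among the service's remote groups to obtain roles and device groups (SysAdmin covering all device groups), and a user with no matching group is refused by that service and tried against the next one by priority. Service names, device groups and the roles other than SysAdmin are constructed.

```python
import re
from dataclasses import dataclass

# Constructed example (not NetMRI code): match the group attribute from a TACACS+
# authorization reply to a NetMRI remote group, falling through to the next service.
ALL_DEVICE_GROUPS = ["Routers", "Switches", "Firewalls"]  # constructed names

@dataclass
class AuthService:
    name: str
    priority: int         # lower number is tried first
    group_attribute: str  # attribute carrying the group name, e.g. na-group-info
    remote_groups: dict   # remote group name -> (roles, device_groups)

# RFC 8907 AV pair: the first '=' (mandatory) or '*' (optional) splits attribute and value.
AV_PAIR = re.compile(r"^([^=*]+)[=*](.*)$")

def parse_av_pairs(reply):
    """Return {attribute: value} for the AV pairs in an authorization reply."""
    pairs = {}
    for item in reply:
        m = AV_PAIR.match(item)
        if m:
            pairs[m.group(1)] = m.group(2)
    return pairs

def authorize(service, reply):
    """Return (roles, device_groups) for the reply's group, or None if no remote group matches."""
    group = parse_av_pairs(reply).get(service.group_attribute)
    if group not in service.remote_groups:
        return None
    roles, device_groups = service.remote_groups[group]
    # SysAdmin applies to every device group; other roles use the selected groups.
    if "SysAdmin" in roles:
        return list(roles), list(ALL_DEVICE_GROUPS)
    return list(roles), list(device_groups)

def login(services, replies):
    """Try services by priority; replies maps service name -> AV pairs received. Returns (service, roles, device groups) or None."""
    for svc in sorted(services, key=lambda s: s.priority):
        result = authorize(svc, replies.get(svc.name, []))
        if result is not None:
            return (svc.name,) + result
    return None

SERVICES = [  # constructed: the primary service maps two groups, the secondary maps a third
    AuthService("corp-tacacs", 1, "na-group-info",
                {"test_admin_group": (["SysAdmin"], []), "netops": (["Operator"], ["Routers"])}),
    AuthService("lab-tacacs", 2, "na-group-info", {"lab_users": (["Viewer"], ["Switches"])}),
]
```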

To configure a TACACS+ authentication service for NetMRI, complete the following:

  1. Ensure that all user accounts are defined with their necessary roles in NetMRI.

  2. Go to the Settings icon > General Settings section > Authentication Services page.

  3. Enter the Name and Description.

  4. Set the Priority and Timeout values.

  5. Choose TACACS+ as the Service Type. The Service Specific Information panel updates to show the required TACACS+ settings.

  6. Enter the Service Name and Group Attribute.

  7. Test NetMRI user account settings by entering the User Name and Password and clicking Test. A successful test returns the list of user roles defined in NetMRI for the test user.
    If the authentication server or its shared secret is incorrect, the message "Unable to get access information" will appear.
    If the test user name or password is incorrect, access is rejected. Access is also rejected if no NetMRI Role is defined for the test user on the NetMRI system.

  8. To use TACACS+ for authentication only, select the Disable authorization checkbox. To disable the current service, select the Disable service checkbox.

To configure the authentication service's TACACS+ servers, complete the following:

  1. Click the Servers tab.

    1. Click Add to add TACACS+ servers to the service. The Add Authentication Server dialog opens.

    2. Enter the Host/IP Address.

    3. Enter the Shared Secret for the server.

    4. Choose the Priority for the new server in the authentication service. In this context, the priority value determines the order in which servers in the service are queried by NetMRI. A lower value number denotes a higher priority. "1" is the highest possible priority. Only one server should have a "1" priority.

    5. If necessary, enter the Port value. The TACACS+ default application port is 49.

    6. Click Save to save your configuration.

    7. Click Cancel to close the dialog.

To map the TACACS+ service's remote groups to NetMRI's local roles, complete the following:

  1. Click the Remote Groups tab.

    1. In the Remote Group field, enter the name of a new remote group for the authentication service. In these steps, you are mapping this group name to the NetMRI Role(s) and device group(s).

    2. Choose the Role for the new remote group. For more information, see Defining and Editing Roles.

    3. Select the checkboxes for the device groups you want to allow for the remote group. Note that the SysAdmin role applies to all device groups. Other roles allow the selection of individual device groups.

    4. Click OK to complete the configuration.

    5. When finished with the remote group configuration, click Save and then Close. Note that you can add multiple Roles for the remote group.

  2. Click Test to test the server settings. Enter a valid username and password. A successful test returns the list of groups to which the test user belongs.

Subsequent login attempts are authenticated using the defined authentication servers, except for the admin user account.