
Authenticating Users Using TACACS+ (T+)

You can configure NetMRI to authenticate admins against TACACS+ (Terminal Access Controller Access-Control System Plus, or T+) servers. TACACS+ provides separate authentication, authorization, and accounting services. NetMRI supports only the authentication and authorization capabilities. To ensure reliable delivery, T+ uses TCP as its transport protocol, and to ensure confidentiality, all protocol exchanges between the T+ server and its clients are encrypted. This section assumes that AAA administrators understand the details of TACACS+ configuration, and therefore presents simpler examples.

To support TACACS+ authentication and authorization through NetMRI, you configure a custom service, infoblox, on the T+ server, and then define the user names and group names in the infoblox service's custom attribute na-group. You can name the service and the attribute differently according to preference; this document uses these values by convention.

Ensure that you apply each user group to the custom service infoblox (or however you choose to name the custom service). On NetMRI, you add the remote groups with the same names to the authentication service. When the TACACS+ server responds to an authentication and authorization request relayed from NetMRI and the response includes the na-group custom attribute, NetMRI matches the group name with the group in the authentication service and automatically assigns the admin to that group.
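The group matching described above can be illustrated with the following added example, which is not NetMRI code and not part of the original documentation. It parses a TACACS+ authorization REPLY body (RFC 8907 layout, already de-obfuscated) and looks up the na-group value among the remote groups; the group names, the sample reply, and the exact-match rule are assumptions made for illustration.

```python
import struct

# RFC 8907 section 6.2 authorization REPLY status values
PASS_ADD, PASS_REPL, FAIL = 0x01, 0x02, 0x10

def build_author_reply(status, args, server_msg=b"", data=b""):
    """Build a constructed REPLY body (already de-obfuscated) for the demo."""
    enc = [a.encode() for a in args]
    head = struct.pack("!BBHH", status, len(enc), len(server_msg), len(data))
    return head + bytes(len(a) for a in enc) + server_msg + data + b"".join(enc)

def parse_author_reply(body):
    """Return (status, {attr: value}) from an authorization REPLY body."""
    if len(body) < 6:
        raise ValueError("truncated REPLY header")
    status, arg_cnt, msg_len, data_len = struct.unpack("!BBHH", body[:6])
    arg_lens = body[6:6 + arg_cnt]
    offset = 6 + arg_cnt + msg_len + data_len
    if len(arg_lens) != arg_cnt or offset + sum(arg_lens) != len(body):
        raise ValueError("length fields do not match body size")
    attrs = {}
    for n in arg_lens:
        arg = body[offset:offset + n].decode("utf-8")
        offset += n
        # '=' marks a mandatory argument, '*' an optional one; first one wins
        seps = [i for i in (arg.find("="), arg.find("*")) if i >= 0]
        if not seps:
            raise ValueError("argument without '=' or '*' separator")
        attrs[arg[:min(seps)]] = arg[min(seps) + 1:]
    return status, attrs

def resolve_group(body, remote_groups, attr="na-group"):
    """Return the remote group to assign, or None when nothing matches."""
    status, attrs = parse_author_reply(body)
    if status not in (PASS_ADD, PASS_REPL):
        return None  # FAIL/ERROR: ignore any attributes in the reply
    group = attrs.get(attr)
    # Assumption: names must match exactly (case-sensitive)
    return group if group in remote_groups else None

# Constructed sample: hypothetical remote groups defined on the NetMRI side
REMOTE_GROUPS = {"netmri-admins", "netmri-readonly"}
SAMPLE = build_author_reply(PASS_ADD, ["na-group=netmri-admins", "idletime*30"])

if __name__ == "__main__":
    print(resolve_group(SAMPLE, REMOTE_GROUPS))
```

A reply that passes authorization but carries no na-group attribute, or names a group that was not added as a remote group, resolves to no group in this sketch, which is the case to check for when an admin authenticates but receives no roles.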

If you use T+ only for authentication, the user accounts must all be defined in NetMRI with the User IDs matching the declared values on the T+ server. These accounts must be locally configured on NetMRI with the roles assigned to their specified device groups.

If you use T+ for both authentication and authorization, and the configuration is done in the T+ server configuration file, NetMRI dynamically creates the successfully authenticated and authorized users with the roles defined in the Authentication Service configured in NetMRI.