TACACS+ Authentication Manager Help >> Introduction

Introduction

TAM provides authentication, authorization, and auditing for device maintainers, which are known as device users. It can assign device users different privileges, and monitor the login and command execution operations of device users in a large-scaled network, simplifying user privilege assignment and user management. By cooperating with other components in INC, TAM can implement integrated user, resource, and service management.

TAM supports the following services:

• Multiple device categorizing methods: Devices can be categorized based on management domain or device type in a hierarchical structure, facilitating user privilege assignment.
• Flexible, user-defined authorization policies: Multiple rules can be defined for each authorization policy. Each rule can assign device users different Shell Profiles and command sets based on authorization scenarios such as device area, device type, and authorized time range.
• User group management: You can assign users, of the same type, to one user group, simplifying user management. TAM supports assigning authorization policies to user groups and, also, to users. The authorization policy assigned to a user has a higher priority than that assigned to a user group.
• LDAP user authentication: You can authentication users through the LDAP server, or synchronize user information from the LDAP server to TAM for authentication.
• Integrated device user operation monitoring: TAM monitors device users' authentication, authorization, and command execution operations, facilitating tracking and auditing of device users by operators.
• Distributed deployment with the INC platform, and other components, increases system capacity and performance.

Features

The following figure shows a typical TAM network.

TAM network diagram

TAM provides the following features:

• Device user: User and device are the two fundamental elements of INC and the basis of all network services. Device users in TAM are users that log in to devices and manage the devices. Devices in TAM refer to network devices that can be added to INC and managed based on performance, alarm, and topology, or devices that can be directly managed in TAM. Device users of the same type can be grouped, facilitating daily maintenance of the device users by operators. In addition, different user groups can be managed by different operators.
  After you create a device user, and assign authorization policies for the user (or assign authorization policies for the user group to which the user belongs), the user can manage devices. Device user manages users based on TACACS+ authentication, providing user information query, online user management, device user and LDAP server binding, denylist management, and log query functions.
  • Online user management: You can query online users and clear online data.
  • Binding user with LDAP server: Your network may have LDAP-server-based user information systems (for example, a mail server or a Microsoft Active Directory) currently running. To free the users from memorizing a lot of accounts and passwords, and for easy management and maintenance of user information, INC supports binding access users with the LDAP server for integrated authentication. You can configure the parameters for interaction with the LDAP server in the INC, and bind the access users with the LDAP server, so that the INC will pass the passwords typed by the access users for authentication to the LDAP server for verification.
  • Denylist: You can block a user to keep it out of the network temporarily. In addition, a user that fails to type the correct password within certain consecutive tries specified by the threshold is denylist to prevent malicious login attempts.
  • Log management: Each time an access user successfully accesses the network, an access details record is generated, indicating the access start/end time, offline cause, IP/MAC address of the accessing PC, and access device. Each time an access user fails the authentication, an authentication failure log is generated, indicating the failure cause, authentication time, and IP/MAC address of the accessing PC. Access details and authentication failure logs allow you to trace the online behaviors of the access users, and to locate the sources of faults.

  For more information, see Device User
  

• Device User Policy: TAM allows you to configure service parameters, device areas, device types, devices, authorized time ranges, authorization policies, and LDAP services.
  • Service parameters: Global parameters to run TAM.
• Device area: Devices can be categorized based on geographical location and network layer in a tree structure. The operator can assign a device to different areas, and use the authorization policy to assign different shell profile configurations and command sets to different device areas.
• Device type: Devices can be categorized based on device vendor, level, version, and model in a tree structure. One device can belong to only one device type. Command lines provided by different vendors or devices of different types may be different. The operator needs to assign different shell profile configurations and command sets to devices of different types.
• Device list: TAM uses TACACS+ to communicate with the device to implement authentication, authorization, and accounting of device users. You need to configure parameters needed for TAM to communicate with the device, such as device IP address, listening port, shared key, whether or not to use single connection, and Watchdog packets.
• Time ranges: To restrict device user's access to a specified time range, or restrict command lines that device users can execute in a specified time range, you can specify different shell profiles and command sets in an authorization policy. TAM supports yearly, monthly, weekly, and daily authorized time ranges.
• Shell profiles: Profiles specified for authorizing device users, including ACL, auto run, privilege level, idle time, and session lifetime. You can configure different shell profiles for different authorization scenarios (device area+device type+authorized time range).
• Command sets: Configure multiple commands that can or cannot be executed in one command set, based on priority. Different command sets can be configured for different authorization scenarios (device area+device type+authorized time range).
• Authorization policies: Multiple rules can be defined for each authorization policy. Each rule can assign device users different shell profiles and command sets based on authorization scenarios such as device area, type, and authorized time range. After you assign an authorization policy to a device user (or device user group), TAM authorizes the user corresponding shell profile and command set when the device user logs in to the device.
• LDAP service management: If an LDAP server is available in the network, you can synchronize LDAP users to TAM.

For more information, see Device User Policy.

Operation Guide

To get a quick look at authentication management, see Operation Guide.

Configuration Examples

To look at typical application environments and detailed operation procedure, see Configuration Examples.