Get Started
Identity authentication is adopted for access control on the network. The implementation requires collaboration between TAM and the device.
This example describes the configuration procedure for device users with Telnet login.
Configure TAM
1. Add a device to TAM.
2. Add an authorization policy in TAM.
3. Add a device user in TAM, and subscribe to the authorization policy configured in step 2 for the device user or device user group.
4. Configure the TACACS scheme, domain, and authentication mode on the device.
   - TACACS scheme: Configure the authentication/accounting server as TAM.
   - Domain: Configure a domain with a reference to the TACACS scheme.
5. On the terminal PC, Telnet to the device. Initiate authentication using the username of the device user that has been added to TAM.
With the previous configuration, the user can manage the device after passing authentication. The following describes the purpose and the key configuration of each step.
Add a device to TAM
- Purpose
Make TAM trust the device. Only devices added to TAM can exchange TACACS packets with TAM.
- To start the configuration
Click the User tab, and then select Device User Policy > Device Management from the navigation tree.
- Key parameters
- Authentication Shared Key/Accounting Shared Key: Make sure that they are the same as those in the TACACS scheme configured on the device.
- Device Area and Device Type: Specify the area and type to which the device belongs.
- Single Connection and Watchdog: Select Supported or Not Supported according to whether or not the device supports these two options.
- Add Device: Whether you select an existing device or add a device manually, the IP address of the device must be the IP address that the device uses to exchange packets with TAM. The IP address can be configured by using the nas ip command in the TACACS scheme.
Add an authorization policy in TAM
- Purpose
An authorization policy defines privileges assigned to device users in different scenarios, including device area, device type, and authorized time range. Authorization rules include shell profiles and command sets.
- To start the configuration
Click the User tab, and then select Device User Policy > Authorization Policies from the navigation tree.
- Key parameters
- Default authorization rule: The system predefines a default authorization rule. The rule denies login requests and prohibits execution of any commands, and it places no limit on device area, device type, or authorized time range. The operator can modify the shell profile and command set in the default authorization rule. The default rule always has the lowest priority.
- Change priority: An authorization rule includes the shell profile and command set to be authorized to matching users. You can configure multiple authorization rules for the same authorization policy. If a user matches multiple authorization rules in an authorization scenario, TAM applies the authorization rule with the highest priority.
Add a device user to TAM
- Purpose
A device user is an account for identity authentication.
- To start the configuration
Click the User tab, and then select Device User > All Device Users from the navigation tree, and click Add.
- Key parameters
- Device User Group: Device user group to which a device user belongs. TAM can assign the specified authorization policy to a device user group, and device users automatically inherit the authorization policy of the group after being added to it.
- User Authorization Policy: Optional. A user authorization policy takes precedence over the user group authorization policy.
- Enable Privilege-Increase Password: Enable privilege raising and configure a privilege raising password, with a validity period, for the device user. To obtain the highest privilege, the device user must execute the privilege raising command and enter the correct password.
Configure the TACACS scheme, domain, and authentication mode on the device
- Purpose
Configure TACACS for interaction between the device and TACACS server.
- To start the configuration
Log in to the CLI of the device through the console port or Telnet.
Manage the device at the CLI on the PC
At the CLI, telnet to the device from the PC by using a device user account. After passing authentication, you can manage the device by using the authorized commands.
If the username configured on the device has a domain name, the username is in the format of account name@domain name. Otherwise, the username is the account name.
Scenario-Based Authorization Policy
You can specify multiple authorization rules for an authorization policy. Each authorization rule corresponds to one scenario. TAM authorizes the device users different privileges after the device users pass the authentication in different scenarios. The scenarios include device area, device type, and authorized time range. Authorization rules include shell profiles and command sets.
Device Area Management
- Purpose
The operator creates device areas as needed and specifies the area to which a device belongs when adding the device. When the operator adds an authorization rule, the operator can specify the shell profile and command set used by devices in an area.
- To start the configuration
Click the User tab, and then select Device User Policy > Authorization Conditions > Device Areas from the navigation tree.
Device Type Management
- Purpose
Devices of different types support different command sets. An authorization rule assigns devices of the same type the same shell profile and command set. The operator can categorize devices as needed, and specify the type of a device when adding the device.
- To start the configuration
Click the User tab, and then select Device User Policy > Authorization Conditions > Device Types from the navigation tree.
Authorized Time Range Policy Management
- Purpose
You can assign different management rights to a device user depending on the time range in which the user logs in to the device. For example, you can allow the user to manage a device during office hours and only monitor the device at other hours.
- To start the configuration
Click the User tab, and then select Device User Policy > Authorization Conditions > Time Ranges from the navigation tree.
- Key parameters
- Effective Time/Expiration Time: Effective time range of the authorized time range policy.
- Authorized Time Range Policy Information: Time range in which a user can manage a device. The time at which a device user can manage a device must fall within both the authorized time range and the effective and expiration time of the authorized time range policy.
Shell Profile Configuration
- Purpose
Defines the shell profile assigned to a device user when the device user logs in to the device, including the ACL, autorun commands, and privilege level.
- To start the configuration
Click the User tab, and then select Device User Policy > Authorization Command > Shell Profiles from the navigation tree.
Command Set Configuration
- Purpose
Defines the command sets that a device user is allowed to execute.
- To start the configuration
Click the User tab, and then select Device User Policy > Authorization Command > Command Sets from the navigation tree.
User-Based Authorization Policy
In TAM, a group of similar device users can be assigned the same authorization policy to obtain the same set of authorization attributes. For example, if administrators of a company can manage all devices located in different regions, you can assign the administrators the authorization policy that includes the most management privileges among all authorization policies.
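The following Python model is an added example, not TAM product code, of the authorization semantics described on this page: the default rule always matches and always has the lowest priority, the highest-priority matching rule wins when several rules match a scenario (device area, device type, authorized time range), a login time must fall within both the authorized daily window and the policy's effective/expiration period, and a user authorization policy takes precedence over the policy inherited from the device user group. All class names, rule fields, priority values, and sample users, areas and policies are constructed assumptions for illustration; TAM's internal representation is not documented here.

```python
from dataclasses import dataclass, field
from datetime import datetime, time
from typing import List, Optional, Tuple


@dataclass(frozen=True)
class TimeRangePolicy:
    """Authorized time range policy (constructed model of the TAM parameters)."""
    effective: datetime      # Effective Time of the policy
    expiration: datetime     # Expiration Time of the policy
    daily_start: time        # authorized daily window (start)
    daily_end: time          # authorized daily window (end)

    def covers(self, at: datetime) -> bool:
        # A login time counts only if it lies within BOTH the
        # effective/expiration period and the authorized daily window.
        within_validity = self.effective <= at <= self.expiration
        within_window = self.daily_start <= at.time() <= self.daily_end
        return within_validity and within_window


@dataclass(frozen=True)
class AuthorizationRule:
    name: str
    priority: int                 # higher value wins when several rules match
    shell_profile: str            # authorized shell profile (name only, assumed)
    command_set: str              # authorized command set (name only, assumed)
    device_area: Optional[str] = None              # None = not limited
    device_type: Optional[str] = None              # None = not limited
    time_range: Optional[TimeRangePolicy] = None   # None = not limited

    def matches(self, area: str, dtype: str, at: datetime) -> bool:
        return (
            (self.device_area is None or self.device_area == area)
            and (self.device_type is None or self.device_type == dtype)
            and (self.time_range is None or self.time_range.covers(at))
        )


# The predefined default rule: no scenario limits, denies login and all
# commands, and always has the lowest priority (modelled here as -1).
DEFAULT_RULE = AuthorizationRule(
    "default", priority=-1, shell_profile="deny-login", command_set="deny-all"
)


@dataclass
class AuthorizationPolicy:
    name: str
    rules: List[AuthorizationRule] = field(default_factory=list)

    def select_rule(self, area: str, dtype: str, at: datetime) -> AuthorizationRule:
        # The default rule is always a candidate; the highest-priority match wins.
        candidates = [r for r in self.rules if r.matches(area, dtype, at)]
        candidates.append(DEFAULT_RULE)
        return max(candidates, key=lambda r: r.priority)


@dataclass
class DeviceUserGroup:
    name: str
    policy: AuthorizationPolicy


@dataclass
class DeviceUser:
    name: str
    group: DeviceUserGroup
    policy: Optional[AuthorizationPolicy] = None   # optional User Authorization Policy

    def effective_policy(self) -> AuthorizationPolicy:
        # A user policy takes precedence; otherwise the group policy is inherited.
        return self.policy if self.policy is not None else self.group.policy


def authorize(user: DeviceUser, area: str, dtype: str, at: datetime) -> Tuple[str, str, str]:
    """Return (rule name, shell profile, command set) for one login scenario."""
    rule = user.effective_policy().select_rule(area, dtype, at)
    return rule.name, rule.shell_profile, rule.command_set


# --- constructed sample data (not from the page) ------------------------------
OFFICE_HOURS = TimeRangePolicy(
    effective=datetime(2024, 1, 1), expiration=datetime(2024, 12, 31, 23, 59),
    daily_start=time(9, 0), daily_end=time(18, 0),
)
HQ_POLICY = AuthorizationPolicy("hq-netops", [
    AuthorizationRule("hq-admin-office-hours", 10, "admin-level3", "full",
                      device_area="HQ", time_range=OFFICE_HOURS),
    AuthorizationRule("hq-monitor-anytime", 5, "monitor-level1", "show-only",
                      device_area="HQ"),
])
BRANCH_POLICY = AuthorizationPolicy("branch-only", [
    AuthorizationRule("branch-admin", 10, "admin-level3", "full", device_area="Branch"),
])
NETOPS = DeviceUserGroup("netops", HQ_POLICY)
ALICE = DeviceUser("alice", NETOPS)                     # inherits the group policy
BOB = DeviceUser("bob", NETOPS, policy=BRANCH_POLICY)   # user policy overrides the group
OFFICE_TIME = datetime(2024, 6, 3, 10, 30)   # inside window and validity period
NIGHT_TIME = datetime(2024, 6, 3, 22, 0)     # inside validity, outside daily window
EXPIRED_TIME = datetime(2025, 3, 3, 10, 30)  # inside daily window, policy expired

if __name__ == "__main__":
    for user, area, at in [(ALICE, "HQ", OFFICE_TIME), (ALICE, "HQ", NIGHT_TIME),
                           (ALICE, "Branch", OFFICE_TIME), (BOB, "HQ", OFFICE_TIME),
                           (BOB, "Branch", OFFICE_TIME)]:
        print(user.name, area, at, "->", authorize(user, area, "switch", at))
```

Running the block shows alice getting the full command set on HQ devices during office hours, falling back to the monitor-only rule at night or after the time range policy expires, and being denied on Branch devices; bob, whose own user policy replaces the group policy entirely, is denied on HQ devices even though his group would allow them. This is the behaviour to keep in mind when a user policy is attached: it does not merge with the group policy.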