TACACS+ Configuration on MDM/SMS

Hello guys,

I have a few questions regarding TACACS+ authentication on MDM and SMS appliances. As far as I know you can configure TACACS servers via the web UI and clish for GAiA itself and also via the related SmartConsole objects (Objects => New => More => Server => More => TACACS) when it comes to SmartConsole access. As far as I understand these are three different configuration approaches for 2 different config goals. This means that the GAiA (clish + web UI) config is absolutely not related to the SmartConsole TACACS+ authentication.

In detail: you need to specify the same server twice if you want to use it for GAiA access and SmartConsole access.

Is my assumption correct? Or can the GAiA TACACS config get replicated to the actual "management product configuration" of the SMS/MDM?

And one final question: is there any way to test a TACACS configuration on a gateway or MDM/SMS? I mean sure, you can just try to log in. But especially if you have configured more than one server and want to test the secondary one, a command to test the related config and connection would be great. (The only way to test TACACS auth. for a secondary server I currently know is to disable the connection to the primary one, which is not really a decent solution.)

Regards,

Maik

6 Replies
Advisor

*push*

Advisor

*push*


One last attempt - if that does not help I can accept that this thread is dead 😛

Leader

sk101573
sk69703

Need more details, mate?
Jerry
Advisor

Hey Jerry,


Thanks for your reply.

I have already read both SKs and I am familiar with the general tacacs config within GAiA. 🙂

My questions were:

- is it possible to configure tacacs on the GAiA level on an SMS/MDM and adapt this config for the SmartConsole access later?

- are there any commands to verify a tacacs config - especially related to scenarios where you have a secondary tacacs server that won't be used unless the first one fails. [The only way I know to verify if everything works is by logging in with a tacacs user - to verify the secondary tacacs you need to disable any connection to the primary one.]

Leader

alright, so here is the thing based on my experience:

1. tacacs for shell/gaia/clish is one thing, tacacs for Management (SC) is another, bear that in mind please
2. failover with ACS is another story and I believe it has nothing to do with Gaia (you need 2 ACS servers configured for redundancy of AAA, do you?)
3. gaia and other systems like that will always see the AAA server as one but pool both, so you should be comfortable having them both configured and both "poolable"; however, as far as I know the resource used for AAA will remain one-at-a-time for users.

try experimenting and first see if both "allowed" ACS servers talk to the GAIA itself and SMS at the same time (fw monitor?) and see if the tokens are issued correctly (logs?). then try to differentiate users between shell (gaia) and SmartConsole (Management/OPSEC) setup.

let me know how it goes, I do have similar setup with RADIUS with one of my clients but it shouldn't be that different really ...
Jerry
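For the question of testing a secondary TACACS+ server without disabling the primary, here is an added example that is not from this thread or from Check Point: a minimal TACACS+ PAP authentication probe following the RFC 8907 packet format, pointed at one specific server. The host name, shared secret and test account passed to probe() are placeholders you supply; the packet builders and the reply parser work offline.

```python
import hashlib
import os
import socket
import struct

VERSION_PAP = 0xC1  # RFC 8907: major version 0xC, minor version 1 (used for PAP/CHAP)
AUTHEN_STATUS = {1: "PASS", 2: "FAIL", 3: "GETDATA", 4: "GETUSER",
                 5: "GETPASS", 6: "RESTART", 7: "ERROR", 0x21: "FOLLOW"}

def pseudo_pad(session_id, key, version, seq_no, length):
    """Key stream: chained MD5(session_id | key | version | seq_no | previous digest)."""
    pad, prev = b"", b""
    while len(pad) < length:
        prev = hashlib.md5(session_id + key + bytes([version, seq_no]) + prev).digest()
        pad += prev
    return pad[:length]

def obfuscate(body, session_id, key, version, seq_no):
    """XOR the body with the pseudo pad; calling it again on the result deobfuscates."""
    pad = pseudo_pad(session_id, key, version, seq_no, len(body))
    return bytes(b ^ p for b, p in zip(body, pad))

def build_authen_start(user, password, session_id, key, port="tty0", rem_addr="probe"):
    """Authentication START (seq 1): action LOGIN=1, priv_lvl 1, authen_type PAP=2, service LOGIN=1."""
    u, p, r, d = user.encode(), port.encode(), rem_addr.encode(), password.encode()
    body = struct.pack("!8B", 1, 1, 2, 1, len(u), len(p), len(r), len(d)) + u + p + r + d
    header = struct.pack("!BBBB4sI", VERSION_PAP, 1, 1, 0, session_id, len(body))  # type 1 = AUTHEN
    return header + obfuscate(body, session_id, key, VERSION_PAP, 1)

def parse_authen_reply(packet, key):
    """Return (status name, server_msg) from a REPLY; a wrong shared secret yields garbage, not FAIL."""
    version, _type, seq_no, flags, session_id, length = struct.unpack("!BBBB4sI", packet[:12])
    body = packet[12:12 + length]
    if not flags & 0x01:  # TAC_PLUS_UNENCRYPTED_FLAG set means the body was sent in clear
        body = obfuscate(body, session_id, key, version, seq_no)
    status, _flags, msg_len, _data_len = struct.unpack("!BBHH", body[:6])
    return AUTHEN_STATUS.get(status, "UNKNOWN(%d)" % status), body[6:6 + msg_len].decode(errors="replace")

def probe(host, key, user, password, port=49, timeout=5.0):
    """Send one PAP START to the named server only (e.g. the secondary) and return its verdict.
    host, key, user and password are placeholders to be replaced with your own values."""
    session_id = os.urandom(4)
    with socket.create_connection((host, port), timeout=timeout) as sock:
        sock.sendall(build_authen_start(user, password, session_id, key))
        stream = sock.makefile("rb")
        header = stream.read(12)
        body = stream.read(struct.unpack("!I", header[8:12])[0])
    return parse_authen_reply(header + body, key)
```

TACACS+ servers normally tie the shared secret to the client address, so run probe() from the appliance itself or from another address the server is configured to accept; a PASS/FAIL from the secondary confirms reachability and the secret, while a garbage status points at a secret mismatch.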