Configuring TACACS+ authentication
NetIM supports integration with TACACS+ servers for authentication and authorization (AAA).
To enable TACACS+ integration, you must log in to NetIM core VM as netimadmin and use the CLI as follows:
• Stop Services by entering the following command:
./app.sh -c stop ALL
• Enable TACACS+ integration by entering the following command:
./app.sh /TACACS_STATE enabled
• Start Services by entering the following command:
./app.sh -c start ALL
After enabling TACACS+ integration, choose Configure > All Settings > Integrate > TACACS+ to access the TACACS+ Configurations page.
Before setting up TACACS+ authentication and/or authorization, ensure that you have the following required TACACS+ configuration data from your TACACS+ administrator:
• Hostname
• Shared Secret Port
• Timeout
• Authentication Type: ASCII, PAP, CHAP, MSCHAP, ARAP
You and TACACS+ administrator must decide whether you want TACACS+ to provide just user authentication or both user authentication and user authorization. If you choose just user authentication, you can set a default NetIM role for all TACACS+ users in the NetIM TACACS+ configuration page.
You can also assign a specific role to any user in the NetIM User Management page (Configure > All Settings > Administer > User Management). For more information, see
Tracking user logins.
Specific user roles set in the User Management page takes priority over any default roles or roles provided by TACACS+.
If you want TACACS+ to provide authorization as well as authentication, select the check box for “Require Authorization” and provide the authorization attributes and role attributes.
The following settings demonstrate one way of configuring authorization on the NetIM TACACS+ authorization-screen:
• Name = Service
• Value = Shell
• Required = Yes
• Role Attribute = NetIM-role
On the TACACS+ server, you must define the roles as shown. (The roles should be in all capital letters as shown.)
• NetIM-role=ADMIN
• NetIM-role=PRIVILEGED
• NetIM-role=USER
• NetIM-role=RESTRICTED
In the preceding example, the name used for role attribute is NetIM-role. However, the role attribute can be named anything you want. It does not need to be called NetIM-role. The only requirement is that the role attribute entered in NetIM must match the name on the TACACS+ server.
After enabling and configuring TACACS+ integration, the NetIM login screen presents an option to use TACACS.
Any errors encountered are displayed in the login screen. If you successfully log in using TACACS+, you can click the username in the upper-right side. and view your user profile.
If you have admin rights, then you can go to the NetIM User Management page (Configure > All Settings > Administer > User Management) and view the Active User Sessions.
There are numerous vendors of TACACS+ servers with many different deployment options, so your TACACS+ configuration may be unique to your enterprise and require different Authorization Attributes and Role Attribute settings. You should work with your TACACS+ administrator to design an integration that works for both ends of the integration.
TACACS+ integration may require some debugging on both ends, including Wireshark packet captures. To turn on debugging in NetIM, go to the Core Server Management page and turn the Debug State of the NetIM Web Service to On.
To view debug output, look in the Catalina.out log file in: <install_dir>/webServer/jakarta-tomcat/logs on NetIM core.
Alternatively, you can turn on debug in the <install-dir>/webServer/jakarta-tomcat/webapps/vnes/WEB-INF/classes/logback.xml file and restart the web service.
1. Log in to NetIM core as netimadmin.
2. Change your working directory to <install-dir>/webServer/jakarta-tomcat/webapps/vnes/WEB-INF/classes
3. Open the logback.xml file for editing.
4. To turn on debugging, change:
<!-- SLF4J logging to vnes_webapp. -->
<root level="info">
to:
<!-- SLF4J logging to vnes_webapp. -->
<root level="debug">
5. To restart the Web Service, enter the following command from the netimsh shell:
start WS