Question about RADIUS versus TACACS
Posted: 25 May 2016 14:50
My current employer is implementing RADIUS and has mentioned how we have to configure profiles on each device that will establish what commands each profile will have access to, like this:

profile "ghost"
default-action permit-all
entry 1
match "configure"
action permit
exit
entry 2
match "show"
exit
entry 3
match "exit"
exit
exit

At my previous employer we used TACACS and I know we did not have to configure profiles. My hunch is there's something about the way TACACS and RADIUS work that makes it so that if you use TACACS you don't have to configure the profile locally. The down side of that is that every single command you type is sent to the TACACS server for approval, which can be very very slow if there are connectivity issues. The documentation I've found seems to imply that (because it only includes configuring profiles under the RADIUS section but not under the TACACS section) but does not specifically state it. Has anyone configured both and can confirm this? It would save me the trouble of labbing it up. I can ask my Alcatel rep the next time we have a conference call too, but that won't be for another week or two.

I've also seen in this document that you can configure profiles in your RADIUS dictionary like so:

users.timetra
ruser1 Auth-Type := System, Password == "ruser1"
Service-Type = Login-User,
Idle-Timeout = 600,
Timetra-Access = console,
Timetra-Home-Directory = cf3:
Timetra-Restrict-To-Home = true
Timetra-Default-Action = permit-all,
Timetra-Cmd = "tools;telnet;configure system security",
Timetra-Action = deny

... however my boss said if you do this then you have to configure ALL users in the RADIUS dictionary, and the RADIUS server will only authenticate against the dictionary and will not authenticate against the Domain Controller. Has anyone managed to configure RADIUS to do both? Configure a user profile but still authenticate against the DC?
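To make the two authorization models in the post concrete, here is an added Python example (not Nokia/Alcatel SR OS code, not a RADIUS or TACACS+ client, and not from the original poster) that parses both of the quoted profile formats and evaluates commands against them locally, the way a device would after a profile has been pushed at login. It assumes that SR OS profile entries are tried in ascending order with the first prefix match winning, that an entry with no explicit action falls back to the profile's default-action, and that the Timetra-Cmd attribute is a semicolon-separated list of command prefixes to which Timetra-Action applies while Timetra-Default-Action covers everything else. Those matching rules are assumptions for illustration; check them against the SR OS documentation before relying on them. Per-command TACACS+ authorization would replace each local lookup below with a request to the server, which is the round trip the post worries about.

```python
"""Local command-authorization evaluator for the two profile formats quoted
in the forum post. Added example; assumptions are noted in comments."""
import re


def _prefix_match(pattern, command):
    """Assumption: a pattern matches when the command equals it or starts
    with it on a word boundary ('configure' matches 'configure router')."""
    return command == pattern or command.startswith(pattern + " ")


def parse_sros_profile(text):
    """Parse the CLI-style profile block into (default_action, entries).

    Each entry is a dict with keys n, match, action. An 'exit' line closes
    the current entry; a 'match "exit"' line is an entry pattern, not a
    closer, so it is checked first."""
    default_action = "deny-all"
    entries = []
    current = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("profile "):
            continue
        if line.startswith("default-action "):
            default_action = line.split(None, 1)[1]
        elif line.startswith("entry "):
            current = {"n": int(line.split()[1]), "match": None, "action": None}
            entries.append(current)
        elif line.startswith("match ") and current is not None:
            current["match"] = line.split(None, 1)[1].strip('"')
        elif line.startswith("action ") and current is not None:
            current["action"] = line.split(None, 1)[1]
        elif line == "exit":
            current = None  # end of the entry (or of the profile)
    entries.sort(key=lambda e: e["n"])
    return default_action, entries


def authorize_sros(profile, command):
    """Return 'permit' or 'deny' for a command under a parsed SR OS profile."""
    default_action, entries = profile
    for entry in entries:
        if entry["match"] and _prefix_match(entry["match"], command):
            if entry["action"] in ("permit", "deny"):
                return entry["action"]
            break  # assumption: matched entry without an action -> default
    return "permit" if default_action == "permit-all" else "deny"


def parse_timetra_attrs(text):
    """Pull the Timetra-* authorization attributes out of a users-file entry.
    Assumption: Timetra-Cmd is a ';'-separated list of command prefixes that
    all receive Timetra-Action; everything else gets Timetra-Default-Action."""
    attrs = dict(re.findall(r'(Timetra-[\w-]+)\s*=\s*"?([^",\n]+)"?', text))
    cmds = [c.strip() for c in attrs.get("Timetra-Cmd", "").split(";") if c.strip()]
    return {
        "default": attrs.get("Timetra-Default-Action", "deny-all"),
        "cmds": cmds,
        "action": attrs.get("Timetra-Action", "deny"),
    }


def authorize_radius(attrs, command):
    """Return 'permit' or 'deny' for a command under parsed Timetra attributes."""
    for prefix in attrs["cmds"]:
        if _prefix_match(prefix, command):
            return attrs["action"]
    return "permit" if attrs["default"] == "permit-all" else "deny"


# The two profiles quoted in the post, embedded so the example runs offline.
SROS_PROFILE_TEXT = """profile "ghost"
default-action permit-all
entry 1
match "configure"
action permit
exit
entry 2
match "show"
exit
entry 3
match "exit"
exit
exit"""

TIMETRA_USER_TEXT = """ruser1 Auth-Type := System, Password == "ruser1"
Service-Type = Login-User,
Idle-Timeout = 600,
Timetra-Access = console,
Timetra-Home-Directory = cf3:
Timetra-Restrict-To-Home = true
Timetra-Default-Action = permit-all,
Timetra-Cmd = "tools;telnet;configure system security",
Timetra-Action = deny"""

if __name__ == "__main__":
    sros = parse_sros_profile(SROS_PROFILE_TEXT)
    radius = parse_timetra_attrs(TIMETRA_USER_TEXT)
    for cmd in ["configure system security", "show router", "telnet 192.0.2.1"]:
        print(f"{cmd!r}: sros={authorize_sros(sros, cmd)} radius={authorize_radius(radius, cmd)}")
```

Running the block prints the decision each profile would make for a few sample commands; with the quoted profiles, the SR OS profile permits everything (its default is permit-all and no entry denies), while the Timetra attributes deny only the three listed prefixes, so "configure system security" is denied there but "configure router" is not. Changing default-action to deny-all turns the SR OS profile into an allow-list, which is the safer shape for a command-authorization profile.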