TACACS+ Migration

Terminal Access Controller Access Control System (TACACS) is a security protocol that provides centralized validation of users who are attempting to gain access to a router or Network Access Device (NAS). TACACS+, a more recent version of the original TACACS protocol, provides separate authentication, authorization, and accounting (AAA) services.

The TACACS+ protocol provides detailed accounting information and flexible administrative control over the authentication, authorization, and accounting process. The protocol allows a TACACS+ client to request detailed access control and allows the TACACS + process to respond to each component of that request. TACACS+ uses Transmission Control Protocol (TCP) for its transport.

TACACS+ provides security by encrypting all traffic between the NAD and the process. Encryption relies on a secret key that is known to both the client and the TACACS+ process.

This feature is to import SBR TACACS+ configuration data to Ivanti Policy Secure so that Network Access Devices (routers and switches) with TACACS+ client can connect (migrate) to Ivanti Policy Secure for TACACS+ AAA services. The procedure is to get the SBR TACACS+ configuration file and then import it into Ivanti Policy Secure. The default configurations are created in Ivanti Policy Secure to make it compatible with TACACS+ server.

The sample text configuration file used for import is captured below.

A screenshot of a cell phone

Description automatically generated

SBR TACACS+ config file

TACACS+ configurations are stored in a text configuration file available at:

/opt/PSsbr/radius/tac_plusd.cfg

Importing SBR TACACS+ config file to Ivanti Policy Secure

  1. Select Maintenance > Import/Export > XML Import/Export > Import SBR Configuration.

  2. Under Import SBR TACACS plus config, click Browse and browse the SBR TACACS+ configuration file which needs to be imported.

  3. Click Import.

    A screenshot of a social media post

Description automatically generated

You cannot import multiple TACACS+ cfg files simultaneously. The Admin must wait for the TACACS+.cfg file import to get completed to import another cfg file.

Authentication Server

For ease of migration TacacsPlusMigrationAuthServer is created by default.

A screenshot of a cell phone

Description automatically generated

Any secondary LDAP/AD servers configured in SBR tac_plusd.cfg file are not migrated and admin should configure them manually in Ivanti Policy Secure.

Users

Navigate to Auth Servers > TacacsPlusMigrationAuthServer > Users to view the users successfully migrated from SBR to Ivanti Policy Secure.

If the user has encrypted password in SBR. It will be migrated with the default password as pulsesecure.

A screenshot of a cell phone

Description automatically generated

Roles

TACACS roles are imported from SBR. The roles imported are prefixed with TacacsPlusMigration.

A screenshot of a cell phone

Description automatically generated

Realm

For ease of migration TacacsPlusMigrationRealm is created by default. Navigate to Admin Realms > Administrator Authentication Realms. to view the realm.

A screenshot of a cell phone

Description automatically generated

Role Mapping

Navigate to Admin Realms > TacacsPlusMigrationRealm > Role Mapping to view the users mapped to the TacacsPlusmigration roles.

A screenshot of a cell phone

Description automatically generated

Device groups

Navigate to Network Device Administration > Device Group to view the device group policy, which logically groups network devices by associating the devices with specific admin realm TacacsPlusMigrationRealm. The device groups imported from SBR are prefixed with TacacsPlusMigration.

A screenshot of a social media post

Description automatically generated

A picture containing screenshot

Description automatically generated

Clients

Host details configured in SBR is migrated to Ivanti Policy Secure. The clients migrated from SBR will have the prefix TacacsPlusMigration.

A screenshot of a social media post

Description automatically generated

A screenshot of a cell phone

Description automatically generated

Shell policies

Navigate to Endpoint Policy > Network Device Administration > Shell Policies to view the migrated shell policies. The Shell Policies imported from SBR are prefixed with TacacsPlusMigration.

The migration tool migrates only the first 13 custom attributes of the SBR shell policy to Ivanti Policy Secure and the remaining are not migrated.

A screenshot of a computer

Description automatically generated

The example shell policy shows “TacacsPlusMigration_getconfig” shell policy mapped to the device group “TacacsPlusMigrationworld” and to role “TacacsPlusMigration_getconfig”.

Service type can be configured in TACACS+ shell policy for TACACS+ authorisation. Service type value is different than the default value i.e shell sometimes. You must define correct value as desired by each vendor. For example, for Palo Alto Networks service type is "PaloAlto", for Juniper Networks service type is "junos-exec" and for Cisco Airspace WLC service type is "ciscowlc".

A screenshot of a computer

Description automatically generated