TACACS+ Migration

Terminal Access Controller Access Control System (TACACS) is a security protocol that provides centralized validation of users who are attempting to gain access to a router or Network Access Device (NAS). TACACS+, a more recent version of the original TACACS protocol, provides separate authentication, authorization, and accounting (AAA) services.

The TACACS+ protocol provides detailed accounting information and flexible administrative control over the authentication, authorization, and accounting process. The protocol allows a TACACS+ client to request detailed access control and allows the TACACS+ process to respond to each component of that request. TACACS+ uses Transmission Control Protocol (TCP) for its transport.

TACACS+ provides security by encrypting all traffic between the NAD and the TACACS+ process. Encryption relies on a shared secret key that is known to both the client and the TACACS+ process.

This feature imports SBR TACACS+ configuration data into PPS so that Network Access Devices (routers and switches) running a TACACS+ client can be migrated to PPS for TACACS+ AAA services. The procedure is to obtain the SBR TACACS+ configuration file and then import it into PPS. Default configurations are created in PPS so that it is compatible with the TACACS+ server.

The sample text configuration file used for import is captured below.


SBR TACACS+ config file

TACACS+ configurations are stored in a text configuration file available at:

/opt/PSsbr/radius/tac_plusd.cfg

Importing SBR TACACS+ config file to PPS

1. Select Maintenance > Import/Export > XML Import/Export > Import SBR Configuration.

2. Under Import SBR TACACS plus config, click Browse and select the SBR TACACS+ configuration file to be imported.

3. Click Import.


You cannot import multiple TACACS+ cfg files simultaneously. The admin must wait for one TACACS+ .cfg file import to complete before importing another cfg file.

Authentication Server

For ease of migration, TacacsPlusMigrationAuthServer is created by default.


Any secondary LDAP/AD servers configured in the SBR tac_plusd.cfg file are not migrated; the admin must configure them manually in PPS.

Users

Navigate to Auth Servers > TacacsPlusMigrationAuthServer > Users to view the users successfully migrated from SBR to PPS.

If a user's password is stored encrypted in SBR, the user is migrated with the default password pulsesecure.


Roles

TACACS roles are imported from SBR. The roles imported are prefixed with TacacsPlusMigration.


Realm

For ease of migration, TacacsPlusMigrationRealm is created by default. Navigate to Admin Realms > Administrator Authentication Realms to view the realm.


Role Mapping

Navigate to Admin Realms > TacacsPlusMigrationRealm > Role Mapping to view the users mapped to the TacacsPlusMigration roles.


Device groups

Navigate to Network Device Administration > Device Group to view the device group policy, which logically groups network devices by associating them with the admin realm TacacsPlusMigrationRealm. The device groups imported from SBR are prefixed with TacacsPlusMigration.


Clients

Host details configured in SBR are migrated to PPS. The clients migrated from SBR have the prefix TacacsPlusMigration.


Shell policies

Navigate to Endpoint Policy > Network Device Administration > Shell Policies to view the migrated shell policies. The Shell Policies imported from SBR are prefixed with TacacsPlusMigration.

The migration tool migrates only the first 13 custom attributes of each SBR shell policy to PPS; any remaining attributes are not migrated.
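As an added pre-import check (not part of the page or of the PPS product), the following script scans an SBR-style configuration for the two conditions described above: users whose passwords are stored encrypted, which the import replaces with the default password, and shell policies carrying more than 13 attributes, which the import truncates. It assumes a tac_plus-style `user = name { ... }` / `group = name { service = shell { ... } }` syntax and a `des` keyword for encrypted passwords; neither is shown on the page, and the sample configuration is constructed.

```python
import re

MAX_SHELL_ATTRS = 13            # from the page: only the first 13 shell attributes migrate
ENCRYPTED_LOGINS = {"des"}      # assumption: keyword marking a stored-encrypted password

# Constructed sample in tac_plus-style syntax; the real SBR tac_plusd.cfg layout is
# not shown on the page, so this format is an assumption of this example.
SAMPLE_CFG = "\n".join(
    ['user = alice {', '    login = des "x7Kq9Lm2pQ.aB"', '    member = netops', '}',
     'user = bob {', '    login = cleartext "Welcome1"', '}',
     'group = netops {', '    service = shell {', '        priv-lvl = 15']
    + [f'        custom{i} = value{i}' for i in range(1, 15)]   # 15 attributes in total
    + ['    }', '}'])

BLOCK_RE = re.compile(r'^(user|group|service)\s*=\s*(\S+)\s*\{$')
ASSIGN_RE = re.compile(r'^([\w-]+)\s*=\s*(\S+)')

def parse_cfg(text):
    """Return ({user: login type}, {group: [shell attribute names, in file order]})."""
    users, shell_attrs, stack = {}, {}, []   # stack holds (block kind, block name)
    for line in (l.strip() for l in text.splitlines() if l.strip()):
        if line == "}":
            stack.pop()
        elif (m := BLOCK_RE.match(line)):
            stack.append((m.group(1), m.group(2)))
        elif (m := ASSIGN_RE.match(line)) and stack:
            name, value = m.group(1), m.group(2)
            if stack[-1][0] == "user" and name == "login":
                users[stack[-1][1]] = value          # value is the login type keyword
            elif stack[-1] == ("service", "shell") and len(stack) > 1 and stack[-2][0] == "group":
                shell_attrs.setdefault(stack[-2][1], []).append(name)
    return users, shell_attrs

def migration_warnings(text):
    """Flag what the PPS import described above will not carry over verbatim."""
    users, shell_attrs = parse_cfg(text)
    warnings = []
    for user, login_type in users.items():
        if login_type in ENCRYPTED_LOGINS:
            warnings.append(f"user {user}: {login_type} password is replaced by the default password")
    for group, attrs in shell_attrs.items():
        if len(attrs) > MAX_SHELL_ATTRS:
            warnings.append(f"group {group}: {len(attrs)} shell attributes, dropped: "
                            + ", ".join(attrs[MAX_SHELL_ATTRS:]))
    return warnings

if __name__ == "__main__":
    for w in migration_warnings(SAMPLE_CFG):
        print(w)
```

Run it against the exported tac_plusd.cfg before the import so the affected users and shell policies can be fixed up in PPS afterwards.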


The example shell policy shows “TacacsPlusMigration_getconfig” shell policy mapped to the device group “TacacsPlusMigrationworld” and to role “TacacsPlusMigration_getconfig”.

A service type can be configured in a TACACS+ shell policy for TACACS+ authorization. The service type value sometimes differs from the default value, shell; you must set the value expected by each vendor. For example, for Palo Alto Networks the service type is "PaloAlto", for Juniper Networks it is "junos-exec", and for Cisco Airespace WLC it is "ciscowlc".
