Configuring Gaia as a TACACS+ Client

Gaia acts as a TACACS+ client for Gaia users that are defined on the TACACS+ server and are not defined locally on Gaia.

The admin user must define a role called TACP-0 for the TACACS+ users, and the allowed features for the TACP-0 role.

Important:

  1. All TACACS+ users must log in to Gaia OS with the password assigned to the default role TACP-0.

  2. To get their applicable TACP role in Gaia OS, after this initial login, TACACS+ users must log in for the second time with the password assigned to their applicable TACP role.

The Gaia admin user can define roles that make it possible for Gaia users to get temporarily higher privileges, than their regular privileges.

For example, Gaia user Fred needs to configure the interfaces, but his role does not support interfaces configuration. To configure the interfaces, Fred enters his user name together with a password given him by the admin user. This password lets him change his default role to the role that allows him to configure the interfaces.

There are sixteen different privilege levels (0 - 15) defined in TACACS+.

Each level can be mapped to a different Gaia role.

For example:

  • Privilege level 0 - monitor-only

  • Privilege level 1 - basic network configuration

  • Privilege level 15 - admin user

By default, all non-local TACACS+ Gaia users are assigned the role TACP-0.

The Gaia admin can define for them roles with the name TACP-N that give them different privileges, where N is a privilege level - a number from 1 to 15.

The TACACS+ users can changes their own privileges by moving to another TACP-N role.

To do this, the TACACS+ users need to get a password from the Gaia admin user.

Step

Instructions

1

Connect to Gaia OS as the admin user.

2

Define the role TACP-0.

3

Define the features for the role.

For instructions, see Roles.

4

Optional: Define one or more roles with the name TACP-N where N is a privilege level - a number from 1 to 15, and define the features for each role.

You can raise the "TACP" privileges in either Gaia Portal, or Gaia Clish.

Important - On Scalable Platforms (ElasticXL, Maestro, and Chassis), you must connect to the Gaia Portal of the applicable Security Group.

Step

Instructions

1

In your web browser, connect to Gaia Portal.

2

Enter the username and password of the TACACS+ user.

After the TACACS server authentication, you have the privileges of the TACP-0 role.

3

To raise the privileges to the TACP-N role (N is a number from 1 to 15), click Enable at the top of the Overview page.

4

Enter the password for the user.

Important - On Scalable Platforms (ElasticXL, Maestro, and Chassis), you must run the applicable commands in Gaia gClish of the applicable Security Group.

Step

Instructions

1

Connect to the command line.

2

Log in to the Gaia Clish using the username and password of the TACACS+ user.

3

After you are authenticated by the TACACS server, you get the Gaia Clish prompt.

At this point, you have the privileges of the TACP-0 role.

Run:

tacacs_enable TACP-<N>

Where N is the new TACP role (an integer from 1 to 15).

4

When prompted, enter the applicable password.

To go back to the TACP-0 role, press CTRL+D, or enter exit at the command prompt.

The user automatically exits the current shell and goes back to TACP-0.

Note - Do not define a new user for external users. An external user is one that is defined on an authentication server (such as RADIUS, or TACACS), and not on the local Gaia system.

Step

Instructions

1

Connect to the command line on Gaia.

2

Log in to Gaia Clish.

3

On Scalable Platforms, go to Gaia gClish:

Type gclish and press Enter.

3

Run:

show tacacs_enable