TACACS+ integration with AMP (via config file)

By JuliaOstrowski posted Jun 06, 2014 06:01 PM


NOTE: As of AWMS 7.0, ACS 5.0 is not supported. This condition may have changed in a later version of AirWave.

NOTE: These instructions are for modifying the TACACS config file rather than entering the configuration changes via the TACACS GUI. Configuring TACACS via the GUI is the preferred method. 
See KB: Integrating an ACS (TACACS+) server to Authenticate AWMS Users

NOTE: This is for authenticating users to access the AMP server, not for end users accessing APs.

In the TACACS+ configuration file:

1. Add a shared secret (the key directive).

2. Add a new service called AMP, with a role attribute set to AMP, under the "user = DEFAULT" section. The two changes together look like this (the service and role live inside braces, and every block must be closed):

key = "<shared secret>"
user = DEFAULT {
    default service = permit
    service = AMP {
        role = AMP
    }
}
Note: The TACACS+ server must also be restarted for the changes to take effect.

If the TACACS+ configuration file already defines user groups, the AMP service can be placed under a group section instead of under user = DEFAULT.

3. Then enable TACACS+ on AMP from the AMP Setup > Authentication page.

4. Define the same role=AMP on the AMP Setup > Roles page.
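The configuration file can be sanity-checked before the TACACS+ server is restarted. The following is an added example, not code from the KB or from AirWave: a small parser for the tac_plus-style "name = value" and brace-block syntax, plus a check that the shared secret, the AMP service and its role are present under user = DEFAULT (the sample config and its secret are constructed values).

```python
# Constructed tac_plus-style config; the secret is a made-up sample value.
SAMPLE_CONFIG = """
key = "sample-shared-secret"
user = DEFAULT {
    default service = permit
    service = AMP {
        role = AMP
    }
}
"""

def parse_tacplus(text: str) -> dict:
    """Parse 'name = value' lines and '{ ... }' blocks into nested dicts."""
    root: dict = {}
    stack = [root]
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()  # ignore comments and blank lines
        if not line:
            continue
        if line == "}":
            if len(stack) == 1:
                raise ValueError("unexpected '}' in TACACS+ config")
            stack.pop()
        elif line.endswith("{"):
            block: dict = {}
            stack[-1][line[:-1].strip()] = block  # key like 'user = DEFAULT'
            stack.append(block)
        else:
            name, _, value = line.partition("=")
            stack[-1][name.strip()] = value.strip().strip('"')
    if len(stack) != 1:
        raise ValueError("unclosed '{' block in TACACS+ config")
    return root

def check_amp_config(text: str) -> list:
    # Returns the problems found; an empty list means steps 1 and 2 are in place.
    cfg = parse_tacplus(text)
    problems = []
    if not cfg.get("key"):
        problems.append("no shared secret (key = ...) defined")
    user = cfg.get("user = DEFAULT")
    if not isinstance(user, dict):
        return problems + ["no 'user = DEFAULT { ... }' section"]
    if user.get("default service") != "permit":
        problems.append("'default service = permit' missing under user = DEFAULT")
    svc = user.get("service = AMP")
    if not isinstance(svc, dict):
        problems.append("no 'service = AMP { ... }' block under user = DEFAULT")
    elif svc.get("role") != "AMP":
        problems.append("role under service AMP must be 'AMP', matching AMP Setup > Roles")
    return problems
```

Because the entry sits under user = DEFAULT, the AMP role is handed to every account the TACACS+ server authenticates, which is what the "Authorizing user 'DEFAULT' instead of ..." line in the server log reflects; place the service under a group section when only some accounts should reach AMP.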

The logs on the TACACS+ server can also be checked to see users being authorized, for example:

Thu May 15 12:29:13 2008 [17560]: Start authorization request
Thu May 15 12:29:13 2008 [17560]: Authorizing user 'DEFAULT' instead of 'kaveh'
Thu May 15 12:29:13 2008 [17560]: user 'DEFAULT' found
Thu May 15 12:29:13 2008 [17560]: nas:service=AMP (passed thru)
Thu May 15 12:29:13 2008 [17560]: nas:protocol=https (passed thru)
Thu May 15 12:29:13 2008 [17560]: nas:absent, server:role=AMP -> add role=AMP (k)
Thu May 15 12:29:13 2008 [17560]: added 1 args
Thu May 15 12:29:13 2008 [17560]: authorization query for 'kaveh' Apache from accepted