TACACS+ Management Configuration Page
Kron PAM uses its own TACACS+ server to authenticate users. The Kron PAM TACACS+ configuration can be done easily from the Kron PAM web GUI.
To configure TACACS+:
- Navigate to Administration > TACACS Management.
- Fill in all the required fields.
- Click Save.
Instance Name: The instance name the TACACS+ configurations will be applied to.
Skip Logging Group: User groups are not to be logged.
Prompt Username and Password: Username/Password prompt to display instead of the default prompt.
Authorization Exec Service Names: This configuration option should be used if the device is not using the standard service exec. PaloAlto and ppp options can be set.
Cache Update Interval: The Cache Update Interval time can be changed and specified using this field. During this cache interval, configuration changes in Kron PAM will not affect the TACACS Server.
Log Settings: The log level can be changed using the checkboxes. Debug, info, and error modes are available to check the logs.
LDAP Configuration Settings: If there is an LDAP configuration in the Kron PAM Setup Wizard, it will be shown in the LDAP configuration settings. Also, multiple LDAP configurations can be added by using the Add Conf button.
The Add Conf button shows the following popup:
The fields and their meanings are as follows:
- Config Name: The name used to match with the externalDirectorySource attribute of the users. These names should be matched with the LDAP Source Name parameter in the LDAP Configuration settings on the LDAP Manager page. For example, if there are more than two LDAP settings in an environment, one LDAP configuration is called as “ldap1” and the other one “ldap2”. Users from ldap1 and ldap2 will have externalDirectorySource attributes as ldap1 and ldap2 respectively. In TACACS Manager, Config Names should be set up in the same way so that the TACACS module reads the externalDirectorySource parameter for the users and authenticates them from the correct LDAP source.
- LDAP Servers: LDAP server URL in the following format: “ldap://10.10.10.10: 389” or “ldaps://10.10.10.10:636”. If there are multiple servers for the same LDAP configuration, multiple URL’s can be defined in the same field, separated by a space character as follows: “ldaps://10.10.10.10:636 ldaps://10.10.10.20:636”. In this scenario, the TACACS module would try to reach the first URL, and if it gets a connection error, it tries to reach the second, etc.
- LDAP Base: LDAP base DN (distinguished name). Example: “dc=example,dc=com”
- Active Directory: This flag should be enabled if the integrated LDAP server is an Active Directory server.
- AD Domain: Active Directory domain name. Should be provided if Active Directory is enabled.
- LDAP Auth. Type: “rest” or “ldap”. “ldap” is the default choice and should be selected if the TACACS module connects directly to LDAP servers for authentication. “rest” should be selected in cases that there is no direct connection between the TACACS module and the LDAP servers. (Such as cases where TACACS module is installed on Tenant network). In this case authentication is done via the Kron PAM Authentication module.
- REST Auth. URL: The URL of the authentication module, in the format “http://10.20.30.40:8087”