TACACS+ (Terminal Access Controller Access-Control System Plus) is a protocol, using tcp port 49, that provides login control for your network devices.   Setting up a TACACS+ server gives you the ability to have a central server for controlling Access, Authorization, and Accounting of your routers, switches and just about any other network device.  TACACS+ runs on Linux, Sun and Windows and best of all its free.

Part 1. Configure the Dell N-series for TACACS+ at the CLI

1. Configure a local user named user1 with password user1 and level 15 privilege:

console(config)# username user1 password user1 level 15

2. Define the TACACS+ server and specify the shared secret key “mysecretkey”

console(config)# tacacs-server host 192.168.0.105
console(config)# tacacs-server key mysecretkey

3. Create an authentication method called local_tacacs that will attempt to authenticate via local DB, then use the TACACS+ (you can chage sequences):

console(config)# aaa authentication login local_tacacs local tacacs

4. Bind this authentication method list to the telnet/ssh line and https (there are five access lines: console, Telnet, SSH, HTTP, and HTTPS):

(config)# line telnet
(config-line)# login authentication local_tacacs
(config)# line ssh
(config-line)# login authentication local_tacacs
(config)#ip https authentication local tacacs

Part 2. Installing and Configuring the TACACS+ server for Windows Server 2008R2/2012R2

As a best practice, use a dedicated server to handle device authentication.

1. Download and run TACACSSetup_v*.exe installation wizard from http://tacacs.net. This wizard will walk you through the software installation on your server.

2. You will be prompted to enter the TACACS+ shared secret during the wizard setup. This is the same shared secret you entered on the Switch CLI in Stage 1. If you would like to change this, you can do so in clients.xml.

3. Create Group like "Dell_Switch_Auth" and add users into the group or you can use AD groups.

4. Open file authentication.xml (located C:\ProgramData\TACACS.net\config) and make changes in <AuthenticationType>

4.1 Local Group:

<UserGroup>
      <Name>DEFAULT</Name>
      <AuthenticationType>Localhost</AuthenticationType>
      <LocalhostGroupName>Dell_Switch_Auth</LocalhostGroupName> 
 </UserGroup>

4.2 Active Directory Group:

<UserGroup>
	<Name>Dell Switch Administrator</Name>
      	<AuthenticationType>Windows_Domain</AuthenticationType>   
      	<LDAPServer>192.168.0.55:389</LDAPServer>
   	<LDAPUserDirectorySubtree>cn=Users,DC=contoso,DC=com</LDAPUserDirectorySubtree> 
	<LDAPGroupName>Network Operations</LDAPGroupName>
	<LDAPAccessUserName>Administrator</LDAPAccessUserName>
	<LDAPAccessUserPassword ClearText="password" DES=""></LDAPAccessUserPassword> 
</UserGroup>

LDAPServer: You can find your LDAP server using:

Start -> Run -> nslookup
set type=all
_ldap._tcp.dc._msdcs.DOMAIN_NAME

Check user belongs to group:

net user USERNAME /domain

Check groups in domain:

net group /domain

5. Check you have port 49 on local IP.

netstat -na | findstr :49

If not, open file tacplus.xml (located C:\ProgramData\TACACS.net\config) and make changes in <LocalIP>192.168.0.150</LocalIP>.
Reastart TACACS.net service.

C:\>net stop tacacs.net
The TACACS.net service is stopping.
The TACACS.net service was stopped successfully.
C:\>net start tacacs.net
The TACACS.net service is starting.
The TACACS.net service was started successfully.

6. 

At this point, you should be able to login to the Dell N-series Switch using your domain credentials.

Part 3. Security Analysing

TACACS+ ports: TCP:49

Part 4. Troubleshooting

Run TACVerify
This utility will check your configuration for syntax errors. It can be found in the Program Menu. If the tool detects any errors, go back and fix them and run the utility again.
Run TACTest
Before you attempt to run TACACS+ on any external Clients in a lab or production environment, it is critical that you first run TACTest to verify that the system is working correctly. If TACTest fails, your external Clients will fail also. Run tactest /? from the command line for options. Here is a simple example:
C:\> tactest -k mykey -u myuser -p mypassword

Here are some commands that show information about TACACS+.

Show authentication methods - Displays authentication configuration
Show tacacs - Shows configured TACACS servers
Show aaa servers - Shows all configured aaa servers and statistics
Show log - Shows system logs and messages. Informs if TACACS authentication attempts have been rejected by a server, and other useful information.

Part 5. Logging and Accounting

Usually TACACS logs are stored: C:\ProgramData\TACACS.net\Logs
To activate TACACS accounting on Dell switch:

aaa accounting commands "dfltCmdList" start-stop tacacs
line ssh
   accounting exec default
   accounting commands default

Part 1. Configure the Dell N-series for RADIUS at the CLI

1. Configure a local user named user1 with password user1 and level 15 privilege:

• console(config)# username user1 password user1 level 15

2. Define the RADIUS server and specify the shared secret key “mysecretkey”

For authenticating users, the RADIUS standard has become the protocol of choice by administrators of large networks. To accomplish the authentication in a secure manner, the RADIUS client and RADIUS server must both be configured with the same shared password or “secret”. This “secret” is used to generate one-way encrypted authenticators that are present in all RADIUS packets. The “secret” is never transmitted over the network.

• console(config)# radius-server host 192.168.0.105
• console(config)# radius-server key mysecretkey

3. Create an authentication method called local_radius that will attempt to authenticate via local DB, then use the RADIUS (you can chage sequences):

• console(config)# aaa authentication login local_radius local radius

4. Bind this authentication method list to the telnet/ssh line and https (there are five access lines: console, Telnet, SSH, HTTP, and HTTPS):

• (config)# line telnet
• (config-line)# login authentication local_radius
• (config)# line ssh
• (config-line)# login authentication local_radius
• (config)#ip https authentication local radius

Part 2. Installing and Configuring the RADIUS server for Windows Server 2008R2

As a best practice, use a dedicated server to handle device authentication.

1. Install Network Policy And Access Windows Server Role.

2. Go to NPS, expand on RADIUS Clients and Servers, right-click on RADIUS clients and choose new.

3. FRIENDLY NAME = whatever you like. Probably the hostname.
ADDRESS is the IP Address or DNS name of the device – your choice.
Select MANUAL for the Shared Secret and type in your <SHARED_SECRET>. This is the same shared secret you entered on the Switch CLI in stage 1.
Notice that we're using "RADIUS Standard" in advance tab.  There's no option for "Dell" and that's fine.  Click OK.

4. Create a new Connection Request Policy and name it something like Network Switches with AAA. Select next and add a new condition. Scroll down to RADIUS Client Properites and select Client IPv4 address. Enter switch IP address. Continue through the wizard by accepting the default settings.

5. Create a new NPS Network Policy.

Right click on POLICIES -> NETWORK POLICY and click NEW. Give your policy a useful name. Click NEXT

ADD a Condition: Our condition is going to be WINDOWS GROUP. Click ADD.

On the WINDOWS GROUPS screen, click ADD GROUPS
Enter the name of your group and click check names, then ADD.
Your group might be Domain Admins. It might be a separate group. I’ve chosen “RADIUS – DellSwitch” so I can have different levels of RADIUS authentication based on switches, core switching if I had them.

6. Let’s add another condition. Click ADD. Select the condition “CLIENT FRIENDLY NAME” and click ADD.

Enter the client friendly name. I use the HOSTNAME of the device. Click OK
With our group and our device, we can click NEXT
Choose "access grant". Click NEXT.
The only one that matters, is to ensure that PAP is checked. Click NEXT.
Yup, that’s very bad, we get it. Click NO.
No constraints, we’re good. Click NEXT.
Select each of the FRAMED-PROTOCOL and SERVICE-TYPE and click REMOVE.

Now click ADD:
Choose SERVICE-TYPE and click ADD:
Change OTHERS to ADMINISTRATIVE and click OK:
Click on VENDOR SPECIFIC. Then click ADD:
Choose NAME=CISCO-AV-PAIR and VENDOR=CISCO. Click ADD.
The ATTRIBUTE INFORMATION window will pop up. Click ADD.
Enter the string “shell:priv-lvl=15” to give Administrator level permissions.
For read-only access you should be able to specify priv-lvl=7 if you need to.
Click OK.

Click OK, Click OK, Click CLOSE.
Click NEXT to get to the COMPLETING screen:
Click FINISH.
At this point, you should be able to login to the Dell N-series Switch using your domain credentials.

Part 3. Security Analysing

Radius ports: 1645,1646,1700,1812,1813,3799

NOTE:Only consern here is useing PAP (Password Authentification Protocol) authentication scheme, which is not acceptable from security perspectives.
PAP transmits unencrypted ASCII passwords over the network and is therefore considered insecure.

The shared key is used for the client (say a switch, wireless access point) to be able to authenticate the and trust the RADIUS server it is sending requests to.

RADIUS encrypts only the password in the access-request packet, from the client to the server. The remainder of the packet is unencrypted. Other information, such as username, authorized services, and accounting, can be captured by a third party.

You can decrypt password useing packet capture like Wireshark. For this you also need Secred Key.

I decrypt the password sent from a Dell device to a RADIUS server. I know the shared-secret key and have entered it in Preferences-->Protocols-->Radius-->Shared Key of the Wireshark settings.

Part 4. Troubleshooting

Here are some commands that show information about RADIUS.

Show authentication methods - Displays authentication configuration
Show radius statistics - Displays radius authentication attempts, failures, and basic statistics.
Show aaa servers - Shows all configured aaa servers and statistics
Show log - Shows system logs and messages. Informs if Radius authentication attempts have been rejected by a server, and other useful information.

Part 5. Logging

I should have started with the windows server 2008 r2 "NPS accounting" logs (at...\\\\system32\\\\LogFiles by default).

Dot1x controls allows a network admin to apply role based policies across the network, along with other possible features.  In this document I’m going to show a setup of Mac-auth-bypass setup for an N-series switch along with the server backend configuration to authenticate  it in a different VLAN.

Part 1. Configure the Dell N-series for RADIUS at the CLI

1. Allows the switch to perform authentication:

console(config)# authentication enable

2. Enable port based dot1x authentication before traffic can be passed. (ATTENTION!!! If you configure remotely, first force the uplink port into an authorized state, otherwise you will loose switch after tis command):

dot1x system-auth-control

3.  Tells the switch to use the configured radius server for dot1x attemtps

aaa authentication dot1x default radius

4. Lets radius servers supply vlan changes based upon dot1x rules

aaa authorization network default radius

5. Configure RADIUS server host:

radius-server host auth <SERVERIP>
name “Default-RADIUS-Server” 
usage 802.1x 
key “<SERVERKEY>”

6. Configure uplink port (force the uplink port into an authorized state):

Int gi1/0/48 
Switchport mode trunk dot1x port-control force-authorized

7. Host facing port configuretion:

int gi1/0/36 
dot1x port-control mac-based
dot1x reauthentication
dot1x mac-auth-bypass
authentication order mab

If you need assign vlan:

switchport mode general

From this stage switch will perform authentication utilizing the MAC address of the device for the username and password with an MD5 EAP type.

Part 2. Installing and Configuring the RADIUS server for Windows Server 2008R2 / 2012R2

As a best practice, use a dedicated server to handle device authentication.

1. Install Network Policy And Access Windows Server Role.

2. Go to NPS, expand on RADIUS Clients and Servers, right-click on RADIUS clients and choose new.

3. FRIENDLY NAME = whatever you like. Probably the switch series name. ADDRESS is the IP Address or DNS name of the device (if you need put group of devices, use /mask). Select MANUAL for the Shared Secret and type in your <SHARED_SECRET>. This is the same shared secret you entered on the Switch CLI in stage 1. Notice that we're using "RADIUS Standard" in advance tab.  There's no option for "Dell" and that's fine.  Click OK.

4. Create a new NPS Network Policy.

Right click on POLICIES -> NETWORK POLICY and click NEW. Give your policy a useful name. Click NEXT

ADD a Condition: Our condition is going to be USER GROUP. Click ADD.

Add group grom Active Directory. Members of this group will be authorised.

The Constraints tab is where you change what types of requests are allowed and if not met network access will be denied.  Switch uses MD5 encryption type, but this encryption was removed since Microsoft in Server 2008.  To re-enable it you have to perform a registry edit. This is REQUIRED, otherwise the EAP type will not negotiate and fail, thus the authentication will not occur. 

Windows Registry Editor Version 5.00
 
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\RasMan\PPP\EAP\4]
"RolesSupported"=dword:0000000a
"FriendlyName"="MD5-Challenge"
"Path"=hex(2):25,00,53,00,79,00,73,00,74,00,65,00,6d,00,52,00,6f,00,6f,00,74,\
  00,25,00,5c,00,53,00,79,00,73,00,74,00,65,00,6d,00,33,00,32,00,5c,00,52,00,\
  61,00,73,00,63,00,68,00,61,00,70,00,2e,00,64,00,6c,00,6c,00,00,00
"InvokeUsernameDialog"=dword:00000001
"InvokePasswordDialog"=dword:00000001

When values are set, restart the NPS Service

The last tab is Settings, this is where you define attributes to send back to the switch.  In our case we are sending back to move anyone who authenticates to the switch into vlan 20 and to allow them access.

5. Create users and add them to the group.

User name should be in format of all capitals 1234567890AB, do not forget select "Store password using reversible encryption". Change password to 1234567890AB and you ready to authenticate the PC.

Part 4. Troubleshooting

Show dot1x interface <interface>
Show authentication statistics <interface>

1. Make sure switch is already configured with an IP address and is reachable within the network.

2. Make sure there is an account created with Privilege Level 15. (show users accounts

3. Caution: Before disabling either telnet or HTTP access, verify SSH or HTTPS access.

4. To enable SSH, enter the following commands

• console(config)#crypto key generate rsa
• console(config)#crypto key generate dsa
• console(config)#ip ssh protocol 2
• console(config)#ip ssh server

5. Disable telnet:

• console(config)# ip telnet server disable

6. Enable HTTPS:

• console(config)# crypto certificate 1 generate
• console(config-crypto-cert)#key-generate
• console(config)# ip http secure-server

7. Disable HTTP: 

• console(config)# no ip http server

8. SNMP

• no snmp-server community
• snmp-server group snmpgroup v3 priv
• snmp-server user snmpuser snmpgroup auth-sha <AUTHKEY> priv-des <SHAREDKEY>