-rw-r--r-- docs/configuration/system/login.rst 114
1 files changed, 99 insertions, 15 deletions
diff --git a/docs/configuration/system/login.rst b/docs/configuration/system/login.rst
index d920afe3..e5990315 100644
--- a/docs/configuration/system/login.rst
+++ b/docs/configuration/system/login.rst
@@ -82,8 +82,8 @@ The third part is simply an identifier, and is for your own reference.
<identifier> options <options>
Set the options for this public key. See the ssh ``authorized_keys`` man
- page for details of what you can specify here. To place a ``"``
- character in the options field, use ``&quot;``, for example
+ page for details of what you can specify here. To place a ``"``
+ character in the options field, use ``&quot;``, for example
``from=&quot;10.0.0.0/24&quot;`` to restrict where the user
may connect from when using this key.
@@ -189,7 +189,7 @@ Display OTP key for user
To display the configured OTP user key, use the command:
-.. cfgcmd:: sh system login authentication user <username> otp
+.. cfgcmd:: sh system login authentication user <username> otp
<full|key-b32|qrcode|uri>
An example:
@@ -242,35 +242,90 @@ Configuration
.. cfgcmd:: set system login radius server <address> key <secret>
- Specify the `<address>` of the RADIUS server user with the pre-shared-secret
- given in `<secret>`. Multiple servers can be specified.
+ Specify the IP `<address>` of the RADIUS server user with the pre-shared-secret
+ given in `<secret>`.
+
+ Multiple servers can be specified.
.. cfgcmd:: set system login radius server <address> port <port>
Configure the discrete port under which the RADIUS server can be reached.
- This defaults to 1812.
-
-.. cfgcmd:: set system login radius server <address> timeout <timeout>
- Setup the `<timeout>` in seconds when querying the RADIUS server.
+ This defaults to 1812.
.. cfgcmd:: set system login radius server <address> disable
Temporary disable this RADIUS server. It won't be queried.
+.. cfgcmd:: set system login radius server <address> timeout <timeout>
+
+ Setup the `<timeout>` in seconds when querying the RADIUS server.
+
.. cfgcmd:: set system login radius source-address <address>
RADIUS servers could be hardened by only allowing certain IP addresses to
connect. As of this the source address of each RADIUS query can be
- configured. If this is not set, incoming connections to the RADIUS server
- will use the nearest interface address pointing towards the server - making
- it error prone on e.g. OSPF networks when a link fails and a backup route is
- taken.
+ configured.
+
+ If unset, incoming connections to the RADIUS server will use the nearest
+ interface address pointing towards the server - making it error prone on
+ e.g. OSPF networks when a link fails and a backup route is taken.
+
+.. cfgcmd:: set system login radius vrf <name>
+
+ Source all connections to the RADIUS servers from given VRF `<name>`.
.. hint:: If you want to have admin users to authenticate via RADIUS it is
essential to sent the ``Cisco-AV-Pair shell:priv-lvl=15`` attribute. Without
the attribute you will only get regular, non privilegued, system users.
+TACACS+
+=======
+
+In addition to :abbr:`RADIUS (Remote Authentication Dial-In User Service)`,
+:abbr:`TACACS (Terminal Access Controller Access Control System)` can also be
+found in large deployments.
+
+TACACS is defined in :rfc:`8907`.
+
+Configuration
+-------------
+
+.. cfgcmd:: set system login tacas server <address> key <secret>
+
+ Specify the IP `<address>` of the TACACS server user with the pre-shared-secret
+ given in `<secret>`.
+
+ Multiple servers can be specified.
+
+.. cfgcmd:: set system login tacas server <address> port <port>
+
+ Configure the discrete port under which the TACACS server can be reached.
+
+ This defaults to 49.
+
+.. cfgcmd:: set system login tacas server <address> disable
+
+ Temporary disable this TACACS server. It won't be queried.
+
+.. cfgcmd:: set system login tacas server <address> timeout <timeout>
+
+ Setup the `<timeout>` in seconds when querying the TACACS server.
+
+.. cfgcmd:: set system login tacas source-address <address>
+
+ TACACS servers could be hardened by only allowing certain IP addresses to
+ connect. As of this the source address of each TACACS query can be
+ configured.
+
+ If unset, incoming connections to the TACACS server will use the nearest
+ interface address pointing towards the server - making it error prone on
+ e.g. OSPF networks when a link fails and a backup route is taken.
+
+.. cfgcmd:: set system login tacas vrf <name>
+
+ Source all connections to the TACACS servers from given VRF `<name>`.
+
Login Banner
============
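Review bot: the six new TACACS ``cfgcmd`` directives spell the node ``tacas`` (``set system login tacas server ...``, ``tacas source-address``, ``tacas vrf``), while the example added at the end of this patch uses ``set system login tacacs server``. Only one spelling can match the CLI, so please align the directives with the example or the other way round; a reader copying the syntax line as written would otherwise get a rejected command. Two smaller wording points in the same block: the heading says TACACS+ while the body and the ``:abbr:`` expansion say TACACS, and "TACACS server user with the pre-shared-secret" carries the stray word "user" over from the RADIUS text.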
@@ -299,13 +354,13 @@ Login limits
Set a limit on the maximum number of concurrent logged-in users on
the system.
- This option should be used with ``timeout`` option.
+
+ This option must be used with ``timeout`` option.
.. cfgcmd:: set system login timeout <timeout>
Configure session timeout after which the user will be logged out.
-
Example
=======
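Review bot: the added line "This option must be used with ``timeout`` option." turns a recommendation into a requirement without saying what happens when ``timeout`` is unset. Please state whether the commit is rejected or the user limit is ignored in that case, so an operator relying on the limit knows whether it is actually enforced. "with the ``timeout`` option" would also read better.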
@@ -326,3 +381,32 @@ the password.
set system login user vyos authentication otp key OHZ3OJ7U2N25BK4G7SOFFJTZDTCFUUE2
set system login user vyos authentication plaintext-password vyos
+
+TACACS Example
+--------------
+
+We use a vontainer providing the TACACS serve rin this example.
+
+Load the container image in op-mode.
+
+.. code-block:: none
+
+ add container image lfkeitel/tacacs_plus:latest
+
+.. code-block:: none
+
+ set container network tac-test prefix '100.64.0.0/24'
+
+ set container name tacacs1 image 'lfkeitel/tacacs_plus:latest'
+ set container name tacacs1 network tac-test address '100.64.0.11'
+
+ set container name tacacs2 image 'lfkeitel/tacacs_plus:latest'
+ set container name tacacs2 network tac-test address '100.64.0.12'
+
+ set system login tacacs server 100.64.0.11 key 'tac_plus_key'
+ set system login tacacs server 100.64.0.12 key 'tac_plus_key'
+
+ commit
+
+You can now SSH into your system using admin/admin as a default user supplied
+from the ``lfkeitel/tacacs_plus:latest`` container.
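Review bot: the example ends by telling readers to log in with ``admin/admin`` supplied by the ``lfkeitel/tacacs_plus:latest`` image and configures both servers with the key ``'tac_plus_key'``, but nothing marks these as lab-only values. Please add a sentence that the default account and the shared key must be replaced before this setup is used outside a test environment, and consider pinning the image to a specific tag instead of ``latest`` so the documented behaviour stays reproducible. The intro line has two typos ("vontainer", "serve rin"), and the second ``code-block`` has no sentence introducing it the way "Load the container image in op-mode." introduces the first.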