-rw-r--r-- docs/configuration/system/login.rst | 114
1 files changed, 99 insertions, 15 deletions
| diff --git a/docs/configuration/system/login.rst b/docs/configuration/system/login.rst index d920afe3..e5990315 100644 --- a/docs/configuration/system/login.rst +++ b/docs/configuration/system/login.rst @@ -82,8 +82,8 @@ The third part is simply an identifier, and is for your own reference.     <identifier> options <options>     Set the options for this public key. See the ssh ``authorized_keys`` man -   page for details of what you can specify here. To place a ``"``  -   character in the options field, use ``"``, for example  +   page for details of what you can specify here. To place a ``"`` +   character in the options field, use ``"``, for example     ``from="10.0.0.0/24"`` to restrict where the user     may connect from when using this key. @@ -189,7 +189,7 @@ Display OTP key for user  To display the configured OTP user key, use the command: -.. cfgcmd:: sh system login authentication user <username> otp  +.. cfgcmd:: sh system login authentication user <username> otp     <full|key-b32|qrcode|uri>  An example: 
@@ -242,35 +242,90 @@ Configuration  .. cfgcmd:: set system login radius server <address> key <secret> -   Specify the `<address>` of the RADIUS server user with the pre-shared-secret -   given in `<secret>`. Multiple servers can be specified. +   Specify the IP `<address>` of the RADIUS server user with the pre-shared-secret +   given in `<secret>`. + +   Multiple servers can be specified.  .. cfgcmd:: set system login radius server <address> port <port>     Configure the discrete port under which the RADIUS server can be reached. -   This defaults to 1812. - -.. cfgcmd:: set system login radius server <address> timeout <timeout> -   Setup the `<timeout>` in seconds when querying the RADIUS server. +   This defaults to 1812.  .. cfgcmd:: set system login radius server <address> disable     Temporary disable this RADIUS server. It won't be queried. +.. cfgcmd:: set system login radius server <address> timeout <timeout> + +   Setup the `<timeout>` in seconds when querying the RADIUS server. +  .. cfgcmd:: set system login radius source-address <address>     RADIUS servers could be hardened by only allowing certain IP addresses to     connect. As of this the source address of each RADIUS query can be -   configured. If this is not set, incoming connections to the RADIUS server -   will use the nearest interface address pointing towards the server - making -   it error prone on e.g. OSPF networks when a link fails and a backup route is -   taken. +   configured. + +   If unset, incoming connections to the RADIUS server will use the nearest +   interface address pointing towards the server - making it error prone on +   e.g. OSPF networks when a link fails and a backup route is taken. + +.. cfgcmd:: set system login radius vrf <name> + +   Source all connections to the RADIUS servers from given VRF `<name>`.  .. hint:: If you want to have admin users to authenticate via RADIUS it is     essential to sent the ``Cisco-AV-Pair shell:priv-lvl=15`` attribute. 
Without     the attribute you will only get regular, non privilegued, system users. +TACACS+ +======= + +In addition to :abbr:`RADIUS (Remote Authentication Dial-In User Service)`, +:abbr:`TACACS (Terminal Access Controller Access Control System)` can also be +found in large deployments. + +TACACS is defined in :rfc:`8907`. + +Configuration +------------- + +.. cfgcmd:: set system login tacas server <address> key <secret> + +   Specify the IP `<address>` of the TACACS server user with the pre-shared-secret +   given in `<secret>`. + +   Multiple servers can be specified. + +.. cfgcmd:: set system login tacas server <address> port <port> + +   Configure the discrete port under which the TACACS server can be reached. + +   This defaults to 49. + +.. cfgcmd:: set system login tacas server <address> disable + +   Temporary disable this TACACS server. It won't be queried. + +.. cfgcmd:: set system login tacas server <address> timeout <timeout> + +   Setup the `<timeout>` in seconds when querying the TACACS server. + +.. cfgcmd:: set system login tacas source-address <address> + +   TACACS servers could be hardened by only allowing certain IP addresses to +   connect. As of this the source address of each TACACS query can be +   configured. + +   If unset, incoming connections to the TACACS server will use the nearest +   interface address pointing towards the server - making it error prone on +   e.g. OSPF networks when a link fails and a backup route is taken. + +.. cfgcmd:: set system login tacas vrf <name> + +   Source all connections to the TACACS servers from given VRF `<name>`. +  Login Banner  ============ 
@@ -299,13 +354,13 @@ Login limits     Set a limit on the maximum number of concurrent logged-in users on     the system. -   This option should be used with ``timeout`` option. + +   This option must be used with ``timeout`` option.  .. cfgcmd:: set system login timeout <timeout>     Configure session timeout after which the user will be logged out. -  Example  ======= @@ -326,3 +381,32 @@ the password.    set system login user vyos authentication otp key OHZ3OJ7U2N25BK4G7SOFFJTZDTCFUUE2    set system login user vyos authentication plaintext-password vyos + +TACACS Example +-------------- + +We use a vontainer providing the TACACS serve rin this example. + +Load the container image in op-mode. + +.. code-block:: none + +   add container image lfkeitel/tacacs_plus:latest + +.. code-block:: none + +   set container network tac-test prefix '100.64.0.0/24' + +   set container name tacacs1 image 'lfkeitel/tacacs_plus:latest' +   set container name tacacs1 network tac-test address '100.64.0.11' + +   set container name tacacs2 image 'lfkeitel/tacacs_plus:latest' +   set container name tacacs2 network tac-test address '100.64.0.12' + +   set system login tacacs server 100.64.0.11 key 'tac_plus_key' +   set system login tacacs server 100.64.0.12 key 'tac_plus_key' + +   commit + +You can now SSH into your system using admin/admin as a default user supplied +from the ``lfkeitel/tacacs_plus:latest`` container. | 
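Review bot: In the first hunk (@@ -82,8) the retained sentence "To place a ``"`` character in the options field, use ``"``" tells the reader to use the same character it is trying to place, so as rendered it is circular; since this hunk already touches those two lines for trailing whitespace, restore whatever escaping was intended there (or drop the sentence) rather than leaving the whitespace-only change.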
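Review bot: In the @@ -242,35 hunk every new TACACS directive is spelled ``set system login tacas ...`` (six occurrences: ``server <address> key``, ``port``, ``disable``, ``timeout``, ``source-address``, ``vrf``), while the example hunk in this same patch uses ``set system login tacacs server ...``; one of them is wrong and readers copying the reference section will get a command that does not exist. The second ``Configuration`` heading added under ``TACACS+`` duplicates the RADIUS ``Configuration`` heading visible in the hunk header, which Sphinx reports as a duplicate implicit target; give it a distinct title or nest it. The new section heading says ``TACACS+`` and cites :rfc:`8907`, but the ``:abbr:`` expansion and the body text say plain "TACACS"; pick one. Small wording fixes while here: "Temporary disable" should be "Temporarily disable" and "Setup the `<timeout>`" should be "Set up the `<timeout>`" (in both the RADIUS and TACACS copies), "the RADIUS server user with the pre-shared-secret" reads oddly ("server" alone is enough), and the unchanged hint lines should read "essential to send" and "non-privileged".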
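Review bot: In the @@ -299,13 hunk the wording is strengthened from "should be used with" to "must be used with ``timeout`` option", but nothing in the change shows the CLI rejecting ``max-login-session`` without ``timeout``; if the combination is genuinely mandatory, say what happens at commit time without it, otherwise keep "should". Either way it needs the article: "must be used with the ``timeout`` option".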
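Review bot: In the @@ -326,3 hunk the lead sentence has two typos: "We use a vontainer providing the TACACS serve rin this example" should read "We use a container providing the TACACS server in this example". The text introduces only the first block as op-mode, but the second block (``set container ...``, ``set system login tacacs ...``, ``commit``) is configuration mode and should say so. The commands here use ``set system login tacacs server``, which does not match the ``tacas`` spelling in the reference section added by this same patch; align the two. Since the text states that admin/admin is the default user supplied by the ``lfkeitel/tacacs_plus:latest`` image, add a line saying this is a lab setup for verifying the configuration and that the shared key and default account are not meant for a production TACACS server.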
