Set up a local TACACS+ server using a virtual machine

In this topic, you will learn how to install and run local TACACS+ servers that work together with Portnox™ Cloud using virtual machines.

For information about how the Portnox Cloud TACACS+ service works, see the following topic: How does the Portnox Cloud TACACS+ service work?

  1. In the Cloud portal top menu, click on the Settings option.

  2. In the right-hand side pane, find and click on the LOCAL TACACS+ SERVICE heading.

    More options appear under the LOCAL TACACS+ SERVICE heading and description.

  3. Under the LOCAL TACACS+ IMAGES heading, click on the relevant link to download the local TACACS+ server virtual machine file:

    • Click on the VMware image link if you use one of the following hypervisors: VMware Workstation, VMware Fusion, VMware ESXi.
    • Click on the HyperV image link if you use one of the following hypervisors: Microsoft Hyper-V, Oracle VirtualBox, Citrix Hypervisor, Proxmox Virtual Environment, Xen Project.

    Save the downloaded file locally; you will use it later, after you prepare the configuration.

  4. Under the LOCAL TACACS+ heading, click on the Add a new Local TACACS+ profile (VM) link to begin the configuration process for the new local TACACS+ instance.

    Your browser will display the Add new Local TACACS+ cluster heading with configuration fields for the new local TACACS+ instance.

  5. In the Name field, enter a name for your local TACACS+ server.

    This name is also used as the hostname that your NAS devices will use to contact the local TACACS+ server. However, using the IP address in NAS configuration is recommended.

  6. In the Static IP field, enter the static local IP for your local TACACS+ server.

    This is the IP that your NAS devices will use to contact the local TACACS+ server.

  7. In the Netmask field, enter the netmask defining the subnet for the entered static IP address.
  8. In the Gateway field, enter the default gateway IP address for the entered static IP address.
  9. In the Broadcast field, enter the broadcast IP address for the subnet of the entered static IP address.

  10. Add DNS servers:
    1. In the Domain Name Servers (DNS) section, click on the Add DNS link to add the IP of at least one DNS resolver.
    2. In the IP field, enter the IP address of the DNS resolver and click on the Add button.
    3. Repeat the above process if necessary by clicking on the Add DNS link to add another DNS resolver.

      You can also click on the Remove link on the right-hand side, if you want to remove one of the added DNS resolvers.

  11. Click and hold the 👁 icon to reveal the value of the Shared Secret field, and note it down to use it when configuring NAS devices to contact this local TACACS+ server.

    If you want to generate a different shared secret, click on the Regenerate link on the right-hand side.

    Note: After you save the server settings and view them, you can use the ⧉ icon to copy the value to the clipboard.

  12. Optional: In the Syslog Destination field, enter the IP and port of a local syslog server, if you want to stream logs from the virtual machine to a syslog server.

    If you leave this field empty, Portnox Cloud will not send syslog streams. If you omit the port number, Cloud will use the default port 514.

  13. Optional: In the SNMP CONFIGURATION section, click on the Enable SNMP v1 and v2c checkbox to enable support for SNMP v1/v2 protocols on the local TACACS+ server.
    1. In the Community string field, enter the community string for this local TACACS+ server.

      Write down this community string, so you can use it later to configure other devices. The community string acts like a password/shared secret and lets other devices authenticate via SNMP v1 or v2 with the local TACACS+ server.

  14. Optional: In the SNMP CONFIGURATION section, click on the Enable SNMP v3 checkbox to enable support for the secure SNMP v3 protocol on the local TACACS+ server and provide the configuration information.
    1. In the Username field, enter the SNMP v3 username.

      The SNMP username is a unique identifier for an SNMP v3 user.

    2. In the Password field, enter the SNMP v3 password.

      The SNMP v3 password, also known as the authentication key or authentication passphrase, is a shared secret between the SNMP manager and the SNMP agent.

    3. In the Authentication protocol field, select the SNMP v3 authentication protocol.

      The authentication protocol determines the method used to authenticate the SNMP v3 user: HMAC-MD5 or HMAC-SHA.

    4. In the Privacy password field, enter the SNMP v3 privacy password.

      The privacy password, also known as the encryption key or encryption passphrase, is used for encrypting SNMP v3 messages using symmetric encryption.

    5. In the Privacy protocol field, select the SNMP v3 privacy protocol.

      The privacy protocol is the method used to encrypt SNMP v3 messages: DES or AES 128.

  15. Optional: If you want to access the local TACACS+ instance using SSH, click on the Enable SSH checkbox.

    To connect to the TACACS+ instance using the PuTTY application:

    1. Click on the Download PuTTY SSH key link.
    2. Run PuTTY.
    3. In the PuTTY configuration window, go to Connection > SSH > Auth > Credentials and in the Private key file for authentication, select the PuTTY SSH key (private.ppk) that you downloaded earlier.

    4. Go back to the Session setting, and in the Host Name (or IP address) field, enter the host name or the IP address of the local TACACS+ instance.
    5. Optional: In the Saved Sessions field, enter a name for this session, for example, Local TACACS+, and then click on the Save button to save these settings for later.
    6. Click on the Open button to connect.
    7. At the login as: prompt, type tc and press the Enter key.

  16. Click on the Save and Download button to save the configuration and download the configuration ISO image.
    Important: The downloaded ISO image is required to configure the virtual machine file downloaded earlier.

  17. Run the downloaded local TACACS+ virtual machine file in a hypervisor together with the downloaded configuration ISO image.
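An added example, not part of the Portnox documentation or tooling: a small Python checker for the values entered in steps 6 to 12 (Static IP, Netmask, Gateway, Broadcast, DNS resolvers, Syslog Destination), so that an inconsistent network configuration is caught before the ISO image is generated. It assumes all fields hold IPv4 values; the sample addresses in the test are constructed.

```python
import ipaddress

DEFAULT_SYSLOG_PORT = 514  # port Cloud uses when the Syslog Destination omits one


def parse_syslog_destination(value):
    """Parse the Syslog Destination field ('ip' or 'ip:port').

    Returns (ip, port), or None when the field is empty (no syslog streaming).
    Assumes an IPv4 address, like the other network fields on the form.
    """
    value = value.strip()
    if not value:
        return None
    host, sep, port = value.rpartition(":")
    if not sep:  # no port given: fall back to the documented default
        host, port = value, str(DEFAULT_SYSLOG_PORT)
    ipaddress.IPv4Address(host)  # raises ValueError on a malformed address
    port = int(port)
    if not 1 <= port <= 65535:
        raise ValueError(f"syslog port out of range: {port}")
    return host, port


def validate_network(static_ip, netmask, gateway, broadcast, dns_servers):
    """Check that Static IP, Netmask, Gateway, Broadcast and DNS values agree.

    Returns a list of problem descriptions; an empty list means consistent.
    """
    problems = []
    iface = ipaddress.IPv4Interface(f"{static_ip}/{netmask}")
    net = iface.network  # subnet implied by the static IP and netmask
    if iface.ip in (net.network_address, net.broadcast_address):
        problems.append("static IP must be a host address, not the network or broadcast address")
    if ipaddress.IPv4Address(broadcast) != net.broadcast_address:
        problems.append(f"broadcast should be {net.broadcast_address} for subnet {net}")
    gw = ipaddress.IPv4Address(gateway)
    if gw not in net:
        problems.append(f"gateway {gw} is outside subnet {net}")
    elif gw == iface.ip:
        problems.append("gateway must not be the server's own static IP")
    if not dns_servers:
        problems.append("at least one DNS resolver is required")
    for dns in dns_servers:
        try:
            ipaddress.IPv4Address(dns)
        except ValueError:
            problems.append(f"DNS resolver is not a valid IPv4 address: {dns}")
    return problems
```

Run `validate_network(...)` on the values you plan to enter; any returned message points at a field to correct before clicking Save and Download.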