How To Configure RADIUS and TACACS servers for read-only and admin users in SD-WAN

Article ID: CTX250132

Description

For TACACS+, the server configuration file (/etc/tac_plus.conf) should contain the following entries (the accounting log itself is the file named in step 2):

1. Shared key:
   key = testing123

2. Accounting file:
   accounting file = /var/log/tac.acct

3. ACL:
   acl = default {
       permit = ###
   }

4. Group definitions:
   group = sdwan_admin {
       default service = permit
   }

   group = sdwan_viewer {
       default service = deny
       service = viewer {
       }
   }

5. For admin users:
   user = tac_sdwan1 {
       global = cleartext tac_sdwan1_pwd
       member = sdwan_admin
   }

6. For viewer users:
   user = tac_sdwan2 {
       global = cleartext tac_sdwan2_pwd
       member = sdwan_viewer
   }

7. Restart the TACACS+ process: /etc/init.d/tac_plus restart
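As an added example (not part of the Citrix article and not tac_plus code), the following Python script parses a tac_plus.conf written in the syntax of steps 1 to 7 and reports which users end up with admin versus viewer rights, flags users whose group is not defined, and flags cleartext passwords. The embedded sample configuration is constructed and includes one deliberately broken user; parse_tac_plus and lint_tac_plus are names chosen here.

```python
import re

# Constructed sample mirroring the tac_plus.conf fragments above, plus one
# deliberately broken user (member of an undefined group) to exercise the lint.
SAMPLE_TAC_PLUS_CONF = """
key = testing123
accounting file = /var/log/tac.acct
acl = default {
    permit = .*
}
group = sdwan_admin {
    default service = permit
}
group = sdwan_viewer {
    default service = deny
    service = viewer {
    }
}
user = tac_sdwan1 {
    global = cleartext tac_sdwan1_pwd
    member = sdwan_admin
}
user = tac_sdwan2 {
    global = cleartext tac_sdwan2_pwd
    member = sdwan_viewer
}
user = tac_orphan {
    global = cleartext tac_orphan_pwd
    member = no_such_group
}
"""

_OPEN = re.compile(r"^(.+?)\s*=\s*(\S+)\s*\{$")   # "kind = name {"
_ATTR = re.compile(r"^(.+?)\s*=\s*(.*)$")          # "name = value"


def parse_tac_plus(text):
    """Parse the brace-delimited tac_plus.conf syntax into nested dicts.

    Each node is {"attrs": {name: value}, "children": {(kind, name): node}}.
    Blank lines and '#' comments are ignored.
    """
    root = {"attrs": {}, "children": {}}
    stack = [root]
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        if line == "}":
            stack.pop()
            continue
        opened = _OPEN.match(line)
        if opened:
            node = {"attrs": {}, "children": {}}
            stack[-1]["children"][(opened.group(1), opened.group(2))] = node
            stack.append(node)
            continue
        attr = _ATTR.match(line)
        if attr:
            stack[-1]["attrs"][attr.group(1)] = attr.group(2)
    return root


def lint_tac_plus(text):
    """Return ({user: "admin" | "viewer"}, [findings]) for a tac_plus.conf."""
    conf = parse_tac_plus(text)
    groups = {n: node for (k, n), node in conf["children"].items() if k == "group"}
    users = {n: node for (k, n), node in conf["children"].items() if k == "user"}
    roles, findings = {}, []
    for uname, unode in users.items():
        gname = unode["attrs"].get("member")
        if gname not in groups:
            findings.append(f"user {uname}: member group {gname!r} is not defined")
            continue
        # tac_plus only grants services that are permitted, so a group without
        # "default service = permit" is treated as a viewer group here.
        default = groups[gname]["attrs"].get("default service", "deny")
        roles[uname] = "admin" if default == "permit" else "viewer"
        if unode["attrs"].get("global", "").startswith("cleartext"):
            findings.append(f"user {uname}: password stored as cleartext in tac_plus.conf")
    for gname, gnode in groups.items():
        if (gnode["attrs"].get("default service") == "deny"
                and ("service", "viewer") not in gnode["children"]):
            findings.append(f"group {gname}: default deny without a viewer service")
    return roles, findings


if __name__ == "__main__":
    roles, findings = lint_tac_plus(SAMPLE_TAC_PLUS_CONF)
    for user, role in sorted(roles.items()):
        print(f"{user}: {role}")
    for finding in findings:
        print("finding:", finding)
```

Run it against a real /etc/tac_plus.conf by reading the file into lint_tac_plus; the point of the check is that the admin/viewer split is decided by group membership plus "default service", so an unmapped or mistyped group silently leaves a user with whatever the daemon's default grants.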

For RADIUS

1. Configure the clients file (/etc/raddb/clients). Add the following entry for each subnet from which RADIUS clients will connect, replacing the <subnet/prefix> placeholder with that subnet:

   client <subnet/prefix> {
       secret = testing123
       shortname = private-network
   }

2. Configure the users file (/etc/raddb/users). Add the following entry for each ADMIN user; the Reply-Message line must be indented so that it is read as a reply item of the entry above it:

   rad_sdwan1 Cleartext-Password := "rad_sdwan1_pwd"
       Reply-Message = "ADMIN"

3. In the same users file, add the following entry for each VIEWER user:

   rad_sdwan2 Cleartext-Password := "rad_sdwan2_pwd"
       Reply-Message = "GUEST"

4. Restart RADIUS: /etc/init.d/radiusd restart

5. RADIUS and TACACS+ are IETF/RFC standards, so any product with RADIUS/TACACS+ support should work.

  • In addition to ADMIN and GUEST, there are roles for security and network administrators:
    • "SECURITY_ADMIN": admin privileges for all security-related settings and configuration (all network-related settings are greyed out)
    • "NETWORK_ADMIN": admin privileges for all network-related settings and configuration (all security-related settings are greyed out)
  • The RADIUS attribute 18 (Reply-Message) value to be used on the server for these roles is:
    • "SECURITY_ADMIN"
    • "NETWORK_ADMIN"
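Added example, not from the article and not FreeRADIUS code: a Python script that reads a users file in the format of steps 2 and 3, extracts each user's Reply-Message, and checks it against the four role strings (ADMIN, GUEST, SECURITY_ADMIN, NETWORK_ADMIN) listed above. It flags whitespace inside the quotes (the kind of typo that silently breaks role assignment), role names the appliance does not know, and Cleartext-Password check items. The sample users file is constructed and includes two deliberately broken entries; VALID_ROLES, parse_users_file and audit_roles are names chosen here.

```python
import re

# Constructed sample in the FreeRADIUS "users" file format used above.
# rad_sdwan3 and rad_sdwan4 are deliberately broken to exercise the checks.
SAMPLE_USERS_FILE = (
    'rad_sdwan1 Cleartext-Password := "rad_sdwan1_pwd"\n'
    '\tReply-Message = "ADMIN"\n'
    '\n'
    'rad_sdwan2 Cleartext-Password := "rad_sdwan2_pwd"\n'
    '\tReply-Message = "GUEST"\n'
    '\n'
    'rad_sdwan3 Cleartext-Password := "rad_sdwan3_pwd"\n'
    '\tReply-Message = " SECURITY_ADMIN"\n'
    '\n'
    'rad_sdwan4 Cleartext-Password := "rad_sdwan4_pwd"\n'
    '\tReply-Message = "SUPERUSER"\n'
)

# Reply-Message (RADIUS attribute 18) values the article maps to SD-WAN roles.
VALID_ROLES = {"ADMIN", "GUEST", "SECURITY_ADMIN", "NETWORK_ADMIN"}

# One "Attribute op value" item; operators seen in users files: :=, +=, ==, =
_ITEM = re.compile(r'^\s*([\w-]+)\s*(?::=|\+=|==|=)\s*(.*?)\s*$')


def _split_items(line):
    """Split a comma-separated attribute line into (name, value) pairs.

    Quotes are removed but inner whitespace is kept, so a typo such as
    " ADMIN" stays visible. Values containing commas are not supported.
    """
    pairs = []
    for item in line.strip().rstrip(",").split(","):
        m = _ITEM.match(item)
        if not m:
            continue
        value = m.group(2)
        if len(value) >= 2 and value[0] == value[-1] == '"':
            value = value[1:-1]
        pairs.append((m.group(1), value))
    return pairs


def parse_users_file(text):
    """An unindented line starts an entry (name plus check items); the
    indented lines that follow are its reply items."""
    entries, current = [], None
    for raw in text.splitlines():
        if not raw.strip() or raw.lstrip().startswith("#"):
            continue
        if raw[0] not in " \t":
            name, _, checks = raw.partition(" ")
            current = {"name": name, "check": dict(_split_items(checks)), "reply": {}}
            entries.append(current)
        elif current is not None:
            current["reply"].update(_split_items(raw))
    return entries


def audit_roles(text):
    """Return ({user: role}, [findings]) for a users file."""
    roles, findings = {}, []
    for entry in parse_users_file(text):
        name = entry["name"]
        if "Cleartext-Password" in entry["check"]:
            findings.append(f"{name}: Cleartext-Password stored in the users file")
        msg = entry["reply"].get("Reply-Message")
        if msg is None:
            findings.append(f"{name}: no Reply-Message, so no SD-WAN role can be assigned")
        elif msg != msg.strip():
            # Almost certainly a typo; flag it rather than guess how the
            # appliance compares the string.
            findings.append(f"{name}: Reply-Message {msg!r} has surrounding whitespace")
        elif msg not in VALID_ROLES:
            findings.append(f"{name}: Reply-Message {msg!r} is not one of {sorted(VALID_ROLES)}")
        else:
            roles[name] = msg
    return roles, findings


if __name__ == "__main__":
    roles, findings = audit_roles(SAMPLE_USERS_FILE)
    for user, role in sorted(roles.items()):
        print(f"{user}: {role}")
    for finding in findings:
        print("finding:", finding)
```

Point it at a real /etc/raddb/users by reading the file into audit_roles. Because the appliance derives the role purely from the Reply-Message text, a review of that one attribute per user is the quickest way to confirm that nobody is accidentally an ADMIN and that every intended administrator actually matches one of the four strings.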