...
TACACS+ authentication support is provided for the following management interfaces on the
- HTTP/HTTPS
- Console Login
- SSH
- Telnet
If TACACS+ is enabled, the system prompts for a username and password whenever a user attempts to log in. Upon receiving the username and password, the
...
- The TACACS+ server authenticates the user, and the login succeeds.
- The connection to the TACACS+ server fails (times out). Administrator password authentication is used for the next login attempt.
- A connection is established with the TACACS+ server, but the authentication parameters (username and password) are not validated, and authentication fails. The TACACS+ authentication mechanism is used again for the next login attempt.
...
- ASCII—The username is sent as part of the TACACS client request, and the password is sent as part of the continue message.
- Password Authentication Protocol (PAP)—Both username and password are sent as part of the request message.
- Challenge Handshake Authentication Protocol (CHAP)—The password is used to calculate the response to a random challenge. Both the challenge and the response are sent as part of the TACACS+ request message.
For successful authentication, the username and password entered for TACACS+ authentication at run-time must match the values that are configured on the TACACS+ server. The username and password settings depend on the authentication mode (PAP/CHAP/ASCII).
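As an added example (not part of this guide or of the product's own code), the following Python encodes the TACACS+ authentication START body defined in RFC 8907 for each of the three modes listed above (and again in the settings table below), so the difference between them is visible on the wire: ASCII sends the username now and the password in a later CONTINUE, PAP places the password in the START data field, and CHAP sends only the challenge and an MD5 response. The username, password, port, remote address, challenge and privilege level are constructed values for the example.

```python
import hashlib
import struct

# Authentication START body constants from RFC 8907 (TACACS+).
TAC_PLUS_AUTHEN_LOGIN = 0x01          # action
TAC_PLUS_AUTHEN_TYPE_ASCII = 0x01
TAC_PLUS_AUTHEN_TYPE_PAP = 0x02
TAC_PLUS_AUTHEN_TYPE_CHAP = 0x03
TAC_PLUS_AUTHEN_SVC_LOGIN = 0x01      # authen_service
PRIV_LVL_USER = 0x01                  # assumed privilege level for this example


def chap_response(ppp_id: int, password: str, challenge: bytes) -> bytes:
    """CHAP (RFC 1994) response: MD5(id || password || challenge)."""
    return hashlib.md5(bytes([ppp_id]) + password.encode() + challenge).digest()


def authen_start_body(mode, username, password, port="tty0",
                      rem_addr="192.0.2.10", challenge=b"", ppp_id=1):
    """Encode a TACACS+ authentication START body for the selected mode.

    ASCII: only the username goes here; the password follows in a CONTINUE packet.
    PAP:   the clear password rides in the data field of this packet.
    CHAP:  data = id + challenge + MD5 response; the password itself is never sent.
    """
    if mode == "ASCII":
        authen_type, data = TAC_PLUS_AUTHEN_TYPE_ASCII, b""
    elif mode == "PAP":
        authen_type, data = TAC_PLUS_AUTHEN_TYPE_PAP, password.encode()
    elif mode == "CHAP":
        authen_type = TAC_PLUS_AUTHEN_TYPE_CHAP
        data = bytes([ppp_id]) + challenge + chap_response(ppp_id, password, challenge)
    else:
        raise ValueError(f"unknown mode {mode!r}")
    fields = [username.encode(), port.encode(), rem_addr.encode(), data]
    if any(len(f) > 255 for f in fields):   # each length is a single byte on the wire
        raise ValueError("field exceeds the 255-byte limit")
    header = struct.pack("!8B", TAC_PLUS_AUTHEN_LOGIN, PRIV_LVL_USER, authen_type,
                         TAC_PLUS_AUTHEN_SVC_LOGIN, *(len(f) for f in fields))
    return header + b"".join(fields)


def ascii_continue_body(password: str) -> bytes:
    """CONTINUE body carrying the password in ASCII mode: user_msg_len, data_len, flags, user_msg."""
    msg = password.encode()
    return struct.pack("!HHB", len(msg), 0, 0) + msg
```

RFC 8907 obfuscates this body with an MD5 pad derived from the shared secret, so in ASCII and PAP mode the configured shared secret is all that protects the password in transit; CHAP avoids sending the password at all.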
...
When TACACS+ logging is enabled, all the configured parameters that have changed from their original stored values are sent as a sequence of attribute-value pairs (AV pairs). The format is attributename=attributevalue, where the attributename is the name of the configurable parameter (similar to the GUI field name), and the attributevalue is the new value of that parameter.
All TACACS+ parameters except TACACS+ Authentication Mode apply to both the logging and the authentication features.
...
- service=http
- page_name=symbolic name of the web page e.g. pg_vpn
- operation=self explanatory action name such as submit, add, delete
For Telnet, SSH, and console, the logging messages consist of the following: Command=issued command.
If the parameter value or command name exceeds the maximum AV pair length of 255 characters, the message is broken into multiple AV pairs, as follows (this is a TACACS+ limitation):
...
For TACACS+ Authorization, all commands run in a single level of user access. The
...
The
If either TACACS+ or RADIUS is enabled, but the system cannot communicate with the server (TACACS+ or RADIUS, respectively), then the system reverts to administrator password authentication.
...
Choose Admin > TACACS Settings.
Configure settings using the information in the following table as a guide.
Table 1: TACACS Settings

| Item | Description |
|---|---|
| Enable TACACS+ Authentication | Select the Enable TACACS+ Authentication checkbox. |
| Enable TACACS+ Logging | Select the Enable TACACS+ Logging checkbox to log all configuration changes made over HTTP, HTTPS, SSH, Telnet, and the system console. Note: Enable TACACS+ Authentication and Enable TACACS+ Logging can be enabled independently. |
| TACACS+ Server Address | Enter the IP address of the TACACS+ server to contact for authentication. |
| Shared Secret | Displays whether a password for TACACS+ authentication requests has been set. |
| Edit Secret | Select the Edit Secret checkbox to allow the shared secret password to be set. |
| Shared Secret | Enter a password for the TACACS+ request. The client and the server must have the same secret. |
| Shared Secret (confirm) | Reenter the shared secret to confirm. |
| Server Timeout (in seconds) | Enter the number of seconds after which a TACACS+ server that has not responded to a request is deemed unavailable. The valid range is 1 to 100 seconds; the default is 5 seconds. |
| TACACS+ Authentication Mode | Select a TACACS+ authentication mode from the drop-down list (the modes are described below). |

TACACS+ authentication modes:
- ASCII—The username is sent as part of the TACACS client request, and the password is sent as part of the continue message.
- Password Authentication Protocol (PAP)—Both username and password are sent as part of the request message.
- Challenge Handshake Authentication Protocol (CHAP)—The password is used to calculate the response to a random challenge. Both the challenge and the response are sent as part of the TACACS+ request message.
Click Submit to make your changes take effect.
- A message indicates that service will be temporarily interrupted. Click OK to confirm.
...