Use the TACACS+ Settings page to manage Terminal Access Controller Access Control System (TACACS+) authentication.

...

If TACACS+ is enabled, the system prompts for a username and password whenever a user attempts to log in. Upon receiving the username and password, the system attempts to establish a connection with the TACACS+ server. When the connection is established, the user authentication request is transmitted to the TACACS+ server. The details of the request depend on the authentication mode configured on the system.

...

For authentication to succeed, the username and password entered at login must match the values configured on the TACACS+ server. How the username and password are carried in the request depends on the authentication mode (PAP, CHAP, or ASCII).
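
The following is an added example, not code from the product or this page, showing what the three authentication modes actually put on the wire. It encodes the TACACS+ authentication START body as laid out in RFC 8907 (section 5.1) and fills the data field per mode as described in section 5.4.2: empty for ASCII (the password follows in a CONTINUE), the cleartext password for PAP, and id || challenge || MD5 response for CHAP. The port, remote address, usernames, passwords and challenge are constructed values.

```python
"""TACACS+ authentication START bodies for ASCII, PAP and CHAP (RFC 8907).

Added example; the constants follow RFC 8907, the sample values are made up.
"""
import hashlib
import os
import struct

# authen_type values (RFC 8907 section 5.1)
TAC_PLUS_AUTHEN_TYPE_ASCII = 0x01
TAC_PLUS_AUTHEN_TYPE_PAP = 0x02
TAC_PLUS_AUTHEN_TYPE_CHAP = 0x03
# action, priv_lvl and service used by an ordinary login
TAC_PLUS_AUTHEN_LOGIN = 0x01
TAC_PLUS_PRIV_LVL_USER = 0x01
TAC_PLUS_AUTHEN_SVC_LOGIN = 0x01


def chap_response(ppp_id: int, password: str, challenge: bytes) -> bytes:
    """CHAP (RFC 1994) response: MD5(id || secret || challenge)."""
    return hashlib.md5(bytes([ppp_id]) + password.encode() + challenge).digest()


def start_body(authen_type: int, user: str, data: bytes,
               port: str = "web", rem_addr: str = "192.0.2.10") -> bytes:
    """Encode an authentication START body (RFC 8907 section 5.1).

    Layout: action, priv_lvl, authen_type, authen_service, user_len,
    port_len, rem_addr_len, data_len, followed by user, port, rem_addr, data.
    """
    u, p, r = user.encode(), port.encode(), rem_addr.encode()
    for name, field in (("user", u), ("port", p), ("rem_addr", r), ("data", data)):
        if len(field) > 255:
            raise ValueError(f"{name} exceeds its one-byte length field")
    fixed = struct.pack("!BBBBBBBB",
                        TAC_PLUS_AUTHEN_LOGIN, TAC_PLUS_PRIV_LVL_USER, authen_type,
                        TAC_PLUS_AUTHEN_SVC_LOGIN, len(u), len(p), len(r), len(data))
    return fixed + u + p + r + data


def ascii_start(user: str) -> bytes:
    """ASCII mode: only the username is in START; the password is sent in a
    later CONTINUE packet (user_msg) after the server replies GETPASS."""
    return start_body(TAC_PLUS_AUTHEN_TYPE_ASCII, user, b"")


def pap_start(user: str, password: str) -> bytes:
    """PAP mode: the cleartext password is the data field of START."""
    return start_body(TAC_PLUS_AUTHEN_TYPE_PAP, user, password.encode())


def chap_start(user: str, password: str, ppp_id: int, challenge: bytes) -> bytes:
    """CHAP mode: data = ppp_id || challenge || 16-byte MD5 response.
    The password itself never leaves the client."""
    resp = chap_response(ppp_id, password, challenge)
    return start_body(TAC_PLUS_AUTHEN_TYPE_CHAP, user, bytes([ppp_id]) + challenge + resp)


def parse_start_body(body: bytes) -> dict:
    """Decode a START body back into its fields (what the server sees)."""
    action, priv, atype, svc, ul, pl, rl, dl = struct.unpack("!BBBBBBBB", body[:8])
    off = 8
    user, off = body[off:off + ul], off + ul
    port, off = body[off:off + pl], off + pl
    rem_addr, off = body[off:off + rl], off + rl
    data = body[off:off + dl]
    if off + dl != len(body):
        raise ValueError("length fields do not match the body size")
    return {"action": action, "priv_lvl": priv, "authen_type": atype, "service": svc,
            "user": user.decode(), "port": port.decode(),
            "rem_addr": rem_addr.decode(), "data": data}


if __name__ == "__main__":
    challenge = os.urandom(16)
    for label, body in (("ASCII", ascii_start("alice")),
                        ("PAP", pap_start("alice", "s3cret")),
                        ("CHAP", chap_start("alice", "s3cret", 7, challenge))):
        f = parse_start_body(body)
        print(f"{label:5s} authen_type={f['authen_type']} data_len={len(f['data'])}")
```

The practical difference between the modes is visible in the data field: ASCII and PAP carry the cleartext password inside the packet body, so its only protection on the wire is the RFC 8907 body obfuscation keyed by the shared secret, which the RFC itself describes as obfuscation rather than encryption and recommends supplementing with a protected transport. CHAP keeps the password off the wire, but the response is an unsalted MD5 over the password, so a captured challenge and response can still be attacked offline.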

TACACS+ Accounting

TACACS+ accounting support lets the system track user interactions and provide a user audit trail that can be used for resource allocation or billing.

GUI Interaction Logging

When TACACS+ logging is enabled, every configured parameter whose value has changed from its stored value is sent as a sequence of attribute-value pairs (AV pairs). The format is attributename=attributevalue, where attributename is the name of the configurable parameter (it corresponds to the GUI field name) and attributevalue is the new value of that parameter.
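
As an added example (not the product's code), the block below turns a GUI submission into the AV pairs described above and packages them the way a TACACS+ accounting record is carried on the wire: the accounting REQUEST body of RFC 8907 section 7.1, the 12-byte header of section 4.1, and the MD5 pseudo-pad body obfuscation of section 4.5 keyed by the shared secret. The field names, the stored and submitted values, the username, port, addresses, session id and secret are all constructed for illustration.

```python
"""Accounting record for a configuration change: AV pairs, REQUEST body, header.

Added example; layouts follow RFC 8907, sample values are constructed.
"""
import hashlib
import struct

TAC_PLUS_MAJOR_VER = 0xC
TAC_PLUS_ACCOUNTING = 0x03
TAC_PLUS_ACCT_FLAG_STOP = 0x04           # a completed change is reported as a STOP record
TAC_PLUS_AUTHEN_METH_TACACSPLUS = 0x06
HEADER_FMT = "!BBBBII"                   # version, type, seq_no, flags, session_id, length

# Constructed "stored" and "submitted" values for a TACACS Settings page.
STORED = {"TACACS+ Server Address": "192.0.2.5", "Server Timeout": "5",
          "TACACS+ Authentication Mode": "PAP"}
SUBMITTED = {"TACACS+ Server Address": "192.0.2.7", "Server Timeout": "5",
             "TACACS+ Authentication Mode": "CHAP"}


def changed_av_pairs(stored: dict, submitted: dict) -> list:
    """attributename=attributevalue for every field whose value differs from the stored one."""
    return [f"{name}={submitted[name]}"
            for name in sorted(submitted) if submitted[name] != stored.get(name)]


def acct_request_body(user: str, port: str, rem_addr: str, args: list,
                      flags: int = TAC_PLUS_ACCT_FLAG_STOP) -> bytes:
    """Encode an accounting REQUEST body (RFC 8907 section 7.1)."""
    u, p, r = user.encode(), port.encode(), rem_addr.encode()
    a = [s.encode() for s in args]
    if len(a) > 255 or any(len(x) > 255 for x in a + [u, p, r]):
        raise ValueError("a field exceeds its one-byte length counter")
    fixed = struct.pack("!BBBBBBBBB", flags, TAC_PLUS_AUTHEN_METH_TACACSPLUS,
                        1, 1, 1,         # priv_lvl=1, authen_type=ASCII, authen_service=LOGIN
                        len(u), len(p), len(r), len(a))
    return fixed + bytes(len(x) for x in a) + u + p + r + b"".join(a)


def obfuscate(body: bytes, session_id: int, key: bytes, version: int, seq_no: int) -> bytes:
    """XOR the body with the MD5 pseudo-pad of RFC 8907 section 4.5.

    pad_1 = MD5(session_id || key || version || seq_no)
    pad_n = MD5(session_id || key || version || seq_no || pad_n-1)
    XOR is its own inverse, so the same call also de-obfuscates.
    """
    seed = struct.pack("!I", session_id) + key + bytes([version, seq_no])
    pad, prev = b"", b""
    while len(pad) < len(body):
        prev = hashlib.md5(seed + prev).digest()
        pad += prev
    return bytes(b ^ p for b, p in zip(body, pad))


def acct_packet(body: bytes, session_id: int, key: bytes, seq_no: int = 1) -> bytes:
    """Prepend the 12-byte header (RFC 8907 section 4.1) and obfuscate the body."""
    version = (TAC_PLUS_MAJOR_VER << 4) | 0          # minor version 0
    header = struct.pack(HEADER_FMT, version, TAC_PLUS_ACCOUNTING, seq_no, 0,
                         session_id, len(body))
    return header + obfuscate(body, session_id, key, version, seq_no)


def parse_acct_packet(packet: bytes, key: bytes) -> dict:
    """Inverse of acct_packet: what a server holding the same shared secret recovers."""
    version, ptype, seq_no, _flags, session_id, length = struct.unpack(HEADER_FMT, packet[:12])
    body = obfuscate(packet[12:12 + length], session_id, key, version, seq_no)
    aflags, meth, _priv, _atype, _svc, ul, pl, rl, n = struct.unpack("!BBBBBBBBB", body[:9])
    arg_lens = list(body[9:9 + n])
    off = 9 + n
    user, off = body[off:off + ul].decode(), off + ul
    port, off = body[off:off + pl].decode(), off + pl
    rem_addr, off = body[off:off + rl].decode(), off + rl
    args = []
    for ln in arg_lens:
        args.append(body[off:off + ln].decode())
        off += ln
    return {"type": ptype, "flags": aflags, "method": meth, "user": user,
            "port": port, "rem_addr": rem_addr, "args": args}


if __name__ == "__main__":
    pairs = changed_av_pairs(STORED, SUBMITTED)
    pkt = acct_packet(acct_request_body("alice", "https", "192.0.2.10", pairs),
                      session_id=0x1234ABCD, key=b"sharedkey")
    print(parse_acct_packet(pkt, b"sharedkey"))
```

Only fields that actually changed appear as args, so an unchanged Server Timeout is not reported. A server configured with a different shared secret de-obfuscates to garbage and rejects the record, which is why the secret must match on both sides; note, though, that the MD5-XOR pad provides no integrity check and is not encryption, so the link to the TACACS+ server should still be protected at the transport or network layer.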

...

Note: For TACACS+ authorization, all commands run at a single level of user access. The system does not support using TACACS+ to block access to pages or to prevent a user from running operations such as Submit.

...

Configuring TACACS+ Settings

From the TACACS+ Settings page, you can configure a single TACACS+ server or a redundant (primary and secondary) TACACS+ server configuration for the system.

To Configure TACACS+ Settings

...

  1. Choose Admin > TACACS Settings.


  2. Configure settings using the information in the following table as a guide.

    Table: TACACS Settings

    Item / Description

    Enable TACACS+ Authentication

    Select the Enable TACACS+ Authentication checkbox to authenticate logins against the TACACS+ server.

    Enable TACACS+ Logging

    Select the Enable TACACS+ Logging checkbox to log all configuration changes made over HTTP, HTTPS, SSH, Telnet, and the system console.

    Note: Enable TACACS+ Authentication and Enable TACACS+ Logging can be enabled independently of each other.

    TACACS+ Server Address

    Enter the IP address of the TACACS+ server to contact for authentication.

    Shared Secret

    Displays whether a shared secret for TACACS+ authentication requests has been set.

    Edit Secret

    Select the Edit Secret checkbox to set or change the shared secret.

    Shared Secret

    Enter the shared secret for TACACS+ requests. The client and the server must be configured with the same secret.

    Shared Secret (confirm)

    Re-enter the shared secret to confirm it.

    Server Timeout (in seconds)

    Enter the number of seconds to wait for a reply before the TACACS+ server is deemed unavailable. The valid range is 1 to 100 seconds; the default is 5 seconds.

    TACACS+ Authentication Mode

    Select a TACACS+ authentication mode from the drop-down list:

    ASCII: The username is sent in the initial TACACS+ request (START), and the password is sent in the follow-up CONTINUE message.

    Password Authentication Protocol (PAP): Both the username and the password are sent in the initial request message.

    Challenge Handshake Authentication Protocol (CHAP): The password is used to compute the response to a random challenge; the challenge and the response, not the password itself, are sent in the TACACS+ request message.

    TACACS+ Server

    Click the Create button to configure a redundant TACACS+ server.

    For details, see To Configure Redundant TACACS+ Server Settings below.



  3. Click Submit to make your changes take effect.

    A message indicates that service will be temporarily interrupted.

  4. Click OK to confirm.

To Configure Redundant TACACS+ Server Settings

A redundant TACACS+ server configuration enhances the reliability and availability of network authentication and adds failover capabilities. This configuration provides the following capabilities:

  • Primary-Secondary Server Configuration: The system is configured to communicate with either the primary or secondary TACACS+ server.
  • Failover Mechanism: Upon detecting the failure of the primary server, the system seamlessly switches authentication control to the secondary server.

  • Automatic Recovery: When the primary server becomes available again, control reverts to it automatically, ensuring optimal resource utilization.

  • Fallback to Root User: If both the primary and the secondary server fail, authentication control falls back to the local root user. Because this path opens whenever both servers are unreachable, the root user's local password must be protected as carefully as the TACACS+ shared secret.
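
The block below is an added illustration of the failover behaviour described above; it is not the product's implementation. A server is modelled as a callable taking (user, password, timeout) that returns the authentication result or raises TimeoutError or OSError when it does not answer within the Server Timeout. FakeServer, the local root check, and the ordering details are this example's assumptions.

```python
"""Primary/secondary TACACS+ failover with automatic recovery and root fallback.

Added model of the documented behaviour; names and FakeServer are assumptions.
"""
from typing import Callable, Optional

ServerFn = Callable[[str, str, float], bool]


class FakeServer:
    """Stand-in for a TACACS+ server: a user table plus an up/down switch."""

    def __init__(self, users: dict, up: bool = True):
        self.users, self.up, self.calls = users, up, 0

    def __call__(self, user: str, password: str, timeout_s: float) -> bool:
        self.calls += 1
        if not self.up:
            raise TimeoutError(f"no reply within {timeout_s}s")   # deemed unavailable
        return self.users.get(user) == password                   # an explicit deny is a reply


class TacacsFailover:
    def __init__(self, primary: ServerFn, secondary: ServerFn,
                 local_root_check: Callable[[str], bool], timeout_s: float = 5.0):
        self.servers = [("primary", primary), ("secondary", secondary)]
        self.local_root_check = local_root_check
        self.timeout_s = timeout_s
        self.last_path: Optional[str] = None    # which path decided the last login

    def authenticate(self, user: str, password: str) -> bool:
        # The primary is tried first on every login, so control returns to it
        # automatically as soon as it answers again (automatic recovery).
        for name, server in self.servers:
            try:
                result = server(user, password, self.timeout_s)
            except (TimeoutError, OSError):
                continue                         # unavailable: fail over to the next server
            # Any reply, including a deny, is authoritative; only silence triggers failover.
            self.last_path = name
            return result
        # Both servers unavailable: only root, checked against local credentials, can log in.
        self.last_path = "root-fallback"
        return user == "root" and self.local_root_check(password)


if __name__ == "__main__":
    primary = FakeServer({"alice": "pw"}, up=False)
    secondary = FakeServer({"alice": "pw"})
    auth = TacacsFailover(primary, secondary, lambda pw: pw == "local-root-pw")
    print("primary down:", auth.authenticate("alice", "pw"), auth.last_path)
    secondary.up = False
    print("both down, alice:", auth.authenticate("alice", "pw"), auth.last_path)
    print("both down, root:", auth.authenticate("root", "local-root-pw"), auth.last_path)
    primary.up = True
    print("primary back:", auth.authenticate("alice", "pw"), auth.last_path)
```

Two details matter operationally: a server that answers with a deny does not cause failover (only a timeout does), and the root fallback is reachable by anyone who can both cut the path to the servers and guess the local root password, which is why that password deserves the same handling as the shared secret.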

Use the following procedure to configure a redundant TACACS+ server.

  1. Choose Admin > TACACS Settings.
  2. Click the Create button to add a TACACS+ Server.

    The List of TACACS Server table displays.
  3. Configure the settings in the Add a TACACS+ Server frame using the following table as a guide.
    Item / Description
    Server IP 

    Type the server IP address.

    The IP address of the TACACS+ server is used when attempting to authenticate via TACACS+. There is no default for the Server IP Address.

    Server Key

    Type the server key.

    Key length: Up to 120 characters

    This value is used for authentication of the TACACS+ request. The client and the server must have the same secret. There is no default for the Server Key. 

    Confirm Key

    Type the server key again.

    Re-entering the key verifies that the secret you typed is the one you intended. This confirmation catches a mistyped key, which would otherwise silently cause every TACACS+ request to that server to fail.

  4. Click Add. The TACACS+ server appears under the List of TACACS Server frame. You can add at most two TACACS+ servers: a primary and a secondary.

    Note: The List of TACACS Server table shows every configured TACACS+ server together with the information used for network authentication and authorization.


  5. Click Submit to save your configuration changes to the system.

Disabling TACACS+ Services

...

To Disable the TACACS+ Services

  1. To disable TACACS+ authentication, clear the Enable TACACS+ Authentication checkbox and click Submit.

    Clicking Submit only stops the TACACS+ process; it does not impact network operations.
  2. To disable TACACS+ logging, clear the Enable TACACS+ Logging checkbox and click Submit.