Use the TACACS+ Settings page to manage Terminal Access Controller Access Control System (TACACS+) authentication.

About TACACS+ Management

Terminal Access Controller Access Control System Plus (TACACS+) is an authentication and accounting protocol designed for use with UNIX platforms. TACACS+ divides authentication, authorization, and accounting into separate functions. A remote TACACS+ server stores the user and password information, which is supplied during the authentication process. TCP is used as the transport protocol for TACACS+ messages.

TACACS+ authentication support is provided for the following management interfaces on EdgeMarc:

  • HTTP/HTTPS
  • Console Login
  • SSH
  • Telnet

If TACACS+ is enabled, the system prompts for a username and password whenever a user attempts to log in. Upon receiving the username and password, the EdgeMarc attempts to establish a connection with the TACACS+ server. When the connection is established, the user authentication request is transmitted to the TACACS+ server. The details of the request depend upon the authentication mode configured in the EdgeMarc.

TACACS+ authentication may result in any of the following scenarios:

  • The TACACS+ server authenticates the user, and login is successful.
  • The connection to the TACACS+ server fails (times out). Administrator password authentication is used for the next login attempt.
  • The connection to the TACACS+ server is established, but the authentication parameters (username and password) are not validated, and authentication fails. The TACACS+ authentication mechanism is used again for the next login attempt.

TACACS+ Authentication

The EdgeMarc supports the following TACACS+ authentication modes:

  • ASCII—The username is sent as part of the TACACS client request, and the password is sent as part of the continue message.
  • Password Authentication Protocol (PAP)—Both username and password are sent as part of the request message.
  • Challenge Handshake Authentication Protocol (CHAP)—The password is used to calculate the response to a random challenge. Both the challenge and response are sent as part of the TACACS+ request message.

For successful authentication, the username and password entered for TACACS+ authentication at run-time must match the values configured on the TACACS+ server. The username and password settings depend on the authentication mode (PAP/CHAP/ASCII).
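The CHAP mode above only says that the password "calculates the response to a random challenge". The following added example (not EdgeMarc code) spells out that calculation using the standard CHAP arithmetic from RFC 1994, which TACACS+ CHAP logins (RFC 8907) carry as id + challenge + response in the request's data field; the challenge length and the sample password are constructed for the example.

```python
"""CHAP response handling for TACACS+ CHAP logins (constructed example, RFC 1994 arithmetic)."""
import hashlib
import hmac
import os

CHALLENGE_LEN = 16   # chosen for this example; CHAP allows variable-length challenges
RESPONSE_LEN = 16    # MD5 digest size, fixed by CHAP


def chap_response(ppp_id: int, password: bytes, challenge: bytes) -> bytes:
    """RFC 1994: response = MD5(id || secret || challenge); id is a single byte."""
    if not 0 <= ppp_id <= 255:
        raise ValueError("PPP id must fit in one byte")
    return hashlib.md5(bytes([ppp_id]) + password + challenge).digest()


def client_chap_data(ppp_id: int, password: bytes, challenge: bytes) -> bytes:
    """Client side: the data field carried in the TACACS+ request, id + challenge + response."""
    return bytes([ppp_id]) + challenge + chap_response(ppp_id, password, challenge)


def server_verify(data: bytes, stored_password: bytes) -> bool:
    """Server side: recompute the response from the stored password and compare.

    The password itself never crosses the wire in CHAP, but the server must
    hold the cleartext (or reversibly stored) password to verify it; a
    one-way hash of the password is not enough. Comparison is constant-time.
    """
    if len(data) < 1 + 1 + RESPONSE_LEN:
        return False
    ppp_id, challenge, response = data[0], data[1:-RESPONSE_LEN], data[-RESPONSE_LEN:]
    expected = chap_response(ppp_id, stored_password, challenge)
    return hmac.compare_digest(expected, response)


def new_challenge() -> bytes:
    """Fresh random challenge per attempt, so a captured response cannot be reused."""
    return os.urandom(CHALLENGE_LEN)
```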

TACACS+ Accounting

TACACS+ accounting support is provided for the EdgeMarc to track user interactions with the system and provide a user audit trail that can be used for resource allocation or billing.

GUI Interaction Logging

When TACACS+ logging is enabled, all the configured parameters that have changed from their original stored values are sent as a sequence of attribute-value pairs (AV pairs). The format is attributename=attributevalue, where the attributename is the name of the configurable parameter (similar to the GUI field name), and the attributevalue is the new value of that parameter.

All TACACS+ parameters except for TACACS+ Authentication Mode apply to both logging and authentication features.

For the GUI interface, the TACACS+ logging message also contains the following protocol-specific fields:

  • service=http
  • page_name=symbolic name of the web page e.g. pg_vpn
  • operation=self explanatory action name such as submit, add, delete

For Telnet, SSH, and console, the logging messages consist of the following: Command=issued command.

If the parameter value or command name exceeds the maximum AV Pair length of 255 characters, then the message is broken into multiple AV pairs as follows (this is a TACACS+ limitation):

  • attrname=attrvalue
  • attrname_continued=attrvalue_cont.

In addition to the field information, the TACACS+ logging message also contains some protocol-specific fields.
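To make the AV pair format above concrete, here is an added example (not EdgeMarc code) that builds the GUI and CLI accounting records described in this section and splits over-long values into attrname / attrname_continued pairs; a consumer-side reassembler is included for anyone parsing these records on the accounting server. The page does not say whether the 255-character limit covers the name and "=" as well as the value, nor how a value needing more than two pairs is named, so the example assumes the limit applies to the whole pair and that every later chunk reuses the same "_continued" attribute.

```python
"""Build and reassemble EdgeMarc-style TACACS+ accounting AV pairs (constructed example)."""

MAX_AV_PAIR_LEN = 255          # maximum "name=value" length stated on the page
CONT_SUFFIX = "_continued"     # suffix the page shows for continuation pairs


def split_av_pair(name: str, value: str) -> list:
    """Return one or more AV pairs, each no longer than MAX_AV_PAIR_LEN.

    Assumptions (not specified on the page): the limit covers the whole
    'name=value' string, and every chunk after the first reuses the same
    '<name>_continued' attribute.
    """
    room = MAX_AV_PAIR_LEN - len(name) - 1          # characters left for the value
    if room <= 0:
        raise ValueError("attribute name leaves no room for a value")
    if len(value) <= room:
        return [f"{name}={value}"]
    pairs = [f"{name}={value[:room]}"]
    cont_name = name + CONT_SUFFIX
    cont_room = MAX_AV_PAIR_LEN - len(cont_name) - 1
    rest = value[room:]
    while rest:
        pairs.append(f"{cont_name}={rest[:cont_room]}")
        rest = rest[cont_room:]
    return pairs


def gui_accounting_record(page_name: str, operation: str, changes: dict) -> list:
    """GUI record: the fixed HTTP fields, then one AV pair per changed parameter."""
    pairs = ["service=http", f"page_name={page_name}", f"operation={operation}"]
    for attr, new_value in changes.items():
        pairs.extend(split_av_pair(attr, new_value))
    return pairs


def cli_accounting_record(command: str) -> list:
    """Telnet/SSH/console record: Command=<issued command>, split if too long."""
    return split_av_pair("Command", command)


def reassemble(pairs: list) -> dict:
    """Consumer side: merge name/name_continued pairs back into whole values."""
    merged = {}
    for pair in pairs:
        name, _, value = pair.partition("=")
        base = name[:-len(CONT_SUFFIX)] if name.endswith(CONT_SUFFIX) else None
        if base is not None and base in merged:
            merged[base] += value
        else:
            merged[name] = value
    return merged
```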

Note

For TACACS+ Authorization, all commands run in a single level of user access. The EdgeMarc does not support the use of TACACS+ to block access to pages or prevent a user from running operations such as Submit. 

TACACS+ and RADIUS

The EdgeMarc supports TACACS+ or Remote Authentication Dial In User Service (RADIUS), but not both simultaneously. If you attempt to enable TACACS+ while RADIUS is enabled, or vice versa, an error message is displayed, and the configuration is not applied.

If TACACS+ or RADIUS is enabled, but the system cannot communicate with the server (TACACS+ or RADIUS, respectively), the system reverts to administrator password authentication.

Using the TACACS+ Configuration Page

This section outlines how to use the TACACS+ configuration page.

Before you Begin

  1. Disable RADIUS on your system:
    1. Choose Admin > RADIUS Settings.
    2. Clear the Enable RADIUS checkbox.
    3. Click Submit.

      Note

      Refer to Configure RADIUS Settings for more information about managing RADIUS settings.

  2. By default, TACACS performs authentication on every page access. To prevent this, enable Session Management on the Session/User Management - Advanced page:
    1. Choose Users > Advanced or click the Session Management Configuration link provided on the TACACS+ Settings page and click Advanced.
    2. Select the Enable Session Management checkbox.
    3. Click Submit.
      Refer to Configure Session/User Management.

Configuring TACACS+ Settings

Configure a single TACACS+ entry for the system.

To Configure TACACS+ Settings

Note

You must relaunch your browser window for authentication changes to take effect.

  1. Choose Admin > TACACS Settings.

  2. Configure settings using the information in the following table as a guide.

    TACACS Settings

    Item / Description

    Enable TACACS+ Authentication

    Select the Enable TACACS+ Authentication checkbox.

    Enable TACACS+ Logging

    If enabled, all configuration changes over HTTP, HTTPS, SSH, Telnet, and System Console are logged.

    Note: Enable TACACS+ Authentication and Enable TACACS+ Logging can be enabled independently of each other.

    TACACS+ Server Address

    Enter the IP address of the TACACS+ server to contact for authentication.

    Shared Secret

    Displays whether a password for TACACS+ authentication requests has been set.

    Edit Secret

    Select the Edit Secret checkbox to set the shared secret password.

    Shared Secret

    Enter a password for the TACACS+ request. The client and the server must have the same secret.

    Shared Secret (confirm)

    Reenter the shared secret to confirm.

    Server Timeout (in seconds)

    Enter the number of seconds to wait for a response before the TACACS+ server is deemed unavailable. The valid range is 1 to 100 seconds; the default is 5 seconds.

    TACACS+ Authentication Mode

    Select a TACACS+ authentication mode from the drop-down list:

    ASCII—The username is sent as part of the TACACS client request, and the password is sent as part of the continue message.

    Password Authentication Protocol (PAP)—Both username and password are sent as part of the request message.

    Challenge Handshake Authentication Protocol (CHAP)—The password is used to calculate the response to a random challenge. Both the challenge and response are sent as part of the TACACS+ request message.

    Enable TACACS+ Logging

    Select the Enable TACACS+ Logging checkbox to enable logging for all configuration changes over HTTP, HTTPS, SSH, Telnet, and the system console.

  3. Click Submit to make your changes take effect.

  4. A message indicates that service will be temporarily interrupted. Click OK to confirm.

Disabling TACACS+ Services

This section outlines how to disable the TACACS+ services.

To Disable the TACACS+ Services

  1. To disable TACACS+ authentication, clear the Enable TACACS+ Authentication checkbox and click Submit.
  2. To disable TACACS+ logging, clear the Enable TACACS+ Logging checkbox and click Submit.