Modified: for 12.1.4

Overview

Terminal Access Controller Access-Control System (TACACS) refers to a family of related protocols handling remote authentication and related services for network access control through a centralized server. TACACS Plus (TACACS+) has largely replaced its predecessors and is a separate protocol that handles authentication, authorization, and accounting (AAA) services. 

The SBC Core supports the TACACS+ protocol to allow the authentication of username/password information when logging into the SBC CLI or to access the Confd database using NETCONF. The SBC uses TCP/IP to communicate with the TACACS+ server.  

  • TACACS+ is similar to RADIUS in a number of ways. Both are relatively insecure by today's cryptography standards since the TLS transport is not supported.
  • TACACS+ uses TCP for reliable communication, whereas RADIUS uses UDP.
  • TACACS+ separates out the Authorization functionality, while RADIUS combines both Authentication and Authorization functionality.

(The TACACS+ protocol is specified in RFC 8907 "The Terminal Access Controller Access-Control System Plus (TACACS+) Protocol")

Refer to TACACS Plus Authentication for additional details.

TACACS Plus Authentication

The SBC uses the OAM "TACACS Plus Authentication" configurable object to authenticate SBC and Network Configuration Protocol (NETCONF) users with a TACACS+ server.

Command Syntax

CLI Syntax: tacacsPlusAuthentication
% set oam tacacsPlusAuthentication
    retryCriteria
        oosDuration <0-300>
        retryCount <1-3>
        retryTimer <500-45000>
    tacacsPlusGroupNames <Name>
        sbcGroupName <Name>
    tacacsPlusServer <Name>
        argumentNames <Argument name>
            argumentValue <string>
            isMandatory <false | true>
        authenService <arap | fwproxy | login | nasi | none | ppp | pt | rcmd | x25>
        authenticationFailureOption <fail | trynext>
        authenticationType <chap | pap>
        bindToRemAddr <false | true>
        groupNameAttribute <string>
        port <name>
        priority <1-4>
        privilegeLevel <max | min | root | user>
        remAddr <string>
        secretKey <key>
        state <disabled | enabled>
        tacacsPlusServerAddress <IPv4/IPv6 address or FQDN>
        tacacsPlusServerPort <port number>

Command Parameters

High Level Command Parameters

Parameter

Length/Range

Description

retryCriteria

N/A

Use this parameter to control the behavior of the SBC TACACS+ client when authenticating errors occur with the TACACS+ server.

  • oosDuration – Specify the time in minutes the TACACS+ server remains out-of-service after a timeout.
    (Range: 0-300 / Default = 60)
  • retryTimer – Enter the time in milliseconds to elapse before the SBC attempts another authentication request.
    (Range: 500-45000 / Default = 1000)
  • retryCount – Enter the number of retries the SBC uses to attempt authentication.
    (Range: 1-3 / Default = 3)

tacacsPlusGroupNames

Up to 255 characters

<Name> – Enter the argument value returned from the TACACS+ query.

sbcGroupName <Name> – Enter the CLI group name to use for logging onto the CLI. 
(Length: 1-23 characters)

Examples:

  • Administrator
  • Calea
  • FieldService
  • Guest,Operator
  • SecurityAuditor
  • Or any configured custom groups

tacacsPlusServer

Up to 23 characters

<Name> – Enter the name of this TACACS+ server.

(See TACACS Plus Server Parameters table for configuration details)
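The group lookup that tacacsPlusGroupNames and groupNameAttribute describe (the value returned in the server's group-name argument is mapped to an sbcGroupName), as an added example that is not Ribbon SBC code. The attribute name "sbc-group", the group map, the argument syntax taken from RFC 8907, and the deny-when-unmapped fallback are assumptions of this example.

```python
# Added example, not Ribbon SBC code: resolve the SBC CLI group from the
# argument list of a TACACS+ authorization reply. Attribute name, group map
# and the deny-on-unknown-group fallback are assumptions for illustration.

# Assumed groupNameAttribute: the AVP name the server uses to carry the group.
GROUP_NAME_ATTRIBUTE = "sbc-group"

# Assumed tacacsPlusGroupNames entries: returned value -> sbcGroupName.
TACACS_PLUS_GROUP_NAMES = {
    "netadmin": "Administrator",
    "netops": "Operator",
    "auditor": "SecurityAuditor",
    "readonly": "Guest",
}


def parse_avps(args):
    """Split reply arguments into (name, value, mandatory) tuples.

    RFC 8907 separates name and value with '=' for a mandatory argument and
    '*' for an optional one; the first such character is the separator.
    """
    parsed = []
    for arg in args:
        cut = min((i for i, c in enumerate(arg) if c in "=*"), default=None)
        if not cut:  # None (no separator) or 0 (empty name) is malformed
            raise ValueError(f"malformed TACACS+ argument: {arg!r}")
        parsed.append((arg[:cut], arg[cut + 1:], arg[cut] == "="))
    return parsed


def resolve_sbc_group(reply_args, group_attr=GROUP_NAME_ATTRIBUTE,
                      group_map=TACACS_PLUS_GROUP_NAMES):
    """Return the sbcGroupName for the user, or None when the reply carries
    no group attribute or a value with no configured mapping (treat None as
    deny: a user without a mapped group gets no CLI access)."""
    for name, value, _mandatory in parse_avps(reply_args):
        if name == group_attr:
            return group_map.get(value)
    return None


if __name__ == "__main__":
    # Constructed reply arguments, as an authorization REPLY might carry them.
    print(resolve_sbc_group(["priv-lvl=15", "sbc-group=netadmin"]))  # Administrator
    print(resolve_sbc_group(["priv-lvl*15"]))                        # None
```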


TACACS Plus Server Parameters

The tacacsPlusServer parameters are described in detail below.

Parameter

Length/Range

Description

Mandatory

tacacsPlusServer

Up to 23 characters

<Name> – Enter the name of this TACACS+ server.

Mandatory: Yes

argumentNames

Up to 255 characters

<Name> – Enter a valid TACACS+ name of the Argument Value Pair (AVP). The AVP contains the argument's name used to return the Group Name of the user previously authenticated.

  • argumentValue <string> – The actual value (included in the request) to pass in this argument value pair. Enter a representation (up to 255 characters) of the value being passed.

    Examples:

    • 22
    • false
    • Ribbon
  • isMandatory – Is this AVP mandatory (i.e., supported by the TACACS+ server)?
    • false
    • true

Mandatory: Yes

authenService

N/A

Enter the service that is requesting the authentication.

  • arap
  • fwproxy
  • login (default)
  • nasi
  • none
  • ppp
  • pt
  • rcmd
  • x25

Mandatory: No

authenticationFailureOption

N/A

Use this parameter to choose the SBC's next action if authentication fails.

  • fail – (default) Fail the authentication attempt.
  • trynext – Try the next server according to the configured priority.

(This parameter is useful if the configured TACACS+ servers use different attributes or user names)

Mandatory: No

authenticationType

N/A

The authentication type to use for this TACACS+ server.

  • chap
  • pap (default)

Mandatory: Yes

bindToRemAddr

N/A

Set this flag to true to bind to the IP address specified in remAddr so that the packet source address matches remAddr.

  • false (default)
  • true

Mandatory: No

groupNameAttribute

N/A

Choose the argument value pair name returned from the TACACS+ server containing the group name of the user logging on.

Mandatory: Yes

port

Up to 255 characters

<name> – The name of the client port on which the authentication is taking place.
(This has no relation to the tacacsPlusServerPort field)

Mandatory: Yes

priority

1-4

Enter the priority of this TACACS+ server, with "1" representing the highest priority.

Note

The SBC tries the highest priority server first if that server is in service. If the highest priority server is not in service, the servers with priorities 2 through 4 are tried in order.

Mandatory: Yes

privilegeLevel

N/A

The privilege level that the user is authenticating as.

  • max
  • min
  • root
  • user (default)

Mandatory: Yes

remAddr

Up to 255 characters

<string> – A string indicating the remote location from which the user has connected to the client. This is roughly the address of the client.

Mandatory: Yes

secretKey

8-63 characters
(no spaces)

<key> – Enter the TACACS+ shared secret key.

Mandatory: Yes

state

N/A

Use this flag to set the state of this TACACS+ server.

  • disabled (default)
  • enabled

Mandatory: No

tacacsPlusServerAddress

IPv4/IPv6 address or FQDN

<IP address or FQDN> – Enter the IPv4/IPv6 address or FQDN of the TACACS+ server.

Mandatory: Yes

tacacsPlusServerPort

1-65535

<Port number> – Enter the port number of the TACACS+ server (must be a valid TCP port number).

The default value is 49.

Mandatory: No
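How the retryCriteria values, the server priority order, authenticationFailureOption and the reEnableServer action interact, as an added model that is not Ribbon SBC code. The sequencing of retries, the out-of-service marking after a run of timeouts, and treating retryCount as the number of attempts per server are assumptions of this example; the constructed PASS/REJECT/TIMEOUT outcomes stand in for the TACACS+ transport.

```python
# Added example, not Ribbon SBC code: a model of how retryCriteria, priority and
# authenticationFailureOption combine when the SBC client picks a TACACS+ server.
# The real client's sequencing is an assumption; retryCount is taken as attempts.
import time
from dataclasses import dataclass

PASS, REJECT, TIMEOUT = "pass", "reject", "timeout"  # constructed outcomes

@dataclass
class Server:
    name: str
    priority: int                  # 1 = highest priority
    failure_option: str = "fail"   # authenticationFailureOption: fail | trynext
    oos_until: float = 0.0         # epoch seconds; 0 = in service

    def in_service(self, now):
        return now >= self.oos_until

@dataclass
class TacacsClient:
    servers: list
    retry_count: int = 3           # retryCount 1-3
    retry_timer_ms: int = 1000     # retryTimer 500-45000 ms
    oos_duration_min: int = 60     # oosDuration 0-300 minutes

    def authenticate(self, send, now, sleep=time.sleep):
        """send(server) -> PASS | REJECT | TIMEOUT. True on successful login."""
        for srv in sorted(self.servers, key=lambda s: s.priority):
            if not srv.in_service(now):
                continue               # skip servers currently out of service
            for _attempt in range(self.retry_count):
                result = send(srv)
                if result == PASS:
                    return True
                if result == REJECT:
                    if srv.failure_option == "fail":
                        return False   # fail: stop at this server
                    break              # trynext: fall through to next priority
                sleep(self.retry_timer_ms / 1000)  # retryTimer pause on timeout
            else:
                # every attempt timed out: server leaves service for oosDuration
                srv.oos_until = now + self.oos_duration_min * 60
        return False

    def re_enable_server(self, name):
        # model of 'request ... reEnableServer': mark the server available again
        for srv in self.servers:
            if srv.name == name:
                srv.oos_until = 0.0
```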

Re-enable Server Action Command

Command Syntax

% request oam tacacsPlusAuthentication tacacsPlusServer <servername> reEnableServer

Command Parameter

Command

Description

reEnableServer

Use this command to re-enable a TACACS+ server and set its status to available. The server is marked 'unavailable' when it is not reachable.