Configuring TACACS+ access
You set up TACACS+ server authentication in the Administration > Security: TACACS+ page.
TACACS+ is an authentication protocol that lets a remote access server forward a user's login password to an authentication server, which determines whether the user is allowed access to a given system.
Enabling this feature is optional.
You can prioritize local, RADIUS, and TACACS+ authentication methods for the system and set the authorization policy and default user for RADIUS and TACACS+ authorization systems in the Administration > Security: General Security Settings page.
To set a TACACS+ server
1. Choose Administration > Security: TACACS+ to display the TACACS+ page.
Figure: TACACS+ page
2. Under Default TACACS+ Settings, complete the configuration using these controls:
– First hit option—When the first hit option is enabled, the Controller stops the query after the first rejection received from a TACACS+ server rather than continuing through all the TACACS+ servers in the list.
– Set a Global Default Key—Enables a global server key for the server.
– Global Key—Specify the global server key.
– Confirm Global Key—Confirms the global server key.
– Timeout—Specify the time-out period in seconds (1 to 60). The default value is 3.
– Retries—Specify the number of times you want to allow the user to retry authentication. Valid values are from 0 to 5. The default is 1.
3. Click Apply to apply your changes to the running configuration.
4. To add or remove a TACACS+ server, complete the configuration using these controls.
If you add a new server to your network and you don’t specify the values described below, the global settings are applied automatically.
– Add a TACACS+ Server—Displays the controls for defining a new TACACS+ server.
– Hostname or IP Address—Specify the hostname or server IP address.
– Authentication Port—Specify the port for the server. The default value is 49.
– Authentication Type—Select either PAP or ASCII as the authentication type. The default value is PAP.
– Override the Global Default Key—Specify this option to override the global server key for the server.
– Server Key—Specify the override server key.
– Confirm Server Key—Confirm the override server key.
– Timeout—Specify the time-out period in seconds (1 to 60). The default is 3.
– Retries—Specify the number of times you want to allow the user to retry authentication. Valid values are from 0 to 5. The default is 1.
– Enabled—Enables the new server.
– Add—Adds the TACACS+ server to the list.
– Remove Selected—Select the check box next to the name and click Remove Selected.
5. Click Save to Disk to save your settings permanently.
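The first hit option and the fallback from per-server values to the global defaults, modelled as an added example. This is not Controller code and is not part of the original page. The data model, hostnames, keys, and the rule that an unanswered server is skipped are assumptions.

```python
from dataclasses import dataclass
from typing import Optional

# Added illustration (assumed data model). Page defaults: timeout 3 s, retries 1; key is constructed.
GLOBAL = {"key": "constructed-global-key", "timeout": 3, "retries": 1}

@dataclass
class Server:
    host: str
    port: int = 49                  # documented default port
    auth_type: str = "PAP"          # documented default; PAP or ASCII
    key: Optional[str] = None       # None = no override, global value applies
    timeout: Optional[int] = None
    retries: Optional[int] = None
    enabled: bool = True

def effective(server, defaults=GLOBAL):
    """Resolve key/timeout/retries with global fallback and check documented ranges."""
    s = {}
    for name in ("key", "timeout", "retries"):
        value = getattr(server, name)
        s[name] = defaults[name] if value is None else value
    if not 1 <= s["timeout"] <= 60:
        raise ValueError(f"{server.host}: timeout must be 1 to 60 seconds")
    if not 0 <= s["retries"] <= 5:
        raise ValueError(f"{server.host}: retries must be 0 to 5")
    if server.auth_type not in ("PAP", "ASCII"):
        raise ValueError(f"{server.host}: authentication type must be PAP or ASCII")
    return s

def authenticate(servers, replies, first_hit):
    """Walk the list in order; return (accepted, hosts queried). Assumption: no answer = skip."""
    queried = []
    for srv in servers:
        if not srv.enabled:
            continue
        effective(srv)              # reject out-of-range settings before use
        queried.append(srv.host)
        reply = replies.get(srv.host, "timeout")
        if reply == "accept":
            return True, queried
        if reply == "reject" and first_hit:
            return False, queried   # first hit: stop at the first rejection
    return False, queried

# Constructed scenario: the account was disabled on tac1 but a stale copy remains on tac2.
SERVERS = [Server("tac1.example.net"),
           Server("tac2.example.net", key="constructed-override-key", timeout=10)]
REPLIES = {"tac1.example.net": "reject", "tac2.example.net": "accept"}
```

With first hit enabled, the rejection from the first server is final. With it disabled, the same login is accepted by the second server, so an account has to be removed from every server in the list before it is truly locked out.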