Configuring a TACACS+ Server
This section describes how to configure a TACACS+ server for the SteelHead. This section includes the following topics:
  • Configuring TACACS+ with Cisco Secure Access Control Servers
  • Configuring TACACS+ Authentication in the SteelHead
Configuring TACACS+ with Cisco Secure Access Control Servers
    This task requires that you are running a Cisco Secure Access Control Server (ACS) and you want to configure it for TACACS+.
    The TACACS+ Local User Service is rbt-exec. The Local User Name Attribute is local-user-name. This attribute controls whether a user who is not named admin or monitor is an administrator or monitor user (instead of using the SteelHead default value). For the SteelHead, the users listed in the TACACS+ server must have PAP authentication enabled.
    Use the following procedures to configure TACACS+ with Cisco Secure ACS.
  • To configure TACACS+ with Cisco ACS 4.x, go to http://supportkb.riverbed.com/support/index?page=content&id=S14831.
  • To configure TACACS+ with Cisco ACS 5.x, go to http://supportkb.riverbed.com/support/index?page=content&id=S:S16158.
Configuring TACACS+ Authentication in the SteelHead
    This section describes the basic steps for configuring TACACS+ authentication in the SteelHead. You prioritize TACACS+ authentication methods for the system and set the authorization policy and default user.
    For more information and detailed procedures, see the SteelHead Installation and Configuration Guide and the SteelHead Management Console User’s Guide.
    List the authentication methods in the order in which you want authentication to occur. If authorization fails on the first method, the next method is attempted, and so on until all the methods have been attempted.
    Perform the following basic steps to configure TACACS+ support.
    To configure TACACS+ support
    1. Add the IP address of the ACS server and specify the key used when you added the device to the ACS server.
       (config)# tacacs-server host 192.168.1.200 key rvbd
    2. Enable AAA.
    3. Define the authentication method.
       The following configuration attempts to use TACACS+ and then local:
       (config)# aaa authentication login default tacacs+ local
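
The following check is an added example, not part of the Riverbed guide: it reads the two commands shown in the procedure above and reports the login method order, a shared key left at the guide's sample value, and a mismatch between defined servers and login methods. The `MIN_KEY_LEN` threshold, the finding wording, and the function name `audit` are assumptions made for illustration.

```python
import re

DOC_SAMPLE_KEYS = {"rvbd"}  # key printed in the guide's example command
MIN_KEY_LEN = 16            # assumed local policy, not a SteelHead requirement

PROMPT_RE = re.compile(r"^\s*(?:\S+\s+)?\(config\)\s*#\s*")
HOST_RE = re.compile(r"tacacs-server host (\S+)(.*)")
AAA_RE = re.compile(r"aaa authentication login default (.+)")

def audit(config_text):
    """Return (login_methods, findings) for the TACACS+ lines in config_text."""
    hosts, methods, findings = [], [], []
    for raw in config_text.splitlines():
        line = PROMPT_RE.sub("", raw).strip()
        if m := HOST_RE.fullmatch(line):
            key = re.search(r"\bkey (\S+)", m.group(2))
            hosts.append((m.group(1), key.group(1) if key else None))
        elif m := AAA_RE.fullmatch(line):
            methods = m.group(1).split()
    for host, key in hosts:
        if key is None:
            findings.append(f"{host}: no key on the host line, confirm where it is set")
        elif key in DOC_SAMPLE_KEYS:
            findings.append(f"{host}: key is the guide's sample value")
        elif len(key) < MIN_KEY_LEN:
            findings.append(f"{host}: key shorter than {MIN_KEY_LEN} characters")
    if "tacacs+" in methods and not hosts:
        findings.append("tacacs+ is a login method but no tacacs-server host is defined")
    if hosts and "tacacs+" not in methods:
        findings.append("tacacs-server host is defined but tacacs+ is not a login method")
    if "tacacs+" in methods and "local" in methods:
        if methods.index("local") < methods.index("tacacs+"):
            findings.append("local is attempted before tacacs+")
        else:
            findings.append("local is attempted after tacacs+: local accounts stay a login path")
    return methods, findings

# Constructed input: the two commands from the procedure above.
SAMPLE = """\
(config)# tacacs-server host 192.168.1.200 key rvbd
(config)# aaa authentication login default tacacs+ local
"""

if __name__ == "__main__":
    methods, findings = audit(SAMPLE)
    print("login order:", " -> ".join(methods))
    for f in findings:
        print("finding:", f)
```

Run it against the TACACS+ and AAA lines copied from a saved configuration; each finding is a prompt for review, not a statement about how the SteelHead enforces the setting.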