Using TACACS+ Authentication


You can use a TACACS+ server to authenticate users. When TACACS+ authentication is enabled, the Cisco Provider Connectivity Assurance Sensor Control supports Authentication and Authorization as configured on the TACACS+ server. A TACACS+ server can be useful if you want to centrally manage user accounts instead of managing them separately on each Sensor Control. A Sensor Control can be configured to connect to a second TACACS+ server, allowing for TACACS+ server redundancy.

Configuring TACACS+ Session Parameters

▶ To configure TACACS+ session parameters

  1. Access the page System ▶ Session ▶ TACACS+.

    The TACACS+ Configuration form displays.

  2. Complete the required fields, then click Apply.

    For information, see TACACS+ Configuration Parameters.

TACACS+ Configuration Parameters

This section describes the TACACS+ Configuration form parameters.

General

Authentication Method
    Authentication method to be used by the TACACS+ server.

    Available options:

      • PAP: Password Authentication Protocol
      • CHAP: Challenge-Handshake Authentication Protocol
      • ASCII: American Standard Code for Information Interchange

TACACS+ Timeout
    Lapse of time, expressed in seconds, that the TACACS+ client waits before retrying the connection.

    After the specified number of retries has been exhausted, a connection to the next configured server is attempted, for which the same timeout and retry scheme applies.

TACACS+ Retries
    Number of times to retry the server before attempting to connect to the next configured TACACS+ server.

Show Advanced Settings
    Select to display the TACACS+ Service Name and TACACS+ Privilege Level Attribute parameters.

TACACS+ Service Name
    Name of the service to pass to TACACS+ for authorization.

    Appears when you select Show Advanced Settings.

    Default value: shell

TACACS+ Privilege Level Attribute
    Attribute to extract from the authorization response to determine the privilege level of the user requesting authentication.

    Appears when you select Show Advanced Settings.

    Default value: priv-lvl

Server-1 / Server-2

Host
    TACACS+ server's host name or IP address.

    Note: To disable this server, enter 0.0.0.0 or :: as the address.

Port
    TCP port on the TACACS+ server to connect to.

Secret
    Shared secret for this TACACS+ server.

    Maximum length: 64 characters

Show Secret
    Select to display the shared secret for this TACACS+ server in plain text.

Source Address
    Optional bind address associated with this TACACS+ client.

    Note: This parameter is only used when the TACACS+ server validates the source address of the Sensor Control.
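The timeout, retries and Server-1/Server-2 parameters together decide how long a login can hang when a server is unreachable. The following model is an added example written for this page, not the Sensor Control's own client code. It assumes, since the page does not say, that each enabled server gets one initial attempt plus the configured number of retries, each bounded by the timeout, before the client moves to the next server; the 0.0.0.0 / :: disable rule is taken from the Host description. The `connect` callable and the 192.0.2.x addresses are constructed stand-ins so the schedule can be exercised offline.

```python
"""Constructed model of the TACACS+ timeout / retries / next-server scheme.

Not the Sensor Control's client code. Assumptions (not stated on the page):
one initial attempt plus 'retries' further attempts per enabled server, each
attempt bounded by 'timeout' seconds; 'connect' is injected so no real
TACACS+ server is needed.
"""
from dataclasses import dataclass, field
from typing import Callable, List, Optional, Tuple

# Per the Host parameter: these addresses mean "this server entry is disabled".
DISABLED_HOSTS = {"0.0.0.0", "::"}


@dataclass(frozen=True)
class TacacsServer:
    host: str
    port: int = 49          # 49/tcp is the IANA-registered TACACS+ port

    @property
    def enabled(self) -> bool:
        return self.host not in DISABLED_HOSTS


@dataclass
class FailoverResult:
    server: Optional[TacacsServer]                 # server that answered, or None
    attempts: List[Tuple[str, int]] = field(default_factory=list)  # (host, attempt_no)


def worst_case_wait(servers: List[TacacsServer], timeout: float, retries: int) -> float:
    """Seconds a login may hang if every enabled server is unreachable."""
    enabled = [s for s in servers if s.enabled]
    return len(enabled) * (retries + 1) * timeout


def authenticate_with_failover(servers: List[TacacsServer], timeout: float, retries: int,
                               connect: Callable[[TacacsServer, float], bool]) -> FailoverResult:
    """Walk Server-1, Server-2, ... applying the same retry scheme to each."""
    result = FailoverResult(server=None)
    for server in servers:
        if not server.enabled:
            continue                        # 0.0.0.0 or :: means "not configured"
        for attempt in range(1, retries + 2):
            result.attempts.append((server.host, attempt))
            if connect(server, timeout):    # True = session established within timeout
                result.server = server
                return result
    return result                           # every enabled server exhausted


def _flaky_primary(server: TacacsServer, timeout: float) -> bool:
    """Constructed stand-in: the primary never answers, the secondary answers at once."""
    return server.host == "192.0.2.2"


if __name__ == "__main__":
    servers = [TacacsServer("192.0.2.1"), TacacsServer("0.0.0.0"), TacacsServer("192.0.2.2")]
    print("worst-case wait:", worst_case_wait(servers, timeout=5, retries=2), "s")
    print(authenticate_with_failover(servers, 5, 2, _flaky_primary))
```

With a 5-second timeout and 2 retries, two enabled servers give a worst-case login delay of 30 seconds; this is the figure to check against the operator's tolerance before raising either parameter.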

TACACS+ Server Configuration Examples

The following examples are configurations for the TACACS+ server, not for the Sensor Control. They can be applied to a tac_plus server; configuration values may differ for other servers.

Logging in is a two-part process. First, the user is authenticated. Once authenticated, the user may be authorized to gain rights on the system. The server should return AV (attribute-value) pairs for the requested service name.

The first attribute, the privilege level (usually priv-lvl), is evaluated first. This attribute is a numerical value that should be between 0 and 15. On this system, an attribute value of 15 grants Admin rights (All-show, All-Add, All-edit), and all other attribute values grant Viewer rights (All-show). If the specified attribute value is not found, the login attempt is refused because the AV pair was not supplied by the server.

The second attribute, the privilege list (accedian-priv-list), is evaluated next. This attribute is optional, and is ignored if the privilege level is already set to 15 (Admin). Its purpose is to provide a fine-grained permissions mechanism. The permissions are the same as those that can be configured locally on the Sensor Control. The list of tokens is separated by commas. The case-sensitive tokens you indicate can be a mix of locally-defined user permission groups and individual privileges.


Note: You cannot view TACACS+ assigned permissions with the CLI or Web-based interface.

Following are configuration examples for the TACACS+ Server using these attributes.

▶ To assign a user to the built-in Admin group

    user = tacadmin {
        login = cleartext tacadmin
        pap = cleartext tacadmin
        name = "Test Admin"
        # 'shell' service referred to as 'exec'
        # in the config
        service = exec {
            priv-lvl = 15
        }
    }

▶ To assign a user viewer-only privileges

    user = tacviewer {
        login = cleartext tacviewer
        pap = cleartext tacviewer
        name = "Test Tac Viewer"
        # 'shell' service referred to as 'exec'
        # in the config
        service = exec {
            priv-lvl = 1
        }
    }

▶ To assign a user a customized set of privileges

    user = taccfm {
        login = cleartext taccfm
        pap = cleartext taccfm
        name = "Test Tac User CFM"
        # 'shell' service referred to as 'exec'
        # in the config
        service = exec {
            priv-lvl = 1
            accedian-priv-list = CFM,PAA
        }
    }

If a user is authenticated by TACACS+, but no attributes are specified in the server configuration, the permissions will be set as follows:

  • If the username exists locally: Local permissions, as configured on the Sensor Control
  • If the username does not exist locally: Viewer-only permissions
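The evaluation order described above (privilege level first, then the optional privilege list, with the local fallback when the server returns no attributes) is easy to get wrong when validating a server configuration, so here it is as an added worked example. This is not the Sensor Control's code: it applies the page's rules to a dict of AV pairs already parsed from the authorization reply. The local permission groups, local users and individual privilege names are constructed stand-ins; treating a non-numeric privilege level as a refused login, and ignoring (but reporting) unknown tokens in the privilege list, are assumptions the page does not state.

```python
"""Constructed model of the authorization decision documented on this page.

Not the Sensor Control's own code. Rules taken from the page: priv-lvl is
evaluated first and must be present once AV pairs are returned; 15 grants
Admin; anything else grants Viewer, extended by the comma-separated,
case-sensitive accedian-priv-list; no AV pairs at all falls back to local
permissions or Viewer. Everything marked 'assumption' is not on the page.
"""
from dataclasses import dataclass
from typing import Dict, FrozenSet

# Rights the page associates with each role.
ADMIN_PERMISSIONS: FrozenSet[str] = frozenset({"All-show", "All-Add", "All-edit"})
VIEWER_PERMISSIONS: FrozenSet[str] = frozenset({"All-show"})

# Constructed stand-ins for what would be configured locally on the Sensor Control.
LOCAL_PERMISSION_GROUPS: Dict[str, FrozenSet[str]] = {
    "CFM": frozenset({"CFM-show", "CFM-edit"}),
    "PAA": frozenset({"PAA-show", "PAA-edit"}),
}
INDIVIDUAL_PRIVILEGES: FrozenSet[str] = frozenset({"CFM-show", "CFM-edit", "PAA-show", "PAA-edit"})
LOCAL_USERS: Dict[str, FrozenSet[str]] = {"alice": frozenset({"All-show", "CFM-edit"})}


@dataclass(frozen=True)
class Decision:
    accepted: bool
    role: str                                   # "Admin", "Viewer", "Local" or "Refused"
    permissions: FrozenSet[str] = frozenset()
    reason: str = ""


def evaluate_authorization(username: str, av_pairs: Dict[str, str],
                           priv_attr: str = "priv-lvl",
                           list_attr: str = "accedian-priv-list") -> Decision:
    """Apply the page's evaluation order to one authorization response.

    priv_attr mirrors the "TACACS+ Privilege Level Attribute" setting (default priv-lvl).
    """
    # No AV pairs at all: local permissions if the account exists locally, else Viewer.
    if not av_pairs:
        if username in LOCAL_USERS:
            return Decision(True, "Local", LOCAL_USERS[username], "no AV pairs; local account used")
        return Decision(True, "Viewer", VIEWER_PERMISSIONS, "no AV pairs; no local account")

    # 1. The privilege level is evaluated first; if the server sent AV pairs but not
    #    this one, the login is refused.
    raw_level = av_pairs.get(priv_attr)
    if raw_level is None:
        return Decision(False, "Refused", reason=f"{priv_attr} not supplied by server")
    try:
        level = int(raw_level)
    except ValueError:                          # assumption: a non-numeric level is refused
        return Decision(False, "Refused", reason=f"{priv_attr} is not numeric: {raw_level!r}")
    if level == 15:
        # Admin: the privilege list is ignored even when present.
        return Decision(True, "Admin", ADMIN_PERMISSIONS, f"{priv_attr}=15")

    # 2. Any other level is Viewer, optionally extended by the privilege list.
    permissions = set(VIEWER_PERMISSIONS)
    unknown = []
    for token in (t.strip() for t in av_pairs.get(list_attr, "").split(",")):
        if not token:
            continue                            # tolerate "CFM,,PAA" or a trailing comma
        if token in LOCAL_PERMISSION_GROUPS:    # tokens are case-sensitive, per the page
            permissions |= LOCAL_PERMISSION_GROUPS[token]
        elif token in INDIVIDUAL_PRIVILEGES:
            permissions.add(token)
        else:
            unknown.append(token)               # assumption: unknown tokens are ignored
    reason = f"{priv_attr}={level}"
    if unknown:
        reason += "; ignored unknown tokens: " + ",".join(unknown)
    return Decision(True, "Viewer", frozenset(permissions), reason)


if __name__ == "__main__":
    # The three tac_plus users from the examples above, as the client would see them.
    for user, avs in [("tacadmin", {"priv-lvl": "15"}),
                      ("tacviewer", {"priv-lvl": "1"}),
                      ("taccfm", {"priv-lvl": "1", "accedian-priv-list": "CFM,PAA"})]:
        print(user, evaluate_authorization(user, avs))
```

Feeding the three server examples through the function reproduces the page's outcomes: `tacadmin` gets the Admin rights, `tacviewer` gets All-show only, and `taccfm` gets All-show plus the CFM and PAA group permissions. A lower-case `cfm` token is silently dropped, which is worth checking when a user reports fewer rights than expected.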

© 2025 Cisco and/or its affiliates. All rights reserved.
 