TACACS+ user configuration

When configured to use TACACS+ support, the IX14 device uses a remote TACACS+ server for user authentication (password verification) and authorization (assigning the access level of the user). Additional TACACS+ servers can be configured as backup servers for user authentication.

This section outlines how to configure a TACACS+ server to be used for user authentication on your IX14 device.

Example TACACS+ configuration

With TACACS+, users are defined in the server configuration file. On Ubuntu, the default location and filename for the server configuration file is /etc/tacacs+/tac_plus.conf.

Note: TACACS+ configuration, including filenames and locations, may vary depending on your platform and installation. This example assumes an Ubuntu installation.

To define users:

  1. Open the TACACS+ server configuration file in a text editor. For example:

       $ sudo gedit /etc/tacacs+/tac_plus.conf

  2. Add users to the file using the following format. This example creates two users, one with admin and serial access and one with only serial access:

       user = user1 {
           name = "User1 for IX14"
           pap = cleartext password1
           service = system {
               groupname = admin,serial
           }
       }
       user = user2 {
           name = "User2 for IX14"
           pap = cleartext password2
           service = system {
               groupname = serial
           }
       }

     The groupname attribute is optional. If used, each value must correspond to an authentication group configured on your IX14. Alternatively, if the user is also configured as a local user on the IX14 device and the TACACS+ server authenticates the user but does not return any groups, the local configuration determines the list of groups. See Authentication groups for more information about authentication groups. The groupname attribute can contain one group or multiple groups in a comma-separated list.

  3. Save and close the file.

  4. Verify that your changes did not introduce any syntax errors:

       $ sudo tac_plus -C /etc/tacacs+/tac_plus.conf -P

     If successful, this command echoes the configuration file to standard output. If the command encounters a syntax error, a message similar to the following is displayed:

       Error: Unrecognised token on line 1

  5. Restart the TACACS+ server:

       $ sudo /etc/init.d/tacacs_plus restart
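The syntax check above only tells you the file parses; it does not tell you whether every groupname actually exists on the IX14, or which user entries keep their PAP secret in cleartext. The following script is an added example, not part of this guide or of the tac_plus project: it reads user blocks in the format shown in step 2 (a constructed copy is embedded) and reports groupnames outside the set you pass in, plus any user whose pap secret uses the cleartext keyword rather than a hashed (des) one. The regexes assume the one-user-per-block layout used on this page.

```python
import re

# Constructed sample that mirrors the tac_plus.conf fragment from step 2.
SAMPLE_CONF = """\
user = user1 {
    name = "User1 for IX14"
    pap = cleartext password1
    service = system {
        groupname = admin,serial
    }
}
user = user2 {
    name = "User2 for IX14"
    pap = cleartext password2
    service = system {
        groupname = serial
    }
}
"""

# A user block ends at a closing brace in column 0; the nested service
# block's brace is indented, so the non-greedy match stops at the right place.
USER_RE = re.compile(r'user\s*=\s*(\S+)\s*\{(.*?)\n\}', re.S)
GROUP_RE = re.compile(r'groupname\s*=\s*([^\s}]+)')
PAP_RE = re.compile(r'pap\s*=\s*(cleartext|des)\b')


def parse_users(conf):
    """Return {username: {"groups": [...], "pap": "cleartext" | "des" | None}}."""
    users = {}
    for m in USER_RE.finditer(conf):
        body = m.group(2)
        g = GROUP_RE.search(body)
        p = PAP_RE.search(body)
        users[m.group(1)] = {
            "groups": g.group(1).split(",") if g else [],
            "pap": p.group(1) if p else None,
        }
    return users


def audit(conf, known_groups):
    """Flag groupnames the IX14 does not define and cleartext pap secrets."""
    findings = []
    for name, u in parse_users(conf).items():
        for grp in u["groups"]:
            if grp not in known_groups:
                findings.append(f"{name}: unknown group '{grp}'")
        if u["pap"] == "cleartext":
            findings.append(f"{name}: pap secret stored in cleartext")
    return findings
```

Run audit() with the set of authentication groups configured on the device; an empty list means every groupname will be honoured and no user secret sits in the file unhashed.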