/cfg/sys/tacacs
TACACS+ Server Configuration Menu
Alteon supports authentication and authorization with networks using the Cisco Systems® TACACS+ (Terminal Access Controller Access Control System) protocol. Alteon functions as the Network Access Server by interacting with the remote client and initiating authentication and authorization sessions with the TACACS+ access server. The remote user is defined as someone requiring management access to Alteon either through a data or management port.
TACACS+ offers the following advantages over RADIUS:
*TACACS+ uses TCP, a connection-oriented transport, while RADIUS uses UDP, which offers only best-effort delivery. RADIUS therefore requires additional configurable variables such as re-transmit attempts and timeouts to compensate for best-effort transport, but it still lacks the built-in reliability that a TCP transport provides.
*TACACS+ offers full packet encryption, while RADIUS offers password-only encryption in authentication requests.
*TACACS+ separates authentication, authorization, and accounting.
*TACACS+ offers privilege level mapping. By enabling the cmap command, the privilege level can be increased from default 0-9 to 0-22.
*Alteon sends command log messages to the TACACS+ server when the clog command is enabled.
You can also display the privilege level of users who are logged in by issuing the who command.
 
[TACACS+ Server Menu]
prisrv - Set primary TACACS+ server address
secsrv - Set secondary TACACS+ server address
secret - Set primary TACACS+ server secret
secret2 - Set secondary TACACS+ server secret
port - Set TACACS+ TCP port
retries - Set TACACS+ server retries
timeout - Set TACACS+ server timeout (seconds)
clogname - Display accounting log name
clog - Enable/disable TACACS+ command logging
secbd - Enable/disable TACACS+ secure backdoor for telnet/ssh/http
cmap - Enable/disable TACACS+ new privilege level mapping
cauth - Enable/disable TACACS+ command authorization
otp - Enable/disable TACACS+ server OTP configuration
local - Set local Authentication priority
on - Turn TACACS+ authentication ON
off - Turn TACACS+ authentication OFF
cur - Display current TACACS+ configuration
 
TACACS+ Server Menu Options (/cfg/sys/tacacs)
Command Syntax and Usage
prisrv <IP address (v4 or v6)>
 
Defines the primary TACACS+ server address.
The following prompts appear when using this command:
Current primary TACACS+ server:
Enter new primary TACACS+ server (v4 or v6):
secsrv <IP address (v4 or v6)>
 
Defines the secondary TACACS+ server address.
The following prompt appears when using this command:
Enter new secondary TACACS+ server (v4 or v6):
secret <1-32 character secret>
 
This is the shared secret between Alteon and the primary TACACS+ server.
secret2 <1-32 character secret>
 
This is the shared secret between Alteon and the secondary TACACS+ server.
port <TACACS+ port configure, default 49>
 
Enter the number of the TCP port to be configured.
Values: 1 – 65000
Default: 49
retries <TACACS+ server retries, 1-3>
 
Sets the number of failed authentication requests before switching to a different TACACS+ server.
Default: 3 requests
timeout <TACACS+ server timeout seconds, 1-15>
 
Sets the time before a TACACS+ server authentication attempt is considered to have failed.
Default: 4 seconds
secbd disable|enable
 
Enables or disables the TACACS secure backdoor.
*enabled: The default admin user can log in from the serial console, Telnet, SSH and the Web UI when the TACACS+ server is unavailable and /cfg/sys/access/user/admbd is enabled.
- The notacacs user can log in via the CLI using the pre-defined user passwords (see user/slbview/slboper/l4oper/oper/slbadmin/l4admin/admin), gaining the functionality available to the role of the accessed user. No Web UI access is available.
*disabled: There is no access to Alteon until the authorization servers are reachable again.
Default: disabled
cmap disable|enable
 
Specifies whether to enable TACACS+ new privilege level mapping.
When enabled, the privilege level is increased from 0 – 9 to 0 – 22.
Default: disabled
cauth disable|enable
 
Enables or disables TACACS+ command authorization.
Note: Command authorization is supported only for CLI commands. (The list of authorized CLI commands is defined on the TACACS+ server.)
otp disable|enable
 
Enables or disables the TACACS+ server’s One Time Password (OTP) configuration. TACACS+ supports OTP when the server type attribute is received.
Default: disabled
clog disable|enable
 
Enables or disables TACACS+ command logging. When enabled, Alteon sends command log messages to the TACACS+ server configured by the user.
local
 
Specifies that Alteon should first search for the user in the Local User Table, and connect to the remote authentication server only if the user is not found or not authenticated there.
Values: disable, enable
Default: disable
on
 
Enables the TACACS+ server.
off
 
Disables the TACACS+ server.
cur
 
Displays the current TACACS+ configuration parameters.
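The interaction between the local, retries, secbd and admbd options above determines who can still log in when every TACACS+ server is unreachable. The following model is an added example, not Alteon's own code; the order in which the local table, each server and the secure backdoor are consulted, and treating "no reply within timeout" as a failed request, are assumptions, and the probe function and PREDEFINED passwords are constructed.

```python
# Constructed model of the login decision flow described by the /cfg/sys/tacacs
# options. Example code, not Alteon's implementation: the consultation order and
# the meaning of "failed request" (no reply within timeout) are assumptions.
from dataclasses import dataclass
from typing import Callable, Dict, Optional

@dataclass
class TacacsConfig:
    prisrv: str                   # primary TACACS+ server address
    secsrv: Optional[str] = None  # secondary TACACS+ server address
    retries: int = 3              # failed requests before switching server (1-3)
    timeout: int = 4              # seconds per request (1-15)
    local: bool = False           # search the Local User Table first
    secbd: bool = False           # secure backdoor (default disabled)
    admbd: bool = False           # /cfg/sys/access/user/admbd

# probe(server, user, password, timeout) -> "accept", "reject" or None (no reply)
Probe = Callable[[str, str, str, int], Optional[str]]

# Pre-defined role passwords the notacacs backdoor login is checked against
# (constructed sample values, not real defaults).
PREDEFINED = {"oper": "oper-pw", "admin": "admin-pw"}

def tacacs_login(cfg: TacacsConfig, user: str, password: str, channel: str,
                 local_table: Dict[str, str], probe: Probe) -> str:
    """Return 'accept:<source>' or 'reject:<reason>' for one login attempt."""
    if cfg.local and local_table.get(user) == password:
        return "accept:local"
    for server in (cfg.prisrv, cfg.secsrv):
        if not server:
            continue
        for _ in range(cfg.retries):
            answer = probe(server, user, password, cfg.timeout)
            if answer is not None:          # server answered: its verdict is final
                return f"{answer}:{server}"
    # Every request to every server failed: only the secure backdoor applies.
    if cfg.secbd:
        if user == "admin" and cfg.admbd:
            return "accept:backdoor-admin"
        if user == "notacacs" and channel != "web":   # CLI only, no Web UI
            for role, pw in PREDEFINED.items():
                if pw == password:
                    return f"accept:backdoor-notacacs-{role}"
    return "reject:servers-unreachable"
```

With secbd disabled (the default) the model rejects every login once both servers stop answering, which is the lockout the secbd description warns about; with retries=2 and two servers it issues exactly four requests before giving up.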