Configure TACACS+ Authentication Service

TACACS+ authentication is an optional method for users to log into the PacketShaper browser interface and command-line interface. Using third-party TACACS+ servers enables you to have central configuration of user accounts.

In addition to configuring PacketShaper as described below, you need to configure the TACACS+ server itself so that it will work with PacketShaper. (See Configure Linux TACACS+ Servers using the Cisco TACACS+ Daemon for an example.)

Note that the server you configure for TACACS+ authentication will also be used for authorization.

To configure PacketShaper to work with a TACACS+ authentication server:

1. Click the Setup tab.

3. In the Authentication field, select on.

4. Select an Authentication method:

  • ASCII (American Standard Code for Information Interchange): With ASCII, the user name and password are transmitted in clear, unencrypted text. This is the default authentication method.

  • PAP (Password Authentication Protocol): With PAP, the user name and password are transmitted in clear, unencrypted text. If you select the PAP authentication method, Symantec recommends you increase security by logging into the PacketShaper browser interface via HTTPS. ASCII or PAP authentication is required for TACACS+ configurations that require access to clear text passwords (for example, when passwords are stored and maintained in a database external to the TACACS+ server).

  • CHAP (Challenge Handshake Authentication Protocol): In other environments, CHAP may be preferred for greater security. The TACACS+ server sends a challenge that consists of a session ID and an arbitrary challenge string, and the user name and password are encrypted before they are sent back to the server.

  • MS-CHAP (Microsoft Challenge Handshake Authentication Protocol): This protocol is similar to CHAP, but with MS-CHAP authentication, the TACACS+ server can store an encrypted version of a user password to validate the challenge response. Standard CHAP authentication requires that the server stores unencrypted passwords. If you select the MS-CHAP authentication method, Symantec recommends you increase security by logging into the PacketShaper browser interface via HTTPS.

    Note: MS-CHAP v1 and v2 are supported. PacketShaper attempts authentication with MS-CHAP v2 first. If the remote server doesn't support v2 or if authentication is denied, PacketShaper re-attempts authentication with MS-CHAP v1. When you change the TACACS+ authentication method for a PolicyCenter sharable configuration via the PolicyCenter browser interface, TACACS+ authentication returns to the default "off" setting for that configuration. If you change the authentication method via the PolicyCenter browser interface, be sure to also re-enable the TACACS+ authentication feature before you apply the changes.

    Limitation: PacketShaper SSH and serial console connections do not support the PAP, MS-CHAP, and CHAP authentication methods with TACACS+. Regardless of which method the PacketShaper is configured to use for TACACS+ authentication, ASCII will be used when logging in to the CLI with SSH or serial console. Note that this limitation does not apply when logging in to the web UI: the configured method will be used during authentication.

5. In the Primary Authentication Host field, enter the IP address or DNS name of the TACACS+ server.

6. Optional: To access the TACACS+ server with a specific port, enter a number in the Port field.

If the field is left blank, the default port (49) will be used.

7. In the Shared Secret field, enter the designated secret.

8. Optional: Specify a Secondary Authentication Host to use in case the primary TACACS+ server is not accessible or failed to authenticate. Be sure to specify its Shared Secret as well.

9. If necessary, adjust the Timeout interval.

By default, PacketShaper waits 10 seconds for a response from the TACACS+ server before the login fails. You can select a value between 1 and 60 seconds.

10. Click apply changes.
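The following added example (not code from the PacketShaper product or this documentation) shows what the authentication method chosen in step 4 and the shared secret from step 7 mean on the wire: it builds a TACACS+ (RFC 8907) authentication START packet for the ASCII and PAP methods and decodes it the way the server does. The body is XORed with an MD5 keystream derived from the shared secret, which the RFC calls obfuscation rather than encryption, so the secret's strength is the only thing standing between a captured packet and a PAP password. The user name, password, port and rem_addr values are constructed for the example.

```python
import hashlib
import os
import struct

# RFC 8907 authen_type codes; the names match the methods offered in step 4
AUTHEN_TYPES = {"ascii": 1, "pap": 2, "chap": 3, "mschap": 5, "mschapv2": 6}
TAC_PLUS_AUTHEN = 1                       # header type: authentication packet
ACTION_LOGIN, PRIV_LVL_USER, SVC_LOGIN = 1, 1, 1


def pseudo_pad(session_id, key, version, seq_no, length):
    """MD5 keystream from RFC 8907 section 4.5; the shared secret is the only secret input."""
    prefix = struct.pack("!I", session_id) + key + bytes([version, seq_no])
    pad, prev = b"", b""
    while len(pad) < length:
        prev = hashlib.md5(prefix + prev).digest()
        pad += prev
    return pad[:length]


def obfuscate(body, session_id, key, version, seq_no):
    """XOR the body with the pseudo-pad; calling it again on the output restores the body."""
    pad = pseudo_pad(session_id, key, version, seq_no, len(body))
    return bytes(b ^ p for b, p in zip(body, pad))


def build_authen_start(method, user, secret, password="", session_id=None):
    """Header plus obfuscated START body. ASCII sends no password here (the server
    asks for it in a later exchange); PAP carries it in the data field."""
    if session_id is None:
        session_id = int.from_bytes(os.urandom(4), "big")
    minor = 0 if method == "ascii" else 1  # PAP/CHAP/MS-CHAP use minor version 1
    version = (0xC << 4) | minor
    data = password.encode() if method == "pap" else b""
    user_b, port_b, rem_b = user.encode(), b"web", b""   # port/rem_addr are constructed values
    body = bytes([ACTION_LOGIN, PRIV_LVL_USER, AUTHEN_TYPES[method], SVC_LOGIN,
                  len(user_b), len(port_b), len(rem_b), len(data)]) + user_b + port_b + rem_b + data
    seq_no = 1                                # first packet of the session
    header = struct.pack("!BBBBII", version, TAC_PLUS_AUTHEN, seq_no, 0, session_id, len(body))
    return header + obfuscate(body, session_id, secret, version, seq_no)


def parse_authen_start(packet, secret):
    """Server-side view: deobfuscate with the configured secret and unpack the START fields."""
    version, _ptype, seq_no, _flags, session_id, length = struct.unpack("!BBBBII", packet[:12])
    body = obfuscate(packet[12:12 + length], session_id, secret, version, seq_no)
    _action, _priv, authen_type, _svc, ulen, plen, rlen, dlen = body[:8]
    off = 8
    user, off = body[off:off + ulen], off + ulen
    off += plen + rlen                        # skip port and rem_addr
    return {"authen_type": authen_type, "minor": version & 0xF,
            "user": user, "data": body[off:off + dlen]}
```

Decoding with a secret other than the one the packet was built with yields garbage, which is exactly the symptom seen when the Shared Secret entered in step 7 does not match the server's.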

After you have configured a TACACS+ authentication server, users will be prompted for a user name and password when logging into PacketShaper. For more information, see Log In and Out with TACACS+.

Note: Starting in PS 11.10.3, if the TACACS+ primary server has an authentication failure, PacketShaper attempts to log onto a configured secondary server; in earlier versions, PacketShaper attempted to log onto the secondary server only when the primary server had a connection failure and failed to respond.
