TACACS+ configuration

  1. In the Settings Pane, select USERS & ACCOUNTS > Remote Authentication.
    The REMOTE AUTHENTICATION page displays.

  2. From the Scheme options, select TACACS+.

  3. Select the required Mode:

    • TACACS+DownLocal

    • TACACS+Mode

    • LocalTACACS+

    • TACACS+Local

  4. Enter the Address and optionally the Port of the Remote Authentication Server to query.
    The default port is 49.

    Note: Click Add Authentication Server to add multiple servers. The TACACS+ subsystem queries them in a round-robin fashion.

  5. Select the TACACS+ login method to set the method used to authenticate to the server.
    The default selection is PAP. To use DES encrypted passwords, select Login.

  6. Enter and confirm the Server Password, also known as the TACACS+ Secret.

  7. Enter the TACACS+ service.
    This determines which set of attributes is returned by the server. Defaults to "raccess".

  8. Click Apply.

To provide group membership, TACACS+ must be configured to provide a list of group names. The following configuration snippet shows how this can be configured for a tac_plus server:

user = operator1 {
      service = raccess {
            groupname = west_coast_admin,east_cost_user
      }
}

To do this with Cisco ACS, see Setting up permissions with Cisco ACS 5 and TACACS+ on the Opengear Help Desk.
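
The following added example (not part of the original page or the vendor's tooling) audits a tac_plus configuration for the group-membership setup described above: it extracts each user's groupname list under the raccess service and reports users with no list or with names missing from the appliance. The operator2 entry, the LOCAL_GROUPS set and the function names are assumptions constructed for illustration.

```python
import re

# Constructed sample: the page's operator1 entry plus a hypothetical operator2.
SAMPLE_CONF = """
user = operator1 {
      service = raccess {
            groupname = west_coast_admin,east_cost_user
      }
}
user = operator2 {
      service = exec {
            priv-lvl = 15
      }
}
"""
# Assumption: group names that exist on the appliance (constructed list).
LOCAL_GROUPS = {"west_coast_admin", "east_coast_user"}

USER_RE = re.compile(r"^\s*user\s*=\s*(\S+)\s*\{")
SERVICE_RE = re.compile(r"^\s*service\s*=\s*(\S+).*\{")
GROUP_RE = re.compile(r"^\s*groupname\s*=\s*(.+?)\s*$")

def groups_by_user(conf, service="raccess"):
    """Map each user to the groupname values inside its `service` block."""
    result, user, svc, depth = {}, None, None, 0
    for line in conf.splitlines():
        if line.lstrip().startswith("#"):      # skip comment lines
            continue
        if depth == 0 and (m := USER_RE.match(line)):
            user = m.group(1)
            result[user] = []
        elif depth == 1 and (m := SERVICE_RE.match(line)):
            svc = m.group(1)
        elif depth == 2 and user and svc == service and (m := GROUP_RE.match(line)):
            result[user] += [g.strip() for g in m.group(1).split(",") if g.strip()]
        depth += line.count("{") - line.count("}")
        svc = svc if depth >= 2 else None      # left the service block
        user = user if depth else None         # left the user block
    return result

def audit(conf, local_groups, service="raccess"):
    """Return (user, problem) pairs for missing or unknown group names."""
    findings = []
    for user, groups in groups_by_user(conf, service).items():
        if not groups:
            findings.append((user, f"no groupname under service {service}"))
        findings += [(user, f"unknown group {g}") for g in groups if g not in local_groups]
    return findings
```

Calling `audit(SAMPLE_CONF, LOCAL_GROUPS)` returns one finding per user that would authenticate without receiving the intended group membership.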