Configure TACACS+ Authentication

  1. Under CONFIGURE > USER MANAGEMENT > Remote Authentication, select TACACS+ from the Mode drop-down menu.

  2. Select the preferred TACACS+ Remote Authentication policy to be applied:

    • TACACS+ DownLocal: Users are authenticated through their local account only if the remote AAA server is unreachable or down. If the credentials provided at log in are incorrect or if the account does not exist on the remote server, the user is denied access.

    • TACACS+ Local: If remote authentication fails because the user account does not exist on the remote AAA server, the OM attempts to authenticate the user using a local account as per a regular local log in.

  3. Enter the authentication Timeout value to apply.

    The timeout value specifies the number of seconds to wait for a response from the server before trying the next server.

    Note: The timeout value is global and applied to all authentication methods when you set the value on one authentication method.

  4. Add the Address and optionally the Port of the TACACS+ authentication server to query.

  5. Select the Log in Method. PAP is the default method. However, if the server uses DES-encrypted passwords, select Login.

  6. Add and confirm the Server password, also known as the TACACS+ Secret.

  7. Add the Service. This determines the set of attributes sent back by the TACACS+ server.

    Note: Multiple servers can be added. The TACACS+ subsystem queries them in a round-robin fashion.

user = operator1 {
    service = raccess {
        groupname = west_coast_admin,east_cost_user
    }
}

  8. Enable or Disable Remote Accounting.

    TACACS Accounting is enabled by default, and the Remote Auth Server is used as the Accounting server. However, one or more Accounting Servers can be specified.

    1. To disable Remote Accounting, select Disable.

    2. To enable Remote Accounting, select Enable.

  9. Click Apply.

Note: For Cisco ACS, see Setting up permissions with Cisco ACS 5 and TACACS+ on the Opengear Help Desk.
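
The two policies in step 2 and the Timeout in step 3, modelled as an added example (this is not Opengear code; `Reply`, `Outcome` and `evaluate` are hypothetical names). It walks the configured servers in query order and reports whether a local log in is attempted and how long the user waits on silent servers. Cases this page does not describe return `NOT_DOCUMENTED` rather than a guess.

```python
from enum import Enum

class Reply(Enum):            # one server's answer (constructed model names)
    NO_RESPONSE = 1           # nothing came back within the Timeout
    ACCEPT = 2
    BAD_CREDENTIALS = 3
    NO_SUCH_USER = 4

class Outcome(Enum):
    REMOTE_GRANTED = 1
    DENIED = 2
    TRY_LOCAL = 3             # authenticate against the local account instead
    NOT_DOCUMENTED = 4        # the page does not state this case; verify on the device

def evaluate(policy, replies, timeout_s):
    """Return (Outcome, seconds spent waiting on silent servers).

    policy  -- "DownLocal" or "Local" (step 2)
    replies -- one Reply per configured server, in the order they are queried
    """
    if policy not in ("DownLocal", "Local") or not replies:
        raise ValueError("need a known policy and at least one server")
    waited = 0
    for reply in replies:
        if reply is Reply.NO_RESPONSE:
            waited += timeout_s          # full timeout elapses, then the next server is tried
            continue
        if reply is Reply.ACCEPT:
            return Outcome.REMOTE_GRANTED, waited
        if policy == "DownLocal":        # server is up: any rejection is final
            return Outcome.DENIED, waited
        if reply is Reply.NO_SUCH_USER:  # Local: unknown remote account -> local log in
            return Outcome.TRY_LOCAL, waited
        return Outcome.NOT_DOCUMENTED, waited   # Local + wrong credentials
    # No server answered at all.
    if policy == "DownLocal":
        return Outcome.TRY_LOCAL, waited
    return Outcome.NOT_DOCUMENTED, waited

if __name__ == "__main__":
    # Constructed scenario: two servers, 5-second Timeout, first server silent.
    for policy in ("DownLocal", "Local"):
        for last in (Reply.ACCEPT, Reply.BAD_CREDENTIALS, Reply.NO_SUCH_USER, Reply.NO_RESPONSE):
            outcome, waited = evaluate(policy, [Reply.NO_RESPONSE, last], 5)
            print(f"{policy:9} second server {last.name:15} -> {outcome.name} after {waited}s")
```

Under TACACS+ Local, a user name that is absent from the AAA server is still checked against local accounts while the server is reachable, so local accounts stay an active log in path under that policy.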