Enable TACACS+ Client Services

Use the following procedure to enable specific TACACS+ client AAA services.

  1. Access the authentication configuration element.
    ORACLE# configure terminal
    ORACLE(configure)# security
    ORACLE(security)# authentication
    ORACLE(authentication)# 
  2. type — Configure this parameter to specify the authentication protocol. The default value is local. Specify tacacs to enable the TACACS+ AAA protocol.
    • diameter — DIAMETER authentication (not yet supported)
    • local — authentication determinations are referred to a local database (default)
    • radius — RADIUS authentication
    • tacacs — TACACS+ authentication
  3. tacacs-authorization — Configure this parameter to enable or disable command-based user authorization. The default value is enabled when the value of type is tacacs.
    • disabled
    • enabled (default)
  4. tacacs-authorization-arg-mode — Configure this parameter to enable or disable sending TACACS+ authorization commands and their arguments separately to the TACACS+ server. The default value is disabled.
    • disabled (default)
    • enabled
  5. tacacs-accounting — Configure this parameter to enable or disable accounting of admin ACLI operations. The default value is enabled when the value of type is tacacs.
    • disabled
    • enabled (default)
  6. server-assigned-privilege — Configure this parameter to enable or disable a proprietary TACACS+ variant that, after successful user authentication, adds an additional TACACS+ request/reply exchange. During the exchange, the Security Gateway requests the privilege level of the newly authenticated user. In response, the TACACS+ daemon returns the assigned privilege level, either user or admin. Set this attribute to enabled to initiate the proprietary variant behavior. User accounts are denied access to the enabled command, thus barring them from configuration level commands. The default value is disabled (no privilege level information is exchanged).
    • disabled (default)
    • enabled
  7. management-strategy — Configure this parameter to identify the selection algorithm used to choose among multiple available TACACS+ daemons. Retain the default value of hunt when only a single daemon is available.
    • hunt (default) — for the first transaction the Security Gateway selects the initially configured TACACS+ daemon. When that daemon is online and operational, the Security Gateway directs all AAA transactions to it. Otherwise, the Security Gateway selects the second-configured daemon. If the first and second daemons are offline or non-operational, the next-configured daemon is selected, and so on through the group of available daemons.
    • roundrobin — for the first transaction the Security Gateway selects the initially configured TACACS+ daemon. After completing the first transaction, it selects each daemon in order of configuration — in theory, evenly distributing AAA transactions to each daemon over time.
  8. Type done to save your configuration.
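
The following Python model is an added illustration of the two management-strategy values described in step 7; it is not Oracle code and does not run on the Security Gateway. The daemon names are hypothetical, and three behaviors the procedure does not spell out are assumptions marked in the comments: hunt returns to the first-configured daemon as soon as it recovers, roundrobin skips offline daemons, and no daemon is selected when all are offline.

```python
# Added illustration; not Oracle code. Daemon names are hypothetical.

def make_selector(daemons, strategy="hunt"):
    """Return select(online) -> daemon name or None, modelling step 7.

    daemons: names in order of configuration.
    online:  set of daemons that are online and operational right now.
    """
    if strategy not in ("hunt", "roundrobin"):
        raise ValueError(f"unknown management-strategy: {strategy!r}")
    order = list(daemons)
    cursor = 0  # roundrobin only: index of the next daemon in rotation

    def select(online):
        nonlocal cursor
        if strategy == "hunt":
            # Walk the configured order from the top for every transaction,
            # so the first-configured daemon wins whenever it is usable.
            # Assumption: traffic fails back as soon as it recovers.
            start = 0
        else:
            start = cursor
        for step in range(len(order)):
            idx = (start + step) % len(order)
            if order[idx] in online:
                if strategy == "roundrobin":
                    cursor = (idx + 1) % len(order)
                return order[idx]
            # Assumption: an offline daemon is skipped, not retried.
        return None  # Assumption: no daemon usable -> no selection.

    return select


def simulate(strategy, daemons, online_per_txn):
    """Return the daemon chosen for each transaction in online_per_txn."""
    select = make_selector(daemons, strategy)
    return [select(online) for online in online_per_txn]


if __name__ == "__main__":
    DAEMONS = ["tacacs-a", "tacacs-b", "tacacs-c"]  # constructed sample
    up = set(DAEMONS)
    outage = [up, up, up - {"tacacs-a"}, up - {"tacacs-a"}, up, up]
    for strategy in ("hunt", "roundrobin"):
        print(f"{strategy:10} {simulate(strategy, DAEMONS, outage)}")
```

With tacacs-accounting enabled, the model shows where accounting records end up: hunt keeps them on the first-configured daemon except during its outage, while roundrobin spreads them across every daemon, so a review of admin ACLI activity has to collect from all of them.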