Enable TACACS+ Client Services
Use the following procedure to enable specific TACACS+ client AAA services.
- Access the authentication configuration element.
  ORACLE# configure terminal
  ORACLE(configure)# security
  ORACLE(security)# authentication
  ORACLE(authentication)#
- type — Configure this parameter to specify the authentication protocol. The default value is local. Specify tacacs to enable the TACACS+ AAA protocol.
  - diameter — DIAMETER authentication (not yet supported)
  - local — authentication determinations are referred to a local database (default)
  - radius — RADIUS authentication
  - tacacs — TACACS+ authentication
- tacacs-authorization — Configure this parameter to enable or disable command-based user authorization. The default value is enabled when the value of type is tacacs.
  - disabled
  - enabled (default)
- tacacs-authorization-arg-mode — Configure this parameter to enable or disable sending TACACS+ authorization commands and their arguments separately to the TACACS+ server. The default value is disabled.
  - disabled (default)
  - enabled
- tacacs-accounting — Configure this parameter to enable or disable accounting of admin ACLI operations. The default value is enabled when the value of type is tacacs.
  - disabled
  - enabled (default)
- server-assigned-privilege — Configure this parameter to enable or disable a proprietary TACACS+ variant that, after successful user authentication, adds an additional TACACS+ request/reply exchange. During the exchange, the Security Gateway requests the privilege level of the newly authenticated user. In response, the TACACS+ daemon returns the assigned privilege level, either user or admin. Set this attribute to enabled to initiate the proprietary variant behavior. User accounts are denied access to the enabled command, thus barring them from configuration level commands. The default value is disabled (no privilege level information is exchanged).
  - disabled (default)
  - enabled
- management-strategy — Configure this parameter to identify the selection algorithm used to choose among multiple available TACACS+ daemons. Retain the default value of hunt when only a single daemon is available.
  - hunt (default) — for the first transaction the Security Gateway selects the initially configured TACACS+ daemon. When that daemon is online and operational, the Security Gateway directs all AAA transactions to it. Otherwise, the Security Gateway selects the second-configured daemon. If the first and second daemons are offline or non-operational, the next-configured daemon is selected, and so on through the group of available daemons.
  - roundrobin — for the first transaction the Security Gateway selects the initially configured TACACS+ daemon. After completing the first transaction, it selects each daemon in order of configuration — in theory, evenly distributing AAA transactions to each daemon over time.
- Type done to save your configuration.
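
For reviewing a finished configuration, the following added example (not Oracle code) resolves the effective value of each parameter in this procedure, including the two defaults that depend on type, and lists explicit settings that differ from the documented defaults. The one-pair-per-line input format and the function names are assumptions made for the example; it does not parse real ACLI output.

```python
# Parameter names, values and defaults come from the procedure above.
# Assumption: input is one "name value" pair per line (not real ACLI output).
ONOFF = {"disabled", "enabled"}
ALLOWED = {
    "type": {"diameter", "local", "radius", "tacacs"},
    "tacacs-authorization": ONOFF,
    "tacacs-authorization-arg-mode": ONOFF,
    "tacacs-accounting": ONOFF,
    "server-assigned-privilege": ONOFF,
    "management-strategy": {"hunt", "roundrobin"},
}
FIXED_DEFAULTS = {"type": "local", "tacacs-authorization-arg-mode": "disabled",
                  "server-assigned-privilege": "disabled", "management-strategy": "hunt"}
# Documented default is enabled only when type is tacacs.
TACACS_DEFAULTS = {"tacacs-authorization": "enabled", "tacacs-accounting": "enabled"}

def parse(text):
    """Parse 'name value' lines; reject unknown names and values."""
    settings = {}
    for line in text.splitlines():
        parts = line.split()
        if not parts:
            continue
        if len(parts) != 2 or parts[0] not in ALLOWED:
            raise ValueError(f"unrecognized line: {line!r}")
        name, value = parts
        if value not in ALLOWED[name]:
            raise ValueError(f"{name}: invalid value {value!r}")
        settings[name] = value
    return settings

def effective(settings):
    """Fill in documented defaults; None where the page states no default."""
    result = dict(FIXED_DEFAULTS)
    result.update(settings)
    for name, default in TACACS_DEFAULTS.items():
        if name not in settings:
            result[name] = default if result["type"] == "tacacs" else None
    return result

def deviations(settings):
    """Explicit values that differ from the default for the configured type."""
    eff = effective({"type": settings.get("type", "local")})
    return {n: (v, eff[n]) for n, v in settings.items() if eff[n] not in (v, None)}

# Constructed sample input.
SAMPLE = "type tacacs\ntacacs-accounting disabled\nmanagement-strategy roundrobin\n"
if __name__ == "__main__":
    print(deviations(parse(SAMPLE)))
```

Each reported entry is a (configured, default) pair; the configured type itself is taken as given rather than reported.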