Specify TACACS+ Servers
Use the following procedure to specify one or more TACACS+ servers (daemons).
- Access the tacacs-servers configuration element.
ORACLE# configure terminal
ORACLE(configure)# security
ORACLE(security)# authentication
ORACLE(authentication)# tacacs-servers
ORACLE(tacacs-servers)#
- Use the address attribute to specify the IP address of this TACACS+ daemon.
ORACLE(tacacs-servers)# address 172.30.0.6
ORACLE(tacacs-servers)#
- Use the port attribute to identify the daemon port that receives TACACS+ client requests.
Provide a port number within the range 1025 through 65535, or retain the default value, 49, the well-known TACACS+ port.
ORACLE(tacacs-servers)# port 49
ORACLE(tacacs-servers)#
- Use the state attribute to specify the availability of this TACACS+ daemon.
Select enabled (the default) or disabled.
Only TACACS+ daemons in the enabled state are considered by the server-selection algorithm.
ORACLE(tacacs-servers)# state enabled
ORACLE(tacacs-servers)#
- Use the realm-id attribute to identify the realm through which this TACACS+ daemon is reached.
ORACLE(tacacs-servers)# realm-id accounting
ORACLE(tacacs-servers)#
- Retain the default value for the authentication-methods attribute to specify support for all TACACS+ authentication methods (pap, chap, and ascii).
- ascii — simple login; the Session Director prompts the user for a username and password
- pap — similar to the ascii method, but the username and password are encapsulated in a PAP header
- chap — authentication based on a shared secret, which is never sent during the authentication exchange
ORACLE(tacacs-servers)# authentication-methods all
ORACLE(tacacs-servers)#
- Use the secret attribute to provide the shared secret that the TACACS+ client and the daemon use to encrypt and decrypt TACACS+ message bodies.
Enter a 16-digit string, and configure the identical value on every associated TACACS+ daemon; with a mismatched secret neither side can decode the other's packets. Note that this protection is the MD5-based body obfuscation defined by the TACACS+ protocol (RFC 8907 describes it as obfuscation rather than encryption), so the realm that carries TACACS+ traffic should be a trusted management network.
ORACLE(tacacs-servers)# secret 1982100754609236
ORACLE(tacacs-servers)#
- Use the dead-time attribute to specify, in seconds, the quarantine period imposed on TACACS+ daemons that become unreachable. Quarantined daemons are not eligible to participate in the server-selection algorithm until the period expires.
Supported values are integers within the range 10 through 10000 seconds, with a default value of 10.
ORACLE(tacacs-servers)# dead-time 120
ORACLE(tacacs-servers)#
- Type done to save your configuration.
- Repeat the preceding steps to configure additional TACACS+ daemons.
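The following is an added worked example, not Oracle code and not part of the original procedure. It implements the TACACS+ body obfuscation from RFC 8907 section 4.5 so that the role of the secret configured above is visible: a daemon holding the identical secret recovers the body, a daemon holding a secret that differs by one digit does not, and, because the protection is an MD5 keystream XORed over the body rather than a cipher, an observer who knows part of the plaintext recovers that much keystream without any secret. The session ID, username, port and remote address are constructed sample values; the secret is the example value from the procedure above.

```python
import hashlib
import struct

# Constants from RFC 8907 (TACACS+); these are the protocol's values, not Oracle's.
TAC_PLUS_MAJOR_VER = 0xC
TAC_PLUS_MINOR_VER_DEFAULT = 0x0
TAC_PLUS_AUTHEN = 0x01              # header type: authentication packet
TAC_PLUS_UNENCRYPTED_FLAG = 0x01    # header flag: body sent in the clear
TAC_PLUS_AUTHEN_LOGIN = 0x01        # START action
TAC_PLUS_AUTHEN_TYPE_ASCII = 0x01   # the "ascii" method from the procedure above
TAC_PLUS_AUTHEN_SVC_LOGIN = 0x01
HEADER_LEN = 12
VERSION = (TAC_PLUS_MAJOR_VER << 4) | TAC_PLUS_MINOR_VER_DEFAULT   # 0xC0


def pseudo_pad(session_id: int, key: bytes, version: int, seq_no: int, length: int) -> bytes:
    """RFC 8907 4.5 keystream: chained MD5 over session_id | key | version | seq_no [| previous digest]."""
    seed = struct.pack("!I", session_id) + key + bytes([version, seq_no])
    pad, prev = b"", b""
    while len(pad) < length:
        prev = hashlib.md5(seed + prev).digest()
        pad += prev
    return pad[:length]


def xor_body(body: bytes, session_id: int, key: bytes, version: int, seq_no: int) -> bytes:
    """Obfuscate or de-obfuscate a body; XOR with the pad is its own inverse."""
    pad = pseudo_pad(session_id, key, version, seq_no, len(body))
    return bytes(b ^ p for b, p in zip(body, pad))


def build_authen_start(user: bytes, port: bytes, rem_addr: bytes, data: bytes = b"") -> bytes:
    """Authentication START body (RFC 8907 5.1) for an ASCII login at priv_lvl 1."""
    fixed = struct.pack("!8B", TAC_PLUS_AUTHEN_LOGIN, 1, TAC_PLUS_AUTHEN_TYPE_ASCII,
                        TAC_PLUS_AUTHEN_SVC_LOGIN, len(user), len(port), len(rem_addr), len(data))
    return fixed + user + port + rem_addr + data


def client_packet(body: bytes, session_id: int, key: bytes, seq_no: int = 1) -> bytes:
    """What the TACACS+ client puts on the wire: 12-byte header plus obfuscated body."""
    header = struct.pack("!BBBBII", VERSION, TAC_PLUS_AUTHEN, seq_no, 0, session_id, len(body))
    return header + xor_body(body, session_id, key, VERSION, seq_no)


def server_decode(packet: bytes, key: bytes) -> bytes:
    """What the daemon does with its own copy of the secret."""
    version, _ptype, seq_no, flags, session_id, length = struct.unpack("!BBBBII", packet[:HEADER_LEN])
    body = packet[HEADER_LEN:HEADER_LEN + length]
    if flags & TAC_PLUS_UNENCRYPTED_FLAG:
        return body
    return xor_body(body, session_id, key, version, seq_no)


def recover_pad_prefix(packet: bytes, known_plaintext: bytes) -> bytes:
    """Known-plaintext recovery: obfuscated bytes XOR plaintext bytes = keystream, no secret needed."""
    obf = packet[HEADER_LEN:HEADER_LEN + len(known_plaintext)]
    return bytes(c ^ k for c, k in zip(obf, known_plaintext))


def demo() -> dict:
    session_id = 0x1A2B3C4D            # constructed sample; real clients choose this randomly
    secret = b"1982100754609236"       # the example secret from the procedure above
    body = build_authen_start(b"admin", b"tty0", b"10.0.0.5")   # constructed sample login
    pkt = client_packet(body, session_id, secret)
    # Every ASCII-login START body opens with the same four fixed bytes, so an
    # observer recovers that much keystream without knowing the secret.
    known = body[:4]
    return {
        "packet": pkt,
        "body": body,
        "same_secret_ok": server_decode(pkt, secret) == body,
        "wrong_secret_ok": server_decode(pkt, b"1982100754609237") == body,
        "pad_from_known_plaintext": recover_pad_prefix(pkt, known),
        "real_pad_prefix": pseudo_pad(session_id, secret, VERSION, 1, len(known)),
    }


if __name__ == "__main__":
    r = demo()
    print("packet:", r["packet"].hex())
    print("daemon with matching secret recovers body:", r["same_secret_ok"])
    print("daemon with one-digit-off secret recovers body:", r["wrong_secret_ok"])
    print("keystream bytes recovered without the secret:", r["pad_from_known_plaintext"].hex())
```

Running the module prints the packet and the three outcomes. The point for the configuration above: the secret must match byte for byte on both ends, and because the keystream depends only on the secret and on header fields that travel in the clear, the secret is the whole of the protection, so the realm-id chosen for the daemon should be a trusted management network rather than a realm reachable from untrusted signaling traffic.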
Note:
After configuring TACACS+ daemons, complete the TACACS+ configuration by compiling the list of available daemons.
- From superuser mode, use the following command sequence to access authentication configuration mode.
ORACLE# configure terminal
ORACLE(configure)# security
ORACLE(security)# authentication
ORACLE(authentication)#
- Use the management-servers attribute to identify one or more TACACS+ daemons available to provide AAA services.
Daemons are identified by IP address and must have been previously configured as tacacs-servers elements as described above; an address that has no matching tacacs-servers element cannot be selected.
The following example identifies three available TACACS+ daemons. Note that the list is delimited by left and right parentheses, and list items are separated by space characters.
ORACLE(authentication)# management-servers (172.30.0.6 172.30.1.8 172.30.2.10)
ORACLE(authentication)#
The following example deletes the current list.
ORACLE(authentication)# management-servers ()
ORACLE(authentication)#