Specify TACACS+ Servers
Use the following procedure to specify one or more TACACS+ servers (daemons).
1. Access the tacacs-servers configuration element.
    ORACLE# configure terminal
    ORACLE(configure)# security
    ORACLE(security)# authentication
    ORACLE(authentication)# tacacs-servers
    ORACLE(tacacs-servers)#
2. Use the address attribute to specify the IP address of this TACACS+ daemon.
    ORACLE(tacacs-servers)# address 172.30.0.6
    ORACLE(tacacs-servers)#
3. Use the port attribute to identify the daemon port that receives TACACS+ client requests. Provide a port number within the range 1025 through 65535, or retain the default value, 49, the well-known TACACS+ port.
    ORACLE(tacacs-servers)# port 49
    ORACLE(tacacs-servers)#
4. Use the state attribute to specify the availability of this TACACS+ daemon. Select enabled (the default) or disabled. Only TACACS+ daemons that are in the enabled state are considered when running the server-selection algorithm.
    ORACLE(tacacs-servers)# state enabled
    ORACLE(tacacs-servers)#
5. Use the realm-id attribute to identify the realm that provides access to this TACACS+ daemon.
    ORACLE(tacacs-servers)# realm-id accounting
    ORACLE(tacacs-servers)#
6. Retain the default value for the authentication-methods attribute to specify support for all TACACS+ authentication methods (pap, chap, and ascii).
    - ascii — simple login, the Oracle® Enterprise Session Border Controller (OCSBC) prompts the user for username and password
    - pap — similar to the ascii method, but username and password are encapsulated in a PAP header
    - chap — authentication based on a shared-secret, which is not passed during the authentication process
    ORACLE(tacacs-servers)# authentication-methods all
    ORACLE(tacacs-servers)#
7. Use the secret attribute to provide the shared-secret used by the TACACS+ client and the daemon to encrypt and decrypt TACACS+ messages. The identical shared-secret must be configured on associated TACACS+ clients and daemons. Enter a 16-digit string, and ensure that the identical value is configured on the TACACS+ daemon.
    ORACLE(tacacs-servers)# secret 1982100754609236
    ORACLE(tacacs-servers)#
8. Use the dead-time attribute to specify, in seconds, the quarantine period imposed upon TACACS+ daemons that become unreachable. Quarantined servers are not eligible to participate in the server-selection algorithm. Supported values are integers within the range 10 through 10000 seconds, with a default value of 10.
    ORACLE(tacacs-servers)# dead-interval 120
    ORACLE(tacacs-servers)#
9. Type done to save your configuration.
10. Repeat Steps 1 through 10 to configure additional TACACS+ daemons.

Note: After configuring TACACS+ daemons, complete TACACS+ configuration by compiling a list of available daemons.

1. From superuser mode, use the following command sequence to access authentication configuration mode.
    ORACLE# configure terminal
    ORACLE(configure)# security
    ORACLE(security)# authentication
    ORACLE(authentication)#
2. Use the management-servers attribute to identify one or more TACACS+ servers available to provide AAA services. Servers are identified by IP address, participate in the configured management-strategy, and must have been previously configured as described above.
    The following example identifies three available TACACS+ servers. The list is delimited by left and right parentheses, and list items are separated by space characters.
    ORACLE(authentication)# management-servers (172.30.0.6 172.30.1.8 172.30.2.10)
    ORACLE(authentication)#
    The following example deletes the current list.
    ORACLE(authentication)# management-servers ()
    ORACLE(authentication)#
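As an added example (not Oracle's code or the OCSBC's own implementation), the following Python models the rules this procedure states: it checks a tacacs-servers element against the value ranges given above, parses the parenthesised management-servers list, and applies the selection rule that only configured, enabled, non-quarantined daemons are eligible. The dictionary layout, the sample entries and the quarantined_until bookkeeping are assumptions for illustration.

```python
import ipaddress
import re

# Constructed sample tacacs-servers elements (illustrative values only),
# keyed by the attributes the procedure configures.
TACACS_SERVERS = [
    {"address": "172.30.0.6", "port": 49, "state": "enabled", "secret": "1982100754609236", "dead-time": 120},
    {"address": "172.30.1.8", "port": 49, "state": "disabled", "secret": "1982100754609236", "dead-time": 10},
    {"address": "172.30.2.10", "port": 70000, "state": "enabled", "secret": "short", "dead-time": 5},
]

def validate_server(s):
    """Return the problems found in one tacacs-servers element, using the
    value ranges stated in the procedure (an empty list means it is valid)."""
    problems = []
    try:
        ipaddress.ip_address(s["address"])
    except ValueError:
        problems.append(f"address {s['address']!r} is not an IP address")
    if not (s["port"] == 49 or 1025 <= s["port"] <= 65535):
        problems.append(f"port {s['port']} is not 49 or within 1025-65535")
    if s["state"] not in ("enabled", "disabled"):
        problems.append(f"state {s['state']!r} must be enabled or disabled")
    if not re.fullmatch(r"\d{16}", s["secret"]):
        problems.append("secret must be a 16-digit string")
    if not 10 <= s["dead-time"] <= 10000:
        problems.append(f"dead-time {s['dead-time']} is outside 10-10000")
    return problems

def parse_management_servers(arg):
    """Parse the parenthesised, space-separated management-servers list."""
    m = re.fullmatch(r"\s*\((.*)\)\s*", arg)
    if m is None:
        raise ValueError("list must be delimited by ( and )")
    return m.group(1).split()

def eligible_servers(mgmt_arg, servers, quarantined_until, now):
    """Addresses from the management-servers list the selection algorithm may
    use: configured, enabled, and past any dead-time quarantine. quarantined_until
    maps address -> time the quarantine ends (assumed bookkeeping, not an attribute)."""
    configured = {s["address"]: s for s in servers}
    chosen = []
    for addr in parse_management_servers(mgmt_arg):
        s = configured.get(addr)
        if s is None:
            raise ValueError(f"{addr} was not configured as a tacacs-servers element")
        if s["state"] == "enabled" and quarantined_until.get(addr, 0) <= now:
            chosen.append(addr)
    return chosen
```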