Specify TACACS+ Servers

Use the following procedure to specify one or more TACACS+ servers (daemons).

1. Access the tacacs-serversconfiguration element.

   ORACLE# configure terminal
   ORACLE(configure)# security
   ORACLE(security)# authentication
   ORACLE(authentication)# tacacs-servers
   ORACLE(tacacs-servers)# 

2. Use the address attribute to specify the IP address of this TACACS+ daemon.

   ORACLE(tacacs-servers)# address 172.30.0.6
   ORACLE(tacacs-servers)#

3. Use the port attribute to identify the daemon port that receives TACACS+ client requests.

   Provide a port number within the range 1025 through 65535, or retain the default value, 49, the well-known TACACS+ port.

   ORACLE(tacacs-servers)# port 49
   ORACLE(tacacs-servers)#

4. Use the state attribute to specify the availability of this TACACS+ daemon.

   Select enabled (the default) or disabled.

   Only TACACS+ daemons that are in the enabled state are considered when running the server-selection algorithm.

   ORACLE(tacacs-servers)# state enabled
   ORACLE(tacacs-servers)#

5. Use the realm-id attribute to identify the realm that provides access to this TACACS+ deamon.

   ORACLE(tacacs-servers)# realm-id accounting
   ORACLE(tacacs-servers)#

6. Retain the default value for the authentication-methods attribute to specify support for all TACACS+ authentication methods (pap, chap, and ascii).
   • ascii — simple login, the Oracle® Enterprise Session Border Controller (OCSBC) prompts user for username and password
   • pap — similar to ascii method, but username and password are encapsulated in a PAP header
   • chap — authentication based on a shared-secret, which is not passed during the authentication process

   ORACLE(tacacs-servers)# authentication-methods all
   ORACLE(tacacs-servers)#

7. Use the secret attribute to provide the shared-secret used by the TACACS+ client and the daemon to encrypt and decrypt TACACS+ messages. The identical shared-secret must be configured on associated TACACS+ clients and daemons.

   Enter a 16-digit string, and ensure that the identical value is configured on the TACACS+ daemon.

   ORACLE(tacacs-servers)# secret 1982100754609236
   ORACLE(tacacs-servers)#

8. Use the dead-time attribute to specify, in seconds, the quarantine period imposed upon TACACS+ daemons that become unreachable. Quarrantined servers are not eligible to participate in the server-selection algorithm.

   Supported values are integers within the range 10 through 10000 seconds, with a default value of 10 .

   ORACLE(tacacs-servers)# dead-interval 120
   ORACLE(tacacs-servers)#

9. Type done to save your configuration.
10. Repeat Steps 1 through 10 to configure additional TACACS+ daemons.

    Note:

    After configuring TACACS+ daemons, complete TACACS+ configuration by compiling a list of available deamons.
11. From superuser mode, use the following command sequence to access authentication configuration mode.

    ORACLE# configure terminal
    ORACLE(configure)# security
    ORACLE(security)# authentication
    ORACLE(authentication)#

12. Use the management-servers attribute to identify one or more TACACS+ servers available to provide AAA services.

    Servers are identified by IP address, participate in the configured management-strategy, and must have been previously configured as described above.

    The following example identifies three available TACACS+ servers. The list is delimited by left and right parentheses, and list items are separated by space characters.

    ORACLE(authentication)# management-servers (172.30.0.6 172.30.1.8 172.30.2.10)
    ORACLE(authentication)#

    The following example deletes the current list.

    ORACLE(authentication)# management-servers ()
    ORACLE(authentication)#