Configuring AAA Integration

The SBC supports RADIUS and TACACS+.

SSH RADIUS Authentication

The SBC management interface sends RADIUS requests containing login authentication and authorization data to remote RADIUS servers.

The SBC supports the use of the Cisco Systems Inc.™ “Cisco-AVPair” vendor specific attribute (VSA). The Vendor-ID is 1 and the Vendor-Type is 9. This attribute allows for successful administrator login to servers that do not support the Oracle authorization VSA. While using RADIUS-based authentication, the SBC authorizes you to enter Superuser mode locally even when your RADIUS server does not return the ACME_USER_CLASS VSA or the Cisco-AVPair VSA.

All management stations used for SSH access should have a permit ACL configured. An ACL should also be configured to allow RADIUS traffic to the RADIUS server.

For more information, see Section 4 “System Management” of the Maintenance and Troubleshooting Guide.

TACACS+

TACACS+ is a protocol that was originally developed by Cisco Systems. It provides functions for authentication, authorization, and encryption of the administrative traffic. Unlike RADIUS, it separates authentication and authorization functions. The SBC acts as a TACACS+ client.

The SBC uses TACACS+ services to provide administrative authorization. With TACACS+ authorization enabled, each individual ACLI command issued by an admin user is authorized by the TACACS+ authorization service. The SBC replicates each ACLI command in its entirety, sends the command string to the authorization service, and suspends command execution until it receives an authorization response. If TACACS+ grants authorization, the pending command is executed; if authorization is not granted, the SBC does not execute the ACLI command, and displays an appropriate error message.
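The per-command authorization exchange described above, sketched as an added example that is not Oracle's code: it encodes the body of a TACACS+ authorization REQUEST for one full command line and evaluates the REPLY body, following the RFC 8907 field layout. The function names, the splitting of the command into cmd/cmd-arg pairs, the sample user, port and address, and the choice to deny on a missing or malformed reply are assumptions of this example; the TACACS+ packet header and body obfuscation are omitted.

```python
import struct

# Constants from RFC 8907 (TACACS+ authorization).
AUTHEN_METH_TACACSPLUS = 0x06
AUTHEN_TYPE_ASCII = 0x01
AUTHEN_SVC_LOGIN = 0x01
AUTHOR_STATUS_PASS_ADD = 0x01
AUTHOR_STATUS_PASS_REPL = 0x02


def build_author_request(user, port, rem_addr, command, priv_lvl=1):
    """Encode an authorization REQUEST body carrying one complete command."""
    words = command.split()
    if not words:
        raise ValueError("empty command")
    # Assumption: first word goes in cmd=, each further word in cmd-arg=.
    args = ["service=shell", "cmd=" + words[0]]
    args += ["cmd-arg=" + w for w in words[1:]]
    fields = [s.encode("ascii") for s in (user, port, rem_addr)]
    enc_args = [a.encode("ascii") for a in args]
    # Every length in the body is a single byte.
    if len(enc_args) > 255 or any(len(b) > 255 for b in fields + enc_args):
        raise ValueError("field too long for a one-byte length")
    head = struct.pack(
        "!8B", AUTHEN_METH_TACACSPLUS, priv_lvl, AUTHEN_TYPE_ASCII,
        AUTHEN_SVC_LOGIN, len(fields[0]), len(fields[1]), len(fields[2]),
        len(enc_args))
    arg_lens = bytes(len(a) for a in enc_args)
    return head + arg_lens + b"".join(fields) + b"".join(enc_args)


def command_authorized(reply_body):
    """Return True only for a well-formed PASS reply; anything else denies."""
    if reply_body is None or len(reply_body) < 6:  # no reply, or truncated
        return False
    status, arg_cnt, msg_len, data_len = struct.unpack("!BBHH", reply_body[:6])
    arg_lens = reply_body[6:6 + arg_cnt]
    expected = 6 + arg_cnt + msg_len + data_len + sum(arg_lens)
    if len(arg_lens) != arg_cnt or len(reply_body) != expected:
        return False  # declared lengths do not match the bytes received
    return status in (AUTHOR_STATUS_PASS_ADD, AUTHOR_STATUS_PASS_REPL)


if __name__ == "__main__":
    # Constructed sample input: documentation address, hypothetical admin user.
    body = build_author_request("alice", "ssh", "192.0.2.10",
                                "show running-config")
    print(body.hex())
    print(command_authorized(bytes([AUTHOR_STATUS_PASS_ADD, 0, 0, 0, 0, 0])))
```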

All management stations used for SSH access should have a permit ACL configured. An ACL should also be configured to allow TACACS+ traffic to the Network Access Server. TACACS+ is disabled by default.

Refer to “TACACS+ AAA” in Section 2 “Getting Started” of the ACLI Configuration Guide.