Configuring the TACACS+ parameters

The parameters for configuring TACACS+ are located under:

Command line: Setup > TACACS+

Accounting
Activates accounting via TACACS+ server. If TACACS+ accounting is activated, all accounting data is transmitted via TACACS+ protocol to the configured TACACS+ server. Possible values:
  • Activated, deactivated
Default
  • Disabled
Important: TACACS+ accounting will only activate if the defined TACACS+ server is available.
Authentication
Following the introduction of authentication via RADIUS, this menu item has been deprecated. Authentication via TACACS+ is now enabled under Setup > Config > Authentication. If TACACS+ authentication is activated, all authentication data is transmitted via TACACS+ protocol to the configured TACACS+ server.
Important: TACACS+ authentication will only activate if the defined TACACS+ server is available. Fallback to local users is only possible if a root password has been set for the device. The fallback to local users must be deactivated for devices without a root password. Otherwise a failure of the network connection (TACACS+ server unavailable) would make the device accessible without a password.
Authorization
Activates authorization via TACACS+ server. If TACACS+ authorization is activated, all authorization data is transmitted via TACACS+ protocol to the configured TACACS+ server. Possible values:
  • Activated, deactivated
Default
  • Disabled
Important: TACACS+ authorization will only activate if the defined TACACS+ server is available. If TACACS+ authorization is activated, the TACACS+ server will be queried for authorization each time a user enters a command. Data traffic during configuration will increase correspondingly. Also, the user rights must be defined in the TACACS+ server.
Fallback to local users
Should the defined TACACS+ server be unavailable, it is possible to fall back to local user accounts on the device. This allows access to the device even if the TACACS+ connection fails, e.g. in order to deactivate the use of TACACS+ or to correct the configuration. Possible values:
  • Allowed, prohibited
Default
  • Allowed
Important: The fallback to local user accounts presents a security risk if no root password is set for the device. For this reason, TACACS+ authentication with fallback to local user accounts can only be activated if a root password has been set. If no root password is set, access to the device configuration can be blocked for security reasons if no connection is available to the TACACS+ server. In this case, the device may have to be reset to its factory settings in order to regain access to the configuration.
Shared Secret
The password for encrypting the communications between NAS and TACACS+ servers. Possible values:
  • 31 alphanumerical characters
Default
  • Blank
Important: The password must be entered identically into the device and the TACACS+ server. We recommend that you do not operate TACACS+ without encryption.
SNMP-GET-Requests-Accounting
Numerous network management tools use SNMP to request information from network devices. LANmonitor also uses SNMP to access the devices, either to display information about current connections, etc., or to execute actions such as disconnecting a connection. Because SNMP can also be used to configure devices, TACACS+ requires authentication for SNMP access requests. Since LANmonitor queries these values regularly, a large number of unnecessary TACACS+ connections would be established: if authentication, authorization and accounting by TACACS+ are all activated, each request would initiate three sessions with the TACACS+ server. This parameter regulates how the device handles SNMP access in order to reduce the number of TACACS+ sessions required for accounting. Authentication via the TACACS+ server remains necessary if authentication for TACACS+ is activated generally.
Note: Entering a read-only community under Setup > SNMP also enables authentication by TACACS+ to be deactivated for LANmonitor. The read-only community defined here is then entered into LANmonitor as a user name.
Possible values:
  • only_for_SETUP_tree: With this setting, accounting via TACACS+ server is only required for SNMP access via the setup branch of LCOS.
  • All: With this setting, accounting by TACACS+ server will be carried out for every SNMP access. With regular requests for status information, for example, the load on the TACACS+ server will increase significantly.
  • None: With this setting, accounting by TACACS+ server will not be carried out for SNMP accesses.
Default:
  • only_for_SETUP_tree
SNMP-GET-Requests-Authorisation
This parameter regulates how the device handles SNMP access in order to reduce the number of TACACS+ sessions required for authorization. Authentication via the TACACS+ server remains necessary if authentication for TACACS+ is activated generally. Possible values:
  • only_for_SETUP_tree: With this setting, authorization via TACACS+ server is only required for SNMP access via the setup branch of LCOS.
  • All: With this setting, authorization by TACACS+ server will be carried out for every SNMP access. With regular requests for status information, for example, the load on the TACACS+ server will increase significantly.
  • None: With this setting, authorization by TACACS+ server will not be carried out for SNMP accesses.
Default:
  • only_for_SETUP_tree
Encryption
Activates or deactivates the encryption of communications between NAS and TACACS+ servers. Possible values:
  • Activated, deactivated
Default
  • Activated
Important: We recommend that you do not operate TACACS+ without encryption. If encryption is activated here, the password for encryption entered here must match the password on the TACACS+ server.
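
What the Shared Secret and Encryption parameters control on the wire, as an added example that is not LANCOM code: in standard TACACS+ (RFC 8907, section 4.5) the packet body is XORed with an MD5-derived pad keyed by the shared secret, and a header flag marks an unprotected body. It assumes the device follows that standard; the body text, secret and session ID are constructed sample values.

```python
# Added illustration (not LANCOM code): TACACS+ body handling per RFC 8907, 4.5.
import hashlib
import struct

TAC_PLUS_UNENCRYPTED_FLAG = 0x01  # header flag: body is sent in the clear

def pseudo_pad(session_id, key, version, seq_no, length):
    """MD5_1 = MD5(session_id, key, version, seq_no);
    MD5_n = MD5(session_id, key, version, seq_no, MD5_{n-1}); truncated to length."""
    seed = struct.pack("!I", session_id) + key + bytes([version, seq_no])
    pad, block = b"", b""
    while len(pad) < length:
        block = hashlib.md5(seed + block).digest()
        pad += block
    return pad[:length]

def build_packet(body, key, session_id, seq_no=1, ptype=0x01, version=0xC0, encrypt=True):
    """NAS side: return the 12-byte header plus body as sent on the wire."""
    flags = 0 if encrypt else TAC_PLUS_UNENCRYPTED_FLAG
    if encrypt:
        pad = pseudo_pad(session_id, key, version, seq_no, len(body))
        body = bytes(a ^ b for a, b in zip(body, pad))
    header = struct.pack("!BBBBII", version, ptype, seq_no, flags, session_id, len(body))
    return header + body

def read_packet(packet, key):
    """Server side: recover the body using the locally configured secret."""
    version, _ptype, seq_no, flags, session_id, length = struct.unpack("!BBBBII", packet[:12])
    body = packet[12:12 + length]
    if flags & TAC_PLUS_UNENCRYPTED_FLAG:
        return body
    pad = pseudo_pad(session_id, key, version, seq_no, length)
    return bytes(a ^ b for a, b in zip(body, pad))

# Constructed sample values: not a real TACACS+ body layout or real credentials.
BODY = b"user=admin cmd=show-config"
SECRET = b"Example-Shared-Secret"
SESSION = 0x1A2B3C4D

if __name__ == "__main__":
    clear = build_packet(BODY, SECRET, SESSION, encrypt=False)
    protected = build_packet(BODY, SECRET, SESSION)
    print("encryption deactivated, body readable on the wire:", BODY in clear)
    print("encryption activated, body readable on the wire:  ", BODY in protected)
    print("server with identical secret: ", read_packet(protected, SECRET))
    print("server with mismatched secret:", read_packet(protected, b"wrong-secret"))
```

A mismatched secret does not produce an error at this layer, only an unusable body, which is why the secret must be entered identically on both sides. With an empty secret the pad depends only on the session ID, version and sequence number, all of which travel in the cleartext header.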

www.lancom-systems.com

LANCOM Systems GmbH | A Rohde & Schwarz Company | Adenauerstr. 20/B2 | 52146 Wuerselen | Germany | E‑Mail info@lancom.de
