
Configuring group authorization for TACACS+ authentication
The two tasks listed below must be done to configure groups for TACACS+ authentication.
The OnBoard appliance’s administrator must configure the TACACS+ server on the OnBoard appliance, and must configure the TACACS+ authentication server for raw access. Table 5.6 lists two ways to perform the needed configuration.
NOTE: Make sure to check the Enable Raccess Authorization checkbox.
OnBoard appliance command line
The following cycli utility command line can also be used to configure a server for raw access:
cli> set auth tacplus service raccess
To assign a group to a user on the TACACS+ server:
1.
NOTE: These additions can be made through a GUI. The example shows the configuration if a GUI is not available.
2.
NOTE: Each user may belong to only one group. To give a user administrative access to the OnBoard appliance, assign the admin group.
Configuring a TACACS+ authentication server on the OnBoard appliance
The following list describes the parameters that must be defined in the OnBoard appliance’s /etc/tacplus.conf file.
authhost1: IP address of the TACACS+ authentication server. A second TACACS+ authentication server can be configured with the parameter authhost2.
accthost1: IP address of a TACACS+ accounting server, which can be used to track how long users are connected after being authorized by the authentication server. Its use is optional. If this parameter is not defined, accounting is not performed. If the same server is used for authentication and accounting, both parameters must be defined with the same address. A second TACACS+ accounting server can be configured with the parameter accthost2.
retries: Defines the number of times a TACACS+ server is tried before another is contacted. The first server, authhost1, is tried the specified number of times before the second server, authhost2, if configured, is contacted and tried the specified number of times. If the second server fails to respond, or if no second server is configured, TACACS+ authentication fails.
To configure a TACACS+ authentication server on the OnBoard appliance:
1.
1.
2.
NOTE: To configure group access on the TACACS+ authentication server, service must be defined as raccess.
3.
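As an added example (not the OnBoard appliance's own code), the following script parses a /etc/tacplus.conf file, reports the settings this section calls out (authhost1 present, service defined as raccess, accounting server defined) and computes the server attempt order implied by the retries parameter. It assumes the file uses one key=value pair per line; the parameter names are those listed above, the secret key is assumed, and the addresses in the sample are constructed placeholders.

```python
# Constructed sample /etc/tacplus.conf; addresses are documentation placeholders.
# "secret" is assumed to exist in this file format; it is not listed on the page.
SAMPLE_CONF = """\
authhost1=192.0.2.10
authhost2=192.0.2.11
accthost1=192.0.2.10
secret=PLACEHOLDER-SHARED-SECRET
service=raccess
retries=2
"""


def parse_tacplus_conf(text):
    """Parse key=value lines; '#' starts a comment (assumed), blank lines are skipped."""
    conf = {}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line or "=" not in line:
            continue
        key, value = line.split("=", 1)
        conf[key.strip()] = value.strip()
    return conf


def auth_attempt_order(conf):
    """Servers in the order they are contacted: authhost1 'retries' times, then authhost2."""
    retries = int(conf.get("retries", 1))
    order = []
    for key in ("authhost1", "authhost2"):
        host = conf.get(key)
        if host:
            order.extend([host] * retries)
    return order  # authentication fails once this list is exhausted


def lint_tacplus_conf(conf):
    """Findings for the settings the section calls out; empty list means nothing to report."""
    findings = []
    if "authhost1" not in conf:
        findings.append("authhost1 missing: no TACACS+ authentication server defined")
    if conf.get("service") != "raccess":
        findings.append("service is not raccess: group authorization will not be applied")
    if "accthost1" not in conf:
        findings.append("accthost1 not defined: accounting will not be performed")
    return findings


if __name__ == "__main__":
    conf = parse_tacplus_conf(SAMPLE_CONF)
    print("attempt order:", auth_attempt_order(conf))
    print("findings:", lint_tacplus_conf(conf) or "none")
```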