• The OnBoard appliance’s administrator must configure the TACACS+ server on the OnBoard appliance. The administrator must also configure the TACACS+ authentication server for raw access. Table 5.6 lists two ways to perform the needed configuration.
OnBoard appliance command line: cli> set auth tacplus service raccess
1. Add a definition for the group to the authentication, authorization, and accounting (AAA) database on the TACACS+ server. NOTE: These additions can be made through a GUI. The example shows the configuration if a GUI is not available.
2. To the definition for each user, add the raccess service in the form service = raccess and assign the desired group to the user in the form member = group_name. NOTE: Each user may belong to only one group. To give a user administrative access to the OnBoard appliance, assign the admin group.
The following list describes the values that must be defined in the OnBoard appliance’s /etc/tacplus.conf file.
• authhost1: IP address of the TACACS+ authentication server. A second TACACS+ authentication server can be configured with the parameter authhost2.
• accthost1: IP address of a TACACS+ accounting server, which can be used to track how long users are connected after being authorized by the authentication server. Its use is optional. If this parameter is not defined, accounting is not performed. If the same server is used for authentication and accounting, both parameters must be defined with the same address. A second TACACS+ accounting server can be configured with the parameter accthost2.
• secret: The shared secret (password) necessary for communication between the OnBoard appliance and the TACACS+ servers.
• retries: Defines the number of times a TACACS+ server is tried before another is contacted. The first server, authhost1, is tried the specified number of times before the second server, authhost2, if configured, is contacted and tried the specified number of times. If the second server fails to respond or if no second server is configured, TACACS+ authentication fails.
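The parameter rules in the list above can be checked before a configuration is deployed. The following is an added example, not code from the product documentation: the key=value file syntax, the function names parse_conf and lint_tacplus, and the sample addresses are all assumptions made for illustration.

```python
import ipaddress

# Constructed sample. The key=value syntax is an assumption, not from the page.
SAMPLE_CONF = """\
authhost1=192.0.2.10
authhost2=192.0.2.11
accthost1=192.0.2.10
secret=
retries=two
"""
HOST_KEYS = ("authhost1", "authhost2", "accthost1", "accthost2")

def parse_conf(text):
    """Parse key=value lines, skipping blank lines and # comments."""
    conf = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#") or "=" not in line:
            continue
        key, value = line.split("=", 1)
        conf[key.strip()] = value.strip()
    return conf

def lint_tacplus(conf):
    """Return findings for the parameter rules described in the list above."""
    findings = []
    if not conf.get("authhost1"):
        findings.append("authhost1 missing: no authentication server defined")
    elif not conf.get("authhost2"):
        findings.append("authhost2 not set: no fallback if authhost1 fails to respond")
    for key in HOST_KEYS:
        if conf.get(key):
            try:
                ipaddress.ip_address(conf[key])
            except ValueError:
                findings.append(f"{key} is not a valid IP address: {conf[key]!r}")
    if not conf.get("accthost1"):
        findings.append("accthost1 not set: accounting is not performed")
    # The secret's value is never echoed into a finding.
    if not conf.get("secret"):
        findings.append("secret missing or empty: shared secret is required")
    retries = conf.get("retries", "")
    if not retries.isdecimal() or int(retries) < 1:
        findings.append("retries must be a positive whole number")
    return findings

if __name__ == "__main__":
    for finding in lint_tacplus(parse_conf(SAMPLE_CONF)):
        print("FINDING:", finding)
```

Because the file holds the shared secret, it is also worth confirming that only the administrative account can read it.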