Tripp Lite B0930082E4U Owners Manual for B093- B097- and B098-Series Console S - Page 169

TACACS Authentication


9. Authentication

9.1.2 TACACS Authentication

Perform the following procedure to configure the TACACS+ authentication method used whenever the console server or any of its serial ports or hosts is accessed:

• Select Serial and Network > Authentication and check TACACS, LocalTACACS, TACACSLocal or TACACSDownLocal.
• Enter the Server Address (IP or host name) of the remote authentication/authorization server. Multiple remote servers may be specified in a comma-separated list. Each server is tried in succession.
• Session accounting is on by default. If session accounting information is not desired, check the Disable Accounting checkbox. One reason often cited for disabling session accounting is that, if the authentication server does not respond to accounting requests, the unanswered request can delay login.
• In addition to multiple remote servers, you can also enter separate lists of authentication/authorization servers and accounting servers. If no accounting servers are specified, the authentication/authorization servers are used for accounting as well.
• Enter and confirm the Server Password (the shared secret that must match the one configured on the TACACS+ server). Then select the method to be used to authenticate to the server (defaults to PAP). To use DES encrypted passwords, select Login.
• If required, enter the TACACS Group Membership Attribute to be used to indicate group memberships (defaults to groupname#n).
• If required, specify the TACACS Service used to authenticate. This determines which set of attributes is returned by the server (defaults to raccess).
• If required, check Default Admin Privileges to give all TACACS+ authenticated users administrator privileges. Use Remote Groups must also be checked for these privileges to be granted. Because this makes every account the TACACS+ server accepts an administrator of the console server, leave it unchecked and assign privileges through group membership or priv-lvl unless every TACACS+ user is meant to administer the device.
• The TACACS Privilege Level feature only applies to TACACS remote authentication. When Ignore Privilege Level is enabled, the priv-lvl setting for all of the users defined on the TACACS+ AAA server is ignored.

Note: A Tripp Lite device normally interprets a user with a TACACS priv-lvl of 12 or above as an administrator. There is a special case where a user with a priv-lvl of 15 is also given access to all configured serial ports. When the Ignore Privilege Level option is enabled (checked in the UI), there are no escalations of privileges based on the priv-lvl value from the TACACS server. If the only thing configured for one or more TACACS users is priv-lvl (e.g., no specific port access or group memberships set), console server access will be revoked for those users, as they will not be a member of any groups, even if the Retrieve Remote Groups option in the Authentication menu is enabled.
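The checkboxes above interact in ways that are easy to get wrong (Default Admin Privileges needs Use Remote Groups; Ignore Privilege Level can lock out users who only carry a priv-lvl). The following Python is an added example, not code from this manual or from Tripp Lite firmware: it models how a TACACS+ authorization reply for service raccess would be mapped onto console-server privileges under those settings, so the edge cases in the note can be checked before changing a live appliance. The mapping itself (priv-lvl >= 12 is admin, 15 also gets all ports, no admin role and no groups means no access) is an assumption drawn from the text, and the sample replies are constructed, not captured from a real server.

```python
import re
from dataclasses import dataclass

# Constructed sample replies (not captured from a real TACACS+ server): the
# attribute-value pairs a server might return for service=raccess.  In
# TACACS+ "=" marks a mandatory AV pair and "*" an optional one.
SAMPLE_REPLIES = {
    "alice": ["priv-lvl=15", "groupname#1=netadmin"],
    "bob":   ["priv-lvl=12"],
    "carol": ["priv-lvl=1", "groupname#1=users", "groupname#2=port-ops"],
    "dave":  ["priv-lvl*7"],
}


@dataclass
class AuthSettings:
    """Checkboxes from Serial and Network > Authentication."""
    use_remote_groups: bool = True     # "Use Remote Groups"
    default_admin: bool = False        # "Default Admin Privileges"
    ignore_priv_lvl: bool = False      # "Ignore Privilege Level"
    group_attr: str = "groupname#n"    # "TACACS Group Membership Attribute"


@dataclass
class Decision:
    admin: bool        # administrator role granted
    all_ports: bool    # priv-lvl 15 special case: every serial port
    groups: list       # remote group memberships taken from the reply
    access: bool       # False models the "access revoked" case in the note


_AV_RE = re.compile(r"^([^=*]+)([=*])(.*)$")


def parse_av_pairs(pairs):
    """Split TACACS+ AV pairs into {attr: (value, mandatory)}.

    Malformed entries are skipped rather than trusted.
    """
    out = {}
    for p in pairs:
        m = _AV_RE.match(p)
        if m:
            attr, sep, val = m.groups()
            out[attr] = (val, sep == "=")
    return out


def _group_matcher(template):
    """'groupname#n' -> regex for groupname#1, groupname#2, ...

    A template without a trailing 'n' is matched literally.
    """
    if template.endswith("n"):
        return re.compile(r"^" + re.escape(template[:-1]) + r"(\d+)$")
    return re.compile(r"^" + re.escape(template) + r"$")


def authorize(pairs, settings=None):
    """Assumed console-server policy: map one authorization reply to a Decision."""
    if settings is None:
        settings = AuthSettings()
    attrs = parse_av_pairs(pairs)

    groups = []
    if settings.use_remote_groups:
        grp = _group_matcher(settings.group_attr)
        keyed = []
        for attr, (val, _mandatory) in attrs.items():
            m = grp.match(attr)
            if m:
                # sort numerically so groupname#10 follows groupname#2
                keyed.append((int(m.group(1)) if m.groups() else 0, val))
        groups = [val for _, val in sorted(keyed)]

    admin = all_ports = False
    if not settings.ignore_priv_lvl and "priv-lvl" in attrs:
        try:
            lvl = int(attrs["priv-lvl"][0])
        except ValueError:
            lvl = 0                     # garbage priv-lvl never escalates
        admin = lvl >= 12
        all_ports = lvl == 15

    # Default Admin Privileges only takes effect with Use Remote Groups on.
    if settings.default_admin and settings.use_remote_groups:
        admin = True

    # Assumption: a user with neither an admin role nor any group has nothing
    # to log in to, which is the lock-out described in the note.
    access = admin or bool(groups)
    return Decision(admin, all_ports, groups, access)


if __name__ == "__main__":
    for name, reply in SAMPLE_REPLIES.items():
        print(name, "default:", authorize(reply))
        print(name, "ignore priv-lvl:", authorize(reply, AuthSettings(ignore_priv_lvl=True)))
```

Running it shows the case the note warns about: bob, who carries only priv-lvl=12, is an administrator under the default settings but loses access entirely once Ignore Privilege Level is checked, while carol, who has groups but a low priv-lvl, is unaffected by that option. dave's optional (`*`) priv-lvl of 7 is honoured as a value but never reaches the administrator threshold.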

