Required TACACS+ server settings, Setting up a TACACS+ server – HP 1.10GB Virtual Connect Ethernet Module for c-Class BladeSystem User Manual



Virtual Connect users and roles 71

Required TACACS+ server settings

The following TACACS+ server settings must be configured on VC to enable TACACS+-based authentication:

• Enable or disable flag

• TACACS+ server IP address

• TCP port number. The default (well-known) port for TACACS+ is 49.

• Shared secret key. A plain-text key that must be configured identically on VC and on the server; if the two keys do not match, the server cannot decode the request bodies and authentication fails. The key can be 1 to 128 characters long.

• Timeout. The number of seconds VC waits for a server response before retrying the request. The valid range is 1 to 65535 seconds.

• Logging enabled or disabled flag. Enables or disables TACACS+ command logging.

Setting up a TACACS+ server

The following procedure provides an example of setting up a TACACS+ server on an external host running Linux.

1. Download and install the latest version of the open-source Cisco TACACS+ server (tac_plus) from the shrubbery.net ftp site (ftp://ftp.shrubbery.net/pub/tac_plus).

2. Add the shared-secret key for VC, a list of users with their passwords and member groups (group membership can be nested), and the VCM roles to be authorized for each user or group to the server configuration file /etc/tac_plus.conf. For example:

    # Shared secret for the VC client at 10.10.10.113; must match the key configured on VC
    host = 10.10.10.113 {
        key = tac!@123
    }

    # User accounts
    user = tacuser {
        login = cleartext "password"
        member = testgroup              # member of group "testgroup"
    }

    # Groups
    group = testgroup {
        member = ALL_STAFF              # a group can itself be a member of another group
        service = hp-vc-mgmt {          # service used for VCM role authorization
            autocmd = network           # authorize privilege "network"
            autocmd = domain            # authorize privilege "domain"
        }
    }

    group = ALL_STAFF {
    }
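The settings above (port 49, the shared secret, the timeout) map directly onto the TACACS+ wire protocol, and the quickest way to confirm that a freshly configured tac_plus and VC agree on the key is to drive an ASCII-login exchange by hand. The following Python module is an added example written for this page; it is not code from the HP Virtual Connect manual or from tac_plus. It implements the RFC 8907 header, the shared-secret obfuscation (chained MD5 pseudo-pad XORed over the body), the authentication START and CONTINUE bodies, and a small live client whose socket timeout plays the role of the VC Timeout setting. The port name "vc-cli", the remote address, the fixed session id and the consistency check on decoded START bodies are assumptions for illustration; the key "tac!@123" and the user "tacuser" are the values from the configuration above.

```python
"""TACACS+ (RFC 8907) client framing: header, shared-secret obfuscation, ASCII-login
START body and a live exchange. Added example, not HP Virtual Connect or tac_plus code."""
import hashlib
import os
import socket
import struct

TAC_PLUS_MAJOR_VER = 0xC
TAC_PLUS_AUTHEN = 0x01                 # header type: authentication
TAC_PLUS_UNENCRYPTED_FLAG = 0x01       # body sent in the clear (lab use only)
TAC_PLUS_AUTHEN_STATUS_PASS = 0x01
TAC_PLUS_AUTHEN_STATUS_GETPASS = 0x05
HEADER_FMT = "!BBBBII"                 # version, type, seq_no, flags, session_id, length
HEADER_LEN = struct.calcsize(HEADER_FMT)  # 12 bytes, always sent in the clear

def pseudo_pad(session_id, key, version, seq_no, length):
    """Keystream per RFC 8907 section 4.5: chained MD5 over session_id|key|version|seq_no."""
    prefix = struct.pack("!I", session_id) + key.encode() + bytes([version, seq_no])
    pad, prev = b"", b""
    while len(pad) < length:
        prev = hashlib.md5(prefix + prev).digest()
        pad += prev
    return pad[:length]

def obfuscate(body, session_id, key, version, seq_no):
    """XOR the body with the pseudo-pad; the same call obfuscates and de-obfuscates."""
    pad = pseudo_pad(session_id, key, version, seq_no, len(body))
    return bytes(b ^ p for b, p in zip(body, pad))

def authen_start_body(user, port="vc-cli", rem_addr="10.10.10.113", priv_lvl=1):
    """START body: action LOGIN(1), priv_lvl, authen_type ASCII(1), authen_service LOGIN(1),
    four 1-byte lengths, then user, port, rem_addr and (empty) data. port/rem_addr are assumed."""
    u, p, r = user.encode(), port.encode(), rem_addr.encode()
    return struct.pack("!8B", 1, priv_lvl, 1, 1, len(u), len(p), len(r), 0) + u + p + r

def start_body_is_consistent(body):
    """Illustrative server-side check before trusting a START body: the embedded lengths
    must sum to the body length and the action must be defined. A body decoded with the
    wrong shared secret is pseudo-random and almost never passes."""
    if len(body) < 8:
        return False
    action, _, _, _, ul, pl, rl, dl = struct.unpack("!8B", body[:8])
    return action in (1, 2, 3) and 8 + ul + pl + rl + dl == len(body)

def build_packet(ptype, seq_no, body, key, session_id=None):
    """Frame a body; obfuscate it with the shared secret unless the key is empty."""
    if session_id is None:
        session_id = struct.unpack("!I", os.urandom(4))[0]
    version = TAC_PLUS_MAJOR_VER << 4          # minor version 0 is used for ASCII login
    flags = 0 if key else TAC_PLUS_UNENCRYPTED_FLAG
    payload = obfuscate(body, session_id, key, version, seq_no) if key else body
    return struct.pack(HEADER_FMT, version, ptype, seq_no, flags, session_id, len(body)) + payload

def parse_packet(packet, key):
    """Split a packet into header fields and the de-obfuscated body."""
    if len(packet) < HEADER_LEN:
        raise ValueError("short header")
    version, ptype, seq_no, flags, session_id, length = struct.unpack(HEADER_FMT, packet[:HEADER_LEN])
    payload = packet[HEADER_LEN:HEADER_LEN + length]
    if len(payload) != length:
        raise ValueError("truncated body")
    body = payload if flags & TAC_PLUS_UNENCRYPTED_FLAG else obfuscate(payload, session_id, key, version, seq_no)
    return {"version": version, "type": ptype, "seq_no": seq_no, "flags": flags,
            "session_id": session_id, "body": body}

def authenticate_ascii(host, key, user, password, port=49, timeout=5.0):
    """Live ASCII login: START -> REPLY GETPASS -> CONTINUE(password) -> REPLY PASS/FAIL.
    Client packets use odd sequence numbers, server replies even ones; the socket timeout
    plays the role of the VC 'Timeout' setting (no reply in time raises socket.timeout)."""
    session_id = struct.unpack("!I", os.urandom(4))[0]
    seq = 1
    with socket.create_connection((host, port), timeout=timeout) as sock, sock.makefile("rb") as rx:
        sock.sendall(build_packet(TAC_PLUS_AUTHEN, seq, authen_start_body(user), key, session_id))
        while True:
            header = rx.read(HEADER_LEN)
            if len(header) < HEADER_LEN:
                raise ConnectionError("server closed the connection")
            reply = parse_packet(header + rx.read(struct.unpack(HEADER_FMT, header)[5]), key)
            status = reply["body"][0]    # REPLY: status, flags, server_msg_len(2), data_len(2), ...
            if status == TAC_PLUS_AUTHEN_STATUS_PASS:
                return True
            if status != TAC_PLUS_AUTHEN_STATUS_GETPASS:
                return False             # FAIL, ERROR, RESTART or an unexpected prompt
            seq += 2
            cont = struct.pack("!HHB", len(password), 0, 0) + password.encode()  # CONTINUE body
            sock.sendall(build_packet(TAC_PLUS_AUTHEN, seq, cont, key, session_id))

if __name__ == "__main__":
    # Offline demo with the manual's example key and a fixed session id (constructed values).
    pkt = build_packet(TAC_PLUS_AUTHEN, 1, authen_start_body("tacuser"), "tac!@123", session_id=0x11223344)
    for k in ("tac!@123", "tac!@124"):
        print(k, "->", start_body_is_consistent(parse_packet(pkt, k)["body"]))
```

Against a running server, `authenticate_ascii("10.10.10.1", "tac!@123", "tacuser", "password")` returns True only if the key on both sides matches and the account exists; a key mismatch shows up as the server dropping the connection or answering ERROR rather than as an explicit "bad key", because the header is the only part of the packet sent in the clear. This is also why the shared secret and the unencrypted flag deserve the same care as the account passwords: the MD5 pseudo-pad is obfuscation keyed by the secret, not authenticated encryption.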
