TACACS+ Authentication
Terminal Access Controller Access-Control System Plus (TACACS+) is a protocol that handles authentication, authorization, and accounting (AAA) services. SecureSync supports pam_tacplus, allowing users to validate their username/password against a TACACS+ server when logging into SecureSync. Currently, the http/https/ssh/telnet/ftp protocols are supported, i.e., you can log in to a SecureSync unit using TACACS+ authentication via applications using any of these protocols.
Note: Your TACACS+ files will need to have either a pap or global user attribute. SecureSync does not authenticate tacacs.conf files with the default login user attribute.
Caution: In order to utilize TACACS+ authentication, the account username on the TACACS+ server must NOT be used with a local user account.
Example:
A user with the username user3 on the TACACS+ server will not be able to log in to a SecureSync unit if a local user account with the username user3 exists on that unit. However, once the local user3 account has been deleted, she will be able to log in with the TACACS+ user3 account.
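As an added illustration (not Spectracom or SecureSync code), the following Python check parses a tac_plus-style user configuration and flags the two conditions described above: user entries whose only password attribute is login, and TACACS+ usernames that collide with a local account. The tac_plus block syntax, the configuration text and the local user list are assumptions and constructed sample data, not taken from a real unit.

```python
"""Pre-deployment check for a SecureSync TACACS+ setup (added example).

Flags user blocks that lack a pap or global attribute (SecureSync will
not authenticate a user that only has the default login attribute) and
usernames that also exist as local accounts on the unit.
"""
import re

# Constructed tac_plus-style config (assumed syntax): user = NAME { attr = ... }
SAMPLE_CONF = """
key = "EXAMPLE-shared-secret"
user = user1 {
    login = cleartext "sample-pw"
}
user = user2 {
    pap = cleartext "sample-pw"
}
user = user3 {
    global = cleartext "sample-pw"
}
"""

# Constructed list of local accounts already present on the unit.
LOCAL_USERS = {"spadmin", "user3"}

USER_BLOCK = re.compile(r'user\s*=\s*(\S+)\s*\{([^}]*)\}')
ATTR_NAME = re.compile(r'^\s*(\w+)\s*=', re.M)


def parse_users(conf):
    """Return {username: set of attribute names} for every user block."""
    return {name: set(ATTR_NAME.findall(body))
            for name, body in USER_BLOCK.findall(conf)}


def check_users(conf, local_users):
    """Return a list of (username, problem) tuples; an empty list means OK."""
    problems = []
    for name, attrs in parse_users(conf).items():
        if not attrs & {"pap", "global"}:
            problems.append((name, "login-only"))      # will not authenticate
        if name in local_users:
            problems.append((name, "local-collision"))  # TACACS+ login fails
    return problems


if __name__ == "__main__":
    for user, problem in check_users(SAMPLE_CONF, LOCAL_USERS):
        print(f"{user}: {problem}")
```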
Sources of general reference information on TACACS+:
- https://en.wikipedia.org/wiki/TACACS
- http://www.cisco.com/c/en/us/support/docs/security-vpn/remote-authentication-dial-user-service-radius/13838-10.html
- https://github.com/jeroennijhof/pam_tacplus
See also RADIUS Authentication
Enabling/Disabling TACACS+
To enable or disable the use of TACACS+ authentication on a SecureSync unit:
- In the Web UI, navigate to MANAGEMENT > OTHER: Authentication.
- In the Actions panel on the left, click TACACS+. The TACACS+ Setup window will be displayed.
- Check the box labeled HTTP/HTTPS if you want to enable TACACS+, or uncheck the box if you want to disable TACACS+.
- Click Submit.
Adding/Removing a TACACS+ Server
To add a TACACS+ authentication server, or remove a server from the list:
- Navigate to MANAGEMENT > OTHER: Authentication.
- In the Actions panel on the left, click TACACS+ Setup. The TACACS+ Setup window will be displayed:
- Fill out the fields:
- Host: The hostname or IP address of the TACACS+ server
- Port: Defines the TACACS+ Port to use.
- Secret Key: The same encryption key as used on the TACACS+ server.
- Click the Add Server button. If the server could be added, the confirmation message "The item has been added" will be displayed and the server will be added to the list. The server status can be:
- DISABLED: The TACACS+ service is disabled.
- UNREACHABLE: This TACACS+ server cannot be reached.
- REACHABLE: This TACACS+ server can be reached.
- To remove a TACACS+ server from the list, click the X-button in the Actions column.
Note: SecureSync supports multiple TACACS+ servers. System performance, however, will be negatively affected by a large number of servers or by invalid servers.