Required TACACS+ server settings

The following TACACS+ server settings must be configured on VC to enable TACACS+-based authentication:

Enable or disable flag

TACACS+ server IP address

Server SSL port number—the default (well-known) value for TACACS+ authentication is 49.

Shared secret server key—this is a plain text key that must be configured both on VC and on the server. Both keys should match. The length of the secret key can vary from 1 to 128 characters.

Timeout—the time in seconds within which a server response must be received before the request is retried. The valid range of values is from 1 to 65535 seconds.

Setting up an IPv4-only TACACS+ server

The following procedure provides an example of setting up a TACACS+ server on an external host running Linux.

1. Download and install the latest version of the open-source Cisco TACACS+ server from the shrubbery ftp site (ftp://ftp.shrubbery.net/pub/tac_plus).

2. Add the shared-secret key for VC, a list of users, their passwords and member groups (can be recursive), and the VCM roles to be authorized for each user or group in the server configuration file /etc/tac_plus.conf. For example:

#set the secret key for client
host = 10.10.10.113 {
    key = tac!@123                  <------- Secret key for 10.10.10.113
}

#users accounts
user = tacuser {
    login = cleartext "password"
    member = testgroup              <------- Member of group "testgroup"
}

#groups
group = testgroup1 {
    member = ALL_STAFF
    service = hp-vc-mgmt {          <------- Service for role authorization
        autocmd = network           <------- Authorize privilege "network"
        autocmd = domain            <------- Authorize privilege "domain"
    }
}

group = testgroup2 {
    member = ALL_STAFF
    service = hp-vc-mgmt {

Virtual Connect users and roles 81
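To check what a tac_plus configuration like the one above actually grants before pointing VC at it, here is an added Python example (not from the guide or the tac_plus project) that parses the brace syntax and resolves a user's effective hp-vc-mgmt roles through nested group membership, guarding against membership cycles. The sample configuration and its user and group names are constructed; the hp-vc-mgmt service and the autocmd attribute are taken from the excerpt above.

```python
import re
_LINE = re.compile(r"^(\w+)\s*=\s*(.+?)\s*(\{)?$")       # 'type = name' with optional trailing '{'
SAMPLE_CONF = """# constructed sample modelled on the excerpt above; not the guide's own file
user = tacuser {
    member = netops
}
group = netops {
    member = all_staff
    service = hp-vc-mgmt {
        autocmd = network
    }
}
group = all_staff {
    service = hp-vc-mgmt {
        autocmd = domain
    }
}
"""

def parse(text):
    """Parse tac_plus brace syntax into a list of nested {type, name, children} nodes."""
    stack = [[]]                                         # stack[0] is the root block
    for raw in text.splitlines():
        line = re.sub(r"(^|\s)#.*", "", raw).strip()     # drop '#' comments
        if line == "}":
            stack.pop()                                  # close the current block
        elif m := _LINE.match(line):
            node = {"type": m[1], "name": m[2].strip('"'), "children": []}
            stack[-1].append(node)
            if m[3]:                                     # trailing '{' opens a nested block
                stack.append(node["children"])
        elif line:
            raise ValueError(f"unparsable line: {raw!r}")
    return stack[0]

def effective_roles(conf, username):
    """VC roles for a user: hp-vc-mgmt autocmds on the user and on every group reached via member."""
    index = {(n["type"], n["name"]): n["children"] for n in conf}
    roles, seen = set(), set()
    def walk(kind, name):
        if (kind, name) in seen:                         # cycle guard for recursive groups
            return
        seen.add((kind, name))
        for c in index[(kind, name)]:                    # KeyError here: member of an undefined group
            if c["type"] == "service" and c["name"] == "hp-vc-mgmt":
                roles.update(a["name"] for a in c["children"] if a["type"] == "autocmd")
            elif c["type"] == "member":
                walk("group", c["name"])
    walk("user", username)
    return roles
```

Running effective_roles(parse(SAMPLE_CONF), "tacuser") returns the roles from both nesting levels, and a user whose member line names a group the file never defines surfaces as a KeyError rather than a silently empty role set.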