TACACS+

The Sentry family of products supports the Terminal Access Controller Access Control System (TACACS+) protocol. This enables authentication and authorization with a central TACACS+ server; user accounts do not need to be individually created locally on each Sentry device.

This allows administrators to pre-define and configure (in each Sentry product, and in the TACACS+ server) a set of necessary TACACS+ privilege levels, and the user access rights for each. A user's access rights can then be assigned or revoked simply by making the user a member of one or more pre-defined Sentry TACACS+ privilege levels. User account rights can be added, deleted, or changed within TACACS+ without any changes needed on individual Sentry products.

The Sentry supports 16 different TACACS+ privilege levels; 15 are entirely configurable by the system administrator (1 is reserved for default Admin level access to all Sentry resources).

TACACS+ Command Summary

Command                  Description
---------------------    ---------------------------------------------------------------------------
Set Authorder            Specifies the authentication order for each new session attempt
Set TACACS               Enables/disables SSL support
Set TACACS HostIP        Sets the IP address of the TACACS server
Set TACACS Key           Sets the TACACS encryption key
Show TACACS              Displays TACACS configurations
Add GrouptoTACACS        Grants a TACACS account access to one or more groups
Add OutlettoTACACS       Grants a TACACS account access to one or all outlets
Add PorttoTACACS         Grants a TACACS account access to one or more serial ports
Delete GroupfromTACACS   Removes access to one or more groups for a TACACS account
Delete OutlettoTACACS    Removes access to one or more outlets for a TACACS account
Delete PortfromTACACS    Removes access to one or more serial ports for a TACACS account
Set TacPriv Access       Sets the access level for a TACACS account
Set TacPriv Envmon       Grants or removes privileges to view input and environmental monitoring status
List TacPrivs            Displays access levels for all TACACS accounts
List TacPriv             Displays all accessible outlets/groups/ports for a TACACS account

Enabling and Setting up TACACS+ Support

There are a few configuration requirements for properly enabling and setting up TACACS+ support. Below is an overview of the minimum requirements:

1. Enable TACACS+ support.

2. Define the IP address and domain component of at least one TACACS+ server.

3. Set the TACACS+ key configured on the supporting TACACS+ server.

Enabling and disabling TACACS+ support

The Set TACACS command is used to enable or disable TACACS+ support.

To enable or disable TACACS+ support:

At the Sentry: prompt, type set tacacs, followed by enabled or disabled and press Enter.

Setting the TACACS+ server IP address

The Set TACACS HostIP command sets the TCP/IP address of the TACACS+ server.

To set the TACACS+ server IP address:

At the Sentry: prompt, type set tacacs, followed by hostip1 or hostip2 and the TACACS+ server’s IP address. Press Enter.

Example

The following command sets the primary TACACS+ server IP address to 98.76.54.32:

Sentry: set tacacs hostip1 98.76.54.32<Enter>
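The three minimum requirements above (enable, server address, shared key) are easy to get out of order or half-done when typed by hand. The following Python script is an added example, not code from the Sentry manual or from Server Technology: it checks a planned TACACS+ configuration against those requirements and emits the CLI lines in the manual's set tacacs syntax, putting the server address and key before the enable step and finishing with show tacacs so the stored values can be confirmed. The argument form of set tacacs key is an assumption modelled on the hostip1 example; the sample address and key are constructed values.

```python
"""Plan and sanity-check a Sentry TACACS+ configuration before typing it in.

Added example, not from the Sentry manual or Server Technology. It models the
three minimum requirements the manual lists (enable TACACS+, set at least one
server IP, set the shared key) and emits the CLI lines in the manual's
`set tacacs ...` syntax. The argument form of `set tacacs key <key>` is an
assumption based on the documented `set tacacs hostip1 <ip>` example.
"""
import ipaddress
from dataclasses import dataclass
from typing import List, Optional


@dataclass
class TacacsPlan:
    hostip1: Optional[str] = None   # primary TACACS+ server (manual: hostip1)
    hostip2: Optional[str] = None   # secondary TACACS+ server (manual: hostip2)
    key: Optional[str] = None       # shared secret; must match the server's key
    enabled: bool = True            # set tacacs enabled / disabled


def validate(plan: TacacsPlan) -> List[str]:
    """Return a list of problems; an empty list means the minimums are met."""
    problems = []
    hosts = [h for h in (plan.hostip1, plan.hostip2) if h]
    if not hosts:
        problems.append("no TACACS+ server address set (hostip1 or hostip2 required)")
    for h in hosts:
        try:
            # Set TACACS HostIP takes a TCP/IP address, not a hostname
            ipaddress.IPv4Address(h)
        except ipaddress.AddressValueError:
            problems.append(f"{h!r} is not a valid IPv4 address")
    if not plan.key:
        problems.append("TACACS+ key is empty; it must match the key configured on the server")
    elif any(c.isspace() for c in plan.key):
        problems.append("TACACS+ key contains whitespace, which the CLI would split into extra arguments")
    return problems


def build_commands(plan: TacacsPlan) -> List[str]:
    """Emit the CLI lines in a safe order: server and key first, enable last.

    Enabling before a server and key exist would start sending authentication
    requests to a server the device cannot reach or cannot talk to. Disabling
    needs no server or key, so that path skips validation.
    """
    if not plan.enabled:
        return ["set tacacs disabled", "show tacacs"]
    problems = validate(plan)
    if problems:
        raise ValueError("; ".join(problems))
    cmds = []
    if plan.hostip1:
        cmds.append(f"set tacacs hostip1 {plan.hostip1}")
    if plan.hostip2:
        cmds.append(f"set tacacs hostip2 {plan.hostip2}")
    cmds.append(f"set tacacs key {plan.key}")   # assumed argument form
    cmds.append("set tacacs enabled")
    cmds.append("show tacacs")                  # confirm what the device stored
    return cmds


if __name__ == "__main__":
    # Constructed sample values; the address is the manual's own example.
    plan = TacacsPlan(hostip1="98.76.54.32", key="EXAMPLE-SHARED-KEY")
    for line in build_commands(plan):
        print(f"Sentry: {line}")
```

Run it with a real server address and key to get the exact lines to type at the Sentry: prompt; the validation step is the part worth keeping, since a device enabled for TACACS+ with a mistyped key or an unreachable server will reject the very logins it is supposed to centralise.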

Sentry PT22

Advanced Operations • 63

Installation and Operations Manual