Setting the TACACS+ encryption key

The Set TACACS Key command sets the encryption key used to encrypt all data packets between the Sentry and the TACACS+ server. This key must match the key configured on the TACACS+ server.

To set the encryption key:

At the Sentry: prompt, type set tacacs key and press Enter.

At the TACACS+ Key: prompt, type a key of up to 60 characters and press Enter. Any printable ASCII character (decimal 32 to 126) is accepted, and keys are case sensitive. To specify no key, press Enter without typing anything.

At the Verify TACACS+ Key: prompt, retype the key and press Enter. If you specified no key, press Enter again.

Example

Sentry: set tacacs key<Enter>
TACACS+ Key: <Enter>
Verify TACACS+ Key: <Enter>

For security, key characters are not displayed.

NOTE: A key size of zero results in no encryption being applied to TACACS+ packets. The TACACS+ server may not accept unencrypted packets, and this setting is not recommended for a production environment.
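What the key above actually does on the wire is worth seeing, because it explains both why the two sides must hold the same key and what the zero-length case means. The following is an added example, not code from the Sentry manual or from Server Technology: it implements the body obfuscation that TACACS+ specifies in RFC 8907 section 4.5. The key never travels in a packet; each end derives an MD5 pseudo-random pad from the session ID, the key, the version byte and the sequence number, and XORs that pad over the packet body. RFC 8907 itself calls this obfuscation rather than encryption, so the key protects credentials from casual capture, not from a determined attacker on the path. The constants follow RFC 8907; the function names, the sample session ID, the sample key and the sample user, port and address values are my own, constructed for the example.

```python
# Added example, not from the Sentry manual: TACACS+ body obfuscation per
# RFC 8907 section 4.5.  Constant values follow the RFC; function names and the
# sample key/session/user values below are constructed for this example.
import hashlib
import struct

TAC_PLUS_MAJOR_VER = 0xC          # header version byte is major<<4 | minor
TAC_PLUS_MINOR_VER_DEFAULT = 0x0
TAC_PLUS_AUTHEN = 0x01            # packet type: authentication
TAC_PLUS_UNENCRYPTED_FLAG = 0x01  # body is sent in the clear (zero-length key)
HEADER_FMT = "!BBBBII"            # version, type, seq_no, flags, session_id, length
HEADER_LEN = struct.calcsize(HEADER_FMT)  # 12 bytes


def tacacs_pad(session_id: int, key: bytes, version: int, seq_no: int, length: int) -> bytes:
    """RFC 8907 pad: MD5_1 = MD5(session_id, key, version, seq_no),
    MD5_n = MD5(session_id, key, version, seq_no, MD5_{n-1}); concatenate the
    digests until they cover the body, then truncate to the body length."""
    prefix = struct.pack("!I", session_id) + key + bytes([version, seq_no])
    pad, last = b"", b""
    while len(pad) < length:
        last = hashlib.md5(prefix + last).digest()
        pad += last
    return pad[:length]


def xor_bytes(data: bytes, pad: bytes) -> bytes:
    return bytes(a ^ b for a, b in zip(data, pad))


def authen_start_body(user: str, port: str, rem_addr: str) -> bytes:
    """Constructed sample: an Authentication START body (RFC 8907 section 5.1)
    for an ASCII login at privilege level 1, the kind of packet a device sends
    when someone logs in.  No 'data' field is included."""
    action, priv_lvl, authen_type, service = 0x01, 0x01, 0x01, 0x01  # LOGIN, 1, ASCII, LOGIN
    u, p, r = user.encode(), port.encode(), rem_addr.encode()
    return bytes([action, priv_lvl, authen_type, service, len(u), len(p), len(r), 0]) + u + p + r


def build_packet(body: bytes, key: bytes, session_id: int, seq_no: int = 1,
                 pkt_type: int = TAC_PLUS_AUTHEN) -> bytes:
    """Wrap a body in a TACACS+ header, obfuscating it with the shared key.
    A zero-length key mirrors the manual's 'key size of zero' case: the body is
    left in the clear and the header's UNENCRYPTED flag is set."""
    version = (TAC_PLUS_MAJOR_VER << 4) | TAC_PLUS_MINOR_VER_DEFAULT
    flags = 0
    if key == b"":
        flags |= TAC_PLUS_UNENCRYPTED_FLAG
        wire_body = body
    else:
        wire_body = xor_bytes(body, tacacs_pad(session_id, key, version, seq_no, len(body)))
    header = struct.pack(HEADER_FMT, version, pkt_type, seq_no, flags, session_id, len(body))
    return header + wire_body


def parse_packet(packet: bytes, key: bytes) -> dict:
    """Reverse build_packet.  There is no integrity check in the obfuscation:
    a key that does not match the sender's simply yields a garbled body, which
    is why the key on the Sentry and on the server must be identical."""
    version, pkt_type, seq_no, flags, session_id, length = struct.unpack(HEADER_FMT, packet[:HEADER_LEN])
    wire_body = packet[HEADER_LEN:HEADER_LEN + length]
    if flags & TAC_PLUS_UNENCRYPTED_FLAG:
        body = wire_body
    else:
        body = xor_bytes(wire_body, tacacs_pad(session_id, key, version, seq_no, length))
    return {"version": version, "type": pkt_type, "seq_no": seq_no, "flags": flags,
            "session_id": session_id, "body": body}


if __name__ == "__main__":
    key = b"Sentry-Shared-Key"                                  # assumed value
    body = authen_start_body("admin", "tty0", "192.0.2.10")     # constructed sample
    pkt = build_packet(body, key, session_id=0x1A2B3C4D)
    print("wire body differs from plaintext:", pkt[HEADER_LEN:] != body)
    print("same key recovers body:", parse_packet(pkt, key)["body"] == body)
    print("wrong key gives garbage:", parse_packet(pkt, b"typo")["body"] != body)
    clear = build_packet(body, b"", session_id=0x1A2B3C4D)
    print("zero-length key -> UNENCRYPTED flag set, username readable:",
          bool(clear[3] & TAC_PLUS_UNENCRYPTED_FLAG), b"admin" in clear)
```

Run it and note the last line: with a zero-length key the username appears in the packet as plain text, and a mismatched key does not produce an error, only an unparseable body, so a key typo on one side shows up as failed logins rather than a clear diagnostic.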

Setting the authentication order

The Set Authorder command sets the authentication order for remote authentication sessions. The Sentry supports two authentication orders: Remote -> Local and Remote Only.

The Remote -> Local method first attempts authentication with the TACACS+ server and, if that attempt is unsuccessful, with the local user database on the Sentry device.

The Remote Only method attempts authentication only with the TACACS+ server; if that attempt is unsuccessful, access is denied.

NOTE: With the Remote Only method, if authentication fails because the Sentry cannot communicate with the TACACS+ server (rather than because the server rejected the credentials), the Sentry automatically falls back to the local user database. Because of this fallback, local accounts must still carry strong passwords even when Remote Only is configured.

To set the authentication order:

At the Sentry: prompt, type set authorder, followed by remotelocal or remoteonly and press Enter.

NOTE: Server Technology recommends NOT setting the authentication order to Remote Only until TACACS+ has been fully configured and tested.

Displaying TACACS+ configuration information

The Show TACACS command displays the following TACACS+ configuration information:

Enabled-disabled status of TACACS+ support

Primary and secondary TACACS+ server IP addresses

Whether a TACACS+ key has been set (the key itself is never displayed)

Remote authentication order

To display the TACACS+ configuration information:

At the Sentry: prompt, type show tacacs and press Enter.

Example

The following command displays the TACACS+ configuration information:

Sentry: show tacacs<Enter>

TACACS+ Configuration
TACACS+: Disabled
Host IP1: 98.76.54.32
Host IP2: 0.0.0.0
TACACS+ Key: (Set)
Auth Order: Remote->Local
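The output above is what an auditor reads off a Sentry, and the three sections on this page amount to a short checklist for it: TACACS+ enabled, a key set, a server address configured, and the authentication order deliberately chosen. The following is an added example, not code from the Sentry manual or from Server Technology: it parses the "show tacacs" text into a dictionary and reports which of those points the configuration misses. The sample output is the manual's own example; the policy rules, their wording and the function names are mine.

```python
# Added example, not from the Sentry manual: audit the text printed by
# 'show tacacs' against the hardening points this page makes.  The sample
# output is the manual's example; the rules and function names are my own.
import ipaddress

SAMPLE_SHOW_TACACS = """\
TACACS+ Configuration
TACACS+: Disabled
Host IP1: 98.76.54.32
Host IP2: 0.0.0.0
TACACS+ Key: (Set)
Auth Order: Remote->Local
"""


def parse_show_tacacs(text: str) -> dict:
    """Turn 'Label: value' lines into a dict; the title line has no colon and is skipped."""
    cfg = {}
    for line in text.splitlines():
        if ":" in line:
            label, value = line.split(":", 1)
            cfg[label.strip()] = value.strip()
    return cfg


def configured_hosts(cfg: dict) -> list:
    """Server slots that are actually set; the Sentry shows an unused slot as 0.0.0.0."""
    hosts = []
    for label in ("Host IP1", "Host IP2"):
        value = cfg.get(label, "0.0.0.0")
        try:
            addr = ipaddress.ip_address(value)
        except ValueError:
            continue  # unparseable field: treat as not configured
        if not addr.is_unspecified:
            hosts.append(value)
    return hosts


def audit_tacacs(cfg: dict) -> list:
    """Return one finding string per policy point the configuration misses."""
    findings = []
    if cfg.get("TACACS+") != "Enabled":
        findings.append("TACACS+ is not enabled: logins are checked against the local database only")
    if cfg.get("TACACS+ Key") != "(Set)":
        findings.append("TACACS+ key is not set: a zero-length key sends packet bodies unencrypted")
    hosts = configured_hosts(cfg)
    if not hosts:
        findings.append("no TACACS+ server address configured")
    elif len(hosts) == 1:
        findings.append("only one TACACS+ server configured: an outage of that server "
                        "forces fallback to local accounts")
    if cfg.get("Auth Order") == "Remote->Local":
        findings.append("Auth Order is Remote->Local: a credential the TACACS+ server rejects is "
                        "retried against local accounts; set remoteonly once TACACS+ is tested")
    return findings


if __name__ == "__main__":
    for finding in audit_tacacs(parse_show_tacacs(SAMPLE_SHOW_TACACS)):
        print("-", finding)
```

Against the manual's sample output the audit reports three findings (TACACS+ disabled, a single server, Remote->Local order) and nothing about the key, which the output shows as set.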

Sentry PT22 Installation and Operations Manual, Advanced Operations, page 64