Required TACACS+ server settings, Setting up a TACACS+ server – HP 1.10GB Virtual Connect Ethernet Module for c-Class BladeSystem User Manual
Virtual Connect users and roles
Required TACACS+ server settings
The following TACACS+ server settings must be configured on VC to enable TACACS+-based authentication:
• Enable or disable flag
• TACACS+ server IP address
• TCP port number: the default (well-known) value for TACACS+ authentication is 49.
• Shared secret key: this is a plain text key that must be configured both on VC and on the server. Both keys should match. The length of the secret key can vary from 1 to 128 characters.
• Timeout: the time in seconds by which a server response must be received, before any retry for a new request is made. The valid range of values is from 1 to 65535 seconds.
• Logging enabled or disabled flag: used to enable or disable TACACS+ command logging.
Setting up a TACACS+ server
The following procedure provides an example of setting up a TACACS+ server on an external host running
Linux.
1. Download and install the latest version of the open-source Cisco TACACS+ server from the shrubbery ftp site (ftp://ftp.shrubbery.net/pub/tac_plus).
2. Add the shared-secret key for VC, a list of users, their passwords and member groups (can be recursive), and the VCM roles to be authorized for each user or group, to the server configuration file /etc/tac_plus.conf. For example:
    # set the secret key for client
    host = 10.10.10.113 {
        key = tac!@123                  # Secret-key for 10.10.10.113
    }
    # users accounts
    user = tacuser {
        login = cleartext "password"
        member = testgroup              # Member of group "testgroup"
    }
    # groups
    group = testgroup {
        member = ALL_STAFF
        service = hp-vc-mgmt {          # Service for role-authorization
            autocmd = network           # Authorize privilege "network"
            autocmd = domain            # Authorize privilege "domain"
        }
    }
    group = ALL_STAFF {
    }
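An added example, not part of the HP manual or the tac_plus project: a small Python audit of a tac_plus.conf like the one above. It resolves each user's effective hp-vc-mgmt privileges through recursive group membership and flags cleartext passwords and keys outside VC's 1 to 128 character limit. The parser is simplified (it assumes no '#' inside quoted strings), and the names parse_block and audit are hypothetical.

```python
import re
# Constructed sample: the manual's example config, callout arrows removed.
SAMPLE = '''
host = 10.10.10.113 { key = tac!@123 }
user = tacuser { login = cleartext "password"  member = testgroup }
group = testgroup { member = ALL_STAFF
    service = hp-vc-mgmt { autocmd = network  autocmd = domain } }
group = ALL_STAFF { }
'''
TOKEN = re.compile(r'"[^"]*"|[{}=]|[^\s{}="]+')

def parse_block(toks, i=0):
    """Parse 'attr = value... [{ block }]' entries until '}' or end of input."""
    entries = []
    while i < len(toks) and toks[i] != "}":
        attr, i, vals, child = toks[i], i + 2, [], []   # i + 2 skips the '='
        # Values run until a brace or the next 'name =' pair.
        while i < len(toks) and toks[i] not in ("{", "}") and toks[i + 1:i + 2] != ["="]:
            vals.append(toks[i].strip('"'))
            i += 1
        if i < len(toks) and toks[i] == "{":
            child, i = parse_block(toks, i + 1)
            i += 1                                      # skip the closing '}'
        entries.append((attr, vals, child))
    return entries, i

def audit(text):
    """Return ({user: [VC privileges]}, [findings]) for a tac_plus.conf text."""
    text = re.sub(r"#.*", "", text)   # assumption: no '#' inside quoted strings
    top, _ = parse_block(TOKEN.findall(text))
    groups = {v[0]: c for a, v, c in top if a == "group"}
    def privileges(entries, seen):
        privs = set()
        for a, v, c in entries:
            if a == "service" and v == ["hp-vc-mgmt"]:
                privs |= {cv[0] for ca, cv, _ in c if ca == "autocmd"}
            elif a == "member" and v[0] not in seen:    # 'seen' stops membership loops
                privs |= privileges(groups.get(v[0], []), seen | {v[0]})
        return privs
    roles, findings = {}, []
    for a, v, c in top:
        if a == "host":
            key = next((cv[0] for ca, cv, _ in c if ca == "key"), "")
            if not 1 <= len(key) <= 128:
                findings.append(f"host {v[0]}: key length {len(key)} outside 1-128")
        elif a == "user":
            if any(ca == "login" and cv[:1] == ["cleartext"] for ca, cv, _ in c):
                findings.append(f"user {v[0]}: password stored as cleartext")
            roles[v[0]] = sorted(privileges(c, set()))
    return roles, findings
```

Calling audit(SAMPLE) returns the role map and the list of findings; pass it the text of /etc/tac_plus.conf to audit a real file.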