3.112. <ServerTACACSPLUS> Previous topic Parent topic Child topic Next topic

This clause tells Radiator to act as a Tacacs+ server (as well as a RADIUS server).
Tacacs+ is an older Authentication, Authorisation and Accounting (AAA) protocol developed by Cisco, and supported by some Cisco devices. It uses TCP connections between the client (usually some kind of router) and the Tacacs+ server. Newer Cisco devices generally support both RADIUS and Tacacs+, or perhaps just RADIUS. While some older Cisco devices only support Tacacs+. In addition, there are some Cisco security facilities that are only available through Tacacs+.
The <ServerTACACSPLUS> clause handles Tacacs+ Authentication, Authorisation and Accounting requests in the following way:
By default Radiator requires that the user has previously authenticated with this Radiator instance before accepting any TACACS+ authorisation requests. The authentication reply provides the authorisation information Radiator needs to handle the subsequent TACACS+ authorisation requests. If the optional parameter AllowAuthorizeOnly is enabled, Radiator will request authorisation information even if the user has not previously authenticated with this Radiator instance. For more information, see Section 3.112.13. AllowAuthorizeOnly.
If <ServerTACACSPLUS> is used to authenticate administrator access to a Cisco device, you may need to add specific authorisation attributes to allow administrative access. For example, to get administrative access to a Cisco Aironet wireless Access Point requires that the authorisation include a Tacacs+ attribute-value pair like:
You can achieve this by having a suitable cisco-avpair reply item for the relevant user in your Radiator database:
ciscouser User-Password=fred
or by having an AuthorizationAdd parameter in your <ServerTACACSPLUS> clause:
AuthorizationAdd aironet:admin-capability=ident+admin
This example enables only some levels of administrative access (ident and admin). See your Cisco device documentation for more details.
Devices from other vendors than Cisco, such as Juniper, may also accept ciscoavpair attributes.
<ServerTACACSPLUS> can be used with any Radiator authentication method that understands plaintext passwords (such as FILE, SQL, LDAP, DBFILE, etc.), and also with any method that might Challenge the user for additional authentication data (such as DIGIPASS, ACE, OPIE, OTP, INTERNAL etc.).
You can use the Tacacs+ test client goodies/tacacsplustest in your distribution to send test Tacacs+ requests.
During request processing, Server TACACSPLUS looks for a Client clause that matches the origin of the TACACS+ request, as described above. If found, a number of parameters from the Client clause are used during processing: