How to Configure RADIUS or TACACS+ for Authentication

As an administrator, you can authenticate users against RADIUS and TACACS+ servers.
RADIUS and TACACS+ users are imported as user groups. When a RADIUS server is used to identify users for a User Group, the appliance first attempts to match the User Group Groupname to the designated Attribute 25.
The users can be refreshed manually through a link that appears on the User Group page.
Complete the following tasks:
Prerequisites
TACACS+ Server Support
The appliance can work with the following software:
  • tac_plus
  • Cisco Secure Access Control Server (ACS) version 4 or 5
When configuring device access to Cisco, you cannot configure a unique enable password for each Cisco device user with TACACS+.
RADIUS Server Support
The appliance supports PAP and CHAP authentication for RADIUS.
During RADIUS authentication, if multiple user records are found with the same RADIUS login name, the login process is blocked and all those users are deactivated. An administrator must then explicitly enable one of these users.
When importing LDAP users with RADIUS authentication, all these LDAP RADIUS users are deactivated when either of the following conditions exists:
  • Multiple LDAP users have the same RADIUS login name
  • Any LDAP user login name matches an existing RADIUS user in the appliance
Configure a Device and Target Information
Before you configure authentication with RADIUS or TACACS+, add the server, create a target application, and set up the target account.
Follow these steps:
  1. Navigate to Devices, Manage Devices, and select Add.
    1. Enter a Name. If Access is configured, this name is displayed on the Access page.
    2. Enter the RADIUS or TACACS+ server IP Address or FQDN. DNS must be configured on the Network Settings page for an FQDN to work.
    3. Select at least the Password Management Device Type.
    4. See Device Setup for details about other Device settings (optional).
  2. Select Save and Add Target Applications.
    The Add Target Application window appears. Host Name and Device Name are populated with your Device data.
  3. Specify an Application Name.
  4. Select RADIUS/TACACS+ Secret as the Application Type.
    A second tab, named RADIUS/TACACS+ Secret, appears in the Add Target Application window.
    1. Select a Type of either RADIUS or TACACS+.
    2. Alter the Port if necessary.
    3. For more information about optional Application settings, see Add Target Applications.
    4. Select OK.
  5. Navigate to Credentials, Manage Targets, Accounts, and select Add.
    1. Use the Select magnifying glass icon to select the Application Name you created for RADIUS or TACACS+. The Host Name and Device Name are populated.
    2. Specify an Account Name.
    3. Enter the Secret for this account.
    4. For more information about optional Account settings, see Add Target Accounts and Aliases.
    5. Select OK to save the Account.
Add RADIUS and TACACS+ as Third-Party Servers
After you configure the target application and target accounts for RADIUS and TACACS+, complete the setup by adding these servers as third-party servers.
Follow these steps:
  1. Navigate to Configuration, 3rd Party, RADIUS and TACACS+.
  2. Select Add on the RADIUS and TACACS+ Servers tab and do the following steps:
    1. Use the Select magnifying glass icon for Account to find the RADIUS or TACACS+ account and select it. Server and Application automatically populate.
    2. Alternatively, start by selecting the Server, then the Application, then the Account.
  3. Optionally, select the Timeout tab and adjust the following settings to modify RADIUS timeout parameters:
    • Login Timeout (secs): Specifies the login timeout for all RADIUS server login attempts
    • RADIUS Timeout: Specifies the maximum time to wait for a reply from the RADIUS server
    • RADIUS Retries: Specifies the number of times a request is sent before trying the next server
  4. Select OK to save.
    The RADIUS or TACACS+ domain appears in the RADIUS and TACACS+ Accounts list.
  5. To enable creating a User Group for RADIUS or TACACS+, log out of the appliance and log back in.
  6. Navigate to Users, Manage User Groups to import users from RADIUS or TACACS+.
    1. Select Create RADIUS Group or Create TACACS+ Group.
      To locate users in a RADIUS or TACACS+ group, each group name you specify must match a corresponding group name or ID on the RADIUS or TACACS+ server. The appliance uses the configured grouping to manage users.
    2. Enter the corresponding RADIUS or TACACS+ group name or ID as the Group Name.
      • All the privileges that users hold are derived from their group. Only users with a local account, or whose group matches the group name in the UI, are granted access. Contact the RADIUS or TACACS+ server administrator for the group name.
      • If a RADIUS group is provisioned but the user does not exist, a shadow RADIUS user is created. The shadow user is not visible in the user management screen or the user list.
      For more information about User Groups, see Configure User Groups.
  7. Select OK to save the Group.
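To illustrate the Attribute 25 group matching described in the overview and in step 6, the following Python (an added example, not code from the appliance or its vendor) parses a constructed RADIUS Access-Accept and reports which configured User Group names appear in its Class values; RFC 2865 defines Attribute 25 as Class. The group names, packet identifier and attribute contents are made-up sample values, and the assumption that the appliance matches against the Class values of the Access-Accept is mine, not stated on this page.

```python
import struct

# RFC 2865 attribute 25 is Class; this page's Groupname match is assumed to run against it.
RADIUS_CLASS_ATTR = 25
ACCESS_ACCEPT = 2


def parse_radius(packet: bytes) -> dict:
    """Parse the RFC 2865 header and attribute list; reject malformed lengths instead of guessing."""
    if len(packet) < 20:
        raise ValueError("packet shorter than the 20-byte RADIUS header")
    code, identifier, length = struct.unpack("!BBH", packet[:4])
    if length < 20 or length > len(packet):
        raise ValueError("Length field inconsistent with packet size")
    attrs = {}
    pos = 20
    while pos < length:
        if pos + 2 > length:
            raise ValueError("truncated attribute header")
        attr_type, attr_len = packet[pos], packet[pos + 1]
        # attr_len counts the type and length octets, so anything under 2 would never advance
        if attr_len < 2 or pos + attr_len > length:
            raise ValueError("attribute length out of range")
        attrs.setdefault(attr_type, []).append(packet[pos + 2:pos + attr_len])
        pos += attr_len
    return {"code": code, "identifier": identifier, "attrs": attrs}


def build_access_accept(identifier: int, class_values: list) -> bytes:
    """Constructed Access-Accept with one Class attribute per value (authenticator zeroed; sample only)."""
    body = b"".join(bytes([RADIUS_CLASS_ATTR, len(v) + 2]) + v for v in class_values)
    return struct.pack("!BBH", ACCESS_ACCEPT, identifier, 20 + len(body)) + bytes(16) + body


def matched_groups(packet: bytes, configured_groups: list) -> list:
    """Return the configured User Group names whose Groupname appears in the reply's Class values."""
    parsed = parse_radius(packet)
    if parsed["code"] != ACCESS_ACCEPT:
        return []  # an Access-Reject (or anything else) grants no group membership
    classes = {v.decode("utf-8", "replace") for v in parsed["attrs"].get(RADIUS_CLASS_ATTR, [])}
    return [g for g in configured_groups if g in classes]


if __name__ == "__main__":
    # Constructed sample: the server returns two Class values, only one of which is a configured group.
    reply = build_access_accept(7, [b"pam-admins", b"unrelated"])
    print(matched_groups(reply, ["pam-admins", "pam-operators"]))  # ['pam-admins']
```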