auth tacacs
auth tacacs(1) BIG-IP TMSH Manual auth tacacs(1)
NAME
tacacs - Configures a TACACS+ configuration object for implementing
remote authentication of BIG-IP(r) system users based on TACACS+.
MODULE
auth
SYNTAX
Configure the tacacs component within the auth module using the syntax
shown in the following sections.
CREATE/MODIFY
create tacacs [name]
modify tacacs [name]
options:
accounting [send-to-first-server | send-to-all-servers]
app-service [[string] | none]
authentication [use-first-server | use-all-servers]
debug [disabled | enabled]
description [string]
encryption [disabled | enabled]
protocol [none | [protocol] ]
secret [ "[string]" ]
servers
[add | delete | replace-all-with] {
[ [ [hostname[:port]] | [ip address[:port]] ] ... ]
}
service [ [name] | none]
timeout [integer]
edit tacacs [ [ [name] | [glob] | [regex] ] ...]
options:
all-properties
non-default-properties
DISPLAY
list tacacs
list tacacs [ [ [name] | [glob] | [regex] ] ...]
show running-config tacacs
show running-config tacacs [ [ [name] | [glob] | [regex] ] ...]
options:
all-properties
non-default-properties
one-line
partition
DELETE
delete tacacs [name]
DESCRIPTION
To authenticate BIG-IP system users when their authentication data is
stored on a remote TACACS+ server, you create a TACACS+ configuration
object, and then activate the object.
To configure TACACS+ authentication for BIG-IP system users:
1. Use the tacacs component in the auth module to configure a TACACS+
configuration object.
2. To activate TACACS+ authentication for BIG-IP system users, run the
following command sequence: modify / auth source type tacacs
EXAMPLES
create tacacs bigip_tacacs_auth servers add {my_tacacs_server}
Creates a TACACS+ configuration object named bigip_tacacs_auth.
delete tacacs bigip_tacacs_auth
Deletes the TACACS+ configuration object named bigip_tacacs_auth.
OPTIONS
accounting
If multiple TACACS+ servers are defined and pluggable
authentication module (PAM) session accounting is enabled, sends
accounting start and stop packets to the first available server or
to all servers. The default value is send-to-first-server.
Possible values are:
send-to-all-servers
The system sends accounting start and stop packets to all
servers.
send-to-first-server
The system sends accounting start and stop packets to the
first available server.
app-service
Specifies the name of the application service to which the TACACS+
configuration object belongs. The default value is none. Note: If
the strict-updates option is enabled on the application service
that owns the object, you cannot modify or delete the TACACS+
configuration object. Only the application service can modify or
delete the TACACS+ configuration object.
authentication
Specifies the process the system employs when sending
authentication requests. The default value is use-first-server.
Possible values are:
use-all-servers
The system sends an authentication request to each server
until authentication succeeds, or until the system has sent a
request to all servers in the list.
use-first-server
The system sends authentication requests to only the first
server in the list.
debug
Enables syslog-ng debugging information at the LOG DEBUG level. F5
Networks does not recommend this option for normal use. The
default value is disabled.
description
User defined description.
encryption
Enables or disables encryption of TACACS+ packets. F5 Networks
recommends this option for normal use. The default value is
enabled.
glob Displays the items that match the glob expression. See help glob
for a description of glob expression syntax.
name Specifies a unique name for the component. This option is required
for the commands create and modify.
partition
Displays the administrative partition within which the component
resides.
protocol
Specifies the protocol associated with the value specified in the
service option, which is a subset of the associated service being
used for client authorization or system accounting.
regex
Displays the items that match the regular expression. The regular
expression must be preceded by an at sign (@[regular expression])
to indicate that the identifier is a regular expression. See help
regex for a description of regular expression syntax.
secret
Sets the secret key used to encrypt and decrypt packets sent or
received from the server. This option is required.
servers
Specifies the host name or IPv4 address of the TACACS+ server. For
each server, a port may optionally be specified in the format
hostname:port or IPv4:port. If no port is specified, the default
port 49 is used. This option is required.
service
Specifies the name of the service that the user is requesting to
be authenticated to use. Identifying the service enables the
TACACS+ server to behave differently for different types of
authentication requests. This option is required.
timeout Specifies the connect timeout in seconds. The default value is
10 seconds. Zero indicates no timeout.
SEE ALSO
auth user, create, delete, edit, glob, list, modify, regex, run, show,
tmsh
COPYRIGHT
No part of this program may be reproduced or transmitted in any form or
by any means, electronic or mechanical, including photocopying,
recording, or information storage and retrieval systems, for any
purpose other than the purchaser's personal use, without the express
written permission of F5 Networks, Inc.
F5 Networks and BIG-IP (c) Copyright 2008-2013. All rights reserved.
BIG-IP 2016-08-10 auth tacacs(1)