ltm auth tacacs
ltm auth tacacs(1) BIG-IP TMSH Manual ltm auth tacacs(1)
NAME
tacacs - Configures a TACACS+ configuration component for implementing
remote TACACS+-based client authentication.
MODULE
ltm auth
SYNTAX
Configure the tacacs component within the ltm auth module using the
syntax shown in the following sections.
CREATE/MODIFY
create tacacs [name]
modify tacacs [name]
options:
accounting [send-to-all-servers | send-to-first-server]
authentication [use-all-servers | use-first-server]
debug [disabled | enabled]
description [string]
encryption [disabled | enabled]
protocol [none | [protocol] ]
secret [ "[string]" ]
servers
[add | delete | replace-all-with] {
[ [ [hostname[:port]] | [ip address[:port]] ] ... ]
}
service [ [name] | none] ]
edit tacacs [ [ [name] | [glob] | [regex] ] ... ]
options:
all-properties
non-default-properties
DISPLAY
list tacacs
list tacacs [ [ [name] | [glob] | [regex] ] ... ]
show running-config tacacs
show running-config tacacs [ [ [name] | [glob] | [regex] ] ... ]
options:
all-properties
non-default-properties
one-line
partition
DELETE
delete tacacs [name]
DESCRIPTION
Using a TACACS+ configuration object and profile, you can implement the
TACACS+ authentication module as the mechanism for authenticating
client connections passing through the BIG-IP Local Traffic Manager
system. You use this module when your authentication data is stored on
a remote TACACS+ server. In this case, client credentials are based on
basic HTTP authentication (that is, user name and password).
To implement a TACACS+ authentication module and create a TACACS
configuration object:
1. Use the tacacs component in the ltm auth module to configure a
TACACS+ configuration object.
2. Use the profile component in the ltm auth module to create an
authentication profile in which you specify the following options:
a. For the configuration option, specify the TACACS+ configuration
object that you created in Step 1.
b. For the defaults-from option, specify a parent profile (either
the default TACACS+ profile named tacacs or another custom profile
that you created).
EXAMPLES
create tacacs my_tacacs_auth secret "This is the secret" servers add
{my_tacacs_server} encryption enabled
Enables encryption for TACACS+ packets.
create tacacs my_tacacs_auth secret "This is the secret" servers add {
my_tacacs_server1 my_tacacs_server2 } accounting send-to-all-servers
Provides the ability to send accounting start and stop packets to all
servers
OPTIONS
accounting
If multiple TACACS+ servers are defined and pluggable
authentication module (PAM) session accounting is available,
specifies where the system sends accounting start and stop
packets. Possible values are:
send-to-all-servers
Sends to all servers.
send-to-first-server
Sends to the first available server.
authentication
Specifies when to use the secret key supplied for the secret
option. This option is required. The options are:
use-all-servers
Use the secret key with all servers.
use-first-server
Use the secret key with the first available server.
debug
Enables syslog-ng debugging information at LOG DEBUG level. F5
Networks does not recommend this option for normal use. The
default value is disabled.
description
User defined description.
encryption
Enables or disables encryption of TACACS+ packets. F5 Networks
recommends this option for normal use. The default value is
enabled.
glob Displays the items that match the glob expression. See help glob
for a description of glob expression syntax.
name Specifies a unique name for the component. This option is required
for the commands create, delete, and modify.
partition
Displays the administrative partition within which the component
resides.
protocol
Specifies the protocol associated with the value specified in the
service option, which is a subset of the associated service being
used for client authorization or system accounting.
regex
Displays the items that match the regular expression. The regular
expression must be preceded by an at sign (@[regular expression])
to indicate that the identifier is a regular expression. See help
regex for a description of regular expression syntax.
secret
Sets the secret key used to encrypt and decrypt packets sent or
received from the server. This option is required.
servers
Specifies the host name or IPv4 address of the TACACS+ server. For
each server, a port may optionally be specified in the format
hostname:port or IPv4:port. If no port is specified, the default
port 49 is used. This option is required.
service
Specifies the name of the service that the user is requesting to
be authenticated to use. Identifying the service enables the
TACACS+ server to behave differently for different types of
authentication requests. This option is required.
SEE ALSO
create, delete, edit, glob, list, ltm auth profile, ltm virtual,
modify, regex, show, tmsh,
COPYRIGHT
No part of this program may be reproduced or transmitted in any form or
by any means, electronic or mechanical, including photocopying,
recording, or information storage and retrieval systems, for any
purpose other than the purchaser's personal use, without the express
written permission of F5 Networks, Inc.
F5 Networks and BIG-IP (c) Copyright 2008-2012. All rights reserved.
BIG-IP 2014-09-29 ltm auth tacacs(1)