From the Secure Shell service configuration page, you can configure TACACS+
authentication to allow users to authenticate against external TACACS+ servers to log in to
the DNS/DHCP Server.
Attention:
- Before you begin, BlueCat strongly recommends creating a "Break
Glass" account to ensure that the server can be accessed in case of accidental
misconfiguration.
- You must have an operating TACACS+ server in order to proceed with
configuring TACACS+ authentication.
To configure TACACS+ authentication on a DNS/DHCP Server:
- Select the Servers tab in the sidebar, then select Servers.
- Select the name of a server.
- Select the Services tab.
- Under Server management and configuration, locate the SSH service panel and
  select Edit service.
- Under General, set the following parameters:
  - TACACS+ enabled—select this check box to enable TACACS+ authentication;
    deselect this check box to disable TACACS+ authentication.
  - Server—enter the hostname or IP address of the TACACS+ server that will be
    used for authentication.
  - Shared secret—enter the shared secret used to encrypt and decrypt packets
    between the client and the server.
- On the TACACS+ users tab, set the following parameters:
  - Username—enter the name of the TACACS+ user.
  - Member of—enter the name of the TACACS+ group that the user is a member of.
  - Executables—enter the path to the commands that are granted to the TACACS+
    user. You can enter multiple paths to commands as comma-separated values.
    For example: /sbin/ifup,/sbin/ifdown
  - Select Add TACACS+ user to table to add the configured user permissions to
    the TACACS+ users table.
- On the TACACS+ groups tab, set the following parameters:
  - Group name—enter the name of the TACACS+ group.
  - Executables—enter the path to the commands that are granted to the TACACS+
    group. You can enter multiple paths to commands as comma-separated values.
    For example: /sbin/ifup,/sbin/ifdown
  - Select Add TACACS+ group to table to add the configured group permissions
    to the TACACS+ groups table.
- Select Save.