The parameters for configuring TACACS+ are to be found under the following paths:
WEBconfig: LCOS menu tree / Setup / TACACS+
- Accounting
Activates accounting via TACACS+ server. If TACACS+ accounting is activated,
all accounting data is transmitted via TACACS+ protocol to the configured
TACACS+ server.
Possible values:
- Activated, deactivated
Default:
- Deactivated
Note: TACACS+ accounting will only activate if the defined TACACS+ server is available.
- Authentication
Activates authentication via TACACS+ server. If TACACS+ authentication
is activated, all authentication data is transmitted via TACACS+ protocol
to the configured TACACS+ server.
Possible values:
- Activated, deactivated
Default:
- Deactivated
Note: TACACS+ authentication will only activate if the defined TACACS+ server is available. Fallback to local users is only possible if a root password has been set for the LANCOM. The fallback to local users must be deactivated for devices without a root password. Otherwise a failure of the network connection (TACACS+ server unavailable) would make the LANCOM accessible without a password.
- Authorization
Activates authorization via TACACS+ server. If TACACS+ authorization
is activated, all authorization data is transmitted via TACACS+ protocol
to the configured TACACS+ server.
Possible values:
- Activated, deactivated
Default:
- Deactivated
Note: TACACS+ authorization will only activate if the defined TACACS+ server is available. If TACACS+ authorization is activated, the TACACS+ server will be queried for authorization each time a user enters a command. Data traffic during configuration will increase correspondingly. Also, the user rights must be defined in the TACACS+ server.
- Fallback to local users
Should the defined TACACS+ server be unavailable, it is possible to
fall back to local user accounts on the LANCOM. This allows for access
to the device even if the TACACS+ connection should fail, e.g. when deactivating
the usage of TACACS+ or for correcting the configuration.
Possible values:
- Allowed, prohibited
Default:
- Allowed
Note: The fallback to local user accounts presents a security risk if no root password is set for the LANCOM. For this reason, TACACS+ authentication with fallback to local user accounts can only be activated if a root password has been set. If no root password is set, access to the device configuration can be blocked for security reasons if no connection is available to the TACACS+ server. In this case, the device may have to be reset to its factory settings in order to regain access to the configuration.
- Shared secret
The password for encrypting the communications between NAS and TACACS+
servers.
Possible values:
- 31 alphanumerical characters
Default:
- Blank
Note: The password must be entered identically into the LANCOM and the TACACS+ server. We recommend that you do not operate TACACS+ without encryption.
- SNMP-GET requests accounting
Numerous network management tools use SNMP for requesting information
from network devices. LANmonitor also uses SNMP to access the LANCOM
devices to display information about current connections, etc., or to
execute actions such as disconnecting a connection. SNMP can be used
to configure devices. For this reason TACACS+ requires authentication
for SNMP access requests. Since LANmonitor regularly queries these
values, a large number of unnecessary TACACS+ connections would be established.
If authentication, authorization and accounting by TACACS+ are activated,
then each request would initiate three sessions with the TACACS+ server.
This parameter allows the regulation of the behavior of LANCOM devices
with regard to SNMP access in order to reduce the number of TACACS+ sessions
required for accounting. Authentication via the TACACS+ server remains
necessary if authentication for TACACS+ is activated generally.
Note: Entering a read-only community under LCOS menu tree / Setup / SNMP enables authentication by TACACS+ to be deactivated for LANmonitor. The read-only community defined here is then entered into LANmonitor as a user name.
Possible values:
- only_for_SETUP_tree: With this setting, accounting via TACACS+ server is only required for SNMP access via the setup branch of LCOS.
- All: With this setting, accounting by TACACS+ server will be carried out for every SNMP access. In case of regular request for status information, for example, the load on the TACACS+ server will increase significantly.
- None: With this setting, accounting by TACACS+ server will not be carried out for SNMP accesses.
Default:
- only_for_SETUP_tree
- SNMP-GET requests authorization
This parameter allows the regulation of the behavior of LANCOM devices
with regard to SNMP access in order to reduce the number of TACACS+ sessions
required for authorization. Authentication via the TACACS+ server remains
necessary if authentication for TACACS+ is activated generally.
Possible values:
- only_for_SETUP_tree: With this setting, authorization via TACACS+ server is only required for SNMP access via the setup branch of LCOS.
- All: With this setting, authorization by TACACS+ server will be carried out for every SNMP access. In case of regular request for status information, for example, the load on the TACACS+ server will increase significantly.
- None: With this setting, authorization by TACACS+ server will not be carried out for SNMP accesses.
Default:
- only_for_SETUP_tree
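The notes on authentication, fallback and SNMP handling above can be checked mechanically against an exported set of settings. The following is an added example, not LANCOM code: the dictionary keys are hypothetical names for the parameters on this page (not LCOS syntax), and the polling rate is a constructed value.

```python
def _applies(mode, in_setup_tree):
    """Does an SNMP-GET accounting/authorization mode cover this request?"""
    return mode == "All" or (mode == "only_for_SETUP_tree" and in_setup_tree)


def sessions_per_snmp_get(cfg, in_setup_tree):
    """TACACS+ sessions opened by one SNMP GET, following the page's description."""
    count = 1 if cfg["authentication"] else 0
    if cfg["authorization"] and _applies(cfg["snmp_get_authorization"], in_setup_tree):
        count += 1
    if cfg["accounting"] and _applies(cfg["snmp_get_accounting"], in_setup_tree):
        count += 1
    return count


def audit(cfg, status_polls_per_hour=0):
    """Return (code, detail) findings for risky combinations of the settings."""
    findings = []
    if cfg["authentication"]:
        if cfg["fallback_to_local_users"] and not cfg["root_password_set"]:
            # Server outage would leave the device reachable without a password.
            findings.append(("OPEN_ON_OUTAGE", "fallback allowed without a root password"))
        elif not cfg["fallback_to_local_users"]:
            # Server outage blocks configuration access; factory reset may be needed.
            findings.append(("LOCKOUT_ON_OUTAGE", "no local fallback if the server is unreachable"))
    # Status polling (e.g. by a monitoring tool) reads outside the setup tree.
    load = status_polls_per_hour * sessions_per_snmp_get(cfg, in_setup_tree=False)
    if load:
        findings.append(("SNMP_LOAD", f"{load} TACACS+ sessions per hour from status polling"))
    return findings


# Constructed sample settings: everything activated, no root password set.
RISKY = {
    "authentication": True, "authorization": True, "accounting": True,
    "fallback_to_local_users": True, "root_password_set": False,
    "snmp_get_accounting": "All", "snmp_get_authorization": "All",
}
# Same device with a root password and SNMP handling limited to the setup tree.
HARDENED = dict(RISKY, root_password_set=True,
                snmp_get_accounting="only_for_SETUP_tree",
                snmp_get_authorization="only_for_SETUP_tree")

if __name__ == "__main__":
    for name, cfg in (("risky", RISKY), ("hardened", HARDENED)):
        print(name, audit(cfg, status_polls_per_hour=720))
```
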
- Encryption
Activates or deactivates the encryption of communications between NAS
and TACACS+ servers.
Possible values:
- Activated, deactivated
Default:
- Activated
Note: We recommend that you do not operate TACACS+ without encryption. If encryption is activated here, the password for encryption entered here must match the password on the TACACS+ server.
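What the Shared secret and Encryption settings do on the wire, shown with the body obfuscation defined for TACACS+ in RFC 8907 (section 4.5). This is an added example, not LANCOM code; the body, session ID and secrets are constructed sample values.

```python
import hashlib
import struct

TAC_PLUS_UNENCRYPTED_FLAG = 0x01  # header flag: body travels in cleartext
HEADER = struct.Struct("!BBBBII")  # version, type, seq_no, flags, session_id, length


def pseudo_pad(session_id, secret, version, seq_no, length):
    """RFC 8907 section 4.5: chained MD5 blocks, truncated to the body length."""
    seed = struct.pack("!I", session_id) + secret + bytes([version, seq_no])
    pad, block = b"", b""
    while len(pad) < length:
        block = hashlib.md5(seed + block).digest()
        pad += block
    return pad[:length]


def build_packet(body, session_id, secret, encrypt=True, seq_no=1):
    """Header plus body; the body is XORed with the pad when encryption is on."""
    version, pkt_type = 0xC0, 0x01  # default version, authentication packet
    flags = 0 if encrypt else TAC_PLUS_UNENCRYPTED_FLAG
    if encrypt:
        pad = pseudo_pad(session_id, secret, version, seq_no, len(body))
        body = bytes(b ^ p for b, p in zip(body, pad))
    return HEADER.pack(version, pkt_type, seq_no, flags, session_id, len(body)) + body


def read_packet(packet, secret):
    """Receiver side: parse the header and undo the pad with the local secret."""
    version, _type, seq_no, flags, session_id, length = HEADER.unpack_from(packet)
    body = packet[HEADER.size:HEADER.size + length]
    if flags & TAC_PLUS_UNENCRYPTED_FLAG:
        return body
    pad = pseudo_pad(session_id, secret, version, seq_no, length)
    return bytes(b ^ p for b, p in zip(body, pad))


# Constructed sample body and secret; not a real TACACS+ authentication body.
BODY = b"user=admin cmd=show-config"
SECRET = b"Example-Shared-Secret"

if __name__ == "__main__":
    clear = build_packet(BODY, 0x1234ABCD, SECRET, encrypt=False)
    hidden = build_packet(BODY, 0x1234ABCD, SECRET)
    print("body readable with encryption deactivated:", BODY in clear)
    print("body readable with encryption activated:", BODY in hidden)
    print("server with identical secret recovers body:", read_packet(hidden, SECRET) == BODY)
    print("server with different secret recovers body:", read_packet(hidden, b"other") == BODY)
```

With a blank secret the pad depends only on header fields that travel in the clear, so activating encryption gives real protection only together with a non-empty secret.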