
TACACS

General Information

Forward Enterprise supports two different types of user accounts:

  • LOCAL
  • TACACS+

TACACS+ accounts are treated differently from LOCAL accounts:

  • TACACS+ users can only be imported; they cannot be created locally. A user account appears in the application only after that user's first successful login against the TACACS+ server.
  • The email address field is optional for TACACS+ users and is empty until it is filled in.
  • Username and password are read-only for TACACS+ users, because credentials are verified by the TACACS+ server rather than stored in Forward Enterprise.

TACACS Setup

  1. Navigate to Settings --> Accounts --> External Authentication and click on the Enable button in the TACACS+ section to enable TACACS+ authentication.

TACACS Enable

  2. Configure each setting appropriately:

TACACS Config

  • TACACS+ authentication: Enabled or disabled.
  • TACACS+ Server: The hostname or IP address of the TACACS+ server to authenticate users to.
  • Port: The TCP port on which the TACACS+ service listens on the server specified above. TACACS+ servers listen on TCP port 49 by default.
  • Secret Key: The shared secret used to obfuscate the body of every packet exchanged with the TACACS+ server (maximum length 63 characters). It must match the key configured for this client on the TACACS+ server. Note that the TACACS+ obfuscation is an MD5-based keystream, not strong encryption: anyone who holds the key can read the traffic, including user passwords, so use a long random key and restrict the network path between the Forward VM and the server.
  • Auth Protocol: The authentication protocol to use between the Forward VM and the TACACS+ server. Options are ASCII, PAP or CHAP. With ASCII and PAP the password itself is carried in the packet body, protected only by the obfuscation described above; with CHAP a challenge and an MD5 response are sent instead of the password.
  • Auth Timeout in Sec: The number of seconds to wait for a response from the TACACS+ server. Defaults to 5 seconds.
  • Network Permissions: New users will automatically inherit this network role for all networks that exist at the time when they first log in. Changing this setting will not affect existing users. Options are:
    • Restricted: Restricted users have no access to the network. They will not be able to load any of the network's Snapshots or other data, or even see that the network exists.
    • Read-only: Read-only users have read-only access to the network. They can search for paths and network objects, view verification/check results, and run diffs for all Snapshots in the network. However, they will not be able to create/modify/delete checks, configure the Collector, or delete Snapshots.
    • Admin: Admin users have full read/write access to the network. In addition to all of the things that a "Read-only" user can do, they can create/modify/delete checks, configure the Collector, and delete Snapshots.

Test TACACS Setup

  1. On the Settings --> Accounts --> TACACS+ page, enter a valid username and password into the Test Authentication section.
  2. Click "Test whether this user can login" to verify that the TACACS+ configuration works.

A green "Success! User authentication with the TACACS+ server" message should appear, as shown at the bottom of the TACACS Config picture above.
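To make the settings above concrete (Secret Key, Auth Protocol, port 49) and to show what the Test Authentication step actually exchanges on the wire, here is an added example of a minimal TACACS+ PAP login written for this page. It is not Forward Enterprise code and does not use Forward's API; it implements the RFC 8907 packet header, the shared-secret body obfuscation and the authentication START/REPLY packets, with a mock TACACS+ server in the same process standing in for the real one. Only PAP is implemented; the port and remote-address strings, the secret and the credential table are constructed for the example.

```python
import hashlib
import os
import struct

# Constants from RFC 8907 (TACACS+).
TAC_PLUS_MAJOR_VER = 0xC
TAC_PLUS_AUTHEN = 0x01            # packet type: authentication
TAC_PLUS_AUTHEN_LOGIN = 0x01      # START "action"
TAC_PLUS_AUTHEN_SVC_LOGIN = 0x01  # authen_service
AUTHEN_TYPE = {"ASCII": 0x01, "PAP": 0x02, "CHAP": 0x03}  # the page's Auth Protocol options
STATUS_PASS, STATUS_FAIL, STATUS_ERROR = 0x01, 0x02, 0x07  # REPLY statuses this mock emits
HEADER = struct.Struct("!BBBBII")  # version, type, seq_no, flags, session_id, body length

def pseudo_pad(session_id, key, version, seq_no, length):
    """RFC 8907 s4.5 keystream: chained MD5(session_id|key|version|seq_no|previous_digest)."""
    seed = struct.pack("!I", session_id) + key + bytes([version, seq_no])
    pad, prev = b"", b""
    while len(pad) < length:
        prev = hashlib.md5(seed + prev).digest()
        pad += prev
    return pad[:length]

def obfuscate(body, session_id, key, version, seq_no):
    """XOR the body with the pseudo pad; the same call de-obfuscates."""
    pad = pseudo_pad(session_id, key, version, seq_no, len(body))
    return bytes(b ^ p for b, p in zip(body, pad))

def pack_packet(version, ptype, seq_no, session_id, body, key):
    hdr = HEADER.pack(version, ptype, seq_no, 0x00, session_id, len(body))
    return hdr + obfuscate(body, session_id, key, version, seq_no)

def unpack_packet(packet, key):
    version, ptype, seq_no, _flags, session_id, length = HEADER.unpack(packet[:HEADER.size])
    body = packet[HEADER.size:HEADER.size + length]
    if len(body) != length:
        raise ValueError("truncated packet")
    return version, ptype, seq_no, session_id, obfuscate(body, session_id, key, version, seq_no)

def build_authen_start(username, password, session_id, key, port="web", rem_addr="10.0.0.5"):
    """Client side (the Forward VM's role): PAP START, seq_no 1; the password is the data field."""
    version = (TAC_PLUS_MAJOR_VER << 4) | 0x1  # minor version 1 is mandatory for PAP and CHAP
    user, prt, rem, data = (s.encode() for s in (username, port, rem_addr, password))
    body = struct.pack("!8B", TAC_PLUS_AUTHEN_LOGIN, 1, AUTHEN_TYPE["PAP"],
                       TAC_PLUS_AUTHEN_SVC_LOGIN, len(user), len(prt), len(rem), len(data))
    return pack_packet(version, TAC_PLUS_AUTHEN, 1, session_id, body + user + prt + rem + data, key)

def parse_authen_start(body):
    """Split a de-obfuscated START body; strict checks reject garbage produced by a wrong secret."""
    action, _priv, atype, _svc, ul, pl, rl, dl = struct.unpack("!8B", body[:8])
    if (action != TAC_PLUS_AUTHEN_LOGIN or atype not in AUTHEN_TYPE.values()
            or 8 + ul + pl + rl + dl != len(body)):
        raise ValueError("START does not parse: wrong shared secret or malformed packet")
    user = body[8:8 + ul]
    data = body[8 + ul + pl + rl:8 + ul + pl + rl + dl]
    return atype, user.decode("utf-8", "replace"), data.decode("utf-8", "replace")

def recover_pap_password(packet, key):
    """Anyone holding the shared secret can read a captured PAP START: obfuscation is not encryption."""
    return parse_authen_start(unpack_packet(packet, key)[4])[2]

def mock_server(packet, server_key, credentials):
    """Mock TACACS+ server: de-obfuscate with its own secret, check PAP, REPLY with seq_no 2."""
    version, _ptype, _seq, session_id, body = unpack_packet(packet, server_key)
    try:
        atype, user, password = parse_authen_start(body)
        ok = atype == AUTHEN_TYPE["PAP"] and credentials.get(user) == password
        status, msg = (STATUS_PASS, b"") if ok else (STATUS_FAIL, b"Authentication failed")
    except (ValueError, struct.error):
        status, msg = STATUS_ERROR, b"Invalid packet (check shared secret)"
    reply = struct.pack("!BBHH", status, 0, len(msg), 0) + msg
    return pack_packet(version, TAC_PLUS_AUTHEN, 2, session_id, reply, server_key)

def parse_authen_reply(packet, key, session_id):
    """Client side: de-obfuscate the REPLY and check that it belongs to our session and parses."""
    _ver, _ptype, seq_no, sid, body = unpack_packet(packet, key)
    if sid != session_id or seq_no != 2 or len(body) < 6:
        raise ValueError("reply does not match this session")
    status, _flags, ml, dl = struct.unpack("!BBHH", body[:6])
    if status not in (STATUS_PASS, STATUS_FAIL, STATUS_ERROR) or 6 + ml + dl != len(body):
        raise ValueError("reply does not parse: check the shared secret on both sides")
    return status, body[6:6 + ml].decode("utf-8", "replace")

def authenticate(username, password, client_key, server_key, credentials):
    """One full exchange; differing client/server keys model a mistyped Secret Key."""
    session_id = int.from_bytes(os.urandom(4), "big")  # fresh per session, sent in clear
    start = build_authen_start(username, password, session_id, client_key)
    reply = mock_server(start, server_key, credentials)
    try:
        return parse_authen_reply(reply, client_key, session_id)
    except ValueError as exc:
        return STATUS_ERROR, str(exc)

if __name__ == "__main__":
    KEY, USERS = b"s3cret-shared-key", {"alice": "correct horse battery"}  # constructed
    print(authenticate("alice", "correct horse battery", KEY, KEY, USERS))     # (1, '')
    print(authenticate("alice", "wrong", KEY, KEY, USERS))                     # (2, 'Authentication failed')
    print(authenticate("alice", "correct horse battery", KEY, b"typo", USERS)) # status 7: neither side can decode
```

Two things the exchange makes visible. First, the session ID and sequence numbers travel in the cleartext header while only the body is XORed with the MD5 keystream derived from the Secret Key, so whoever has the key (or can brute-force a short one offline from a capture) reads the PAP password directly; that is the reason for the key length and network-path advice under Secret Key. Second, when the key differs between the Forward VM and the server, each side receives a body it cannot parse and the Test Authentication step fails with a generic error rather than a "wrong key" message, so check the key on both ends before assuming the test credentials are wrong.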