Section 3.49. <AuthBy TACACSPLUS>

3.49. <AuthBy TACACSPLUS>

<AuthBy TACACSPLUS> provides authentication via a TacacsPlus server. It supports authentication only, not accounting or authorisation. It requires the Authen::TacacsPlus module. It is part of CPAN. For more information, see Section 2.1.2. CPAN. Use at least version TacacsPlus-0.15.tar.gz. Earlier versions do not work properly. Version 0.15 supports PAP authentication only. Later versions support both PAP and CHAP.

<AuthBy TACACSPLUS> understands also the same parameters as <AuthBy xxxxxx>. For more information, see Section 3.32. <AuthBy xxxxxx>.

3.49.1. Host

This optional parameter specifies the name of the host where the TacacsPlus server is running. It can be a DNS name or an IP address. Defaults to localhost.

Host oscar.example.com

3.49.2. Key

This mandatory parameter specifies the encryption key to be used to encrypt the connection to the TacacsPlus server. You must specify this. There is no default. It must match the key specified in the TacacsPlus server configuration file.

# There is a line saying key = mytacacskey in my tac_plus
# config file
Key mytacacskey

3.49.3. Port

This optional parameter specifies the TCP port to be used to connect to the TacacsPlus server. It can be a service name as specified in /etc/services or an integer port number. Defaults to ‘tacacs’ (TCP port 49). You should not need to change this unless your TacacsPlus server is listening on a non-standard port.

3.49.4. Timeout

This optional parameter specifies the number of seconds timeout. Defaults to 15. You would only need to change this under unusual circumstances.

3.49.5. AuthType

This optional parameter allows you to force the type of authentication to be used in the Tacacs+ request sent to the Tacacs+ server. Options are ‘PAP’ and ‘ASCII’. The default is to choose PAP if the version of Authen::TacacsPlus is 0.16 or greater, otherwise ASCII.

# Force ASCII auth regardless of the version of 
# Authen::TacacsPlus installed
AuthType ASCII