Configuring TACACS+ authentication

This content is for reference purposes only. Do not configure TACACS+ on a new APM-Private Cloud installation.

By default, users are authenticated by APM-Private Cloud. Alternatively, APM-Private Cloud can be configured to authenticate users using an external TACACS+ authentication server.

A secondary TACACS+ server can also be configured. The secondary server is used when the primary server is unavailable or if a login fails.

Limitations include:

  • TACACS+ authentication is only available for the APM-Private Cloud web interface.
  • Only the Cisco Secure ACS 4.2 TACACS+ server is supported.
  • Only TACACS+ authentication is supported. Authorization and accounting are not supported.
  • Only PAP, CHAP, and ASCII authentication methods are supported.

TACACS+ authentication can also be used for Web admin access of AppNeta Monitoring Points. See TACACS+.

To enable TACACS+ user authentication for the APM-Private Cloud web interface:

  1. Navigate to > Configure TACACS+.
  2. Click Enable TACACS+.
  3. Click Primary Server.
  4. Configure the fields as follows:
    • Server Address (IP/Hostname) - IP address or hostname of the TACACS+ server.
    • Server Port - Port the TACACS+ server listens on (default: 49). This port must also be open on any firewalls between the APM-Private Cloud server and the TACACS+ server.
    • Shared Secret - Secret used by the TACACS+ server.
    • Authentication Method - Authentication method used by the TACACS+ server (default: ASCII).
    • Timeout (secs) - The amount of time, in seconds, to wait for a response from the TACACS+ server before timing out (default: 15).
  5. (Optional) Click Secondary Server.
  6. Configure the fields as follows:
    • Server Address (IP/Hostname) - IP address or hostname of the secondary TACACS+ server.
    • Server Port - Port the secondary TACACS+ server listens on (default: 49). This port must also be open on any firewalls between the APM-Private Cloud server and the secondary TACACS+ server.
    • Shared Secret - Secret used by the secondary TACACS+ server.
  7. Click Save.

Every user that will be authenticated by the TACACS+ server must also have a user account in APM-Private Cloud (see Users). In the account profiles for those users, the Authenticate Using field must be set to TACACS+. The Authenticate Using field is only shown if TACACS+ is enabled.
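
As an added illustration (not AppNeta code), the Python example below shows what the Shared Secret field does on the wire: per RFC 8907 section 4.5, the TACACS+ packet body is XORed with a chained-MD5 pad derived from the secret, so the value entered above must match the key on the server exactly. The session ID, user name, password, port name, and secrets are constructed sample values; the PAP body layout and minor version 1 follow RFC 8907.

```python
import hashlib
import struct

def pseudo_pad(session_id, secret, version, seq_no, length):
    """RFC 8907 4.5 pad: MD5 blocks chained on the previous hash, truncated."""
    seed = struct.pack("!I", session_id) + secret + bytes([version, seq_no])
    pad, prev = b"", b""
    while len(pad) < length:
        prev = hashlib.md5(seed + prev).digest()
        pad += prev
    return pad[:length]

def obfuscate(body, session_id, secret, version, seq_no):
    """XOR the body with the pad; applying it again with the same inputs reverses it."""
    pad = pseudo_pad(session_id, secret, version, seq_no, len(body))
    return bytes(b ^ p for b, p in zip(body, pad))

def pap_start_body(user, password, port=b"web", rem_addr=b""):
    """Authentication START body for PAP: 8 fixed bytes, then the variable fields."""
    fixed = bytes([
        0x01,            # action: login
        0x01,            # priv_lvl: user
        0x02,            # authen_type: PAP
        0x01,            # authen_service: login
        len(user), len(port), len(rem_addr), len(password),
    ])
    return fixed + user + port + rem_addr + password

# Constructed sample values, not taken from any real deployment.
SESSION_ID = 0x1A2B3C4D
VERSION_PAP = 0xC1       # major version 0xC, minor version 1 (used for PAP and CHAP)
CLIENT_SECRET = b"example-shared-secret"
BODY = pap_start_body(b"alice", b"sample-password")

def server_view(server_secret):
    """What a server configured with server_secret recovers from the client's packet."""
    wire = obfuscate(BODY, SESSION_ID, CLIENT_SECRET, VERSION_PAP, 1)
    return obfuscate(wire, SESSION_ID, server_secret, VERSION_PAP, 1)

if __name__ == "__main__":
    print("matching secret  :", server_view(CLIENT_SECRET) == BODY)
    print("mismatched secret:", server_view(b"example-shared-secreT") == BODY)
```

RFC 8907 describes this mechanism as obfuscation rather than encryption, so use a long, random shared secret and restrict the TACACS+ port on intermediate firewalls to the hosts that need it.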