Configure Windows TACACS+ Servers using Cisco Secure ACS
The Packeteer TACACS+ client has been tested with Cisco Secure Access Control Server (ACS) 4.2. This section includes instructions on configuring a Windows TACACS+ server with Packeteer-specific information. These steps should be performed before you configure the TACACS+ authentication and TACACS+ accounting services via the PacketWise browser or command-line interfaces. For more information on the general setup and configuration of these servers, refer to the documentation included with the product.
Configure the Cisco Secure ACS Application
Follow the procedure below to configure group-level access attributes.
- Launch the Cisco Secure ACS application.
- Click Interface configuration in the toolbar on the left side of the screen to open the Interface Configuration window.
- Click the TACACS+ (Cisco IOS) link.
- The TACACS+ services window opens. In the top pane of this window, there are two columns for group and user configuration settings. Check the shell (exec) checkbox in the User column.
- Click Submit to save your changes.
Configure Cisco Secure ACS Network Settings
Define network clients that can be accessed using TACACS+ authentication and authorization.
- Click the Network Configuration button in the left toolbar.
- Click Add Entry.
- The Add AAA Client window opens. Enter a AAA Client Hostname, AAA Client IP address and a Shared Secret (password) for the PacketShaper or PolicyCenter server you want to access using TACACS+ authentication.
- Click the Authenticate Using drop-down list and select TACACS+ (Cisco IOS).
- Click Submit + Apply.
Configure Cisco Secure ACS Users
Next, you must configure settings for your TACACS+ users.
- Click the User Setup button in the toolbar on the left side of the screen to open the Select window.
- Enter a name for the new user in the User Name field, then click Add/Edit.
- The Edit window opens. In the Supplementary User Info section, enter a Real Name for the user and a Description of that user.
- In the User Setup section, click the Password Authentication drop-down list and select ACS Internal Database.
- Enter and confirm a password for Cisco Secure PAP/CHAP/MS-CHAP/ARAP in the top Password and Confirm Password fields.
- (Optional) To use the password you just defined for PAP only, click the Separate (CHAP/MS-CHAP/ARAP) checkbox, and define a separate password for those authentication protocols.
- Use the scroll bar on the right side of the Edit window to scroll down to the TACACS+ Settings section.
- Select the Shell (exec) checkbox.
- Select the Custom Attributes checkbox, then enter one of the following custom Packeteer attributes.
| Attribute | Description |
|---|---|
| access=touch | Gives the user touch access to a PacketShaper. |
| access=look | Gives the user look access to a PacketShaper. |
| role=<org>:touch | Where <org> is a PolicyCenter organization name. This attribute gives the user touch access to a PolicyCenter organization, most typically the administrator's PC organization. |
| role=<org>:look | Where <org> is a PolicyCenter organization name. This attribute gives the user look access to a PolicyCenter organization. |
- Click Submit to save your settings.
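A check for the custom attribute strings in the table above, as an added example that is not part of the original guide or of any Packeteer or Cisco software: it validates each string against the four listed forms and separates touch grants from look grants so the touch list can be reviewed. The user names, the organization name `ExampleOrg`, the exact lowercase matching and the characters allowed in `<org>` are assumptions.

```python
import re

# The four attribute forms from the table. Matching is exact (lowercase, no
# spaces) and <org> is taken as non-empty text without whitespace, ':' or '='.
# Both rules are assumptions; the guide does not define case handling or the
# characters an organization name may contain.
_ACCESS = re.compile(r"^access=(touch|look)$")
_ROLE = re.compile(r"^role=([^\s:=]+):(touch|look)$")


def parse_attribute(text):
    """Return (target, org, level) for a valid attribute, or raise ValueError."""
    attr = text.strip()
    m = _ACCESS.match(attr)
    if m:
        return ("PacketShaper", None, m.group(1))
    m = _ROLE.match(attr)
    if m:
        return ("PolicyCenter", m.group(1), m.group(2))
    raise ValueError(f"not a recognised Packeteer attribute: {text!r}")


def audit(users):
    """Split a {user: attribute} mapping into touch, look and invalid entries."""
    report = {"touch": [], "look": [], "invalid": []}
    for user, attr in sorted(users.items()):
        try:
            target, org, level = parse_attribute(attr)
        except ValueError:
            report["invalid"].append(user)
            continue
        scope = target if org is None else f"{target}/{org}"
        report[level].append((user, scope))
    return report


# Constructed sample data: user names and the organization name are made up.
SAMPLE_USERS = {
    "alice": "access=touch",
    "bob": "access=look",
    "carol": "role=ExampleOrg:touch",
    "dave": "role=ExampleOrg:look",
    "erin": "access=tuch",    # typo in the access level
    "frank": "role=:touch",   # organization name missing
}

if __name__ == "__main__":
    for category, entries in audit(SAMPLE_USERS).items():
        print(category, entries)
```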
PacketGuide™ for PacketWise® 8.3