TACACS authentication
The TACACS authentication policy authenticates to an external Terminal Access Controller Access-Control System (TACACS) authentication server. After a user authenticates to a TACACS server, the Citrix ADC connects to the same TACACS server for all subsequent authorizations. When a primary TACACS server is unavailable, this feature prevents the delay that would otherwise occur while the ADC waits for the first TACACS server to time out before resending the authorization request to the second TACACS server.
Note:
TACACS authorization server does not support commands whose string length exceeds 255 characters.
Workaround: Use local authorization instead of a TACACS authorization server.
When authenticating through a TACACS server, authentication, authorization, and auditing traffic management logs only the TACACS commands that ran successfully. This prevents the logs from showing TACACS commands entered by users who were not authorized to run them.
Starting from NetScaler 12.0 Build 57.x, the Terminal Access Controller Access-Control System (TACACS) does not block the authentication, authorization, and auditing daemon while sending the TACACS request. This allows LDAP and RADIUS authentication to proceed with the request. The TACACS authentication request resumes once the TACACS server acknowledges the TACACS request.
Important:
Citrix recommends you do not modify any TACACS related configurations when you run a “clear ns config” command.
TACACS-related configuration for advanced policies is cleared and reapplied when the “RBAconfig” parameter is set to NO in the “clear ns config” command for advanced policy.
Name-value attribute support for TACACS authentication
You can now configure TACACS authentication attributes with a unique name along with values. The names are configured in the TACACS action parameter and the values are obtained by querying for the names. By specifying the name attribute value, admins can easily search for the attribute value associated with the attribute name. Also, admins no longer have to remember the attribute by its value alone.
Important
- In the tacacsAction command, you can configure a maximum of 64 attributes, separated by commas, with a total size of less than 2048 bytes.
To configure the name-value attributes by using the CLI
At the command prompt, type:
add authentication tacacsAction <name> [-Attributes <string>]
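A pre-flight check for the limits stated above (at most 64 comma-separated attributes, total size under 2048 bytes), as an added example that is not Citrix code. It assumes the size limit applies to the whole comma-joined string measured in UTF-8 bytes and that names are compared case-insensitively for uniqueness; `check_attributes`, `build_command`, and the sample names are hypothetical.

```python
# Added example: validate a tacacsAction -Attributes list before applying it.
MAX_ATTRIBUTES = 64        # documented maximum number of attributes
MAX_TOTAL_BYTES = 2048     # documented: total size must be less than this


def check_attributes(names):
    """Return (attr_string, problems) for a list of attribute names."""
    problems = []
    cleaned = [n.strip() for n in names]

    if any(not n for n in cleaned):
        problems.append("empty attribute name")
    # Assumption: reject separators/spaces so the CLI line stays unambiguous.
    if any("," in n or " " in n for n in cleaned):
        problems.append("attribute name contains a comma or space")

    # Assumption: names must be unique, compared case-insensitively.
    seen, dupes = set(), []
    for n in cleaned:
        key = n.lower()
        if key in seen and n not in dupes:
            dupes.append(n)
        seen.add(key)
    if dupes:
        problems.append("duplicate names: " + ", ".join(dupes))

    if len(cleaned) > MAX_ATTRIBUTES:
        problems.append(f"{len(cleaned)} attributes, maximum is {MAX_ATTRIBUTES}")

    # Assumption: the byte limit covers the joined string, commas included.
    attr_string = ",".join(cleaned)
    size = len(attr_string.encode("utf-8"))  # bytes, not characters
    if size >= MAX_TOTAL_BYTES:
        problems.append(f"{size} bytes, must be less than {MAX_TOTAL_BYTES}")
    return attr_string, problems


def build_command(action_name, names):
    """Return the CLI line, or raise ValueError listing every problem."""
    attr_string, problems = check_attributes(names)
    if problems:
        raise ValueError("; ".join(problems))
    return f"add authentication tacacsAction {action_name} -Attributes {attr_string}"


if __name__ == "__main__":
    # Constructed sample names, not taken from any real TACACS server.
    print(build_command("tacacs_act1", ["department", "role", "site"]))
```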