
Configure Windows TACACS+ Servers using Cisco Secure ACS


The Packeteer TACACS+ client has been tested with Cisco Secure Access Control Server (ACS)
4.2. This section includes instructions on configuring a Windows TACACS+ server with
Packeteer-specific information. Perform these steps before you configure the TACACS+
authentication and TACACS+ accounting services via the PacketWise browser or command-line
interfaces. For more information on the general setup and configuration of these servers, refer to the
documentation included with the product.

Configure the Cisco Secure ACS Application


Follow the procedure below to configure group-level access attributes.
1. Launch the Cisco Secure ACS application.
2. Click Interface configuration in the toolbar on the left side of the screen to open the
Interface Configuration window.

3. Click the TACACS+ (Cisco IOS) link.

4. The TACACS+ services window opens. In the top pane of this window, there are two
columns for group and user configuration settings. Check the shell (exec) checkbox in the
User column.

5. Click Submit to save your changes.

Configure Cisco Secure ACS Network Settings


Define network clients that can be accessed using TACACS+ authentication and authorization.
1. Click the Network Configuration button in the left toolbar.

2. Click Add Entry.

3. The Add AAA Client window opens.

Enter a AAA Client Hostname, AAA Client IP address and a Shared Secret (password)
for the PacketShaper or PolicyCenter server you want to access using TACACS+
authentication.
4. Click the Authenticate Using drop-down list and select TACACS+ (Cisco IOS).
5. Click Submit + Apply.

Configure Cisco Secure ACS Users


Next, you must configure settings for your TACACS+ users.
1. Click the User Setup button in the toolbar on the left side of the screen to open the Select
window.

2. Enter a name for the new user in the User Name field, then click Add/Edit.

3. The Edit window opens.

In the Supplementary User Info section, enter a Real Name for the user and a
Description of that user.
4. In the User Setup section, click the Password Authentication drop-down list and select
ACS Internal Database.


5. Enter and confirm a password for Cisco Secure PAP/CHAP/MS-CHAP/ARAP in the top
Password and Confirm Password fields.
6. (Optional) To use the password you just defined for PAP only, click the Separate
(CHAP/MS-CHAP/ARAP) checkbox, and define a separate password for those
authentication protocols.
7. Use the scroll bar on the right side of the Edit window to scroll down to the TACACS+
Settings section.

8. Select the Shell (exec) checkbox.


9. Select the Custom Attributes checkbox, then enter one of the following custom Packeteer
attributes.

Attribute           Description
access=touch        Gives the user touch access to a PacketShaper.
access=look         Gives the user look access to a PacketShaper.
role=<org>:touch    Where <org> is a PolicyCenter organization name. This attribute gives the user touch access to a PolicyCenter organization, most typically the administrator's PC organization.
role=<org>:look     Where <org> is a PolicyCenter organization name. This attribute gives the user look access to a PolicyCenter organization.
10. Click Submit to save your settings.
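
An added example (not part of the original Packeteer guide): a Python check that parses the custom attribute strings from step 9 and reports which users hold touch access and which entries match none of the listed forms. The user names, the organization name example-org, and the assumptions that attributes are lowercase and that organization names contain no colon are not from the guide.

```python
import re

# The four attribute forms listed in the table in step 9.
ACCESS_RE = re.compile(r"access=(touch|look)")
ROLE_RE = re.compile(r"role=([^:]+):(touch|look)")  # assumption: org names contain no ':'

def parse_attribute(line):
    """Parse one custom attribute into (product, org, level); raise ValueError if malformed."""
    text = line.strip()
    m = ACCESS_RE.fullmatch(text)
    if m:
        return ("PacketShaper", None, m.group(1))
    m = ROLE_RE.fullmatch(text)
    if m:
        return ("PolicyCenter", m.group(1), m.group(2))
    raise ValueError(f"unrecognised attribute: {text!r}")

def audit(users):
    """Return (touch_grants, malformed) for a {username: [attribute, ...]} mapping."""
    touch_grants, malformed = [], []
    for user, attrs in sorted(users.items()):
        for attr in attrs:
            try:
                product, org, level = parse_attribute(attr)
            except ValueError:
                malformed.append((user, attr))
                continue
            if level == "touch":
                touch_grants.append((user, product, org))
    return touch_grants, malformed

# Constructed sample data: user names and the organization name are invented.
SAMPLE_USERS = {
    "alice": ["access=touch"],
    "bob": ["access=look"],
    "carol": ["role=example-org:touch"],
    "dave": ["role=example-org:ook"],   # typo: matches none of the listed forms
    "erin": ["acess=look"],             # typo in the attribute name
}

if __name__ == "__main__":
    grants, bad = audit(SAMPLE_USERS)
    for user, product, org in grants:
        print(f"touch access: {user} -> {product}" + (f" ({org})" if org else ""))
    for user, attr in bad:
        print(f"malformed:    {user}: {attr!r}")
```

Reviewing the touch list against who actually needs write access keeps the ACS user base aligned with least privilege.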
