TACACS+ Settings
Terminal Access Controller Access-Control System Plus (TACACS+) is an external authentication server used for verifying user credentials.
The TACACS+ protocols support environments that are configured for authentication, authorization, and accounting (AAA) services. When TACACS+ is configured through the XCO interface, TACACS+ users can log in to the XCO interface.
XCO supports TACACS+ authentication in the following ways.
- XCO supports up to five auth preferences, and TACACS+ servers can be added accordingly. If adding a TACACS+ server fails because the auth preference limit has been reached, delete an unnecessary auth preference and then add the new TACACS+ config.
- The user roles specified in the TACACS+ server configuration can be one of the following.
  - One of the supported XCO roles: NetworkOperator and SystemAdmin. For more information, see User Roles.
  - A local TACACS+ role that you can map to XCO. For more information, see Map a TACACS+ User Role.
- The xco-role attribute must be included in the TACACS+ configuration file.
- If the xco-role attribute is not present or not mapped to the correct predefined role in ExtremeCloud Orchestrator, the user login fails.
- TACACS+ authentication must be enabled. If TACACS+ authentication is not enabled, only local authentication is used.
- If remote authentication fails, XCO attempts to use local authentication, which is successful only if the user is in the XCO database.
- The secret key configured for XCO must be the same as the secret key from the TACACS+ server configuration file. Authentication fails if the two values do not match.
- XCO supports two TACACS+ authentication protocols.
  - CHAP: Challenge Handshake Authentication Protocol
  - PAP: Password Authentication Protocol
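
The shared-secret requirement above follows from how TACACS+ protects packet bodies (RFC 8907, section 4.5): each body is XORed with an MD5 pad derived from the session ID, the key, the version and the sequence number. The Python sketch below is an added example, not XCO or Extreme code, and goes one step beyond the page by showing the protocol mechanism; the user name, password, port, keys and session ID are constructed sample values.

```python
import hashlib
import struct

def pseudo_pad(session_id, key, version, seq_no, length):
    """RFC 8907 section 4.5: chained MD5 blocks, truncated to the body length."""
    seed = struct.pack("!I", session_id) + key + bytes([version, seq_no])
    pad, prev = b"", b""
    while len(pad) < length:
        prev = hashlib.md5(seed + prev).digest()
        pad += prev
    return pad[:length]

def xor_body(body, session_id, key, version, seq_no):
    """Obfuscation and de-obfuscation are the same XOR operation."""
    pad = pseudo_pad(session_id, key, version, seq_no, len(body))
    return bytes(b ^ p for b, p in zip(body, pad))

def pap_start_body(user, password, port=b"tty0"):
    """Authentication START body: login action, PAP type, password in data."""
    header = bytes([0x01, 0x01, 0x02, 0x01, len(user), len(port), 0, len(password)])
    return header + user + port + password

def start_body_parses(body):
    """Sanity check a receiver can apply: known action, lengths add up."""
    if len(body) < 8 or body[0] not in (0x01, 0x02, 0x04):
        return False
    return 8 + sum(body[4:8]) == len(body)

# Constructed sample values, not taken from any real deployment.
SESSION_ID, VERSION, SEQ_NO = 0x1A2B3C4D, 0xC1, 1   # minor version 1 is used for PAP/CHAP
CLIENT_KEY = b"example-shared-secret"
SERVER_KEY_MISMATCH = b"example-shared-secert"       # one transposition

clear = pap_start_body(b"alice", b"constructed-pw")
wire = xor_body(clear, SESSION_ID, CLIENT_KEY, VERSION, SEQ_NO)
same_key = xor_body(wire, SESSION_ID, CLIENT_KEY, VERSION, SEQ_NO)
wrong_key = xor_body(wire, SESSION_ID, SERVER_KEY_MISMATCH, VERSION, SEQ_NO)

if __name__ == "__main__":
    print("matching key parses:  ", start_body_parses(same_key))
    print("mismatched key parses:", start_body_parses(wrong_key))
```

With PAP the password travels inside this obfuscated body, so its confidentiality on the wire rests entirely on the shared secret; RFC 8907 describes the MD5 obfuscation as weak by modern standards, which is a reason to use a long random secret and a protected management network between XCO and the TACACS+ server.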