Configuring TACACS authentication in IAG

Applies To: Intelligent Application Gateway (IAG)

Whale Communications Intelligent Application Gateway (IAG) 2007 supports user authentication using a Terminal Access Controller Access Control System (TACACS). The TACACS protocol allows a network access server (NAS) to offload the user administration to a central server. Where the TACACS authentication scheme is applied, user connection requests are directed by the NAS to the TACACS authentication server, where user identity is compared against the server's user database, and users are granted or denied access accordingly.

IAG and the TACACS authentication server operate in a client-server mode, where IAG has to be configured as a client of the TACACS server.

The TACACS authentication scheme utilizes a secret key to encrypt the authentication request. This key must be identically configured in both the IAG Configuration program and the TACACS authentication server, as described in the following sections.

The TACACS authentication scheme has been tested against the NTTacPlus authentication server.

TACACS authentication flow

The following figure illustrates the authentication process users go through when the TACACS authentication scheme is implemented.

Note

The flow allows for three login attempts, after which login failure is final. The actual number of login attempts users are allowed is determined in the Authentication tab, in Permitted Authentication Attempts.

TACACS Authentication Flow


Configuring the TACACS authentication server

It is the responsibility of the system administrator to configure the TACACS server to operate in conjunction with the IAG client. In order to do so, take the following steps:

  • Add IAG to the client list of the TACACS server.

  • Define the users that will be connecting through this client, to authenticate in a User-Login mode.

  • Define the secret key that will be used to encrypt and decrypt the user request. This key must be identical to the secret key assigned to the authentication scheme when you define the TACACS server in the IAG Configuration console, as described in Authenticating IAG sessions.
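
Why the secret key must be identical on IAG and on the TACACS server, shown as an added example (not code from IAG or NTTacPlus): it assumes the scheme speaks TACACS+ as specified in RFC 8907, where the shared key seeds an MD5 pseudo-pad that is XORed over the packet body. The session ID, key strings, user name, and function names are constructed for illustration.

```python
import hashlib
import struct

TAC_PLUS_VERSION = 0xC0  # major version 0xC, minor version 0


def pseudo_pad(session_id, key, seq_no, length, version=TAC_PLUS_VERSION):
    """RFC 8907 pad: MD5 blocks chained over session_id, key, version, seq_no."""
    seed = struct.pack("!I", session_id) + key + bytes([version, seq_no])
    pad, prev = b"", b""
    while len(pad) < length:
        prev = hashlib.md5(seed + prev).digest()
        pad += prev
    return pad[:length]


def obfuscate(body, session_id, key, seq_no=1):
    """XOR the body with the pad; applying it again with the same key reverses it."""
    pad = pseudo_pad(session_id, key, seq_no, len(body))
    return bytes(b ^ p for b, p in zip(body, pad))


def build_start(user, port=b"iag", rem_addr=b"192.0.2.10"):
    """Authentication START body: LOGIN action, ASCII type, LOGIN service."""
    header = bytes([1, 1, 1, 1, len(user), len(port), len(rem_addr), 0])
    return header + user + port + rem_addr


def parse_start(body):
    """Return the user name, or None when the length fields do not add up.

    A receiver holding a different key recovers random bytes, so this
    consistency check is how a key mismatch shows up.
    """
    if len(body) < 8:
        return None
    user_len, port_len, rem_len, data_len = body[4:8]
    if 8 + user_len + port_len + rem_len + data_len != len(body):
        return None
    return body[8:8 + user_len]


if __name__ == "__main__":
    sid = 0x1A2B3C4D  # constructed session ID
    wire = obfuscate(build_start(b"alice"), sid, b"key-on-server")
    print(parse_start(obfuscate(wire, sid, b"key-on-server")))    # matching key
    print(parse_start(obfuscate(wire, sid, b"key-on-iag-typo")))  # mismatched key
```

When the two keys differ, the server cannot recover the request at all, so every login through IAG fails regardless of the user's credentials.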