Cisco Packet Data Gateway (PDG)
System Settings
ASR 5500 System Administration Guide, StarOS Release 17
Configuring TACACS+ for System Administrative Users
This section describes TACACS+ (Terminal Access Controller Access Control System+) AAA (Authentication, Authorization and Accounting) service functionality and configuration on the ASR 5x00.
Operation
TACACS+ is a secure, encrypted protocol. By remotely accessing TACACS+ servers that are provisioned with the
administrative user account database, the ASR 5x00 can provide TACACS+ AAA services for system administrative
users. TACACS+ is an enhanced version of the TACACS protocol that uses TCP instead of UDP.
The ASR 5x00 system serves as the TACACS+ Network Access Server (NAS). As the NAS, the system requests TACACS+ AAA services on behalf of authorized system administrative users. For the authentication to succeed, the TACACS+ server must be in the same local context and network accessed by the system.
The system supports TACACS+ multiple-connection mode. In multiple-connection mode, a separate and private TCP
connection to the TACACS+ server is opened and maintained for each session. When the TACACS+ session ends, the
connection to the server is terminated.
TACACS+ is a system-wide function on the ASR 5x00. TACACS+ AAA service configuration is performed in
TACACS Configuration Mode. Enabling the TACACS+ function is performed in the Global Configuration Mode. The
system supports the configuration of up to three TACACS+ servers.
Once configured and enabled on the system, TACACS+ authentication is attempted first. By default, if TACACS+
authentication fails, the system then attempts to authenticate the user using non-TACACS+ AAA services, such as
RADIUS.
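The following StarOS configuration is added here as an illustration and is not taken from the guide: it provisions the three TACACS+ servers the system supports in TACACS Configuration Mode and then enables the TACACS+ function in Global Configuration Mode, the two steps described above. The IP addresses and shared keys are placeholders, and the exact command syntax is assumed from TACACS Configuration Mode and should be confirmed against the command reference for the release in use.

```text
# Added example (not from the guide): provision up to three TACACS+ servers.
# Assumption: the lowest priority number is the server contacted first.
# 192.0.2.x addresses and TACACS_KEY_PLACEHOLDER are placeholders; use a
# per-deployment shared secret that is not reused from any other server.
configure
   tacacs mode
      server priority 1 ip-address 192.0.2.10 key TACACS_KEY_PLACEHOLDER
      server priority 2 ip-address 192.0.2.11 key TACACS_KEY_PLACEHOLDER
      server priority 3 ip-address 192.0.2.12 key TACACS_KEY_PLACEHOLDER
      end

# Enable the system-wide TACACS+ function in Global Configuration Mode.
# Once enabled, TACACS+ authentication is attempted first; by default a
# TACACS+ failure falls back to non-TACACS+ AAA (such as RADIUS), so the
# RADIUS and local accounts reachable through that fallback path are part
# of the administrative attack surface and should be reviewed as well.
configure
   aaa tacacs+
   end
```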
User Account Requirements
Before configuring TACACS+ AAA services on the ASR 5x00, note the following TACACS+ server and system user
account provisioning requirements.
TACACS+ User Account Requirements
The TACACS+ server must be provisioned with the following TACACS+ user account information:
• A list of known administrative users.
• The plain-text or encrypted password for each user.
• The name of the group to which each user belongs.
• A list of user groups.
• TACACS+ privilege levels and commands that are allowed/denied for each group.
Important: TACACS+ privilege levels are stored as Attribute Value Pairs (AVPs) in the network's TACACS+ server database. Users are restricted to the set of commands associated with their privilege level. A mapping of TACACS+ privilege levels to ASR 5x00 CLI administrative roles and responsibilities is provided in the table below.