Cisco Cisco Packet Data Interworking Function (PDIF)
System Settings
▀ Configuring TACACS+ for System Administrative Users
▄ ASR 5000 System Administration Guide, StarOS Release 18
68
Configuring TACACS+ for System Administrative Users
This section describes TACACS+ (Terminal Access Controller Access Control System+) AAA (Authentication
Authorization and Accounting) service functionality and configuration on the ASR 5x00.
Authorization and Accounting) service functionality and configuration on the ASR 5x00.
Operation
TACACS+ is a secure, encrypted protocol. By remotely accessing TACACS+ servers that are provisioned with the
administrative user account database, the ASR 5000 can provide TACACS+ AAA services for system administrative
users. TACACS+ is an enhanced version of the TACACS protocol that uses TCP instead of UDP.
administrative user account database, the ASR 5000 can provide TACACS+ AAA services for system administrative
users. TACACS+ is an enhanced version of the TACACS protocol that uses TCP instead of UDP.
The ASR 5x00 system serves as the TACACS+ Network Access Server (NAS). As the NAS the system requests
TACACS+ AAA services on behalf of authorized system administrative users. For the authentication to succeed, the
TACACS+ server must be in the same local context and network accessed by the system.
TACACS+ AAA services on behalf of authorized system administrative users. For the authentication to succeed, the
TACACS+ server must be in the same local context and network accessed by the system.
The system supports TACACS+ multiple-connection mode. In multiple-connection mode, a separate and private TCP
connection to the TACACS+ server is opened and maintained for each session. When the TACACS+ session ends, the
connection to the server is terminated.
connection to the TACACS+ server is opened and maintained for each session. When the TACACS+ session ends, the
connection to the server is terminated.
TACACS+ is a system-wide function on the ASR 5x00. TACACS+ AAA service configuration is performed in
TACACS Configuration Mode. Enabling the TACACS+ function is performed in the Global Configuration Mode. The
system supports the configuration of up to three TACACS+ servers.
TACACS Configuration Mode. Enabling the TACACS+ function is performed in the Global Configuration Mode. The
system supports the configuration of up to three TACACS+ servers.
Once configured and enabled on the system, TACACS+ authentication is attempted first. By default, if TACACS+
authentication fails, the system then attempts to authenticate the user using non-TACACS+ AAA services, such as
RADIUS.
authentication fails, the system then attempts to authenticate the user using non-TACACS+ AAA services, such as
RADIUS.
Important:
For releases after 15.0 MR4, TACACS+ accounting (CLI event logging) will not be generated for
Lawful Intercept users with privilege level set to 15 and 13.
User Account Requirements
Before configuring TACACS+ AAA services on the ASR x000, note the TACACS+ server and system user account
provisioning requirements described below.
provisioning requirements described below.
TACACS+ User Account Requirements
The TACACS+ server must be provisioned with the following TACACS+ user account information:
A list of known administrative users.
The plain-text or encrypted password for each user.
The name of the group to which each user belongs.
A list of user groups.
TACACS+ privilege levels and commands that are allowed/denied for each group.