Cisco Cisco Packet Data Gateway (PDG)
System Settings
Configuring TACACS+ for System Administrative Users ▀
VPC-VSM System Administration Guide, StarOS Release 19 ▄
65
Caution:
When configuring TACACS+ AAA services for the first time, the administrative user must use non-
TACACS+ services to log into StarOS. Failure to do so will result in the TACACS+ user being denied access to the
StarOS CLI.
StarOS CLI.
Log StarOS VPC using non-TACACS+ services.
Use the example below to configure TACACS+ AAA services in StarOS:
configure
tacacs mode
server priority priority_number ip-address tacacs+srvr_ip_address
end
Note:
server priority priority_number: Must be a number from 1 to 3, that specifies the order in which this
TACACS+ server will be tried for TACACS+ authentication. 1 is the highest priority, and 3 is the lowest.
ip-address: Must be the IPv4 address of a valid TACACS+ server that will be used for authenticating
administrative users accessing this system via TACACS+ AAA services.
By default, the TACACS+ configuration will provide authentication, authorization, and accounting services.
Enable TACACS+ via the StarOS CLI:
configure
aaa tacacs+
end
Save the configuration as described in the Verifying and Saving Your Configuration chapter.
Important:
For complete information on all TACACS+ Configuration Mode commands and options, refer to the
TACACS Configuration Mode Commands chapter in the Command Line Reference.
Configuring TACACS+ for Non-local VPN Authentication
By default TACACS+ authentication is associated with login to the local context. TACACS+ authentication can also be
configured for non-local context VPN logins. TACACS+ must configured and enabled with the option described below.
configured for non-local context VPN logins. TACACS+ must configured and enabled with the option described below.
A stop keyword option is available for the TACACS+ Configuration mode on-unknown-user command. If TACACS+
is enabled with the command-keyword option, the VPN context name into which the user is attempting a login must
match the VPN name specified in the username string. If the context name does not match, the login fails and exits out.
is enabled with the command-keyword option, the VPN context name into which the user is attempting a login must
match the VPN name specified in the username string. If the context name does not match, the login fails and exits out.
Without this option the login sequence will attempt to authenticate in another context via an alternative login method.
For example, without the on-unknown-user stop configuration, an admin account could log into the local context via
the non-local VPN context. However, with the on-unknown-user stop configuration, the local context login would not
be attempted and the admin account login authentication would fail.
For example, without the on-unknown-user stop configuration, an admin account could log into the local context via
the non-local VPN context. However, with the on-unknown-user stop configuration, the local context login would not
be attempted and the admin account login authentication would fail.
configure