Cisco Packet Data Gateway (PDG)

System Settings
Configuring TACACS+ for System Administrative Users

VPC-VSM System Administration Guide, StarOS Release 19
 
   
StarOS serves as the TACACS+ Network Access Server (NAS). As the NAS, the system requests TACACS+ AAA services on behalf of authorized system administrative users. For the authentication to succeed, the TACACS+ server must be in the same local context and network accessed by StarOS.

StarOS supports TACACS+ multiple-connection mode. In multiple-connection mode, a separate and private TCP connection to the TACACS+ server is opened and maintained for each session. When the TACACS+ session ends, the connection to the server is terminated.

TACACS+ AAA service configuration is performed in StarOS TACACS Configuration Mode. Enabling the TACACS+ function is performed in the StarOS Global Configuration Mode. StarOS supports the configuration of up to three TACACS+ servers.

Once configured and enabled in StarOS, TACACS+ authentication is attempted first. By default, if TACACS+ authentication fails, StarOS then attempts to authenticate the user using non-TACACS+ AAA services, such as RADIUS.

Important: For releases after 15.0 MR4, TACACS+ accounting (CLI event logging) will not be generated for Lawful Intercept users with privilege level set to 15 and 13.

User Account Requirements

Before configuring TACACS+ AAA services for StarOS, note the following TACACS+ server and StarOS user account provisioning requirements.

TACACS+ User Account Requirements

The TACACS+ server must be provisioned with the following TACACS+ user account information:

• A list of known administrative users.
• The plain-text or encrypted password for each user.
• The name of the group to which each user belongs.
• A list of user groups.
• TACACS+ privilege levels and commands that are allowed/denied for each group.

Important: TACACS+ privilege levels are stored as Attribute Value Pairs (AVPs) in the network’s TACACS+ server database. Users are restricted to the set of commands associated with their privilege level. A mapping of TACACS+ privilege levels to the StarOS CLI administrative roles and responsibilities is provided in the table below.

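Table 3. Default Mapping of TACACS+ Privilege Levels to StarOS CLI Administrative Roles

StarOS CLI Administrative Access Privileges are shown in the CLI, FTP, ECSEMS, Lawful Intercept and CLI Role columns.

| TACACS+ Privilege Level | CLI | FTP | ECSEMS | Lawful Intercept | CLI Role |
|---|---|---|---|---|---|
|  | Yes | No | No | No | Inspector |
|  | Yes | No | Yes | No | Inspector |
|  | No | Yes | No | No | Inspector |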
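
The TACACS+ server provisioning requirements listed above (users, passwords, group membership, group list, per-group privilege level and allowed/denied commands) and the three-server limit can be checked mechanically before TACACS+ is enabled. The following Python check is an added example, not part of the Cisco guide; the inventory layout (keys such as "priv_lvl", "permit" and "deny"), the audit function and the sample data are assumptions made for illustration.

```python
# Added example: audits a constructed TACACS+ provisioning inventory against
# the requirements in this section. The inventory layout is an assumption,
# not a StarOS or TACACS+ server file format.
MAX_SERVERS = 3  # this section: StarOS supports up to three TACACS+ servers


def audit(inventory):
    """Return a sorted list of findings; an empty list means nothing is missing."""
    findings = []
    servers = inventory.get("servers", [])
    groups = inventory.get("groups", {})
    users = inventory.get("users", {})
    if len(servers) > MAX_SERVERS:
        findings.append(f"servers: {len(servers)} listed, StarOS supports {MAX_SERVERS}")
    for name, user in users.items():
        if not user.get("password"):
            findings.append(f"user {name}: no password provisioned")
        group = user.get("group")
        if not group:
            findings.append(f"user {name}: no group assigned")
        elif group not in groups:
            findings.append(f"user {name}: group {group!r} is not in the group list")
    for name, group in groups.items():
        level = group.get("priv_lvl")
        # TACACS+ privilege levels are integers in the range 0-15.
        if not isinstance(level, int) or not 0 <= level <= 15:
            findings.append(f"group {name}: missing or invalid privilege level")
        if not group.get("permit") and not group.get("deny"):
            findings.append(f"group {name}: no allowed/denied commands defined")
    return sorted(findings)


# Constructed sample data (documentation addresses, placeholder passwords).
SAMPLE = {
    "servers": ["192.0.2.10", "192.0.2.11"],
    "groups": {
        "inspectors": {"priv_lvl": 1, "permit": ["show .*"], "deny": []},
        "operators": {"permit": ["show .*"], "deny": ["configure"]},
    },
    "users": {
        "alice": {"password": "<encrypted-placeholder>", "group": "inspectors"},
        "bob": {"password": "", "group": "operators"},
        "carol": {"password": "<encrypted-placeholder>", "group": "secadmins"},
    },
}

if __name__ == "__main__":
    for finding in audit(SAMPLE):
        print(finding)
```

Because StarOS by default falls back to non-TACACS+ AAA services when TACACS+ authentication fails, gaps such as a user with no usable TACACS+ entry do not necessarily block a login; they change which AAA service decides it.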