Alcatel-Lucent 7450 - Page 185

Alcatel-Lucent 7450
554 pages
Security
7450 ESS System Management Guide Page 185
Context config>system>security>tacplus
Description This command configures TACACS+ authorization parameters for the system.
Default no authorization
use-priv-lvl: Automatically performs a single authorization request to the TACACS+ server for
cmd* (all commands) immediately after login, and then uses the local profile associated (via the
priv-lvl-map) with the priv-lvl returned by the TACACS+ server for all subsequent authorization
(except enable-admin). After the initial authorization for cmd*, no further authorization
requests are sent to the TACACS+ server (except enable-admin).
interactive-authentication
Syntax [no] interactive-authentication
Context config>system>security>tacplus
Description This configuration instructs SR OS to send neither a username nor a password in the
TACACS+ start message, and to display the server_msg in the GETUSER and GETPASS response from the
TACACS+ server. Interactive authentication can be used to support a One Time Password scheme (e.g. S/Key).
An example flow (e.g. with a telnet connection) is as follows:
1. SR OS will send an authentication start request to the TACACS+ server with no username nor password.
2. TACACS+ server replies with TAC_PLUS_AUTHEN_STATUS_GETUSER and a server_msg.
3. SR OS displays the server_msg, and collects the user name.
4. SR OS sends a continue message with the user name.
5. TACACS+ server replies with TAC_PLUS_AUTHEN_STATUS_GETPASS and a server_msg.
6. SR OS displays the server_msg (which may contain, for example, an S/Key for One Time Password operation), and collects the password.
7. SR OS sends a continue message with the password.
8. TACACS+ server replies with PASS or FAIL.
When interactive-authentication is disabled, SR OS will send the username and password in the
tacplus start message. An example flow (e.g. with a telnet connection) is as follows:
1. SR OS sends the start message with:
   - TAC_PLUS_AUTHEN_TYPE_ASCII.
   - the login username in the “user” field.
   - the password in the user_msg field (note: this is non-standard but doesn’t cause interoperability problems).
2. TACACS+ server ignores the password and replies with TAC_PLUS_AUTHEN_STATUS_GETPASS.
3. SR OS sends a continue packet with the password in the user_msg field.
4. TACACS+ server replies with PASS or FAIL.
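
The two flows above, modeled at message level in Python as an added example (not from the manual and not SR OS code): it records what the client sends in each mode, which shows that with interactive-authentication disabled the password travels in both the start and the continue message. ToyServer, login and password_copies are hypothetical names, the credentials and challenge string are constructed, and carrying the CONTINUE answers in user_msg follows RFC 8907.

```python
import hmac

# Status names come from the flows above; everything else is a constructed model.
GETUSER, GETPASS, PASS, FAIL = "GETUSER", "GETPASS", "PASS", "FAIL"

class ToyServer:
    """Hypothetical stand-in for a TACACS+ server handling one ASCII login."""
    def __init__(self, users, challenge="Password: "):
        self.users, self.challenge, self.user = users, challenge, None

    def start(self, user=None, user_msg=None):
        # A password arriving in START (user_msg) is ignored, as described above.
        self.user = user or None
        return (GETPASS, self.challenge) if user else (GETUSER, "Username: ")

    def cont(self, user_msg):
        if self.user is None:                      # this is the answer to GETUSER
            self.user = user_msg
            return GETPASS, self.challenge
        expected = self.users.get(self.user)
        ok = expected is not None and hmac.compare_digest(expected.encode(), user_msg.encode())
        return (PASS if ok else FAIL), ""

def login(server, username, password, interactive):
    """Run one login; return (status, sent messages, server_msg strings shown)."""
    sent, shown = [], []
    if interactive:
        sent.append(("START", {}))                 # no username, no password
        status, msg = server.start()
    else:
        sent.append(("START", {"user": username, "user_msg": password}))
        status, msg = server.start(user=username, user_msg=password)
    while status in (GETUSER, GETPASS):
        if interactive:
            shown.append(msg)                      # prompt or OTP challenge from the server
        answer = username if status == GETUSER else password
        sent.append(("CONTINUE", {"user_msg": answer}))
        status, msg = server.cont(answer)
    return status, sent, shown

def password_copies(sent, password):
    """Count client messages that carried the password."""
    return sum(password in fields.values() for _, fields in sent)

if __name__ == "__main__":
    users = {"admin": "s3cret-constructed"}        # constructed sample account
    for mode in (True, False):
        status, sent, _ = login(ToyServer(users), "admin", users["admin"], mode)
        print(mode, status, [m for m, _ in sent], password_copies(sent, users["admin"]))
```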
