Security
7705 SAR OS System Management Guide Page 33
TACACS+ Authorization
Like RADIUS authorization, TACACS+ grants or denies access permissions for a
7705 SAR router. The TACACS+ server sends a response based on the user name and
password.
TACACS+ separates the authentication and authorization functions. RADIUS combines the
authentication and authorization functions.
Accounting
Accounting tracks user activity to a specific host. The 7705 SAR supports RADIUS and
TACACS+ accounting.
RADIUS Accounting
When enabled, RADIUS accounting sends command line accounting from the 7705 SAR
router to the RADIUS server. The router sends accounting records using UDP packets at
port 1813 (decimal).
The router issues an accounting request packet for each event requiring the activity to be
recorded by the RADIUS server. The RADIUS server acknowledges each accounting
request by sending an accounting response after it has processed the accounting request. If
no response is received in the time defined in the timeout parameter, the accounting request
must be retransmitted until the configured retry count is exhausted. A trap is issued to alert
the NMS (or trap receiver) that the server is unresponsive. The router issues the accounting
request to the next configured RADIUS server (up to 5).
User passwords and authentication keys of any type are never transmitted as part of the
accounting request.
When RADIUS accounting is enabled, the server is responsible for receiving accounting
requests and returning a response to the client indicating that it has successfully received the
request. Each command issued on the 7705 SAR router generates a record sent to the
RADIUS server. The record identifies the user who issued the command and the timestamp.
Accounting can be configured independently from RADIUS authorization and RADIUS
authentication.
To Next Page
Loading...
