To Next Page

To Previous Page

Chapter 29: Security

STANDARD Revision 1.0 C4® CMTS Release 8.3 User Guide

PPP, SLIP, privilege-level change (e.g., entering enable mode), and password change. It employs an unbounded, server-

controlled challenge-response mechanism in which the server may issue any number of challenges to a user prior to

accepting or rejecting a service request. If the server rejects a service request, the client drops the connection. Otherwise,

the client establishes the service parameters (e.g., session timeout, idle timeout, privilege level) as directed by the server

and initiates the service.

Only TACACS+ directly supports authorization for user activities via independent request/response transactions. With

TACACS+, the client forwards each user command along with any associated arguments to the server where the

accept/reject decision is made. On acceptance, the server may add additional arguments to the command line or may even

override the entire argument list. The client is responsible for executing the accepted command with the server-supplied

argument additions or overrides.

TACACS+ supports both shell and command accounting. The client autonomously forwards start-of-service and end-of-

service information to an accounting server. This information can include the number of bytes or packets transmitted or

received, the elapsed time in seconds, the reason for termination, and so on. For shell accounting, successful

authentication represents the start of service and session termination represents the end of service. For command

accounting, successful authorization represents the start of service and command completion represents the end of

service.

TACACS+ Servers and Server Groups

TACACS+ uses TCP/IP for all client/server communication and requires payload encryption via MD5. A TACACS+ client must

be provisioned with server-specific parameters such as IP address, port number, and shared secret. Some network

architectures may require multiple servers for reliability purposes. Other architectures may require independent TACACS+

servers (or server clusters) for each AAA function.

The C4/c CMTS supports six independently configurable TACACS+ servers. The current implementation of TACACS+ has the

following characteristics:

 Configuration information will include the server’s IP addresses, port number, shared secret, and timeout value.

 There is support for three independently configurable TACACS+ server groups. Configuration information must include

the group name and a list of TACACS+ servers belonging to the group.

 A single TACACS+ server may be assigned to multiple server groups. Multiple TACACS+ server groups may share

common backup servers.

 All TACACS+ server and server group configuration information persists across system reboots and power-cycles.

Arris C4C User Manual

Questions and Answers: