User's Manual 9. CLI-Based Management
Version 6.8 87 Mediant 500L MSBR
9.8 Configuring TACACS+ for CLI Login
This section describes how to enable and configure Terminal Access Controller Access-Control System Plus (TACACS+). TACACS+ is a security protocol for centralized username and password verification. It can be used to validate users attempting to gain access to the device through the CLI. The TACACS+ user database is maintained on the TACACS+ daemon, not on the device.
You must have access to and must configure a TACACS+ server before configuring
TACACS+ on your device.
TACACS+ can provide the following services:
• Authentication: provides authentication through a login and password dialog
• Authorization: manages user capabilities for the duration of the user's session by placing restrictions on which commands a user may execute
• Accounting: collects and sends information for auditing and reporting to the TACACS+ daemon
The TACACS+ protocol provides authentication between the device and the TACACS+ daemon by means of a shared secret configured on both, and the body of every packet exchanged between the network access server and the daemon is obfuscated with an MD5-derived keystream computed from that secret. Note that RFC 8907, which documents the protocol, describes this as obfuscation rather than cryptographically strong encryption: the packet header is sent in the clear, and the secret is the only protection for user passwords in transit. Treat the TACACS+ traffic as sensitive and keep it on a dedicated management network or inside a protected tunnel such as IPsec. You need a system running TACACS+ daemon software to use the TACACS+ functionality on your network access server.
When a user attempts a simple ASCII login by authenticating to a network access server
using TACACS+, the following typically occurs:
1. When the connection is established, the network access server contacts the
TACACS+ daemon to obtain a username prompt, which is then displayed to the user.
The user enters a username and the network access server then contacts the
TACACS+ daemon to obtain a password prompt. The network access server displays
the password prompt to the user, the user enters a password, and the password is
then sent to the TACACS+ daemon.
2. The network access server eventually receives one of the following responses from
the TACACS+ daemon:
• ACCEPT: The user is authenticated and service may begin. If the network access
server is configured to require authorization, authorization will begin at this time.
• REJECT: The user has failed to authenticate. The user may be denied further
access.
• ERROR: An error occurred at some time during authentication. This can be at the
daemon or in the network connection between the daemon and the network
access server. If an ERROR response is received, the device typically attempts
to use an alternative method for authenticating the user.
3. If TACACS+ authorization is needed, the TACACS+ daemon is again contacted for
each CLI command entered by the user, and it returns an ACCEPT or REJECT
authorization response. If an ACCEPT response is returned, the CLI command is
allowed; otherwise, it is rejected.
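The login exchange above, together with the shared-secret obfuscation described earlier in this section, as an added worked example. This is not AudioCodes code and is not taken from this manual; it follows the packet formats of RFC 8907 and simulates both the network access server side (the `login` function) and a minimal TACACS+ daemon (the `Daemon` class) in one Python process, so the 12-byte clear header, the chained MD5 pseudo-pad that obfuscates the body, and the START / GETUSER / CONTINUE / GETPASS / CONTINUE / PASS-or-FAIL sequence can be inspected offline. The shared secret, user table, session IDs and the `Daemon` and `login` helpers are constructed for the example. Calling `login` with a secret that differs from the daemon's shows how a key mismatch surfaces as ERROR rather than a clean reject, which is the case in which the device falls back to another authentication method.

```python
"""TACACS+ (RFC 8907) ASCII-login exchange with both peers simulated in one process."""
import hashlib
import struct

VERSION_ASCII, TYPE_AUTHEN = 0xC0, 0x01                               # header: major 0xC, minor 0
ACTION_LOGIN, AUTHEN_TYPE_ASCII, SVC_LOGIN = 0x01, 0x01, 0x01          # START fields
PASS, FAIL, GETUSER, GETPASS, ERROR, NOECHO = 0x01, 0x02, 0x04, 0x05, 0x07, 0x01
STATUS_NAMES = {PASS: "PASS", FAIL: "FAIL", GETUSER: "GETUSER", GETPASS: "GETPASS", ERROR: "ERROR"}

def pseudo_pad(session_id, key, version, seq_no, length):
    """Keystream of RFC 8907 section 4.5: chained MD5(session_id | key | version | seq_no | prev)."""
    seed, pad = struct.pack("!I", session_id) + key + bytes([version, seq_no]), b""
    while len(pad) < length:
        pad += hashlib.md5(seed + pad[-16:]).digest()   # pad[-16:] is the previous block (empty at first)
    return pad[:length]

def obfuscate(body, session_id, key, version, seq_no):   # XOR with the pad; applying it twice restores body
    pad = pseudo_pad(session_id, key, version, seq_no, len(body))
    return bytes(b ^ p for b, p in zip(body, pad))

def pack_packet(session_id, seq_no, key, body):          # 12-byte clear header + obfuscated body
    hdr = struct.pack("!BBBBII", VERSION_ASCII, TYPE_AUTHEN, seq_no, 0, session_id, len(body))
    return hdr + obfuscate(body, session_id, key, VERSION_ASCII, seq_no)

def unpack_packet(raw, key):                             # -> (seq_no, session_id, clear body) or raises
    version, ptype, seq_no, _flags, session_id, length = struct.unpack("!BBBBII", raw[:12])
    if version != VERSION_ASCII or ptype != TYPE_AUTHEN or len(raw) != 12 + length:
        raise ValueError("bad header")
    return seq_no, session_id, obfuscate(raw[12:], session_id, key, version, seq_no)

# Body codecs. Each decoder cross-checks the embedded lengths against the body length: with a mismatched
# secret the body is noise, and because the header is never obfuscated this is where a peer can notice.
def authen_start(user=b"", port=b"tty0", rem_addr=b""):
    return bytes([ACTION_LOGIN, 1, AUTHEN_TYPE_ASCII, SVC_LOGIN,
                  len(user), len(port), len(rem_addr), 0]) + user + port + rem_addr

def parse_start(body):
    action, _priv, atype, _svc, ul, pl, rl, dl = body[:8]
    if (action, atype) != (ACTION_LOGIN, AUTHEN_TYPE_ASCII) or 8 + ul + pl + rl + dl != len(body):
        raise ValueError("inconsistent START")
    return body[8:8 + ul]

def authen_continue(user_msg):
    return struct.pack("!HHB", len(user_msg), 0, 0) + user_msg

def parse_continue(body):
    msg_len, data_len, _flags = struct.unpack("!HHB", body[:5])
    if 5 + msg_len + data_len != len(body):
        raise ValueError("inconsistent CONTINUE")
    return body[5:5 + msg_len]

def authen_reply(status, server_msg=b"", flags=0):
    return struct.pack("!BBHH", status, flags, len(server_msg), 0) + server_msg

def parse_reply(body):
    status, flags, msg_len, data_len = struct.unpack("!BBHH", body[:6])
    if status not in STATUS_NAMES or 6 + msg_len + data_len != len(body):
        raise ValueError("inconsistent REPLY")
    return status, flags, body[6:6 + msg_len]

class Daemon:                                            # toy daemon: constructed user table + session state
    def __init__(self, key, users):
        self.key, self.users, self.sessions = key, users, {}

    def handle(self, raw):
        seq_no, sid = raw[2], struct.unpack("!I", raw[4:8])[0]       # clear header; reused for ERROR
        try:
            seq_no, sid, body = unpack_packet(raw, self.key)
            if seq_no == 1:                                          # START: ask for the username
                parse_start(body)
                self.sessions[sid] = ("user", None)
                reply = authen_reply(GETUSER, b"Username: ")
            else:                                                    # CONTINUE: username, then password
                phase, user = self.sessions.pop(sid)
                msg = parse_continue(body)
                if phase == "user":
                    self.sessions[sid] = ("pass", msg)
                    reply = authen_reply(GETPASS, b"Password: ", NOECHO)
                else:
                    reply = authen_reply(PASS if self.users.get(user) == msg else FAIL)
        except (ValueError, KeyError, struct.error):
            reply = authen_reply(ERROR, b"cannot decode request")
        return pack_packet(sid, seq_no + 1, self.key, reply)

def login(daemon, key, user, password, session_id):
    """Network-access-server side of the ASCII login; returns the final status name."""
    answers, seq_no = [user, password], 1
    raw = pack_packet(session_id, seq_no, key, authen_start())
    while True:
        try:
            seq_no, _, body = unpack_packet(daemon.handle(raw), key)
            status, _flags, _prompt = parse_reply(body)
        except (ValueError, struct.error):
            return "ERROR"        # undecodable reply: the device would fall back to another method
        if status not in (GETUSER, GETPASS) or not answers:
            return STATUS_NAMES[status]
        seq_no += 1
        raw = pack_packet(session_id, seq_no, key, authen_continue(answers.pop(0)))
```

Usage: `d = Daemon(b"constructed-shared-secret", {b"admin": b"correct-horse"})`, then `login(d, b"constructed-shared-secret", b"admin", b"correct-horse", 0x1234ABCD)` returns `"PASS"`, a wrong password returns `"FAIL"`, and `login(d, b"some-other-secret", ...)` returns `"ERROR"` because neither side can make sense of the other's obfuscated bodies. The RFC names the final statuses PASS and FAIL; the ACCEPT and REJECT responses in the manual are the same two outcomes. The example deliberately treats a REPLY whose status or lengths do not fit as an error, because with a pure XOR pad that consistency check is the only integrity signal the protocol offers.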
To configure TACACS+ in the CLI, use the following commands:
To enable TACACS+:
(config-data)# aaa authentication login tacacs+
To configure the IP address of the TACACS+ server (up to two servers can be
configured):
(config-data)# tacacs-server host <IP address>
To configure the TCP port number for the TACACS+ service (TACACS+ is assigned TCP port 49 by IANA; set this only if your daemon listens on a different port):
(config-data)# tacacs-server port <port>