Installation & Operation Manual 378 Document # LTRT-92224
Mediant 8000
Authentication and Authorization Responses, received from the TACACS+ server,
determine whether the login is allowed or not. If the Authorization Response contains
priv-lvl AV-pair, it will be used to determine the "privilege level" of the CLI user
(administrator/monitor) according to the table below. Otherwise the CLI administrator
privilege level will be granted.
Priv-lvl Value CLI Privilege Level
0 Monitor
1 – 14 Administrator
15
For root username - super-user (the only
supported option);
For others - administrator
Upon successful Authentication and Authorization Responses, user credentials are
"cached" in the local user database on SC boards. This "cache" allows access to the
CLI interface in emergency cases when communication with TACACS+ servers is
impossible (e.g. due to the network outage). Local "cache" entries have limited lifetime
(configurable via AAA Cache Password Expiration parameter) – after which they are
invalidated.
33.18.6.1.3 Working With TACACS+ Server : Command Execution
When the user enters a command in the Mediant 8000 CLI interface, Authorization
and Accounting requests are sent towards the TACACS+ server.
Authorization Request is sent for all Media Gateway specific CLI commands (e.g.
show or tpCmd); however not for generic OS commands (e.g. ls). Authorization
Response, received from the TACACS+ server, determines whether specific
command execution is allowed or not.
Authorization Request includes the following AV-pairs:
service = "shell"
cmd = <command> (e.g. show)
cmd-arg = <arguments>" (e.g. moBoard#6)
Multiple cmd-arg elements may be included according to the number of command
arguments provided by the user. To simplify the processing of Authorization Requests
by the TACACS+ server, commands entered by the user are automatically expanded.
For example, if command "sh br#8" is entered, the corresponding expanded
command "show moBoard#8" is sent instead.
Accounting Requests are sent for all activity performed on the Media Gateway’s CLI
interface (i.e. both for Media Gateway’s specific commands – e.g. show – and for
generic OS commands – e.g. ls). Two Accounting Requests are generated – one
before the command execution and one immediately after.
An Accounting Request sent before the command execution, includes the following
AV-pairs:
start_time = <start time> (in seconds since 1/1/1970)
cmd = <command> (e.g. show)
To Next Page
Loading...
