Cisco ASA Series CLI Configuration Guide
 
Appendix 1      Configuring an External Server for Authorization and Authentication
Configuring an External TACACS+ Server
The ASA provides support for TACACS+ attributes. TACACS+ separates the functions of 
authentication, authorization, and accounting. The protocol supports two types of attributes: mandatory 
and optional. Both the server and client must understand a mandatory attribute, and the mandatory 
attribute must be applied to the user. An optional attribute may or may not be understood or used. 
Note: To use TACACS+ attributes, make sure that you have enabled AAA services on the NAS.
Table 1-10 lists supported TACACS+ authorization response attributes for cut-through-proxy 
connections. Table 1-11 lists supported TACACS+ accounting attributes.
Table 1-9
Disconnect Reason Code
ACCT_DISC_ADMIN_RESET = 6
ACCT_DISC_ADMIN_REBOOT = 7
ACCT_DISC_PORT_ERROR = 8
ACCT_DISC_NAS_ERROR = 9
ACCT_DISC_NAS_REQUEST = 10
ACCT_DISC_NAS_REBOOT = 11
ACCT_DISC_PORT_UNNEEDED = 12
ACCT_DISC_PORT_PREEMPTED = 13
ACCT_DISC_PORT_SUSPENDED = 14
ACCT_DISC_SERV_UNAVAIL = 15
ACCT_DISC_CALLBACK = 16
ACCT_DISC_USER_ERROR = 17
ACCT_DISC_HOST_REQUEST = 18
ACCT_DISC_ADMIN_SHUTDOWN = 19
ACCT_DISC_SA_EXPIRED = 21
ACCT_DISC_MAX_REASONS = 22
Table 1-10 Supported TACACS+ Authorization Response Attributes

Attribute   Description
acl         Identifies a locally configured access list to be applied to the connection.
idletime    Indicates the amount of inactivity in minutes that is allowed before the authenticated user session is terminated.
timeout     Specifies the absolute amount of time in minutes that authentication credentials remain active before the authenticated user session is terminated.
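
The mandatory/optional rule described above, applied to the three attributes in Table 1-10, as an added example that is not from the Cisco guide and does not represent the ASA's own implementation. It assumes the RFC 8907 wire convention (`=` separates a mandatory attribute from its value, `*` an optional one); the ACL name and the `x-example` attribute are constructed.

```python
# Added example: client-side handling of TACACS+ authorization AV pairs.
# Assumption: RFC 8907 separators, "=" for mandatory and "*" for optional.
import re

# Attributes from Table 1-10; idletime and timeout are whole minutes.
SUPPORTED = {"acl": str, "idletime": int, "timeout": int}
_AVP = re.compile(r"^([^=*]+)([=*])(.*)$", re.S)


def parse_avp(raw):
    """Split one AV pair into (name, mandatory, value)."""
    m = _AVP.match(raw)
    if not m:
        raise ValueError(f"malformed AV pair: {raw!r}")
    name, sep, value = m.groups()
    return name, sep == "=", value


def apply_authorization(avps):
    """Return (permitted, settings, ignored) for a list of AV-pair strings.

    A mandatory attribute that is unknown or unusable fails the whole
    authorization; an optional one in the same state is skipped.
    """
    settings, ignored = {}, []
    for raw in avps:
        try:
            name, mandatory, value = parse_avp(raw)
        except ValueError:
            return False, {}, [raw]  # fail closed on a malformed pair
        try:
            if name not in SUPPORTED:
                raise ValueError("unsupported attribute")
            typed = SUPPORTED[name](value)  # int() rejects non-numeric text
            if typed == "" or (isinstance(typed, int) and typed < 0):
                raise ValueError("unusable value")
        except ValueError:
            if mandatory:
                return False, {}, [raw]
            ignored.append(raw)
            continue
        settings[name] = typed
    return True, settings, ignored


# Constructed sample responses (not captured from a real server).
SAMPLE_OK = ["acl=OUTSIDE_IN", "idletime=10", "timeout=60", "x-example*hello"]
SAMPLE_DENY = ["acl=OUTSIDE_IN", "x-example=1"]  # unknown and mandatory

if __name__ == "__main__":
    print(apply_authorization(SAMPLE_OK))
    print(apply_authorization(SAMPLE_DENY))
```

The unknown optional attribute in the first sample is reported in `ignored` while the session settings still apply; the same attribute sent as mandatory in the second sample rejects the authorization outright.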