Configuring security Use TACACS+ to control access to the router
Digi TransPort® Routers User Guide
805
Use TACACS+ to control access to the router
The Digi TransPort range of routers supports Terminal Access Controller Access-Control System Plus
(TACACS+) for controlling access to the router.
TACACS+ provides authentication, authorization and accounting (AAA) services. You can use TACACS+
to control the following access methods:
- Secured asynchronous serial (ASY) ports
- Telnet
- SSH
- FTP
- HTTP/HTTPS
- SNMP
When the TACACS+ client makes any request, it first checks whether a socket to a server (primary or
backup) is already open. If a socket is already open, the router uses that socket for the TACACS+
request. If no socket is open, the primary server is tried first. If the socket to the primary server
fails to open, the backup server is tried. Regardless of whether the primary or backup socket
connected, the primary server is always tried first on the next connection attempt.
Once the connection to the TACACS+ server opens, all pending requests are sent to the TACACS+
server.
If a connection to the TACACS+ server is not possible due to network or server problems, all requests
by applications are denied.
Functions of the AAA services
If TACACS+ authentication is enabled, the request is sent to the TACACS+ server. If disabled, the
router performs the authentication. At this point authorization is also performed. If TACACS+
authorization is disabled, the user access level is obtained from the local user table on the router. If
TACACS+ authorization is enabled, an authorization request is sent to the TACACS+ server. The server
returns a privilege level and may also return other attributes, such as a new idle time for this session,
which take precedence over the locally configured values.
When the user has been authenticated and access has been authorized, the login is allowed. If the
connection is via telnet or SSH, a welcome message showing the access level and the method of
authentication is displayed. If the access level was assigned locally the following message is displayed:
Welcome. Your access level is SUPER
If the access level was assigned by the TACACS+ server, the following message is displayed:
Welcome. Your access level is obtained remotely
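The server selection rules and the AAA login flow described above, modelled as an added Python example (not Digi firmware code); server reachability, the local user table and the TACACS+ server reply are constructed stand-ins so the model runs offline.

```python
from typing import Optional

# Constructed local user table and idle timeout; not Digi firmware code.
LOCAL_USERS = {"admin": {"password": "s3cret", "level": "SUPER"}}
LOCAL_IDLE = 300  # seconds, locally configured session idle time

class TacacsClient:
    """Socket selection: reuse an open socket, else try the primary, then
    the backup; if neither opens, every pending request is denied."""

    def __init__(self, primary_up: bool, backup_up: bool) -> None:
        self.primary_up, self.backup_up = primary_up, backup_up  # constructed reachability
        self.open_socket: Optional[str] = None

    def connect(self) -> Optional[str]:
        if self.open_socket:                      # an already open socket is always reused
            return self.open_socket
        for name, up in (("primary", self.primary_up), ("backup", self.backup_up)):
            if up:                                # primary is tried first on every new attempt
                self.open_socket = name
                return name
        return None                               # fail closed: no server, no access

def login(client: TacacsClient, user: str, password: str,
          authn_on: bool, authz_on: bool, reply: dict) -> dict:
    """AAA decision for one login. `reply` is a constructed stand-in for the
    server's answer: {"auth_ok": bool, "priv_lvl": str, "idle": int}."""
    if (authn_on or authz_on) and client.connect() is None:
        return {"allowed": False, "reason": "no TACACS+ server reachable"}
    local = LOCAL_USERS.get(user)
    if authn_on:
        authenticated = bool(reply.get("auth_ok"))          # server decides
    else:
        authenticated = local is not None and local["password"] == password
    if not authenticated:
        return {"allowed": False, "reason": "authentication failed"}
    if authz_on:
        level = reply["priv_lvl"]
        idle = reply.get("idle", LOCAL_IDLE)      # server attribute overrides the local value
        message = "Welcome. Your access level is obtained remotely"
    else:
        if local is None:                         # assumption: no local entry means no access level
            return {"allowed": False, "reason": "no local user entry"}
        level, idle = local["level"], LOCAL_IDLE
        message = f"Welcome. Your access level is {level}"
    return {"allowed": True, "level": level, "idle": idle, "message": message}
```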
If accounting is enabled, session start and stop messages are sent to the TACACS+ server when the
session opens and closes. During the session, details of commands executed and denied due to access
level control will be sent to the TACACS+ server. At the end of the session the stop message is sent to
the TACACS+ server with the elapsed session time included.