Enterasys C5G124-24 User Manual

Enterasys C5G124-24
452 pages
TACACS+
26-12 Configuring Security Features
You can also configure TACACS+ to use a single TCP connection for all TACACS+ client requests
to a given TACACS+ server.
Up to 5 TACACS+ servers can be configured, with the index value of 1 having the highest priority.
If you want to change the default timeout value for a specific server or all servers, you must enter
the set tacacs server command using the timeout parameter.
When at least one backup server has been configured and the switch loses contact with the
primary server, the switch will contact the next server in priority. If the switch was trying to
authenticate a user when the connection was lost, or if the default login access (read-only
permissions) had been received, the switch will try to authenticate again.
If a user had already been authenticated and authorized, then the backup server is contacted
without requiring any authentication. The backup server will just authorize or account for the
packets coming in for that user. Since a task ID is associated with each accounting session, if there
is a failover to a backup server, the accounting information will still be associated with the correct
session using the task ID.
When a failover to a backup server occurs, syslog messages are generated containing the reason
for the failure.
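The failover rules above can be traced with a small Python model. This is an added example, not Enterasys code: the class names, event names and syslog text are constructed, and every request is assumed to succeed on the server that receives it.

```python
from dataclasses import dataclass, field
from typing import Optional

@dataclass
class Session:
    user: str
    task_id: int                  # accounting task ID, fixed for the session
    authenticated: bool = False   # True once authenticated and authorized
    server: Optional[int] = None  # index of the server currently in use

@dataclass
class Client:
    reachable: dict                              # constructed: index -> server up?
    syslog: list = field(default_factory=list)   # stand-in for syslog output
    events: list = field(default_factory=list)   # (server, task_id, event)

    def _select(self, sess):
        """Keep the current server if it answers, else fail over by priority."""
        if sess.server is not None and self.reachable.get(sess.server):
            return False
        lost = sess.server
        for idx in sorted(i for i in self.reachable if i > (lost or 0)):
            if self.reachable[idx]:
                sess.server = idx
                if lost is not None:  # constructed message text
                    self.syslog.append(f"failover {lost}->{idx}: server {lost} unreachable")
                return lost is not None
        raise ConnectionError("no TACACS+ server reachable")

    def send(self, sess, event):
        failed_over = self._select(sess)
        # Re-authenticate only if the session was not yet fully authenticated.
        if event == "authenticate" or (failed_over and not sess.authenticated):
            self.events.append((sess.server, sess.task_id, "authenticate"))
            sess.authenticated = True
            if event == "authenticate":
                return
        self.events.append((sess.server, sess.task_id, event))

def demo():
    client = Client(reachable={1: True, 2: True, 3: True})
    sess = Session(user="admin", task_id=4711)   # constructed values
    for event in ("authenticate", "acct-start"):
        client.send(sess, event)
    client.reachable[1] = False                  # primary lost after login
    for event in ("authorize-cmd", "acct-stop"):
        client.send(sess, event)
    return client, sess
```

In `demo()`, the session authenticated on server 1 continues on server 2 without a second authentication, and the accounting records on both servers carry the same task ID.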
TACACS+ Client Functionality
TACACS+ client functionality falls into four basic capabilities:
• Authentication and session authorization
• Command authorization
• Session accounting
• Command accounting
Session Authorization and Accounting
The TACACS+ client is disabled by default. When the TACACS+ client is enabled on an Enterasys
device and a session is initiated, the configured session authorization parameters are sent by the
client to the TACACS+ server. The parameter values must match a service and access level
attribute-value pair configured on the server for the session to be authorized. If the parameter
values do not match, the session is not allowed.
The service name and attribute-value pairs can be any character string, and are determined by
your TACACS+ server configuration.
When session accounting is enabled, the TACACS+ server logs accounting information, such as
start and stop times, IP address of the remote user, and so forth, for each authorized client session.
Command Authorization and Accounting
TACACS+ command authorization and accounting can occur only during a TACACS+ authorized
session.
When command authorization is enabled, the TACACS+ server checks whether each command is
permitted for that authorized session and returns a success or failure for each one. If the
authorization fails, the command is not executed.
When command accounting is enabled, the TACACS+ server logs accounting information, such as
the command string and IP address of the remote user for each command executed during the
session.
