Configuring TACACS+ for CLI Login
The device supports Terminal Access Controller Access-Control System (TACACS+). TACACS+ is a security protocol for centralized username and password verification. TACACS+ can be used for validating users attempting to gain access to the device through CLI. TACACS+ services are maintained on a database on a TACACS+ daemon.
You must have access to and must configure a TACACS+ server before configuring TACACS+ on your device.
TACACS+ can provide the following services:
|
■
|
Authentication: provides authentication through login and password dialog |
|
■
|
Authorization: manages user capabilities for the duration of the user's session by placing restrictions on what commands a user may execute |
|
■
|
Accounting: collects and sends information for auditing and reporting to the TACACS+ daemon |
The TACACS+ protocol provides authentication between the device and the TACACS+ daemon, and it ensures confidentiality as all protocol exchanges between a network access server and a TACACS+ daemon are encrypted. You need a system running TACACS+ daemon software to use the TACACS+ functionality on your network access server.
When a user attempts a simple ASCII login by authenticating to a network access server using TACACS+, the following typically occurs:
|
1.
|
When the connection is established, the network access server contacts the TACACS+ daemon to obtain a username prompt, which is then displayed to the user. The user enters a username and the network access server then contacts the TACACS+ daemon to obtain a password prompt. The network access server displays the password prompt to the user, the user enters a password, and the password is then sent to the TACACS+ daemon. |
|
2.
|
The network access server eventually receives one of the following responses from the TACACS+ daemon: |
|
●
|
ACCEPT: The user is authenticated and service may begin. If the network access server is configured to require authorization, authorization will begin at this time. |
|
●
|
REJECT: The user has failed to authenticate. The user may be denied further access. |
|
●
|
ERROR: An error occurred at some time during authentication. This can be at the daemon or in the network connection between the daemon and the network access server. If an ERROR response is received, the device typically attempts to use an alternative method for authenticating the user. |
|
3.
|
If TACACS+ authorization is needed, the TACACS+ daemon is again contacted for each CLI command entered by the user, and it returns an ACCEPT or REJECT authorization response. If an ACCEPT response is returned, the CLI command is allowed; otherwise, it is rejected. |
To configure TACACS+ in the CLI, use the following commands:
(config-data)# aaa authentication login tacacs+
|
■
|
To configure the address of the TACACS+ server (up to two servers can be configured): |
(config-data)# tacacs-server host <IP address or FQDN>
|
■
|
To configure the TCP port number for the TACACS+ service: |
(config-data)# tacacs-server port <port>
|
■
|
To configure the shared secret between the TACACS+ server and the device: |
(config-data)# tacacs-server key <password>
|
■
|
To configure how much time to wait for a TACACS+ response before failing the authentication: |
(config-data)# tacacs-server timeout <in seconds>
|
■
|
To configure the device's data-router WAN interface through which communication with the TACACS+ server is done: |
(config-data)# tacacs-server source data source-address interface <interface name>