Tacacs - Avaya ERS 2500 Technical Configuration Manual

Ethernet routing switch

6. TACACS+

The ERS 5000, ERS 4500, and ERS 2500 all support a TACACS+ client. TACACS+ provides
management of users who access the switch through Telnet, serial, and SSHv2 (password
authentication) connections, using TCP as the transport. TACACS+ supports users only on
the CLI interface. Access to SNMP and Web management is disabled when TACACS+ is enabled,
but either can be re-enabled afterwards while TACACS+ remains enabled.
Unlike RADIUS, which combines authentication and authorization in a single user profile, TACACS+
separates the two functions. The separation is completely transparent to the user. Upon
successful authentication, the TACACS+ server assigns the user an access level from 1 to 15,
according to how you have set up each user-id on your TACACS+ server. Within each access
level, you can limit the switch commands available to the user. When an authenticated user
enters a command, the switch sends an authorization request to the TACACS+ server, which checks
the command against the command list in the user's profile. If the command is not in the user's
profile, the TACACS+ server denies the authorization request and the switch in turn rejects the command.
Please note that you cannot enable both RADIUS and TACACS+ authentication on the same
interface. You can, however, enable RADIUS and TACACS+ on different interfaces; for example,
RADIUS on the serial connection and TACACS+ on the Telnet connection. Also, TACACS+ is
only for administrative (CLI) users and cannot be used for 802.1X (EAP) users; RADIUS must be used
for 802.1X.
The user is prompted for a log-on name and password as part of the authentication process. If TACACS+
fails because no valid server can be reached, the username and password are checked against the local
database instead. If either TACACS+ or the local database returns an access-denied response, the
authentication process stops there: a denial is final, and no other authentication method is attempted.
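The log-on decision described above, written out as a small model so the fail-over rules can be exercised. This is an added example and not code from the Avaya manual; the server objects, user tables and local database are constructed for the example. It shows the two distinct outcomes that are easy to confuse: an unreachable server is skipped (and the local database is used only when every server is unreachable), whereas an explicit denial from a server is final and does not fall back to the local database.

```python
class TacacsServer:
    """Stand-in for one configured TACACS+ server: either unreachable, or
    answering from a fixed (constructed) user table."""

    def __init__(self, name, reachable=True, users=None):
        self.name = name
        self.reachable = reachable
        self.users = users or {}        # user -> (password, privilege level 1-15)

    def authenticate(self, user, password):
        if not self.reachable:
            # No answer at all: the switch treats this as "no valid server".
            raise ConnectionError(f"{self.name}: no response")
        entry = self.users.get(user)
        if entry is None or entry[0] != password:
            return None                 # explicit access denied
        return entry[1]                 # privilege level granted by the server


def login(servers, local_db, user, password):
    """Return (source, level): level is the granted privilege level, or None
    when that source denied access. 'source' is "tacacs" or "local"."""
    for srv in servers:                 # primary first, then secondary
        try:
            level = srv.authenticate(user, password)
        except ConnectionError:
            continue                    # skip an unreachable server, try the next
        return ("tacacs", level)        # any answer, pass or deny, ends the attempt
    # Every configured server was unreachable: fall back to the local database.
    entry = local_db.get(user)
    if entry is None or entry[0] != password:
        return ("local", None)
    return ("local", entry[1])


if __name__ == "__main__":
    # Constructed scenario: primary down, secondary up, local admin account.
    primary = TacacsServer("primary", reachable=False)
    secondary = TacacsServer("secondary", users={"ops": ("s3cret", 15)})
    local_db = {"admin": ("local-pw", 15), "ops": ("local-pw", 1)}
    print(login([primary, secondary], local_db, "ops", "s3cret"))      # ('tacacs', 15)
    print(login([primary, secondary], local_db, "ops", "local-pw"))    # ('tacacs', None)
    print(login([primary], local_db, "admin", "local-pw"))             # ('local', 15)
```

Note the second call: the user's local password is not accepted while a TACACS+ server is reachable, because the server's denial stops the process. The local database only comes into play in the third call, where no server answers.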
To enable TACACS+, enter the following command to view the configurable options:
ERS-Stackable(config)# tacacs ?
Parameters:
accounting        TACACS+ accounting tracks what the user does
authorization     TACACS+ authorization determines what the user is allowed to do
server            TACACS+ server's primary/secondary host, shared secret key and TCP port
Sub-Commands/Groups:
switch            Switch between TACACS+ privilege levels

Users can also change their privilege level while in configuration mode by issuing the following
command:
ERS-Stackable(config)# tacacs switch level <1-15>
To switch back to the original privilege level, the user needs to enter the following command:
ERS-Stackable(config)# tacacs switch back
If you change access levels, the switch sends an authentication request using a user-id of
dummy. For command authorization at the new level, however, a user-id of $enab<x>$ is
used, where x is the privilege level that was selected.
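The per-command authorization exchange described in this section (and the $enab<x>$ user-id used after a level switch), as an added example that is not part of the Avaya manual. It builds the TACACS+ AUTHOR REQUEST the switch would send for one CLI command, obfuscates the body with the shared secret as RFC 8907 specifies, parses it on the server side, checks the command against a per-user profile, and returns the AUTHOR REPLY status to the switch. The protocol constants and packet layout follow RFC 8907; the PROFILES table, the shared secret, the session id and the port/remote-address strings are constructed for the example, and the "$enab15$" profile is an assumption about how a server would hold the command list for that user-id.

```python
import hashlib
import struct

# Protocol constants from RFC 8907 (TACACS+).
TAC_PLUS_VERSION = 0xC0                 # major version 0xC, minor version 0
TAC_PLUS_AUTHOR = 0x02                  # packet type: authorization
TAC_PLUS_AUTHEN_METH_TACACSPLUS = 0x06
TAC_PLUS_AUTHEN_TYPE_ASCII = 0x01
TAC_PLUS_AUTHEN_SVC_LOGIN = 0x01
TAC_PLUS_AUTHOR_STATUS_PASS_ADD = 0x01
TAC_PLUS_AUTHOR_STATUS_FAIL = 0x10
HEADER = "!BBBBII"                      # version, type, seq_no, flags, session_id, length

# Constructed per-user profiles standing in for what the TACACS+ server holds.
# The "$enab<x>$" entry covers commands entered after "tacacs switch level <x>",
# which the switch authorizes under that user-id rather than the login name.
PROFILES = {
    "helpdesk": {"priv_lvl": 3,  "commands": {"show"}},
    "netops":   {"priv_lvl": 15, "commands": {"show", "configure", "interface"}},
    "$enab15$": {"priv_lvl": 15, "commands": {"show", "configure", "interface"}},
}


def pseudo_pad(session_id, key, seq_no, length):
    """RFC 8907 section 4.5: chained MD5 over session_id, shared key, version and seq_no."""
    prefix = struct.pack("!I", session_id) + key + bytes([TAC_PLUS_VERSION, seq_no])
    pad, prev = b"", b""
    while len(pad) < length:
        prev = hashlib.md5(prefix + prev).digest()
        pad += prev
    return pad[:length]


def obfuscate(body, session_id, key, seq_no):
    """XOR the body with the pseudo-pad; applying it twice restores the plaintext."""
    pad = pseudo_pad(session_id, key, seq_no, len(body))
    return bytes(b ^ p for b, p in zip(body, pad))


def build_author_request(user, priv_lvl, cmd, cmd_args, session_id, key):
    """Switch side: AUTHOR REQUEST (seq_no 1) asking whether 'user' may run one CLI command."""
    args = [b"service=shell", b"cmd=" + cmd.encode()] + [b"cmd-arg=" + a.encode() for a in cmd_args]
    port, rem_addr = b"tty0", b"192.0.2.10"      # constructed session details
    body = struct.pack("!BBBBBBBB", TAC_PLUS_AUTHEN_METH_TACACSPLUS, priv_lvl,
                       TAC_PLUS_AUTHEN_TYPE_ASCII, TAC_PLUS_AUTHEN_SVC_LOGIN,
                       len(user), len(port), len(rem_addr), len(args))
    body += bytes(len(a) for a in args) + user.encode() + port + rem_addr + b"".join(args)
    header = struct.pack(HEADER, TAC_PLUS_VERSION, TAC_PLUS_AUTHOR, 1, 0, session_id, len(body))
    return header + obfuscate(body, session_id, key, 1)


def parse_author_request(packet, key):
    """Server side: validate the header, un-obfuscate, return (session_id, user, priv_lvl, args)."""
    version, ptype, seq_no, _flags, session_id, length = struct.unpack(HEADER, packet[:12])
    if version != TAC_PLUS_VERSION or ptype != TAC_PLUS_AUTHOR or len(packet) != 12 + length:
        raise ValueError("not a well-formed TACACS+ AUTHOR REQUEST")
    body = obfuscate(packet[12:], session_id, key, seq_no)
    _, priv_lvl, _, _, user_len, port_len, rem_len, arg_cnt = struct.unpack("!BBBBBBBB", body[:8])
    arg_lens = body[8:8 + arg_cnt]
    off = 8 + arg_cnt
    user = body[off:off + user_len].decode()
    off += user_len + port_len + rem_len                  # skip port and rem_addr
    args = []
    for n in arg_lens:
        k, v = body[off:off + n].decode().split("=", 1)
        args.append((k, v))
        off += n
    return session_id, user, priv_lvl, args


def authorize(user, priv_lvl, args):
    """Server-side policy: the command must be in the user's profile and the level within it."""
    profile = PROFILES.get(user)
    cmd = next((v for k, v in args if k == "cmd"), None)
    if profile is None or cmd is None or priv_lvl > profile["priv_lvl"] or cmd not in profile["commands"]:
        return TAC_PLUS_AUTHOR_STATUS_FAIL
    return TAC_PLUS_AUTHOR_STATUS_PASS_ADD


def build_author_reply(status, session_id, key):
    """Server side: AUTHOR REPLY (seq_no 2) carrying only the status byte."""
    body = struct.pack("!BBHH", status, 0, 0, 0)          # status, arg_cnt, server_msg_len, data_len
    header = struct.pack(HEADER, TAC_PLUS_VERSION, TAC_PLUS_AUTHOR, 2, 0, session_id, len(body))
    return header + obfuscate(body, session_id, key, 2)


def parse_author_reply(packet, key):
    """Switch side: un-obfuscate the reply and return its status byte."""
    _, _, seq_no, _, session_id, _ = struct.unpack(HEADER, packet[:12])
    return obfuscate(packet[12:], session_id, key, seq_no)[0]


def command_permitted(user, priv_lvl, cmd, cmd_args=(), key=b"example-shared-secret", session_id=0x1234ABCD):
    """Full round trip: switch builds the request, server parses and decides, switch reads the reply."""
    request = build_author_request(user, priv_lvl, cmd, list(cmd_args), session_id, key)
    sid, who, lvl, args = parse_author_request(request, key)
    reply = build_author_reply(authorize(who, lvl, args), sid, key)
    return parse_author_reply(reply, key) == TAC_PLUS_AUTHOR_STATUS_PASS_ADD


if __name__ == "__main__":
    print(command_permitted("helpdesk", 3, "show", ["running-config"]))   # True
    print(command_permitted("helpdesk", 3, "configure", ["terminal"]))   # False
    print(command_permitted("$enab15$", 15, "configure", ["terminal"]))  # True
```

The third call is the case the section ends on: after "tacacs switch level 15" the switch sends authorization requests for user-id "$enab15$", so the server's profile for that name, not the login name, is what decides whether the command runs. Note also that the shared secret only obfuscates the body with an MD5-derived pad; it provides no integrity protection, which is why RFC 8907 recommends carrying TACACS+ over a protected management network.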
Avaya Inc. – External Distribution
avaya.com
26
