Configuring Tacacs+ For Non-Local Vpn Authentication; Verifying The Tacacs+ Configuration - Cisco ASR 5500 Administration Manual

System Settings

Configuring TACACS+ for Non-local VPN Authentication

By default TACACS+ authentication is associated with login to the local context. TACACS+ authentication
can also be configured for non-local context VPN logins. TACACS+ must configured and enabled with the
option described below.
A stop keyword option is available for the TACACS+ Configuration mode on-unknown-user command. If
TACACS+ is enabled with the command-keyword option, the VPN context name into which the user is
attempting a login must match the VPN name specified in the username string. If the context name does not
match, the login fails and exits out.
Without this option the login sequence will attempt to authenticate in another context via an alternative login
method. For example, without the on-unknown-user stop configuration, an admin account could log into
the local context via the non-local VPN context. However, with the on-unknown-user stop configuration,
the local context login would not be attempted and the admin account login authentication would fail.
configure
tacacs mode
on-unkown-user stop ?
end

Verifying the TACACS+ Configuration

This section describes how to verify the TACACS+ configuration.
Log out of the system CLI, then log back in using TACACS+ services.
Important
At the Exec Mode prompt, enter the following command:
show tacacs [ client | priv-lvl | session | summary ]
The output of the show tacacs commands provides summary information for each active TACACS+ session
such as username, login time, login status, current session state and privilege level. Optional filter keywords
provide additional information.
An example of this command's output is provided below. In this example, a system administrative user named
asradmin has successfully logged in to the system via TACACS+ AAA services.
active session #1:
login username
login tty
time of login
login server priority
current login status
current session state
current privilege level
remote client application
remote client ip address
last server reply status
total TACACS+ sessions
Once TACACS+ AAA services are configured and enabled on the ASR 5x00, the system first will try to
authenticate the administrative user via TACACS+ AAA services. By default, if TACACS+ authentication
fails, the system then continues with authentication using non-TACACS+ AAA services.
Configuring TACACS+ for Non-local VPN Authentication
: asradmin
: /dev/pts/1
: Fri Oct 22 13:19:11 2011
: 1
: pass
: user login complete
: 15
: ssh
: 111.11.11.11
: -1
: 1
ASR 5500 System Administration Guide, StarOS Release 19
47