Operation; User Account Requirements; Tacacs+ User Account Requirements - Cisco ASR 5000 Administration Manual

StarOS Release 21.1
System Settings

Operation

TACACS+ is a secure, encrypted protocol. By remotely accessing TACACS+ servers that are provisioned with the administrative user account database, the ASR 5000 can provide TACACS+ AAA services for system administrative users. TACACS+ is an enhanced version of the TACACS protocol that uses TCP instead of UDP.

The ASR 5x00 system serves as the TACACS+ Network Access Server (NAS). As the NAS, the system requests TACACS+ AAA services on behalf of authorized system administrative users. For the authentication to succeed, the TACACS+ server must be in the same local context and network accessed by the system.

The system supports TACACS+ multiple-connection mode. In multiple-connection mode, a separate and private TCP connection to the TACACS+ server is opened and maintained for each session. When the TACACS+ session ends, the connection to the server is terminated.

TACACS+ is a system-wide function on the ASR 5x00. TACACS+ AAA service configuration is performed in TACACS Configuration Mode. Enabling the TACACS+ function is performed in the Global Configuration Mode. The system supports the configuration of up to three TACACS+ servers.

Once configured and enabled on the system, TACACS+ authentication is attempted first. By default, if TACACS+ authentication fails, the system then attempts to authenticate the user using non-TACACS+ AAA services, such as RADIUS.
Important

User Account Requirements

Before configuring TACACS+ AAA services, note the following TACACS+ server and StarOS user account
provisioning requirements.

TACACS+ User Account Requirements

The TACACS+ server must be provisioned with the following TACACS+ user account information:
• A list of known administrative users.
• The plain-text or encrypted password for each user.
• The name of the group to which each user belongs.
• A list of user groups.
• TACACS+ privilege levels and commands that are allowed/denied for each group.

For releases after 15.0 MR4, TACACS+ accounting (CLI event logging) will not be generated for Lawful Intercept users with privilege level set to 15 and 13.
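
The provisioning requirements listed above can be checked before the system is pointed at a TACACS+ server. The following is an added example, not part of the Cisco guide: it audits a constructed account inventory against those requirements. The dictionary layout and the function name `audit` are assumptions and do not correspond to any particular TACACS+ server's configuration format.

```python
# Added example: audit a constructed TACACS+ account inventory against the
# provisioning requirements listed above. The data layout is hypothetical.

SAMPLE = {  # constructed sample data, not taken from a real server
    "groups": {
        "admins":    {"priv_lvl": 15, "permit": ["*"], "deny": []},
        "operators": {"priv_lvl": 5, "permit": ["show *"], "deny": ["configure *"]},
        "auditors":  {"priv_lvl": 20, "permit": [], "deny": []},
    },
    "users": {
        "alice": {"password": "$6$constructed-hash", "group": "admins"},
        "bob":   {"password": "", "group": "operators"},
        "carol": {"password": "$6$constructed-hash", "group": "netops"},
    },
}


def audit(inventory):
    """Return a sorted list of (subject, problem) findings."""
    findings = []
    groups = inventory.get("groups", {})
    users = inventory.get("users", {})
    if not users:
        findings.append(("inventory", "no administrative users listed"))
    if not groups:
        findings.append(("inventory", "no user groups listed"))
    for name, group in groups.items():
        level = group.get("priv_lvl")
        # TACACS+ privilege levels are integers in the range 0..15 (RFC 8907).
        if not isinstance(level, int) or not 0 <= level <= 15:
            findings.append((f"group:{name}", "privilege level missing or outside 0-15"))
        # Each group needs at least one allowed or denied command rule.
        if not group.get("permit") and not group.get("deny"):
            findings.append((f"group:{name}", "no allowed/denied commands defined"))
    for name, user in users.items():
        if not user.get("password"):
            findings.append((f"user:{name}", "no password provisioned"))
        # The user's group must appear in the list of user groups.
        if user.get("group") not in groups:
            findings.append((f"user:{name}", "group not in the list of user groups"))
    return sorted(findings)


if __name__ == "__main__":
    for subject, problem in audit(SAMPLE):
        print(f"{subject}: {problem}")
```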
ASR 5000 System Administration Guide, StarOS Release 21.1