Configuring TACACS+ for Non-local VPN Authentication; Verifying the TACACS+ Configuration - Cisco ASR 5000 Administration Manual

StarOS Release 21.1
System Settings
Note:
• server priority priority_number: Must be an integer from 1 to 3 (releases prior to 18.2) or 1 through 4 (releases 18.2+) that specifies the order in which this TACACS+ server will be tried for TACACS+ authentication. 1 is the highest priority, and 3 or 4 is the lowest. The priority number corresponds to a configured TACACS+ server.
• ip-address: Must be the IPv4 address of a valid TACACS+ server that will be used for authenticating administrative users accessing this system via TACACS+ AAA services.
• By default, the TACACS+ configuration will provide authentication, authorization, and accounting services.
For complete information on all TACACS+ Configuration Mode commands and options, refer to the TACACS Configuration Mode Commands chapter of the Command Line Reference.
Enable TACACS+ on the ASR 5x00:
  configure
    aaa tacacs+
    end
Important: Save the configuration as described in the Verifying and Saving Your Configuration chapter.

Configuring TACACS+ for Non-local VPN Authentication

By default, TACACS+ authentication is associated with login to the local context. TACACS+ authentication can also be configured for non-local context VPN logins. TACACS+ must be configured and enabled with the option described below.
A stop keyword option is available for the TACACS+ Configuration mode on-unknown-user command. If TACACS+ is enabled with the stop keyword, the VPN context name into which the user is attempting a login must match the VPN name specified in the username string. If the context name does not match, the login fails.
Without this option the login sequence will attempt to authenticate in another context via an alternative login method. For example, without the on-unknown-user stop configuration, an admin account could log into the local context via the non-local VPN context. With the on-unknown-user stop configuration, the local context login would not be attempted and the admin account login authentication would fail.
  configure
    tacacs mode
      on-unknown-user stop
    end

Verifying the TACACS+ Configuration

This section describes how to verify the TACACS+ configuration:
Log out of the system CLI, then log back in using TACACS+ services.
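The following is an added example and is not code from the Cisco guide or from StarOS itself. It models, in Python, the two settings this page covers: the server priority and ip-address rules from the Note above (priority 1 to 3 before release 18.2, 1 to 4 from 18.2 on; IPv4 only) and the on-unknown-user stop behaviour (a login into a VPN context whose name does not match the context in the username fails instead of falling back to another context). The exact CLI line form "server priority N ip-address A.B.C.D", the function names, the sample server addresses (RFC 5737 documentation range) and the login scenarios are assumptions made for this example; the real AAA responses are stood in for by two constructed sets.

```python
# Added example, not code from the Cisco guide. Facts taken from the page:
# priority range 1-3 before StarOS 18.2 and 1-4 from 18.2 on, IPv4-only
# ip-address, and the on-unknown-user stop fallback behaviour. The CLI line
# "server priority N ip-address A.B.C.D", the function names, the sample
# servers and the login scenarios are assumptions for illustration.
import ipaddress
from dataclasses import dataclass


@dataclass(frozen=True)
class TacacsServer:
    priority: int
    ip_address: str


def max_priority(release: str) -> int:
    """Highest allowed server priority for a StarOS release string such as '21.1'."""
    major, minor = (int(part) for part in release.split(".")[:2])
    return 4 if (major, minor) >= (18, 2) else 3


def validate_server(server: TacacsServer, release: str) -> list:
    """Return the problems with one server entry; an empty list means it is acceptable."""
    problems = []
    top = max_priority(release)
    if not 1 <= server.priority <= top:
        problems.append(f"priority {server.priority} is outside 1-{top} for release {release}")
    try:
        if ipaddress.ip_address(server.ip_address).version != 4:
            problems.append(f"ip-address {server.ip_address} is not IPv4")
    except ValueError:
        problems.append(f"ip-address {server.ip_address!r} is not a valid address")
    return problems


def render_config(servers, release, on_unknown_user_stop=True) -> str:
    """Render the CLI blocks shown on this page for a validated server list.

    Raises ValueError for out-of-range priorities, non-IPv4 addresses or a
    priority used twice, so a bad entry is caught before it reaches the chassis.
    """
    seen = set()
    for server in servers:
        problems = validate_server(server, release)
        if problems:
            raise ValueError("; ".join(problems))
        if server.priority in seen:
            raise ValueError(f"duplicate priority {server.priority}")
        seen.add(server.priority)
    lines = ["configure", "  tacacs mode"]
    for server in sorted(servers, key=lambda s: s.priority):
        # Assumed line form; the page only names the server priority and ip-address keywords.
        lines.append(f"    server priority {server.priority} ip-address {server.ip_address}")
    if on_unknown_user_stop:
        lines.append("    on-unknown-user stop")
    lines += ["  end", "configure", "  aaa tacacs+", "  end"]
    return "\n".join(lines)


def login_decision(username, login_context, tacacs_users, local_admins, on_unknown_user_stop):
    """Model the login outcome the page describes.

    username is 'name@context'; login_context is the VPN context the session
    is trying to enter. tacacs_users (accounts the TACACS+ server would accept)
    and local_admins (admin accounts that exist in the local context) are
    constructed stand-ins for the real AAA answers.
    """
    name, _, named_context = username.partition("@")
    # Normal path: the context named in the username matches the login context.
    if named_context == login_context and username in tacacs_users:
        return f"authenticated in {login_context}"
    # With on-unknown-user stop, no other context or method is attempted.
    if on_unknown_user_stop:
        return "denied"
    # Without it, the sequence falls back to another context via an alternative
    # method; the page's example is an admin account landing in "local".
    if name in local_admins:
        return "authenticated in local"
    return "denied"


if __name__ == "__main__":
    servers = [TacacsServer(1, "192.0.2.10"), TacacsServer(2, "192.0.2.11")]
    print(render_config(servers, "21.1"))
    for stop in (False, True):
        outcome = login_decision("admin@vpn1", "vpn2", {"admin@vpn1"}, {"admin"}, stop)
        print(f"on-unknown-user stop={stop}: {outcome}")
```

Running the block prints the rendered configuration and then the two outcomes for the page's own scenario: an admin whose username names vpn1 attempting a login into vpn2 reaches the local context when the stop keyword is absent and is denied when it is present. The validator is the part worth keeping in a change-review pipeline, since the priority ceiling differs between releases and a value that is legal on 21.1 is rejected on anything older than 18.2.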
ASR 5000 System Administration Guide, StarOS Release 21.1