Tacacs+ Parameters; About Tacacs; Functions Of The Aaa Services - Digi TransPort WR31 User Manual

Configure security settings

TACACS+ parameters

The Digi TransPort range of routers supports Terminal Access Controller Access-Control System
Plus (TACACS+) for controlling access to the router.

About TACACS

TACACS+ provides authentication, authorization and accounting (AAA) services. You can use
TACACS+ to control the following access methods:
Secured asynchronous serial (ASY) ports
Telnet
SSH
FTP
HTTP/HTTPS
SNMP
When the TACACS+ client makes any request, it first checks whether a socket
to the server (primary or backup) is already open. If a socket is already open, the router uses that
socket for the TACACS+ request. If no socket is open, the primary server is tried first. If the primary
server socket fails to open, the backup server will be tried. Regardless of whether the primary or
backup socket connected, the primary server is always tried first on the next connection attempt.
Once the connection to the TACACS+ server opens, all pending requests are sent to the TACACS+
server.
If a connection to the TACACS+ server is not possible due to network or server problems, all requests
by applications are denied.
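
The server-selection rules above can be modelled in a few lines. This is an added illustration, not Digi firmware code or anything from the manual; the class name, method names and request strings are hypothetical, and socket closure is modelled as an explicit close() call because the manual does not say when the router closes a socket.

```python
# Added example: a model of the TACACS+ server-selection behaviour
# described in the manual. All names here are hypothetical.

class TacacsClientModel:
    def __init__(self, reachable):
        # reachable: constructed test input, e.g. {"primary": False, "backup": True}
        self.reachable = dict(reachable)
        self.open_socket = None   # server the currently open socket points at
        self.sent = []            # (server, request) pairs that were sent

    def _connect(self):
        # The primary is always tried first on a new connection attempt,
        # even if the backup served the previous connection.
        for server in ("primary", "backup"):
            if self.reachable.get(server):
                self.open_socket = server
                return True
        return False

    def close(self):
        # Assumption: models the socket closing (timeout, reset, etc.).
        self.open_socket = None

    def request(self, req):
        # An already-open socket is reused without re-checking the primary.
        if self.open_socket is None and not self._connect():
            # No server reachable: the request is denied (fail closed).
            return "DENIED"
        self.sent.append((self.open_socket, req))
        return self.open_socket


def demo():
    results = []
    client = TacacsClientModel({"primary": False, "backup": True})
    results.append(client.request("authen user1"))   # primary down -> backup
    client.reachable["primary"] = True
    results.append(client.request("author user1"))   # socket reused -> backup
    client.close()
    results.append(client.request("authen user2"))   # new attempt -> primary
    client.close()
    client.reachable = {"primary": False, "backup": False}
    results.append(client.request("authen user3"))   # nothing reachable
    return results


if __name__ == "__main__":
    print(demo())
```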

Functions of the AAA services

If TACACS+ authentication is enabled, the request is sent to the TACACS+ server. If disabled, the
router performs the authentication. At this point authorization is also performed. If TACACS+
authorization is disabled, the user access level is obtained from the local user table on the router. If
TACACS+ authorization is enabled, an authorization request is sent to the TACACS+ server. The
server returns a privilege level and may also return other attributes such as a new idle time for this
session, which takes precedence over locally configured values.
When the user has been authenticated and access has been authorized, the login is allowed. If the
connection is via Telnet or SSH, a welcome message showing the access level and the method of
authentication is displayed. If the access level was assigned locally, the following message is
displayed:
Welcome. Your access level is SUPER
If the access level was assigned by the TACACS+ server, the following message is displayed:
Welcome. Your access level is obtained remotely
If accounting is enabled, session start and stop messages are sent to the TACACS+ server when the
session opens and closes. During the session, details of commands executed and denied due to
access level control will be sent to the TACACS+ server. At the end of the session the stop message is
sent to the TACACS+ server with the elapsed session time included.
Digi TransPort WR Routers User Guide