Cisco SCE8000 Configuration Manual page 75

Chapter 5
Configuring the Management Interface and Security
The TACACS+ protocol provides the following three features:
Login authentication
Privilege level authorization
Accounting
Login Authentication
The SCE platform uses the TACACS+ ASCII authentication message for CLI, Telnet and SSH access. TACACS+ allows an arbitrary conversation to be held between the server and the user until the server has received enough information to authenticate the user. This is usually done by prompting for a username and password combination.
The login and password prompts may be provided by the TACACS+ server; if the TACACS+ server does not provide them, the local prompts are used.
The user's login information (user name and password) is transmitted to the TACACS+ server for authentication. If the TACACS+ server indicates that the user is not authenticated, the user is re-prompted for the user name and password. The user is re-prompted a user-configurable number of times, after which the failed login attempt is recorded in the SCE platform user log and the Telnet session is terminated (unless the user is connected to the console port).
The SCE platform will eventually receive one of the following responses from the TACACS+ server:
ACCEPT – The user is authenticated and service may begin.
REJECT – The user has failed to authenticate. Depending on the TACACS+ server, the user may be denied further access or prompted to retry the login sequence.
ERROR – An error occurred at some point during authentication, either at the server or in the network connection between the server and the SCE platform. If an ERROR response is received, the SCE platform tries an alternative method/server for authenticating the user.
CONTINUE – The user is prompted for additional authentication information.
If the server is unavailable, the next authentication method is attempted, as explained in Fallback and Recovery Mechanism, page 5-8. Note that only an ERROR response or an unreachable server triggers this fallback; a REJECT does not, so a wrong password never causes the platform to consult the next method in the list.
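The login sequence above, as an added example that simulates the SCE-side handling described in this section (this is not Cisco code and is not taken from the configuration guide). The TACACS+ servers are in-memory stubs; the method names, the retry default of 3, the stub behaviour and the `stub_two_step` server that issues a CONTINUE are all assumptions made for the example.

```python
"""Simulation of the login sequence described above (added example, not Cisco
code). The authentication servers are in-memory stubs; what is modelled is the
SCE-side handling of ACCEPT, REJECT, ERROR and CONTINUE, of an unreachable
server, and of the retry limit. Names, retry default and stub behaviour are
this example's assumptions."""
from dataclasses import dataclass, field
from enum import Enum
from typing import Callable, Dict, Iterator, List, Optional, Tuple


class Reply(Enum):
    ACCEPT = "ACCEPT"        # authenticated, service may begin
    REJECT = "REJECT"        # credentials refused, re-prompt
    ERROR = "ERROR"          # server or network error, try next method/server
    CONTINUE = "CONTINUE"    # server wants additional input


# Called with the user's latest (name, secret) input; raises ConnectionError
# when the server cannot be reached at all.
AuthMethod = Callable[[str, str], Reply]


@dataclass
class LoginResult:
    authenticated: bool
    method: Optional[str]       # method that produced the final decision
    rejects: int                # REJECT replies seen before the decision
    session_terminated: bool    # True when a Telnet/SSH session is dropped
    user_log: List[str] = field(default_factory=list)


def sce_login(methods: List[Tuple[str, AuthMethod]], user_input: Iterator[Tuple[str, str]],
              max_retries: int = 3, console: bool = False) -> LoginResult:
    """Walk the ordered method list. REJECT re-prompts on the same method,
    ERROR or an unreachable server falls through to the next method with the
    same credentials, CONTINUE prompts for more input, and after `max_retries`
    REJECTs the failure is logged and a non-console session is terminated."""
    log: List[str] = []
    rejects = 0
    pending: Optional[Tuple[str, str]] = None   # input carried across a fallback
    for name, method in methods:
        while True:
            if pending is None:
                try:
                    pending = next(user_input)
                except StopIteration:
                    log.append("login aborted: no more input from user")
                    return LoginResult(False, None, rejects, not console, log)
            user, secret = pending
            try:
                reply = method(user, secret)
            except ConnectionError:
                log.append(f"{name}: unreachable, trying next method")
                break                               # keep `pending` for the next method
            if reply is Reply.ACCEPT:
                log.append(f"{name}: ACCEPT {user}")
                return LoginResult(True, name, rejects, False, log)
            if reply is Reply.ERROR:
                log.append(f"{name}: ERROR, trying next method")
                break
            if reply is Reply.CONTINUE:
                log.append(f"{name}: CONTINUE, prompting {user} for more input")
                pending = None
                continue
            rejects += 1                                # Reply.REJECT
            pending = None
            log.append(f"{name}: REJECT {user} ({rejects}/{max_retries})")
            if rejects >= max_retries:
                outcome = "session kept open (console)" if console else "session terminated"
                log.append(f"failed login for {user} recorded; {outcome}")
                return LoginResult(False, name, rejects, not console, log)
    log.append("no method reached a decision; access denied")
    return LoginResult(False, None, rejects, not console, log)


# Constructed stub servers, not a TACACS+ implementation.
def stub_tacacs(users: Dict[str, str], reachable: bool = True, broken: bool = False) -> AuthMethod:
    def method(user: str, secret: str) -> Reply:
        if not reachable:
            raise ConnectionError("no route to TACACS+ server")
        if broken:
            return Reply.ERROR
        return Reply.ACCEPT if users.get(user) == secret else Reply.REJECT
    return method


def stub_two_step(users: Dict[str, str], tokens: Dict[str, str]) -> AuthMethod:
    """Answers CONTINUE after a good password and wants the user's one-time
    token as the next input before it ACCEPTs."""
    awaiting_token: set = set()
    def method(user: str, secret: str) -> Reply:
        if user in awaiting_token:
            awaiting_token.discard(user)
            return Reply.ACCEPT if tokens.get(user) == secret else Reply.REJECT
        if users.get(user) != secret:
            return Reply.REJECT
        awaiting_token.add(user)
        return Reply.CONTINUE
    return method


if __name__ == "__main__":
    primary = stub_tacacs({"admin": "s3cret"}, reachable=False)
    local = stub_tacacs({"admin": "localpw"})
    result = sce_login([("tacacs", primary), ("local", local)], iter([("admin", "localpw")]))
    print(result.authenticated, result.method, *result.user_log, sep="\n")
```

The two cases worth comparing are an unreachable primary server (the credentials are carried over to the next method and accepted there) and a reachable server that answers REJECT three times with a password that would have been valid locally: the second case ends in a terminated session without the local method ever being consulted, which is the fallback behaviour the section describes.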
Accounting
TACACS+ accounting supports the following functionality:
Each executed command (the command must be a valid one) is logged using the TACACS+ accounting mechanism, including the login and exit commands.
Each command is logged twice: once before it is executed and once after it has executed successfully.
Each accounting message contains the following:
User name
Current time
Action performed
Command privilege level
TACACS+ accounting is in addition to normal local accounting using the SCE platform dbg log.
Privilege Level Authorization
After a successful login the user is granted the default privilege level of 0, which allows only a limited number of commands to be executed. The privilege level is changed by executing the "enable" command, which initiates the privilege level authorization mechanism.
OL-16479-01
Cisco SCE8000 Software Configuration Guide, Rel 3.1.6S
Configuring the Available Interfaces
General AAA
5-7
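The accounting behaviour described in the Accounting section above (a record before each valid command and another after it has completed successfully, each carrying user name, time, action and command privilege level), as an added example that is not Cisco code and not part of the configuration guide. The record layout, the command table, the clock and the `unfinished` check on the receiving side are this example's own assumptions; the page does not show the TACACS+ accounting packet format.

```python
"""Accounting records of the shape the Accounting section describes (added
example, not Cisco code). Every valid command, login and exit included, is
accounted once before it runs and once after it completes successfully, and
each record carries user name, time, action and command privilege level. The
record layout, the command set and the clock are this example's assumptions."""
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
from typing import Callable, Dict, List, Tuple


@dataclass(frozen=True)
class AcctRecord:
    user: str
    time: datetime
    action: str       # the command as entered, e.g. "login", "exit"
    priv_level: int   # privilege level the command was run at
    phase: str        # "start" = before execution, "stop" = after success

    def line(self) -> str:
        return (f"{self.time.isoformat()} {self.phase:<5} user={self.user} "
                f"priv={self.priv_level} cmd={self.action!r}")


class AccountingServer:
    """Receiver side: stores records and pairs each stop with its start."""
    def __init__(self) -> None:
        self.records: List[AcctRecord] = []

    def receive(self, rec: AcctRecord) -> None:
        self.records.append(rec)

    def unfinished(self) -> List[AcctRecord]:
        """Start records with no later stop for the same user and command:
        commands that did not complete successfully (the SCE logs 'after' only
        on success) or that are still running. Worth reviewing for privileged
        commands, since a start without a stop is the only trace a failed
        command leaves."""
        open_starts: Dict[Tuple[str, str], List[AcctRecord]] = {}
        for rec in self.records:
            key = (rec.user, rec.action)
            if rec.phase == "start":
                open_starts.setdefault(key, []).append(rec)
            elif open_starts.get(key):
                open_starts[key].pop()
        return [r for starts in open_starts.values() for r in starts]


# Constructed command table: only commands the CLI accepts are accounted.
VALID_COMMANDS = {"login", "exit", "enable", "show version", "configure"}


def run_accounted(server: AccountingServer, user: str, priv: int, command: str,
                  clock: Callable[[], datetime], execute: Callable[[str], bool]) -> bool:
    """SCE side: refuse unknown commands without accounting, otherwise send a
    start record, run the command, and send a stop record only if it succeeded."""
    if command not in VALID_COMMANDS:
        return False
    server.receive(AcctRecord(user, clock(), command, priv, "start"))
    ok = execute(command)
    if ok:
        server.receive(AcctRecord(user, clock(), command, priv, "stop"))
    return ok


def demo_session(server: AccountingServer) -> List[AcctRecord]:
    """Constructed session: login at level 0, a show command, enable, a
    failing configure at level 10, an invalid command, exit. Returns the
    records the server saw."""
    t = [datetime(2024, 1, 1, 12, 0, tzinfo=timezone.utc)]

    def clock() -> datetime:
        t[0] += timedelta(seconds=1)
        return t[0]

    def execute(cmd: str) -> bool:
        return cmd != "configure"      # pretend configure fails for this user

    steps = [(0, "login"), (0, "show version"), (0, "enable"),
             (10, "configure"), (10, "frobnicate"), (10, "exit")]
    for priv, cmd in steps:
        run_accounted(server, "admin", priv, cmd, clock, execute)
    return server.records


if __name__ == "__main__":
    srv = AccountingServer()
    for rec in demo_session(srv):
        print(rec.line())
    print("unfinished:", [r.action for r in srv.unfinished()])
```

The invalid command produces no record at all, and the failing `configure` produces only a start record; a collector that only alerts on stop records would miss both, which is why the pairing runs over start records.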
