Configuring Tacacs+ For System Administrative Users - Cisco ASR 5000 Series Administration Manual
Staros release 21.4
Hide thumbs
Also See for ASR 5000 Series:
- Product overview (992 pages) ,
- Installation manual (317 pages) ,
- Administration manual (234 pages)
Table of Contents
Advertisement
Configuring TACACS+ for System Administrative Users
Configuring TACACS+ for System Administrative Users
This section describes TACACS+ (Terminal Access Controller Access Control System+) AAA (Authentication
Authorization and Accounting) service functionality and configuration on the ASR 5500.
Operation
TACACS+ is a secure, encrypted protocol. By remotely accessing TACACS+ servers that are provisioned
with the administrative user account database, the ASR 5500 system can provide TACACS+ AAA services
for system administrative users. TACACS+ is an enhanced version of the TACACS protocol that uses TCP
instead of UDP.
The system serves as the TACACS+ Network Access Server (NAS). As the NAS the system requests TACACS+
AAA services on behalf of authorized system administrative users. For the authentication to succeed, the
TACACS+ server must be in the same local context and network accessed by the system.
The system supports TACACS+ multiple-connection mode. In multiple-connection mode, a separate and
private TCP connection to the TACACS+ server is opened and maintained for each session. When the
TACACS+ session ends, the connection to the server is terminated.
TACACS+ is a system-wide function on the ASR 5500. TACACS+ AAA service configuration is performed
in TACACS Configuration Mode. Enabling the TACACS+ function is performed in the Global Configuration
Mode. The system supports the configuration of up to three TACACS+ servers.
Once configured and enabled on the system, TACACS+ authentication is attempted first. By default, if
TACACS+ authentication fails, the system then attempts to authenticate the user using non-TACACS+ AAA
services, such as RADIUS.
It is possible to configure the maximum number of simulations CLI sessions on a per account or per
authentication method basis. It will protect certain accounts that may have the ability to impact security
configurations and attributes or could adversely affect the services, stability and performance of the system.
The maximum number of simultaneous CLI sessions is configurable when attempting a new TACACS+ user
login. The recommendation is to use the max-sessions feature is through the TACACS+ server attribute option
maxsess. The second way is though the StarOS CLI configuration mode TACACS+ mode using the maxsess
keyword in the user-id command. If the maximum number of sessions is set to 0, then the user is authenticated
regardless of the login type. When the CLI task starts, a check is complete to identify the count. In this case,
the CLI determines that the sessions for that user is 1 which is greater than 0 and it will display an error
message in the output, it generate starCLIActiveCount and starCLIMaxCount SNMP MIB Objects and
starGlobalCLISessionsLimit and starUserCLISessionsLimit SNMP MIB Alarms.
The max-sessions TACACS+ Configuration Mode command configures the maximum number of sessions
available for TACACS+. Also the default option for the user-id TACACS+ Configuration Mode command
configures the default attributes for a specific TACACS+ user identifier. Refer to the Command Line Interface
Reference for detailed information about these commands.
Important
ASR 5500 System Administration Guide, StarOS Release 21.4
60
The user can define the maximum number of simulations CLI sessions available in both the StarOS and
TACACS+ server configuration. However, this option is extremely discouraged.
System Settings
Advertisement
Table of Contents
Troubleshooting
