User Account Requirements - Cisco ASR 5000 Series Administration Manual

System Settings
Important

User Account Requirements

Before configuring TACACS+ AAA services, note the following TACACS+ server and StarOS user account
provisioning requirements.
TACACS+ User Account Requirements
The TACACS+ server must be provisioned with the following TACACS+ user account information:
• A list of known administrative users.
• The plain-text or encrypted password for each user.
• The name of the group to which each user belongs.
• A list of user groups.
• TACACS+ privilege levels and commands that are allowed/denied for each group.
Important
To display the default mapping of TACACS+ privilege levels to CLI administrative roles, run the Exec mode
show tacacs priv-lvl command. The default mapping varies based on the StarOS release and build type.
TACACS+ priv-levels can be reconfigured from their default StarOS authorization values via the TACACS+
Configuration mode priv-lvl and user-id commands. For additional information, see the TACACS+
Configuration Mode Commands chapter of the Command Line Interface Reference.
Important
StarOS User Account Requirements
TACACS+ users who are allowed administrative access to the system must have the following user account
information defined in StarOS:
• username
• password
• administrative role and privileges
For releases after 15.0 MR4, TACACS+ accounting (CLI event logging) will not be generated for Lawful
Intercept users with privilege level set to 15 and 13.
TACACS+ privilege levels are stored as Attribute Value Pairs (AVPs) in the network's TACACS+ server
database. Users are restricted to the set of commands associated with their privilege level. A mapping of
TACACS+ privilege levels to StarOS CLI administrative roles and responsibilities is provided in the table
below.
In release 20.0 and higher Trusted StarOS builds, FTP is not supported.
ASR 5500 System Administration Guide, StarOS Release 21.4
User Account Requirements
61