Associating an SFTP Root Directory with a Config Administrator; Configuring TACACS+ for System Administrative Users; Operation - Cisco ASR 5500 System Administration Manual

Associating an SFTP root Directory with a Config Administrator

The config-administrator command allows an administrator to associate an SFTP root directory with a specified
configuration administrator.

configure
context local
config-administrator user_name password password ftp sftp-server sftp_name
exit

Configuring TACACS+ for System Administrative Users

This section describes TACACS+ (Terminal Access Controller Access Control System+) AAA (Authentication,
Authorization and Accounting) service functionality and configuration on the system.

Operation

TACACS+ is a secure, encrypted protocol. By remotely accessing TACACS+ servers that are provisioned
with the administrative user account database, the system can provide TACACS+ AAA services for system
administrative users. TACACS+ is an enhanced version of the TACACS protocol that uses TCP instead of
UDP.

The system serves as the TACACS+ Network Access Server (NAS). As the NAS, the system requests TACACS+
AAA services on behalf of authorized system administrative users. For the authentication to succeed, the
TACACS+ server must be in the same local context and network accessed by the system.

The system supports TACACS+ multiple-connection mode. In multiple-connection mode, a separate and
private TCP connection to the TACACS+ server is opened and maintained for each session. When the
TACACS+ session ends, the connection to the server is terminated.

TACACS+ is a system-wide function. TACACS+ AAA service configuration is performed in TACACS
Configuration Mode. Enabling the TACACS+ function is performed in the Global Configuration Mode. The
system supports the configuration of up to three TACACS+ servers.

Once configured and enabled on the system, TACACS+ authentication is attempted first. By default, if
TACACS+ authentication fails, the system then attempts to authenticate the user using non-TACACS+ AAA
services, such as RADIUS.

It is possible to configure the maximum number of simultaneous CLI sessions on a per-account or
per-authentication-method basis. This protects certain accounts that may have the ability to impact security
configurations and attributes, or that could adversely affect the services, stability and performance of the system.

The maximum number of simultaneous CLI sessions is configurable when attempting a new TACACS+ user
login. The recommended way to use the max-sessions feature is through the TACACS+ server attribute option
maxsess. The second way is through the StarOS CLI in TACACS+ Configuration Mode, using the maxsess
keyword in the user-id command. If the maximum number of sessions is set to 0, then the user is authenticated
regardless of the login type. When the CLI task starts, a check is completed to identify the count. In this case,
the CLI determines that the number of sessions for that user is 1, which is greater than 0, so it displays an error
message in the output and generates the starCLIActiveCount and starCLIMaxCount SNMP MIB objects and
the starGlobalCLISessionsLimit and starUserCLISessionsLimit SNMP MIB alarms.
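
The session-limit check described above, modelled in Python as an added example; it is not StarOS code or Cisco's implementation. It assumes the count includes the session being started, that a user with no maxsess entry is unlimited, and that starUserCLISessionsLimit is the alarm tied to the per-user limit; the user names, limits and events are constructed.

```python
from collections import Counter
from dataclasses import dataclass, field

# Alarm name taken from the page; tying it to the per-user limit is an assumption.
USER_ALARM = "starUserCLISessionsLimit"

@dataclass
class CliSessionGate:
    """Illustrative model of the check made when a CLI task starts."""
    maxsess: dict                                  # user -> configured limit
    active: Counter = field(default_factory=Counter)
    alarms: list = field(default_factory=list)

    def login(self, user):
        # Called only after authentication succeeded; maxsess plays no part in
        # authentication itself, which is why a limit of 0 still authenticates.
        limit = self.maxsess.get(user)             # None = no limit (assumption)
        count = self.active[user] + 1              # count includes this new session
        if limit is not None and count > limit:
            self.alarms.append({"alarm": USER_ALARM, "user": user,
                                "starCLIActiveCount": count,
                                "starCLIMaxCount": limit})
            return "session-limit"                 # CLI shows an error instead
        self.active[user] = count
        return "ok"

    def logout(self, user):
        if self.active[user] > 0:
            self.active[user] -= 1

def replay(events, maxsess):
    """Replay (action, user) events; return per-login results and alarms."""
    gate = CliSessionGate(dict(maxsess))
    results = []
    for action, user in events:
        if action == "login":
            results.append((user, gate.login(user)))
        else:
            gate.logout(user)
    return results, gate.alarms

# Constructed sample data: user names, limits and events are hypothetical.
LIMITS = {"secadmin": 1, "locked": 0}
EVENTS = [("login", "secadmin"), ("login", "secadmin"), ("login", "locked"),
          ("logout", "secadmin"), ("login", "secadmin"), ("login", "ops")]

if __name__ == "__main__":
    for row in replay(EVENTS, LIMITS)[0]:
        print(*row)
```

In this model an account with a limit of 0 can never open a CLI session, so every attempt on it raises the alarm, which makes such alarms worth forwarding to monitoring.
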
ASR 5500 System Administration Guide, StarOS Release 21.5
administrator user_name password password ftp sftp-server sftp_name
exit
config-administrator user_name password password ftp sftp-server sftp_name
exit
System Settings
