Tacacs+ Function - Fujitsu PRIMERGY 10/40GbE Connection Blade 18/8+2 Function Manual


2.30 TACACS+ Function

The TACACS+ function manages AAA (Authentication, Authorization, Accounting) information by using an
external server (TACACS+ server). When the same AAA information is required on multiple devices, or when a
large amount of user information is managed, the authentication, authorization and accounting information
can be consolidated and managed centrally. This device supports the user authentication function and the
command authorization function of the TACACS+ client function. The user authentication function performs
authentication when an access user logs in to this device. The command authorization function performs
authorization when an access user executes a command provided by this device.
A backup configuration or a load-sharing configuration using multiple TACACS+ servers is possible with the
TACACS+ client function.
The meaning of each server status is as follows.
 alive status
The server is available.
Servers are used starting from the highest priority (the smaller the definition value, the higher the priority).
When multiple servers have the same priority, one of them is selected at random.
 dead status
Use of the server is suspended temporarily because the TCP connection to the server failed or a request to
the server timed out. In addition, while a server in 'alive' status exists, the defined priority value of a 'dead'
server is not taken into account.
When the restoration standby time has elapsed, the server automatically returns to 'alive' status. When all
servers are in 'dead' status at the time of authentication or authorization, one server is tried at random, and
the server from which a response is obtained is restored to 'alive' status.
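The alive/dead selection rules above, modelled as an added Python example (not code from this manual or from Fujitsu; the server names, the restoration standby time and the send callback are constructed assumptions):

```python
import random
import time

class TacacsServerPool:
    """Models the 'alive'/'dead' server selection described above.
    Hypothetical model, not the connection blade's own implementation."""

    def __init__(self, servers, restore_after, rng=random, clock=time.monotonic):
        # servers: {name: priority}; a smaller definition value means higher priority
        self.priority = dict(servers)
        self.restore_after = restore_after      # restoration standby time (seconds)
        self.dead_until = {}                    # name -> time it returns to 'alive'
        self.rng, self.clock = rng, clock

    def alive(self):
        """Names of servers in 'alive' status; expired 'dead' entries are restored first."""
        now = self.clock()
        for name in [n for n, until in self.dead_until.items() if now >= until]:
            del self.dead_until[name]
        return [n for n in self.priority if n not in self.dead_until]

    def candidates(self):
        """Servers to try, in order: highest priority first, equal priority in random order.
        When every server is 'dead', a single server is chosen at random for one trial."""
        alive = self.alive()
        if not alive:
            return [self.rng.choice(list(self.priority))]
        ordered = []
        for prio in sorted({self.priority[n] for n in alive}):
            group = [n for n in alive if self.priority[n] == prio]
            self.rng.shuffle(group)
            ordered.extend(group)
        return ordered

    def mark_dead(self, name):
        # TCP connection failure or request timeout suspends the server temporarily
        self.dead_until[name] = self.clock() + self.restore_after

    def authenticate(self, send):
        """send(name) returns True/False for a server reply, or None when the server
        does not respond. Returns (server, result), or (None, None) if none responds."""
        for name in self.candidates():
            result = send(name)
            if result is None:
                self.mark_dead(name)
                continue
            self.dead_until.pop(name, None)   # a responding server is (re)stored as 'alive'
            return name, result
        return None, None
```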
Points to be noted
 The accounting function of the TACACS+ client function is not supported.
 It cannot be used simultaneously with the RADIUS client function. When both the RADIUS client function
(aaa radius) and the TACACS+ client function (aaa tacacsp) are defined in an AAA group, the TACACS+ client
function is disabled.
When both the TACACS+ client function and user information (aaa user) are defined in an AAA group,
authentication is performed by the TACACS+ client function. If authentication by the TACACS+ client function
fails, authentication by the user information is not performed either.
 When the definition of the shared key for the TACACS+ server is omitted, authentication and authorization
data is not encrypted. To encrypt authentication and authorization data, define the shared key.
 The TACACS+ command authorization function is enabled only when the login was performed using the
TACACS+ user authentication function.
 The authority class at the time of TACACS+ user authentication depends on whether the manager password
(password admin set) is set.
 The TACACS+ command authorization function does not operate for Web settings and FTP/SFTP.
 The authorization settings that relate the commands actually executed by the TACACS+ command
authorization function to the other commands they invoke are shown below.

Executed command      Commands which require authorization settings
show tech-support     diff show running-config (when diff is executed together with running-config)
                      show (all show commands)
save                  show (all show commands)
load                  All configured definition commands

The authority class at the time of authentication, depending on the existence of the manager password, is
shown below.
<When the manager password does not exist>
Only the general user class is authenticated.
<When the manager password exists>
The manager class is authenticated. When that authentication fails, the general user class is authenticated.
Page 65 of 71
