Privilege Authentication; Login Authorization; Accounting - Juniper JUNOSE SOFTWARE 11.0.X - BROADBAND ACCESS CONFIGURATION GUIDE 4-1-2010 Configuration Manual

For e series broadband services routers - broadband access configuration

TACACS+ sets up a TCP connection to the TACACS+ host and sends a Start packet.
The TACACS+ host responds with a Reply packet, which either grants or denies
access, reports an error, or challenges the user.

TACACS+ might challenge the user to provide username, password, passcode, or
other information. Once the requested information is entered, TACACS+ sends a
Continue packet over the existing connection. The TACACS+ host sends a Reply
packet. Once the authentication is complete, the connection is closed. Only three
login retries are allowed.

To enable login authentication through both TACACS+ and RADIUS servers, use the
aaa new-model command to specify AAA authentication for Telnet sessions.
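
The Start/Reply/Continue exchange described above can be followed in a packet capture by decoding each Reply. The Python sketch below is an added example, not code from this manual or from JUNOSe: it parses the 12-byte TACACS+ header and the authentication Reply body and maps the status to the four outcomes named above. The field layout and status values are taken from RFC 8907, and the function names, session ID and sample packets are constructed for illustration.

```python
import struct

# Values from RFC 8907 (The TACACS+ Protocol); they do not appear in the manual.
TAC_PLUS_AUTHEN = 0x01          # header "type" for authentication packets
TAC_PLUS_UNENCRYPTED_FLAG = 0x01
STATUS = {0x01: "PASS", 0x02: "FAIL", 0x03: "GETDATA", 0x04: "GETUSER",
          0x05: "GETPASS", 0x06: "RESTART", 0x07: "ERROR", 0x21: "FOLLOW"}
# The manual's four outcomes: grant, deny, error, challenge.
OUTCOME = {"PASS": "grant", "FAIL": "deny", "ERROR": "error",
           "GETDATA": "challenge", "GETUSER": "challenge", "GETPASS": "challenge"}

def parse_header(pkt):
    """Return (header dict, body) for one TACACS+ packet."""
    if len(pkt) < 12:
        raise ValueError("packet shorter than the 12-byte header")
    ver, ptype, seq, flags, session, length = struct.unpack("!BBBBII", pkt[:12])
    if len(pkt) - 12 != length:
        raise ValueError("header length field does not match body size")
    return {"type": ptype, "seq": seq, "flags": flags, "session": session}, pkt[12:]

def reply_outcome(pkt):
    """Classify an authentication Reply as grant/deny/error/challenge."""
    hdr, body = parse_header(pkt)
    if hdr["type"] != TAC_PLUS_AUTHEN:
        raise ValueError("not an authentication packet")
    if hdr["seq"] % 2:  # client Start/Continue use odd numbers, Replies even
        raise ValueError("odd sequence number: sent by the client, not a Reply")
    if not hdr["flags"] & TAC_PLUS_UNENCRYPTED_FLAG:
        raise ValueError("body is obfuscated with the shared key")
    if len(body) < 6:
        raise ValueError("Reply body shorter than its fixed fields")
    status, _flags, msg_len, data_len = struct.unpack("!BBHH", body[:6])
    if len(body) != 6 + msg_len + data_len:
        raise ValueError("Reply field lengths do not match body size")
    name = STATUS.get(status, "UNKNOWN")
    prompt = body[6:6 + msg_len].decode("utf-8", "replace")
    return OUTCOME.get(name, "other"), name, prompt

def make_reply(seq, status, msg, session=0x1234ABCD):
    """Build a constructed cleartext Reply (sample data for the demo below)."""
    body = struct.pack("!BBHH", status, 0, len(msg), 0) + msg
    return struct.pack("!BBBBII", 0xC0, TAC_PLUS_AUTHEN, seq,
                       TAC_PLUS_UNENCRYPTED_FLAG, session, len(body)) + body

# Constructed exchange: Start(1) -> Reply(2) challenge -> Continue(3) -> Reply(4)
EXCHANGE = [make_reply(2, 0x05, b"Password: "), make_reply(4, 0x01, b"")]

if __name__ == "__main__":
    for pkt in EXCHANGE:
        print(reply_outcome(pkt))
```

Production traffic normally has the body obfuscated with the shared key, so the parser rejects such packets instead of misreading them.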

Privilege Authentication

The privilege authentication process determines whether a user is allowed to use
commands at a particular privilege level. This authentication process is handled
similarly to login authentication, except that the user is limited to one authentication
attempt. An empty reply to the challenge forces an immediate access denial. The
aaa authentication enable default command allows you to set privilege
authentication for users.

Login Authorization

To allow login authorization through the TACACS+ server, you can use the following
commands: aaa authorization, aaa authorization config-commands, and
authorization. For information about using these commands, see the Passwords and
Security chapter in JUNOSe System Basics Configuration Guide.

Accounting

The TACACS+ accounting service enables you to create an audit trail of User Exec
sessions and command-line interface (CLI) commands that have been executed
within these sessions. For example, you can track user CLI connects and disconnects,
when configuration modes have been entered and exited, and which configuration
and operational commands have been executed.

You configure TACACS+ accounting in the JUNOSe software by defining accounting
method lists and then associating consoles and lines with the method lists. You define
an accounting method list with a service type, name, accounting mode, and method:

- service type: Specifies the type of information being recorded
- name: Uniquely identifies an accounting method list within a service type
- accounting mode: Specifies what type of accounting records will be generated
- method: Specifies the protocol for sending the accounting records to a security
  server

You can then configure consoles and lines with an accounting method list name for
each service type:
Chapter 9: Configuring TACACS+

This manual is also suitable for:

Junose 11.0.x
