Privilege Authentication; Login Authorization; Accounting - Juniper JUNOSE SOFTWARE 11.2.X - BROADBAND ACCESS CONFIGURATION GUIDE 7-20-2010 Configuration Manual

JunosE Software for E Series Broadband Services Routers: Broadband Access Configuration Guide
Copyright © 2010, Juniper Networks, Inc.

TACACS+ might challenge the user to provide username, password, passcode, or other information. Once the requested information is entered, TACACS+ sends a Continue packet over the existing connection. The TACACS+ host sends a Reply packet. Once the authentication is complete, the connection is closed. Only three login retries are allowed.

To enable login authentication through both TACACS+ and RADIUS servers, use the aaa new-model command to specify AAA authentication for Telnet sessions.

Privilege Authentication

The privilege authentication process determines whether a user is allowed to use commands at a particular privilege level. This authentication process is handled similarly to login authentication, except that the user is limited to one authentication attempt. An empty reply to the challenge forces an immediate access denial. The aaa authentication enable default command allows you to set privilege authentication for users.

Login Authorization

To allow login authorization through the TACACS+ server, you can use the following commands: aaa authorization, aaa authorization config-commands, and authorization. For information about using these commands, see the Passwords and Security chapter in JunosE System Basics Configuration Guide.

Accounting

The TACACS+ accounting service enables you to create an audit trail of User Exec sessions and command-line interface (CLI) commands that have been executed within these sessions. For example, you can track user CLI connects and disconnects, when configuration modes have been entered and exited, and which configuration and operational commands have been executed.

You configure TACACS+ accounting in the JunosE Software by defining accounting method lists and then associating consoles and lines with the method lists. You define an accounting method list with a service type, name, accounting mode, and method:

• service type—Specifies the type of information being recorded
• name—Uniquely identifies an accounting method list within a service type
• accounting mode—Specifies what type of accounting records will be generated
• method—Specifies the protocol for sending the accounting records to a security server

You can then configure consoles and lines with an accounting method list name for each service type:

• Method list—A specified configuration that defines how the NAS performs the AAA accounting service. A service type can be configured with multiple method lists with different names, and a method list name can be used for different service types. Initially, no accounting method list is defined; therefore TACACS+ accounting is disabled.
• Default method list—Configuration used by consoles and lines when no named method list is assigned. You enable TACACS+ accounting by defining default accounting method lists for each service type.
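The audit trail described above (session connects and disconnects, configuration mode entry and exit, commands executed), as an added example that is not from the guide: a small Python reconstruction of per-session activity from start/stop accounting records. The record layout, the sample records, and the command-name conventions are constructed and simplified assumptions; a real accounting server's log format differs.

```python
import re
# Constructed sample records in an assumed, simplified layout (real TACACS+ server logs differ):
# timestamp NAS user port remote-addr start|stop key=value...  A stop record carrying cmd= is a
# command record; a stop record without cmd= closes the Exec session that the start record opened.
SAMPLE_LOG = """\
2010-07-20T09:00:01 10.0.0.1 alice vty0 192.0.2.5 start task_id=41 service=shell
2010-07-20T09:00:05 10.0.0.1 alice vty0 192.0.2.5 stop task_id=42 service=shell cmd=show version
2010-07-20T09:00:09 10.0.0.1 alice vty0 192.0.2.5 stop task_id=43 service=shell cmd=configure terminal
2010-07-20T09:00:15 10.0.0.1 alice vty0 192.0.2.5 stop task_id=44 service=shell cmd=aaa authorization config-commands
2010-07-20T09:00:20 10.0.0.1 alice vty0 192.0.2.5 stop task_id=45 service=shell cmd=exit
2010-07-20T09:01:00 10.0.0.1 alice vty0 192.0.2.5 stop task_id=41 service=shell elapsed_time=59
2010-07-20T09:02:00 10.0.0.1 bob vty1 192.0.2.9 start task_id=50 service=shell
"""

def parse_records(text):
    """Parse accounting lines into dicts; malformed lines are skipped rather than aborting the audit."""
    records = []
    for line in text.splitlines():
        fields = line.split(" ", 6)
        if len(fields) != 7 or fields[5] not in ("start", "stop"):
            continue
        ts, _nas, user, port, _remote, rtype, attrs = fields
        # split only before "key=" so a cmd= value that contains spaces stays whole
        pairs = (p.partition("=") for p in re.split(r" (?=\w+=)", attrs))
        records.append({"ts": ts, "user": user, "port": port, "type": rtype, "attrs": {k: v for k, _, v in pairs}})
    return records

def build_audit_trail(records):
    """Per (user, port): commands run, commands run in config mode, open state. 'configure' enters config mode, 'exit'/'end' leaves it (nesting not tracked)."""
    sessions = {}
    for rec in records:
        s = sessions.setdefault((rec["user"], rec["port"]),
                                {"open": False, "in_config": False, "commands": [], "config_cmds": []})
        cmd = rec["attrs"].get("cmd")
        if rec["type"] == "start":
            s["open"] = True
        elif cmd is None:  # stop record without cmd= ends the Exec session
            s["open"] = False
        else:
            s["commands"].append(cmd)
            word = cmd.split()[0]
            if s["in_config"] and word not in ("configure", "exit", "end"):
                s["config_cmds"].append(cmd)
            s["in_config"] = word == "configure" or (s["in_config"] and word not in ("exit", "end"))
    return sessions

def flag_sessions(sessions):
    """Findings to review first: AAA changes made in config mode, and sessions that were never closed."""
    return ([f"{u}@{p}: AAA config changed: {c}" for (u, p), s in sessions.items() for c in s["config_cmds"] if c.startswith("aaa ")]
            + [f"{u}@{p}: start record with no matching stop record" for (u, p), s in sessions.items() if s["open"]])
```

A session with a start record and no stop record is exactly what the default-method-list discussion implies you lose when accounting is not enabled on a line, so the check is worth keeping in any audit script.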
Chapter 9: Configuring TACACS+
313