Foundry Networks Switch and Router Installation And Configuration Manual page 84

Foundry Switch and Router Installation and Configuration Guide
When TACACS+ command authorization takes place, the following events occur:
1. A Telnet, SSH, or Web management interface user previously authenticated by a TACACS+ server enters a
command on the Foundry device.
2. The Foundry device looks at its configuration to see if the command is at a privilege level that requires
TACACS+ command authorization.
3. If the command belongs to a privilege level that requires authorization, the Foundry device consults the
TACACS+ server to see if the user is authorized to use the command.
4. If the user is authorized to use the command, the command is executed.
TACACS+ Accounting
TACACS+ accounting works as follows:
1. One of the following events occur on the Foundry device:
• A user logs into the management interface using Telnet or SSH
• A user enters a command for which accounting has been configured
• A system event occurs, such as a reboot or reloading of the configuration file
2. The Foundry device checks its configuration to see if the event is one for which TACACS+ accounting is
required.
3. If the event requires TACACS+ accounting, the Foundry device sends a TACACS+ Accounting Start packet to
the TACACS+ accounting server, containing information about the event.
4. The TACACS+ accounting server acknowledges the Accounting Start packet.
5. The TACACS+ accounting server records information about the event.
6. When the event is concluded, the Foundry device sends an Accounting Stop packet to the TACACS+
accounting server.
7. The TACACS+ accounting server acknowledges the Accounting Stop packet.
AAA Operations for TACACS/TACACS+
The following table lists the sequence of authentication, authorization, and accounting operations that take place
when a user gains access to a Foundry device that has TACACS/TACACS+ security configured.
User Action
User attempts to gain access to the
Privileged EXEC and CONFIG levels of
the CLI
3 - 20
Applicable AAA Operations
Enable authentication:
aaa authentication enable default <method-list>
Exec authorization (TACACS+):
aaa authorization exec default tacacs+
System accounting start (TACACS+):
aaa accounting system default start-stop <method-list>
December 2000