The ASA supports TACACS+ server authentication with the following protocols: ASCII, PAP, CHAP, and MS-CHAPv1.
Using TACACS+ Attributes
The ASA provides support for TACACS+ attributes. TACACS+ attributes separate the functions of authentication, authorization, and accounting. The protocol supports two types of attributes: mandatory and optional. Both the server and client must understand a mandatory attribute, and the mandatory attribute must be applied to the user. An optional attribute may or may not be understood or used.
Note: To use TACACS+ attributes, make sure that you have enabled AAA services on the NAS.
If you want to use a TACACS+ server for authentication, authorization, or accounting, you must first create at least one TACACS+ server group and add one or more servers to each group. You identify TACACS+ server groups by name.
To add a TACACS+ server group, perform the following steps:
Specifies the maximum number of requests sent to a AAA server in the group before trying the next server. The number argument can range from 1 to 5. The default is 3.
If you configured a fallback method using the local database (for management access only), and all the servers in the group fail to respond, then the group is considered to be unresponsive, and the fallback method is tried. The server group remains marked as unresponsive for a period of 10 minutes (by default), so that additional AAA requests within that period do not attempt to contact the server group, and the fallback method is used immediately. To change the unresponsive period from the default, see the reactivation-mode command in the next step.
If you do not have a fallback method, the ASA continues to retry the servers in the group.
Specifies the method (reactivation policy) by which failed servers in a group are reactivated.
The depletion keyword reactivates failed servers only after all of the servers in the group are inactive.
The deadtime minutes keyword-argument pair specifies the amount of time in minutes, between 0 and 1440, that elapses between the disabling of the last server in the group and the subsequent reenabling of all servers. The default is 10 minutes.
The timed keyword reactivates failed servers after 30 seconds of down time.
Identifies the TACACS+ server and the server group to which it belongs.
When you enter the aaa-server host command, you enter aaa-server host configuration mode.
ciscoasa(config-aaa-server-host)# timeout 15
Specifies the length of time, in seconds, that the ASA waits for a response from the primary server before sending the request to the backup server.
ciscoasa(config-aaa-server-host)# server-port 49
Specifies the server port as port number 49, or the TCP port number used by the ASA to communicate with the TACACS+ server.
Specifies the server secret value used to authenticate the NAS to the TACACS+ server. This value is a case-sensitive, alphanumeric keyword of up to 127 characters, which is the same value as the key on the TACACS+ server. Any characters over 127 are ignored. The key is used between the client and the server to encrypt data between them and must be the same on both the client and server systems. The key cannot contain spaces, but other special characters are allowed.
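The steps above assembled into one configuration, as an added example written for this section rather than text from the original guide. The group name TACACS_MGMT, the interface name inside, the server addresses 10.0.0.5 and 10.0.0.6 and the key placeholder are constructed values; the final aaa authentication lines show the local-database fallback method for management access that the reactivation discussion refers to.

```cisco
! Added example configuration (not from the original guide).
! Assumed names/values: group TACACS_MGMT, interface "inside",
! servers 10.0.0.5 and 10.0.0.6, and a placeholder shared secret.
!
! 1. Create the TACACS+ server group and set how server failures are handled:
!    move to the next server after 2 failed requests, and once every server
!    in the group has failed, keep the whole group down for 20 minutes before
!    reactivating all of them (depletion policy with an explicit deadtime).
aaa-server TACACS_MGMT protocol tacacs+
 max-failed-attempts 2
 reactivation-mode depletion deadtime 20
!
! 2. Add the servers to the group. Each "aaa-server ... host" line enters
!    aaa-server host configuration mode, where the per-server key, timeout
!    and TCP port are set. The key must match the key configured on the
!    TACACS+ server (no spaces, up to 127 characters).
aaa-server TACACS_MGMT (inside) host 10.0.0.5
 key <shared-secret-placeholder>
 timeout 15
 server-port 49
aaa-server TACACS_MGMT (inside) host 10.0.0.6
 key <shared-secret-placeholder>
 timeout 15
 server-port 49
!
! 3. Use the group for management authentication, with the local user
!    database (LOCAL) as the fallback method. While the group is marked
!    unresponsive, logins are checked against LOCAL immediately instead of
!    waiting for the servers to time out again.
aaa authentication ssh console TACACS_MGMT LOCAL
aaa authentication enable console TACACS_MGMT LOCAL
!
! Verify server state and request counters for the group:
show aaa-server TACACS_MGMT
```

With two servers in the group, requests that fail against 10.0.0.5 are retried against 10.0.0.6 after the configured two attempts, and only when both are inactive does the fallback to LOCAL take effect, so the local administrator accounts should be kept as tightly managed as the TACACS+ accounts they stand in for.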
Monitoring TACACS+ Servers
To monitor TACACS+ servers, enter one of the following commands:
show aaa-server
Shows the configured TACACS+ server statistics.
To clear the TACACS+ server statistics, enter the clear aaa-server statistics command.
show running-config aaa-server
Shows the TACACS+ server running configuration.
To clear the TACACS+ server configuration, enter the clear configure aaa-server command.
Feature History for TACACS+ Servers
Table 35-3 lists each feature change and the platform release in which it was implemented.
Table 35-3 Feature History for TACACS+ Servers
Describes how to configure TACACS+ servers for AAA.