TACACS+ Configuration Mode Commands

This chapter describes all commands available in the TACACS+ Configuration Mode. TACACS+ (Terminal Access Controller Access-Control System Plus) is a secure, encrypted protocol. By remotely accessing TACACS+ servers that are provisioned with the administrative user account database, the ASR 5000 and ASR 5500 support TACACS+ accounting and authentication services for system administrative users.

IMPORTANT: TACACS+ Configuration Mode is available in releases 11.0 and later.

IMPORTANT: The commands or keywords/variables that are available are dependent on platform type, product version, and installed license(s).
accounting

Enables the recording of the start and stop time of a TACACS+-authenticated CLI session, or of each command issued during such a session.

Privilege: Security Administrator, Administrator

Syntax
[ no ] accounting { start-stop | command }

no
Disables a configured TACACS+ accounting setting (either accounting start-stop or accounting command).

{ start-stop | command }
Specifies the type of accounting records to be recorded.
- start-stop: Records the time at which the session starts (the time at which the user passes authentication) and the time at which the user exits. If a user exits before passing authentication, only a stop time is recorded.
- command: Enables accounting on a command-by-command basis. The TACACS+ server is contacted prior to the execution of the command, and the command which is about to be executed is recorded. Only commands which are valid for the user privilege and context (mode) in which they are about to be executed will be recorded. Note that the ASR 5000 and ASR 5500 do not record whether the command itself succeeded or failed. For security reasons, some secure or restricted commands are not recorded. In such cases, the accounting record will record the command as three asterisks ("***").

Usage: Use this command to configure the accounting method for TACACS+-based CLI sessions.
authorization

Enables the authorization of TACACS+ CLI users on a command-by-command, command + command argument, or command prompt basis. If the user is not authorized to execute the command, the command will fail.

Privilege: Security Administrator, Administrator

Syntax
[ no ] authorization { command | prompt | arguments }

no
Disables a configured TACACS+ authorization command, prompt, or arguments setting.

{ command | prompt | arguments }
Specifies the type of authorization behavior to enforce:
- command: Enables per-command authorization. The TACACS+ server is contacted for each command, and each command is authorized for the user. If the user is not authorized to execute the command, the command fails. If the user is authorized for the command, the command is executed.
- prompt: Enables per-command authorization, as described for the command option above. However, since commands may be duplicated in different CLI modes, this version of command authorization also passes the command prompt string to the server. The TACACS+ server is contacted for each prompt and command and must have a matching string for the prompt/command combination. Enabling prompt authorization supersedes command authorization, since the prompt and command must be authorized together.
- arguments: Enables per-command and command + argument authorization. The TACACS+ server authorizes each command and its arguments for the user. If the user is not authorized to execute the command with the corresponding arguments, the command fails. If the command does not contain any arguments, only the command is passed to the authorization server.

Usage: Use this command to configure the authorization method for TACACS+-based CLI sessions.
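To make the accounting and authorization settings above concrete, here is an added Python model; it is example code written for this page, not Cisco's or StarOS's own. It derives the (prompt, command, arguments) tuple a TACACS+ server must match under authorization command, prompt and arguments, and the line an accounting command record carries. The prompt strings, the command lines and the set of commands redacted as "***" are constructed assumptions; this reference does not list which commands the ASR redacts.

```python
# Added example (not Cisco's code): what the CLI hands to the TACACS+ server
# under each `authorization` setting, and what an `accounting command` record
# carries. Prompts, command lines and the redaction set are constructed.
from dataclasses import dataclass
from typing import Dict, Optional, Tuple


@dataclass(frozen=True)
class AuthzConfig:
    command: bool = False    # authorization command
    prompt: bool = False     # authorization prompt (supersedes command)
    arguments: bool = False  # authorization arguments


def authorization_request(cfg: AuthzConfig, cli_prompt: str,
                          line: str) -> Optional[Tuple[Optional[str], str, Tuple[str, ...]]]:
    """Return (prompt, command, arguments) the server must match, or None when
    no per-command authorization is enabled.

    - command:   only the command word is sent.
    - prompt:    the prompt string goes with it, so the same command typed in
                 different CLI modes needs separate server-side entries.
    - arguments: the command's arguments are sent too; a command typed without
                 arguments is sent alone.
    """
    if not (cfg.command or cfg.prompt or cfg.arguments):
        return None
    words = line.split()
    if not words:
        return None
    cmd, args = words[0], tuple(words[1:])
    return (cli_prompt if cfg.prompt else None, cmd, args if cfg.arguments else ())


# Constructed placeholder: the page only says that "some secure or restricted
# commands" are recorded as three asterisks, not which ones.
REDACTED_COMMANDS = frozenset({"password", "key"})


def accounting_record(line: str) -> str:
    """Record for `accounting command`: the command about to be executed, or
    "***" when it is on the restricted list. Whether the command later
    succeeded or failed is not part of the record."""
    words = line.split()
    if words and words[0] in REDACTED_COMMANDS:
        return "***"
    return line


def demo() -> Dict[str, object]:
    # Constructed prompts: the same command typed in two CLI modes
    exec_prompt = "[local]asr#"
    cfg_prompt = "[local]asr(config)#"
    line = "show configuration"
    by_command = AuthzConfig(command=True)
    by_prompt = AuthzConfig(prompt=True)
    by_args = AuthzConfig(arguments=True)
    return {
        # command-only authorization cannot tell the two modes apart
        "same_key_without_prompt": authorization_request(by_command, exec_prompt, line)
        == authorization_request(by_command, cfg_prompt, line),
        "distinct_with_prompt": authorization_request(by_prompt, exec_prompt, line)
        != authorization_request(by_prompt, cfg_prompt, line),
        "args_sent": authorization_request(by_args, exec_prompt, line),
        "no_args_sent": authorization_request(by_args, exec_prompt, "exit"),
        "disabled": authorization_request(AuthzConfig(), exec_prompt, line),
        "redacted": accounting_record("password secret123"),
        "plain": accounting_record("show version"),
    }


if __name__ == "__main__":
    for name, value in demo().items():
        print(f"{name}: {value}")
```

With command alone, show configuration typed at the Exec prompt and at the Global Configuration prompt produce the same request, which is the situation the prompt option exists for; once prompt authorization is enabled the server-side rule set needs one entry per prompt/command pair.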
end

Exits the current configuration mode and returns to the Exec mode.

Privilege: Security Administrator, Administrator

Usage: Use this command to return to the Exec mode.

exit

Exits the current mode and returns to the parent configuration mode.

Privilege: Security Administrator, Administrator

Usage: Use this command to return to the parent configuration mode.
on-authen-fail

Defines system behavior when an administrative login fails due to a TACACS+ authentication failure. This command can also be used to configure system behavior separately for TACACS+ authentication failures for administrative users accessing the system via the ASR 5000 or ASR 5500 console port.

Privilege: Security Administrator, Administrator

Syntax
on-authen-fail { continue | stop } [ tty console ]

{ continue | stop }
Specifies the type of authentication behavior to enforce:
- continue: After a TACACS+ authentication failure, the system will continue with authentication using non-TACACS+ authentication services.
- stop: After a TACACS+ authentication failure, the system forces the failed TACACS+ user to exit.

tty console
Release 12 and later systems only: Used after the stop or continue parameters to specify system behavior for users being authenticated via the ASR 5000 or ASR 5500 console port:
- stop tty console: Forces the failed TACACS+ user to exit.
- continue tty console: The system will continue with authentication using non-TACACS+ authentication services.

Usage: Use this command to configure system behavior for users that fail TACACS+ authentication.
on-network-error

Configures ASR 5000 or ASR 5500 behavior when a TACACS+ login fails due to a network error. This command can also be used to configure system behavior separately for TACACS+ network error login failures for administrative users accessing the system via the ASR 5000 or ASR 5500 console port.

Privilege: Security Administrator, Administrator

Syntax
on-network-error { continue | stop } [ tty console ]

continue
The system will continue with authentication using non-TACACS+ authentication services.

stop
The system forces the failed TACACS+ user to exit.

tty console
Release 12 and later systems only: Can be used after the continue or stop options to specify system behavior for TACACS+ CLI users being authenticated via the console port on the chassis:
- stop tty console: Forces the failed user to exit when authentication fails.
- continue tty console: The system will continue with authentication using non-TACACS+ authentication services.

Usage: Use this command to configure system behavior for users who fail TACACS+ authentication due to a network error.
on-unknown-user

Configures ASR 5000 or ASR 5500 behavior when a TACACS+ server cannot authenticate a given user name. This command can also be used to configure system behavior separately for TACACS+ unknown user login failures for administrative users accessing the system via the ASR 5000 or ASR 5500 console port.

IMPORTANT: Some TACACS+ server implementations will not send a Reply message indicating that the user name is invalid. Instead, these implementations accept the username, whether valid or not, and then examine the username and password in combination before sending a Reply message indicating a failed TACACS+ login. In these cases, specifying on-unknown-user will not enforce the desired system behavior. To avoid this scenario, determine the method the configured TACACS+ servers use to validate user names before deciding whether the on-unknown-user command will provide the desired result.

Privilege: Security Administrator, Administrator

Syntax
on-unknown-user { continue | stop } [ tty console ]

{ continue | stop }
Specifies the particular behavior to enforce:
- continue: The system continues with authentication using non-TACACS+ authentication services.
- stop: The system forces the failed TACACS+ user to exit.

tty console
Release 12 and later systems only: Can be used after the continue or stop options to specify the behavior of the system for TACACS+ CLI users being authenticated via the console port on the chassis:
- stop tty console: The system forces the failed user to exit when authentication fails.
- continue tty console: The system will continue with authentication using non-TACACS+ authentication services.

Usage: Use this command to configure ASR 5000 or ASR 5500 behavior for users who fail TACACS+ user name authentication.
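Since on-authen-fail, on-network-error and on-unknown-user share one decision structure, here is an added Python model that covers all three together; it is example code written for this page, not Cisco's or StarOS's own. It walks the configured servers in priority order, applies the policy that matches the kind of failure (with its optional tty console override), and reproduces the caveat from the IMPORTANT note above: a server that rejects the name/password pair instead of reporting an unknown user makes on-authen-fail, not on-unknown-user, decide the outcome. The retry walk, the "local-fallback" outcome for continue and the sample servers are constructed assumptions.

```python
# Added example (not Cisco's code): how on-authen-fail, on-network-error and
# on-unknown-user, each with an optional "tty console" override, decide the
# fate of a TACACS+ CLI login. Server replies are simulated; the retry and
# priority walk and the "local-fallback" outcome are assumptions.
from dataclasses import dataclass
from enum import Enum
from typing import Callable, Dict, List, Optional


class Reply(Enum):
    PASS = "pass"                  # credentials accepted
    FAIL = "fail"                  # credentials rejected (authentication failure)
    UNKNOWN_USER = "unknown-user"  # server reports the user name as invalid
    UNREACHABLE = "unreachable"    # no reply at all: network error


class Action(Enum):
    CONTINUE = "continue"  # go on with non-TACACS+ authentication services
    STOP = "stop"          # force the failed user to exit


@dataclass
class FailurePolicy:
    """The three on-* settings; each may carry a separate 'tty console' value."""
    on_authen_fail: Action
    on_network_error: Action
    on_unknown_user: Action
    console_on_authen_fail: Optional[Action] = None
    console_on_network_error: Optional[Action] = None
    console_on_unknown_user: Optional[Action] = None

    def action_for(self, reply: Reply, via_console: bool) -> Action:
        base, console = {
            Reply.FAIL: (self.on_authen_fail, self.console_on_authen_fail),
            Reply.UNKNOWN_USER: (self.on_unknown_user, self.console_on_unknown_user),
            Reply.UNREACHABLE: (self.on_network_error, self.console_on_network_error),
        }[reply]
        return console if (via_console and console is not None) else base


@dataclass
class Server:
    priority: int                    # 1 is tried first, 3 last
    retries: int                     # extra connection attempts after the first
    respond: Callable[[int], Reply]  # simulated reply for attempt n (1-based)


def query_servers(servers: List[Server]) -> Reply:
    """Walk the servers in priority order; a server that stays unreachable for
    1 + retries attempts is skipped. Only when every server is unreachable does
    the login count as a network error."""
    for srv in sorted(servers, key=lambda s: s.priority):
        for attempt in range(1, srv.retries + 2):
            reply = srv.respond(attempt)
            if reply is not Reply.UNREACHABLE:
                return reply
    return Reply.UNREACHABLE


def login(servers: List[Server], policy: FailurePolicy, via_console: bool = False) -> str:
    """'tacacs-login', 'local-fallback' (continue) or 'exit' (stop)."""
    reply = query_servers(servers)
    if reply is Reply.PASS:
        return "tacacs-login"
    action = policy.action_for(reply, via_console)
    return "local-fallback" if action is Action.CONTINUE else "exit"


def demo() -> Dict[str, str]:
    # Constructed servers, not real hosts
    flaky = Server(1, retries=1, respond=lambda n: Reply.UNREACHABLE if n == 1 else Reply.PASS)
    dead = Server(1, retries=0, respond=lambda n: Reply.UNREACHABLE)
    strict = Server(2, retries=0, respond=lambda n: Reply.UNKNOWN_USER)
    # The kind of server the IMPORTANT note describes: it never says
    # "unknown user", it just rejects the name/password pair.
    coarse = Server(2, retries=0, respond=lambda n: Reply.FAIL)
    policy = FailurePolicy(on_authen_fail=Action.STOP,
                           on_network_error=Action.CONTINUE,
                           on_unknown_user=Action.CONTINUE,
                           console_on_network_error=Action.STOP)
    return {
        "retry_rescues_login": login([flaky], policy),                 # tacacs-login
        "all_down_remote": login([dead], policy),                      # local-fallback
        "all_down_console": login([dead], policy, via_console=True),   # exit
        "unknown_user_strict_server": login([dead, strict], policy),   # local-fallback
        "unknown_user_coarse_server": login([dead, coarse], policy),   # exit
    }


if __name__ == "__main__":
    for name, result in demo().items():
        print(f"{name}: {result}")
```

The two unknown_user results differ only in how the server reports the failure, which is exactly the check the IMPORTANT note asks for: with continue on on-unknown-user but stop on on-authen-fail, a server that folds unknown names into a plain authentication failure terminates the session where a server that reports the unknown name lets the login fall back to the non-TACACS+ services.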
server

Configures TACACS+ AAA service-related parameters for use in authenticating ASR 5000 or ASR 5500 administrative users via a TACACS+ server.

IMPORTANT: Once a TACACS+ server is configured with the server command, TACACS+ AAA services for the ASR 5000 or ASR 5500 must be enabled using the aaa tacacs+ command in Global Configuration mode.

Privilege: Security Administrator, Administrator

Syntax
[ no ] server priority priority_number ip-address ip_address [ service { authentication | authorization | accounting } ] [ port port_number ] [ { encrypted password shared_secret | password text_password | key text_password } ] [ timeout seconds ] [ retries num_retries ] [ nas-source-address ip_address ]

no
Removes a specified server priority from the TACACS+ server list.

priority priority_number
Specifies the order in which TACACS+ servers are to be tried. A maximum of three TACACS+ AAA servers can be configured. priority_number can be an integer from 1 (highest priority) to 3 (lowest priority). If no server with priority 1 is specified, the next highest priority is used. If the specified priority matches that of a TACACS+ server already configured, any previously defined server configuration parameter(s) for that priority are returned to the default setting(s).

ip-address ip_address
Specifies the IP address of the TACACS+ server in IPv4 dotted-decimal notation. Only one IP address can be defined for a given server priority.

[ service { authentication | authorization | accounting } ]
Release 12 and later systems only: Specifies one or more of the AAA services that the specified TACACS+ server will provide. Use of the service keyword requires that at least one of the available services be specified. If the service keyword is not used, the ASR 5000 or ASR 5500 will use the TACACS+ server for all AAA service types. The default is to use authentication, authorization and accounting. Available service types are:
- authentication: The specified TACACS+ server should be used for authentication. If a TACACS+ authentication server is not available, TACACS+ will not be used for authorization or accounting.
- authorization: The specified TACACS+ server should be used for authorization. If TACACS+ authentication is not used, TACACS+ authorization will not be used. If no authorization server is specified and the user is authenticated, the user will remain logged in with minimum privileges (Inspector level).
- accounting: The specified TACACS+ server should be used for accounting. If TACACS+ authentication is not used, TACACS+ accounting will not be used. If no accounting server is specified and the user is authenticated, no accounting will be performed for the user.

[ port port_number ]
Specifies the TCP port number to use for communication with the TACACS+ server. port_number can be an integer from 1 through 65535. If a port is not specified, the ASR 5000 or ASR 5500 will use port 49.

[ { encrypted password shared_secret | password text_password | key text_password } ]
Specify the encrypted or plain-text password:
- encrypted password shared_secret: Specifies the encrypted value of the shared secret key. The server-side configuration must match the decrypted value for the protocol to work correctly. If encrypted password is specified, specifying password is invalid. No encryption is used if this value is null (""). The encrypted password can be an alphanumeric string of 1 through 100 characters. If neither an encrypted password nor a password is specified, the ASR 5000 or ASR 5500 will not use encryption.
- password text_password: Release 12.0 and later systems. Instead of using an encrypted password value, the user can specify a plain-text value for the password. If the password keyword is specified, specifying encrypted password is invalid. A null string ("") represents no encryption. The password can be an alphanumeric string of 1 through 32 characters. If neither an encrypted password nor a password is specified, the ASR 5000 or ASR 5500 will not use encryption.
- key text_password: Release 11.0 systems only. Instead of using an encrypted password value, the user can specify a plain-text key value for the password. If the key keyword is specified, specifying encrypted password is invalid. A null string represents no encryption. The password can be from 1 to 32 alphanumeric characters in length. If neither an encrypted password nor a key is specified, the ASR 5000 or ASR 5500 will not use encryption.

[ timeout seconds ]
Specifies the number of seconds to wait before a connection to the TACACS+ server times out. seconds can be an integer from 1 through 1000. If no timeout is specified, the ASR 5000 or ASR 5500 will use the default value of 10 seconds.

[ retries num_retries ]
Release 12 and later systems only: Specifies the number of retry attempts at establishing a connection to the TACACS+ server if the initial attempt fails. num_retries can be an integer from 0 through 100. The default is 3. Specifying 0 (zero) retries results in the ASR 5000 or ASR 5500 trying only once to establish a connection; no further retries will be attempted.

[ nas-source-address ip_address ]
Release 12 and later systems only: Sets the IPv4 address to be placed in the Source Address field of the IP header of TACACS+ protocol packets sent from the NAS to the TACACS+ server. ip_address is entered in IPv4 dotted-decimal notation and must be valid for the interface.

Usage: Use this command to specify TACACS+ service parameters for a specified TACACS+ server.
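As an added example (written for this page, not Cisco's or StarOS's code), the following Python parser enforces the constraints the server command description lists: priority 1 to 3, an IPv4 dotted-decimal address, the port, timeout and retries ranges with their defaults of 49, 10 and 3, at least one type after service, the 32- and 100-character secret limits with "" meaning no encryption, and the rule that encrypted password, password and key are mutually exclusive. A small server-list class models the two other statements under priority: re-entering a priority discards the earlier parameters for that server, and servers are tried from priority 1 upward. The command lines are constructed samples; the release restrictions on password and key are noted in a comment but not enforced.

```python
# Added example (not Cisco's code): parser and validator for the `server`
# command's documented defaults, ranges and exclusions, plus a server list
# that models priority replacement and try order. Inputs are constructed.
import ipaddress
from typing import Dict, List, Optional

SERVICES = ("authentication", "authorization", "accounting")
# password: Release 12.0+, key: Release 11.0 only (release not enforced here)
SECRET_MAX_LEN = {"encrypted password": 100, "password": 32, "key": 32}
DEFAULTS: Dict[str, object] = {
    "service": SERVICES,   # no service keyword: all three services
    "port": 49,            # TCP port
    "secret": "",          # "" (null string) means no encryption
    "secret_form": None,   # which of the three exclusive forms was used
    "timeout": 10,         # seconds
    "retries": 3,          # Release 12 and later
}


def _int_in(name: str, value: str, lo: int, hi: int) -> int:
    try:
        n = int(value)
    except ValueError:
        raise ValueError(f"{name}: {value!r} is not an integer") from None
    if not lo <= n <= hi:
        raise ValueError(f"{name}: {n} is outside {lo}..{hi}")
    return n


def _arg(tokens: List[str], i: int, kw: str) -> str:
    if i >= len(tokens):
        raise ValueError(f"{kw}: missing value")
    return tokens[i]


def parse_server_command(line: str) -> Dict[str, object]:
    """Parse one `server priority ... ip-address ...` line into a settings dict."""
    t = line.split()
    if t[:2] != ["server", "priority"] or len(t) < 5 or t[3] != "ip-address":
        raise ValueError("expected: server priority <1-3> ip-address <IPv4> ...")
    cfg = dict(DEFAULTS)
    cfg["priority"] = _int_in("priority", t[2], 1, 3)    # 1..3 also caps the list at three
    cfg["ip_address"] = str(ipaddress.IPv4Address(t[4]))  # raises ValueError on non-IPv4
    i = 5
    while i < len(t):
        kw = t[i]
        if kw == "service":
            i += 1
            chosen = []
            while i < len(t) and t[i] in SERVICES:
                chosen.append(t[i])
                i += 1
            if not chosen:
                raise ValueError("service: at least one service type is required")
            cfg["service"] = tuple(chosen)
        elif kw in ("port", "timeout", "retries"):
            lo, hi = {"port": (1, 65535), "timeout": (1, 1000), "retries": (0, 100)}[kw]
            cfg[kw] = _int_in(kw, _arg(t, i + 1, kw), lo, hi)
            i += 2
        elif kw in ("password", "key") or (kw == "encrypted" and _arg(t, i + 1, kw) == "password"):
            form = "encrypted password" if kw == "encrypted" else kw
            i += 2 if kw == "encrypted" else 1
            secret = _arg(t, i, form).strip('"')
            i += 1
            if cfg["secret_form"] not in (None, form):
                raise ValueError(f"{form} cannot be combined with {cfg['secret_form']}")
            if len(secret) > SECRET_MAX_LEN[form]:
                raise ValueError(f"{form}: longer than {SECRET_MAX_LEN[form]} characters")
            cfg["secret"], cfg["secret_form"] = secret, form
        else:
            raise ValueError(f"unknown keyword {kw!r}")
    return cfg


def rejects(line: str) -> bool:
    """True when the line violates a documented constraint."""
    try:
        parse_server_command(line)
    except ValueError:
        return True
    return False


class TacacsServerList:
    """One entry per priority; re-entering a priority replaces all its parameters."""

    def __init__(self) -> None:
        self._servers: Dict[int, Dict[str, object]] = {}

    def apply(self, line: str) -> Optional[Dict[str, object]]:
        t = line.split()
        if t[:3] == ["no", "server", "priority"]:
            self._servers.pop(_int_in("priority", _arg(t, 3, "priority"), 1, 3), None)
            return None
        cfg = parse_server_command(line)
        self._servers[int(cfg["priority"])] = cfg  # replace, never merge
        return cfg

    def try_order(self) -> List[str]:
        """Server addresses in the order the ASR would try them (priority 1 first)."""
        return [str(self._servers[p]["ip_address"]) for p in sorted(self._servers)]


if __name__ == "__main__":
    servers = TacacsServerList()
    servers.apply("server priority 2 ip-address 192.0.2.20 service authentication authorization")
    servers.apply("server priority 1 ip-address 192.0.2.10 port 4949 password s3cret timeout 5")
    print(servers.try_order())
```

The replacement behaviour is the one worth checking in practice: re-entering server priority 1 without a timeout does not keep the earlier timeout 5, it silently returns to the 10-second default, so each re-entry of a priority must repeat every non-default parameter.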