Disables a configured TACACS+ accounting setting (either accounting start-stop or accounting command).
• start-stop: Records the time at which the session starts (the time at which the user passes authentication) and the time at which the user exits. If a user exits before passing authentication, only a stop time is recorded.
• command: Enables accounting on a command-by-command basis. The TACACS+ server is contacted prior to the execution of the command and the command which is about to be executed is recorded. Only commands which are valid for the user privilege and context (mode) in which they are about to be executed will be recorded. Note that the ASR 5000 does not record whether the command itself succeeded or failed. For security reasons, some secure or restricted commands are not recorded. In such cases, the accounting record will record the command as three asterisks (“***”).
• command: Enables per-command authorization. The TACACS+ server is contacted for each command and each command is authorized for the user. If the user is not authorized to execute the command, then the command fails. If the user is authorized for the command, the command is executed.
• prompt: Enables per-command authorization, as described for the command option above. However, since commands may be duplicated in different CLI modes, this version of the command authorization also passes the command prompt string to the server. The TACACS+ server is contacted for each prompt and command and must have a matching string for the prompt/command combination. Enabling prompt authorization supersedes command authorization, since the prompt and command must be authorized together.
• arguments: Enables per-command and command + argument authorization. The TACACS+ server authorizes each command and its arguments for the user. If the user is not authorized to execute the command and the corresponding arguments, the command fails. If the command does not contain any arguments, then the command only is passed to the authorization server.
• continue: After a TACACS+ authentication failure, the system will continue with authentication using non-TACACS+ authentication services.
• stop: After a TACACS+ authentication failure, the system forces the failed TACACS+ user to exit.

Release 12 and later systems only: Used after the stop or continue parameters to specify system behavior for users being authenticated via the ASR 5000 console port:
• stop tty console: Forces the failed TACACS+ user to exit.
• continue tty console: The system will continue with authentication using non-TACACS+ authentication services.

Release 12 and later systems only: Can be used after the continue or stop options to specify system behavior for TACACS+ CLI users being authenticated via the console port on the chassis:
• stop tty console: Forces the failed user to exit when authentication fails.
• continue tty console: The system will continue with authentication using non-TACACS+ authentication services.

Important: Some TACACS+ server implementations will not send a Reply message indicating that the user name is invalid. Instead, these implementations accept the username, whether valid or not, and then examine the username and password in combination before sending a Reply message indicating a failed TACACS+ login. In these cases, specifying on-unknown-user will not enforce the desired system behavior. To avoid this scenario, determine the method the configured TACACS+ servers use to validate user names before deciding whether specifying the on-unknown-user command will provide the desired result.

• continue: The system continues with authentication using non-TACACS+ authentication services.
• stop: The system forces the failed TACACS+ user to exit.

Release 12 and later systems only: Can be used after the continue or stop options to specify the behavior of the system for TACACS+ CLI users being authenticated via the console port on the chassis:
• stop tty console: The system forces the failed user to exit when authentication fails.
• continue tty console: The system will continue with authentication using non-TACACS+ authentication services.

Use this command to configure ASR 5000 behavior for users who fail TACACS+ user name authentication.

Important: Once a TACACS+ server is configured with the server command, TACACS+ AAA services for the ASR 5000 must be enabled using the aaa tacacs+ command in Global Configuration mode.
[ no ] server priority priority_number ip-address ip_address [ service { authentication | authorization | accounting } ] [ port port_number ] [ { encrypted password shared_secret | password text_password | key text_password } ] [ timeout seconds ] [ retries num_retries ] [ nas-source-address ip_address ]

no: Removes a specified server priority from the TACACS+ server list.

priority priority_number: Specifies the order in which TACACS+ servers are to be tried. A maximum of three TACACS+ AAA servers can be configured. priority_number can be an integer from 1 (highest priority) to 3 (lowest priority). If no server with priority 1 is specified, the next highest priority is used. If the specified priority matches that of a TACACS+ server already configured, any previously defined server configuration parameter(s) for that priority are returned to the default setting(s).

ip-address ip_address: Specifies the IP address of the TACACS+ server in IPv4 dotted-decimal notation. Only one IP address can be defined for a given server priority.

service: Release 12 and later systems only: Specifies one or more of the AAA services that the specified TACACS+ server will provide. Use of the service keyword requires that at least one of the available services be specified. If the service keyword is not used, the ASR 5000 will use the TACACS+ server for all AAA service types. The default is to use authentication, authorization and accounting. Available service types are:
• authentication: The specified TACACS+ server should be used for authentication. If a TACACS+ authentication server is not available, TACACS+ will not be used for authorization or accounting.
• authorization: The specified TACACS+ server should be used for authorization. If TACACS+ authentication is not used, TACACS+ authorization will not be used. If no authorization server is specified and the user is authenticated, the user will remain logged in with minimum privileges (Inspector level).
• accounting: The specified TACACS+ server should be used for accounting. If TACACS+ authentication is not used, TACACS+ accounting will not be used. If no accounting server is specified and the user is authenticated, no accounting will be performed for the user.

port port_number: Specifies the TCP port number to use for communication with the TACACS+ server. port_number can be an integer from 1 through 65535. If a port is not specified, the ASR 5000 will use port 49.

• encrypted password shared_secret: Specifies the encrypted value of the shared secret key. The server-side configuration must match the decrypted value for the protocol to work correctly. If encrypted password is specified, specifying password is invalid. No encryption is used if this value is null (""). The encrypted password can be an alphanumeric string of 1 through 100 characters. If neither an encrypted password nor a password is specified, the ASR 5000 will not use encryption.
• password plain_text_password: Release 12.0 and later systems. Instead of using an encrypted password value, the user can specify a plain-text value for the password. If the password keyword is specified, specifying encrypted password is invalid. A null string ("") represents no encryption. The password can be an alphanumeric string of 1 through 32 characters. If neither an encrypted password nor a password is specified, the ASR 5000 will not use encryption.
• key plain_text_password: Release 11.0 systems only. Instead of using an encrypted password value, the user can specify a plain-text key value for the password. If the key keyword is specified, specifying encrypted password is invalid. A null string represents no encryption. The password can be from 1 to 32 alphanumeric characters in length. If neither an encrypted password nor a key is specified, the ASR 5000 will not use encryption.

timeout seconds: Specifies the number of seconds to wait for a connection timeout from the TACACS+ server. seconds can be an integer from 1 through 1000. If no timeout is specified, the ASR 5000 will use the default value of 10 seconds.

retries num_retries: Release 12 and later systems only: Specifies the number of retry attempts at establishing a connection to the TACACS+ server if the initial attempt fails. num_retries can be an integer from 0 through 100. The default is 3. Specifying 0 (zero) retries results in the ASR 5000 trying only once to establish a connection. No further retries will be attempted.

nas-source-address ip_address: Release 12 and later systems only: Sets the IPv4 address to be placed in the Source Address field of the IP header of TACACS+ protocol packets sent from the NAS to the TACACS+ server. ip_address is entered in IPv4 dotted-decimal notation and must be valid for the interface.
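An added configuration example (not taken from the Cisco reference) that ties the server, authorization, accounting and failure-handling options described above into one defensively configured TACACS+ profile on a Release 12 or later system. The tacacs mode and on-authen-fail command names are not shown on this page and are assumed from StarOS; the 192.0.2.x addresses and the <ENCRYPTED_SECRET> value are constructed placeholders, and lines beginning with # are reader annotations rather than CLI input.

```text
configure
  # Global Configuration mode: TACACS+ AAA must be enabled once a server is defined
  aaa tacacs+
  # Enter TACACS+ Configuration mode (command name assumed from StarOS)
  tacacs mode
    # Priority 1 serves all three AAA services (the default when 'service' is omitted).
    # The encrypted form keeps the shared secret out of the configuration in clear text;
    # a short timeout with two retries bounds how long a dead server stalls a login.
    server priority 1 ip-address 192.0.2.10 encrypted password <ENCRYPTED_SECRET> port 49 timeout 5 retries 2 nas-source-address 192.0.2.1
    # Priority 2 is tried only when priority 1 does not answer
    server priority 2 ip-address 192.0.2.11 encrypted password <ENCRYPTED_SECRET> timeout 5 retries 2 nas-source-address 192.0.2.1
    # Priority 3 is an accounting-only collector; authentication and authorization are never sent here
    server priority 3 ip-address 192.0.2.12 service accounting encrypted password <ENCRYPTED_SECRET> nas-source-address 192.0.2.1
    # Authorize the prompt/command pair, so a command permitted in one CLI mode
    # is not implicitly permitted in every other mode (prompt supersedes command)
    authorization prompt
    # Record session start/stop plus every command; restricted commands are logged as ***
    accounting start-stop
    accounting command
    # Never fall back to non-TACACS+ authentication after a failure, console port included
    on-authen-fail stop tty console
    # Same for unknown user names; note this depends on the server reporting unknown users
    on-unknown-user stop tty console
  end
```

Because priority 1 and 2 also provide accounting by default, the accounting-only server at priority 3 is reached only if the higher priorities do not answer; if a dedicated collector must always receive records, restrict the higher priorities with the service keyword instead.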