Disables a configured TACACS+ accounting setting (either accounting start-stop or accounting command).

{start-stop | command}
• start-stop: Records the time at which the session starts (the time at which the user passes authentication) and the time at which the user exits. Note that in cases where a user exits before passing authentication, only a stop time is recorded.
• command: Enables accounting on a command-by-command basis. The TACACS+ server is contacted prior to the execution of the command and the command which is about to be executed is recorded. Only commands which are valid for the user privilege and context (mode) in which they are about to be executed will be recorded. Note that the system does not record whether the command itself succeeded or failed. For security reasons, some secure or restricted commands are not recorded. In such cases, the accounting record will record the command as three asterisks (“***”).

[no]
• command: Enables per-command authorization. The TACACS+ server is contacted for each command and each command is authorized for the user. If the user is not authorized to execute the command, then the command fails. If the user is authorized for the command, the command is executed.
• prompt: Enables per-command authorization, as described for the command option above. However, since commands may be duplicated in different ASR 5000 CLI modes, this version of the command authorization also passes the command prompt string to the server. The TACACS+ server is contacted for each prompt and command and must have a matching string for the prompt/command combination. Enabling prompt authorization supersedes command authorization, since the prompt and command must be authorized together.
• arguments: Enables per-command and command + argument authorization. The TACACS+ server authorizes each command and its arguments for the user. If the user is not authorized to execute the command and the corresponding arguments, the command fails. If the command does not contain any arguments, then only the command is passed to the authorization server.

{continue | stop}
• continue: After a TACACS+ authentication failure, the system will continue with authentication by using non-TACACS+ authentication services.
• stop: After a TACACS+ authentication failure, the system forces the failed TACACS+ user to exit.

[tty console]

Release 12 and later systems only: Used after the stop or continue parameters to specify system behavior for users being authenticated via the ASR 5000 console port:
• stop tty console: Forces the failed TACACS+ user to exit.
• continue tty console: The system will continue with authentication by using non-TACACS+ authentication services.

on-network-error: Specifies that the system will enforce a particular system behavior when a TACACS+ server cannot authenticate the username/login attempt due to a network error.

Release 12 and later systems only: Can be used after the continue or stop options to specify system behavior for TACACS+ CLI users being authenticated via the console port on the chassis:
• stop tty console: Forces the failed user to exit when authentication fails.
• continue tty console: The system will continue with authentication by using non-TACACS+ authentication services.

Important: Some TACACS+ server implementations will not send a Reply message indicating that the user name is invalid. Instead, these types of implementations will accept the username, whether valid or not, and then examine the username and password in combination before sending a Reply message indicating a failed TACACS+ login. In these cases, specifying on-unknown-user will not enforce the desired system behavior. To avoid this scenario, determine the method the configured TACACS+ servers will use to validate user names before deciding whether specifying the on-unknown-user command will provide the desired result.
{continue | stop}
• continue: The system continues with authentication by using the non-TACACS+ authentication services.
• stop: The system forces the failed TACACS+ user to exit.

[tty console]

Release 12 and later systems only: Can be used after the continue or stop options to specify the behavior of the system for TACACS+ CLI users being authenticated via the console port on the chassis.
• stop tty console: Forces the failed user to exit when authentication fails.
• continue tty console: The system will continue with authentication by using non-TACACS+ authentication services.

Important: Once a TACACS+ server is configured with the server command, TACACS+ AAA services for the system must be enabled by using the aaa tacacs+ command in Global Configuration Mode.
[no] server priority <priority_number> ip-address <ip_address> [service {authentication | authorization | accounting}] [port <port_number>] [{encrypted password <shared_secret> | password <text_password> | key <text_password>}] [timeout <seconds>] [retries <num_retries>] [nas-source-address <ip_address>]

[no]: Removes a specified server priority from the TACACS+ server list.

priority <priority_number>: Specifies the order in which this TACACS+ server is to be tried. A maximum of three TACACS+ AAA servers can be configured. <priority_number> can be a number from 1 (highest priority) to 3 (lowest priority). If no server with priority 1 is specified, then the next highest priority is used. If the specified priority matches that of a TACACS+ server already configured, any previously defined server configuration parameter(s) for that priority are returned to the default setting(s).

ip-address <ip_address>: Specify the IPv4 address of the TACACS+ server. Only one IP address can be defined for a given server priority.

service: Release 12 and later systems only: Specify one or more of the AAA services that the specified TACACS+ server will provide. Use of the service keyword requires that at least one of the available services be specified. If the service keyword is not used, then the system will use the TACACS+ server for all AAA service types. The default is to use authentication, authorization and accounting. Available service types are:
• authentication: The specified TACACS+ server should be used for authentication. Note that if a TACACS+ authentication server is not available, then TACACS+ will not be used for authorization or accounting.
• authorization: The specified TACACS+ server should be used for authorization. Note that if TACACS+ authentication is not used, then TACACS+ authorization will not be used. If no authorization server is specified, and the user is authenticated, then the user will remain logged in with minimum privileges (Inspector level).
• accounting: The specified TACACS+ server should be used for accounting. Note that if TACACS+ authentication is not used, then TACACS+ accounting will not be used. If no accounting server is specified, and the user is authenticated, then no accounting will be performed for the user.

port <port_number>: Specify the TCP port number to use for communication with the TACACS+ server. <port_number> can be any number from 1 - 65535. If a port is not specified, the system will use port 49.
• encrypted password <shared_secret>: Specify the encrypted value of the shared secret key. Note that the server-side configuration must match the decrypted value for the protocol to work correctly. If encrypted password is specified, then specifying password is invalid. No encryption is used if this value is null (""). The encrypted password can be from one to 100 alphanumeric characters in length. If neither an encrypted password nor a password is specified, then the system will use no encryption.
• password <plain_text_password>: Release 12.0 and later systems. Instead of using an encrypted password value, the user can specify a plain-text value for the password. If the password keyword is specified, then specifying encrypted password is invalid. A null string represents no encryption. The password can be from 1 to 32 alphanumeric characters in length. If neither an encrypted password nor a password is specified, then the system will use no encryption.
• key <plain_text_password>: Release 11.0 systems only. Instead of using an encrypted password value, the user can specify a plain-text key value for the password. If the key keyword is specified, then specifying encrypted password is invalid. A null string represents no encryption. The password can be from 1 to 32 alphanumeric characters in length. If neither an encrypted password nor a key is specified, then the system will use no encryption.

timeout <seconds>: Specify the number of seconds to wait for a connection timeout from the TACACS+ server. The timeout <seconds> can be from 1 to 1000 seconds. If no timeout is specified, the system will use the default value of 10 seconds.

retries <number>: Release 12 and later systems only: Specify the number of retry attempts at establishing a connection to the TACACS+ server if the initial attempt fails. retries <number> can be a number from 0 to 100. The default is 3. Specifying 0 (zero) retries results in the system trying only once to establish a connection. No further retries will be attempted.

nas-source-address <ip_address>: Release 12 and later systems only: Enter the IPv4 address to be specified in the Source Address of the IP header in the TACACS+ protocol packet sent from the NAS to the TACACS+ server. The IPv4 address <ip_address> which is specified must be valid for the interface.
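As an added illustration (not part of the Cisco reference or the ASR 5000 software), the following Python linter encodes the constraints of the server command described above and flags what a configuration reviewer would look for: an empty or missing shared secret (which means TACACS+ packet bodies are sent unencrypted), out-of-range priority, port, timeout or retries values, a redefined priority (which resets that server's earlier parameters), more than three servers, and a service split that leaves no authentication server (after which authorization and accounting are not used either). The parser, the finding texts and the sample server lines are assumptions constructed for this example; the limits themselves are the ones stated in the reference.

```python
import shlex
# Limits taken from the server command reference above (Release 12 syntax).
ALL_SERVICES = {"authentication", "authorization", "accounting"}
RANGES = {"priority": (1, 3), "port": (1, 65535), "timeout": (1, 1000), "retries": (0, 100)}

def parse_server_line(line):
    """Turn one 'server priority N ip-address A ...' line into a dict of its options."""
    toks = shlex.split(line)  # keeps the "" null-secret form as an empty token
    assert toks[:2] == ["server", "priority"], "not a server line: " + line
    cfg, i = {"priority": int(toks[2]), "service": set(), "secrets": []}, 3
    while i < len(toks):
        if toks[i] == "service":  # one or more service names follow
            i += 1
            while i < len(toks) and toks[i] in ALL_SERVICES:
                cfg["service"].add(toks[i]); i += 1
        elif toks[i] == "encrypted":  # 'encrypted password <shared_secret>'
            cfg["secrets"].append(("encrypted", toks[i + 2])); i += 3
        elif toks[i] in ("password", "key"):
            cfg["secrets"].append((toks[i], toks[i + 1])); i += 2
        else:  # ip-address, port, timeout, retries, nas-source-address
            cfg[toks[i]] = toks[i + 1]; i += 2
    return cfg

def lint_servers(lines):
    """Return findings for a TACACS+ server list; an empty list means it is clean."""
    findings, seen = [], {}
    for cfg in map(parse_server_line, lines):
        p = cfg["priority"]
        if p in seen:
            findings.append("priority %d redefined; earlier settings revert to defaults" % p)
        seen[p] = cfg
        for key, (lo, hi) in RANGES.items():
            if key in cfg and not lo <= int(cfg[key]) <= hi:
                findings.append("priority %d: %s %s outside %d-%d" % (p, key, cfg[key], lo, hi))
        if len(cfg["secrets"]) > 1:
            findings.append("priority %d: encrypted password, password and key are mutually exclusive" % p)
        if not any(secret for _, secret in cfg["secrets"]):  # null or absent secret = no encryption
            findings.append("priority %d: no shared secret, TACACS+ packet bodies go unencrypted" % p)
    if len(seen) > 3:
        findings.append("more than three TACACS+ servers configured")
    offered = set().union(*(c["service"] or ALL_SERVICES for c in seen.values()))
    if "authentication" not in offered:
        findings.append("no authentication server: TACACS+ authorization and accounting will not be used")
    return findings

# Constructed sample: a weak server list beside a corrected one (RFC 5737 addresses).
WEAK = ['server priority 1 ip-address 192.0.2.10 service authorization accounting password ""',
        "server priority 2 ip-address 192.0.2.11 service accounting timeout 2000 password Example-Secret"]
FIXED = ["server priority 1 ip-address 192.0.2.10 password Example-Secret timeout 10 retries 3",
         "server priority 2 ip-address 192.0.2.11 password Example-Secret nas-source-address 192.0.2.1"]
```

Running lint_servers(WEAK) reports the empty secret on priority 1, the out-of-range timeout on priority 2 and the missing authentication server, while lint_servers(FIXED) returns no findings.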
Cisco Systems Inc.