This chapter describes how to configure TACACS+ servers used in AAA and includes the following sections:
The ASA supports TACACS+ server authentication with the following protocols: ASCII, PAP, CHAP, and MS-CHAPv1.
The ASA provides support for TACACS+ attributes. TACACS+ attributes separate the functions of authentication, authorization, and accounting. The protocol supports two types of attributes: mandatory and optional. Both the server and client must understand a mandatory attribute, and the mandatory attribute must be applied to the user. An optional attribute may or may not be understood or used.
Note: To use TACACS+ attributes, make sure that you have enabled AAA services on the NAS.
Table 37-1 lists supported TACACS+ authorization response attributes for cut-through-proxy connections. Table 37-2 lists supported TACACS+ accounting attributes.
This section includes the guidelines and limitations for this feature.
Supported in single and multiple context mode.
Supported in routed and transparent firewall mode.
This section includes the following topics:
Step 1 Add a TACACS+ server group. See Configuring TACACS+ Server Groups.
Step 2 For a server group, add a server to the group. See Adding a TACACS+ Server to a Group.
If you want to use a TACACS+ server for authentication, authorization, or accounting, you must first create at least one TACACS+ server group and add one or more servers to each group. You identify TACACS+ server groups by name.
The following example shows how to add one TACACS+ group with one primary and one backup server:
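An added configuration sketch, not taken from the original page, showing a group with a primary and a backup server. The group name `TACACS-ADMIN`, the interface name `inside`, the documentation-range addresses, and the key placeholders are all assumptions to replace with your own values.

```text
! Constructed example: names, addresses and keys are placeholders.
aaa-server TACACS-ADMIN protocol tacacs+
 ! Mark a server as failed after 2 unanswered attempts
 max-failed-attempts 2
 ! Reactivate failed servers only once every server in the group
 ! is inactive, after a 20-minute dead time
 reactivation-mode depletion deadtime 20
 exit
! Primary server: added first, so it is contacted first
aaa-server TACACS-ADMIN (inside) host 192.0.2.10
 key <shared-secret-for-primary>
 ! Seconds to wait for a reply before giving up on this server
 timeout 5
 exit
! Backup server: used when the primary does not respond
aaa-server TACACS-ADMIN (inside) host 192.0.2.11
 key <shared-secret-for-backup>
 timeout 5
 exit
```

The `key` value must match the secret configured for this ASA on each TACACS+ server; use a long random secret and keep it out of shared configuration exports.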
To add a TACACS+ server to a group, perform the following steps:
To monitor TACACS+ servers, enter one of the following commands:
Table 37-3 lists each feature change and the platform release in which it was implemented.