Cisco Global Site Selector Administration Guide
OL-5480-01
Chapter 4 Managing GSS User Accounts Through a TACACS+ Server
TACACS+ Overview
The TACACS+ server provides the following independent AAA services to the
GSS operating as a TACACS+ client:

• Authentication—Identifies users attempting to access a GSS. Authentication
  frequently involves verifying a username with an assigned password. GSS
  users are authenticated against the TACACS+ server when remotely
  accessing a GSS through the console, Telnet, SSH, FTP, or the primary GSSM
  GUI interfaces. A denied authentication attempt prohibits the user from
  accessing the GSS.

• Authorization—Controls which GSS CLI commands an individual user can
  use on a GSS or on a GSSM (primary or standby), providing per-command
  control and filtering. Authorization is typically performed after a user
  is authenticated by the TACACS+ server and begins to use the GSS.
  You can also assign a privilege level to a user accessing the primary GSSM
  GUI.

• Accounting—Records the specific CLI commands and GUI pages accessed
  by a GSS user. Accounting enables system administrators to monitor the
  activities of GSS users, which is beneficial for administering multi-user GSS
  devices. The information is contained in an accounting record, which is sent
  to the TACACS+ server. Each record typically includes the user name, the
  CLI command executed or the primary GSSM GUI page accessed, the
  primary GSSM GUI page action performed, and the time the action was
  performed. You can import the log files from the TACACS+ server into a
  spreadsheet application.

You can define a maximum of three TACACS+ servers for use with a GSS. The
GSS periodically queries the first configured TACACS+ server with a TCP
keepalive to ensure network connectivity and TACACS+ application operation. If
the GSS determines that the TACACS+ server is down, the GSS attempts to
connect to the next server in the list of configured TACACS+ servers as the
backup server. If a second (or third) TACACS+ server is available for use, the GSS
selects that server as the active TACACS+ server.

TCP keepalives are the default means by which the GSS monitors
connectivity with the active TACACS+ server. As a secondary measure, should the
TCP keepalives fail or if you disable the use of keepalives, you can specify a
global TACACS+ timeout period that sets how long the GSS waits for a
response to a connection attempt from a TACACS+ server. The timeout value
applies to all defined TACACS+ servers.
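
The ordered failover described above can be modeled as follows. This is an added example, not Cisco's code or the GSS implementation: the function names are hypothetical, a plain TCP connect stands in for the GSS keepalive, and the loopback servers in `demo()` are constructed.

```python
import socket
from typing import Optional, Sequence, Tuple

MAX_SERVERS = 3    # the guide's limit on defined TACACS+ servers
TACACS_PORT = 49   # standard TACACS+ TCP port (not stated on this page)
Server = Tuple[str, int]

def is_reachable(server: Server, timeout: float) -> bool:
    """TCP connect probe: an assumed stand-in for the GSS keepalive."""
    try:
        with socket.create_connection(server, timeout=timeout):
            return True
    except OSError:   # refused, unreachable, or timed out
        return False

def select_active(servers: Sequence[Server], timeout: float) -> Optional[Server]:
    """Return the first reachable server in configured order, else None."""
    if not 1 <= len(servers) <= MAX_SERVERS:
        raise ValueError(f"define between 1 and {MAX_SERVERS} servers")
    for server in servers:                  # first configured is preferred
        if is_reachable(server, timeout):   # one global timeout for every server
            return server
    return None

def demo() -> Tuple[bool, bool, bool]:
    """Constructed loopback scenario: one listening server, one closed port."""
    up = socket.socket()
    up.bind(("127.0.0.1", 0))
    up.listen(8)
    live = up.getsockname()
    tmp = socket.socket()
    tmp.bind(("127.0.0.1", 0))
    dead = tmp.getsockname()
    tmp.close()                             # nothing listens on `dead` now
    try:
        return (
            select_active([dead, live], 0.5) == live,  # fails over to backup
            select_active([live, dead], 0.5) == live,  # primary stays active
            select_active([dead], 0.5) is None,        # no server available
        )
    finally:
        up.close()

if __name__ == "__main__":
    print(demo())
```

Against real servers, pass `(host, TACACS_PORT)` pairs in configured order. A `None` result means no defined server answered within the timeout.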