User's guide
351
Configuration – Security > TACACS+
The Digi TransPort range of routers supports Terminal Access Controller Access-Control
System Plus (TACACS+) for controlling access to the router. TACACS+ provides
authentication, authorisation and accounting (AAA) services.
TACACS+ can be used to control the following access methods: secured asynchronous serial
(ASY) ports, Telnet, SSH, FTP, HTTP/HTTPS and SNMP.
When the TACACS+ client needs to send a request of any kind, it first checks whether a
socket to a server (primary or backup) is already open. If a socket is already open, that
socket is used for the request. If no socket is open, the primary server is tried first; if
the socket to the primary server fails to open, the backup server is tried. Regardless of
whether the previous connection was made to the primary or the backup server, the primary
server is always tried first on the next connection attempt. Once the connection to the
TACACS+ server opens, all pending requests are sent to it.
If no connection to either TACACS+ server is possible because of network or server
problems, all requests by applications are denied. This is a fail-closed design: there is
no fallback to local authentication while the servers are unreachable, so loss of
connectivity to both servers also means loss of remote management access.
Functions of the AAA services
If TACACS+ authentication is enabled, the authentication request is sent to the TACACS+
server. If it is disabled, the router performs the authentication itself. Authorisation is
performed at the same point. If TACACS+ authorisation is disabled, the user's access level
is taken from the local user table on the router. If TACACS+ authorisation is enabled, an
authorisation request is sent to the TACACS+ server. The server returns a privilege level,
which is mapped to a local access level as shown in the table below, and may also return
other attributes, such as a new idle time for the session, which take precedence over the
locally configured values.
When the user has been authenticated and access has been authorised, the login is allowed.
If the connection is via Telnet or SSH, a welcome message is displayed that shows the
access level and the method by which it was assigned. If the access level was assigned
locally, the following message is displayed:
Welcome. Your access level is SUPER
If the access level was assigned by the TACACS+ server, the following message is
displayed:
Welcome. Your access level is obtained remotely
If accounting is enabled, session start and stop messages are sent to the TACACS+ server
when the session opens and closes. During the session, details of the commands executed,
and of the commands denied by access level control, are sent to the TACACS+ server. At the
end of the session the stop message is sent to the TACACS+ server with the elapsed session
time included.
TACACS+ to local privilege level mappings:

TACACS+ level    Local level
>= 15            Super
12 - 14          High
8 - 11           Medium
4 - 8            Low
0 - 3            None

Note: as printed, level 8 appears in both the Medium and the Low range. If the server
returns exactly 8, verify on the router which local level is actually granted before
relying on it.
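The connection policy described earlier in this section (reuse an open socket, primary first, backup on failure, deny everything when neither server is reachable) and the privilege-level mapping in the table are modelled in the following Python. It is an added illustration, not Digi firmware code, and it does not implement the TACACS+ wire protocol: the connect() callback stands in for opening the TCP socket so the failover and fail-closed behaviour can be exercised offline. The server labels PRIMARY and BACKUP, the request kinds, the user names and the first-match resolution of level 8 to Medium are assumptions of the model, not values from the page.

```python
"""Model of the TACACS+ client connection policy and privilege mapping.

Constructed illustration only: not Digi firmware code, no wire protocol.
"""
from dataclasses import dataclass, field
from typing import Callable, List, Optional

PRIMARY = "primary"   # hypothetical labels, not router configuration names
BACKUP = "backup"


class AccessDenied(Exception):
    """No TACACS+ server could be reached: every request is denied."""


@dataclass
class TacacsClient:
    # connect(server) returns True when a socket to that server opens.
    # Injected so the behaviour can be driven without a real server.
    connect: Callable[[str], bool]
    open_socket: Optional[str] = None
    attempts: List[str] = field(default_factory=list)  # every connect() tried

    def _ensure_socket(self) -> str:
        """Reuse an already open socket; otherwise try primary, then backup."""
        if self.open_socket is not None:
            return self.open_socket
        # The primary is always tried first on a new connection, even when
        # the backup served the previous one.
        for server in (PRIMARY, BACKUP):
            self.attempts.append(server)
            if self.connect(server):
                self.open_socket = server
                return server
        raise AccessDenied("no TACACS+ server reachable")

    def request(self, kind: str, user: str) -> dict:
        """Dispatch one AAA request. Fail-closed: no server means denied."""
        try:
            server = self._ensure_socket()
        except AccessDenied:
            return {"kind": kind, "user": user, "sent": False, "server": None}
        return {"kind": kind, "user": user, "sent": True, "server": server}

    def close(self) -> None:
        """Socket gone (e.g. closed by the server); the next request reconnects."""
        self.open_socket = None


def local_level(priv_lvl: int) -> str:
    """Map a TACACS+ privilege level to the router's local access level.

    Ranges follow the mapping table in this section. Level 8 is listed there
    under both Medium and Low; this function resolves it to Medium (an
    assumption, first-match order) and that choice should be verified on a
    real router.
    """
    if priv_lvl < 0:
        raise ValueError("privilege level must be non-negative")
    if priv_lvl >= 15:
        return "Super"
    if priv_lvl >= 12:
        return "High"
    if priv_lvl >= 8:
        return "Medium"
    if priv_lvl >= 4:
        return "Low"
    return "None"


def demo_failover() -> List[dict]:
    """Primary down, backup up: backup use, socket reuse, primary-first retry."""
    status = {PRIMARY: False, BACKUP: True}   # constructed server availability
    client = TacacsClient(connect=lambda s: status[s])
    results = [client.request("authen", "alice")]      # primary fails, backup used
    results.append(client.request("author", "alice"))  # reuses the backup socket
    client.close()
    results.append(client.request("acct-start", "alice"))  # primary tried first again
    return results


if __name__ == "__main__":
    for r in demo_failover():
        print(r)
    for lvl in (15, 13, 9, 8, 5, 2):
        print(lvl, "->", local_level(lvl))
```

The point to take from running it is the last request in demo_failover(): after the socket is dropped, the client does not stay on the backup but goes back to the primary, and with both servers down the request comes back with sent=False rather than being authenticated locally.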