Specifications
How Do I Implement TACACS+?
December 2, 2010 Page 2 of 7
How Do I Implement TACACS+?
You can configure the TACACS+ client on your Enterasys device in conjunction with one or more (up to eight) TACACS+ access servers to provide authentication, authorization, or accounting services on your network. Each of the TACACS+ services can be implemented on separate servers. You can also configure TACACS+ to use a single TCP connection for all TACACS+ client requests to a given TACACS+ server.
For more information about the basic TACACS+ configuration, see “Basic TACACS+ Configuration” on page 4.
Understanding TACACS+
TACACS+ client functionality falls into four basic capabilities:
• Authentication and session authorization
• Command authorization
• Session accounting
• Command accounting
Session Authorization and Accounting
The TACACS+ client is disabled by default. When the TACACS+ client is enabled on an Enterasys device and a session is initiated, the configured session authorization parameters are sent by the client to the TACACS+ server. The parameter values must match a service and access level attribute-value pair configured on the server for the session to be authorized. If the parameter values do not match, the session is not allowed.
The service name and attribute-value pairs can be any character string, and are determined by your TACACS+ server configuration.
When session accounting is enabled, the TACACS+ server logs accounting information, such as start and stop times, IP address of the remote user, and so forth, for each authorized client session.
Command Authorization and Accounting
TACACS+ command authorization and accounting can occur only during a TACACS+ authorized session.
When command authorization is enabled, the TACACS+ server checks whether each command is permitted for that authorized session and returns a success or failure for each one. If the authorization fails, the command is not executed.
When command accounting is enabled, the TACACS+ server logs accounting information, such as the command string and IP address of the remote user, for each command executed during the session.
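The session and command accounting records described above can be reconciled on the server side: each command record should belong to a session that produced a start record. The following is an added example, not code from the Enterasys document; the record layout (a tac_plus-like line of timestamp, device IP, user, port, remote user IP, record type, then key=value attributes) and the sample log are constructed assumptions, since the real layout depends on your TACACS+ server.

```python
from datetime import datetime

# Constructed sample accounting records (not from the Enterasys document).
# Assumed tac_plus-like layout: timestamp, device IP, user, port, remote user
# IP, record type (start/stop/cmd), then key=value attributes; the real layout
# depends on your TACACS+ server.
SAMPLE_LOG = """\
2010-12-02T10:00:01 10.1.1.5 admin tty0 192.0.2.10 start task_id=7 service=shell
2010-12-02T10:00:05 10.1.1.5 admin tty0 192.0.2.10 cmd task_id=7 cmd=show config
2010-12-02T10:00:09 10.1.1.5 admin tty0 192.0.2.10 stop task_id=7 service=shell
2010-12-02T10:01:00 10.1.1.5 oper tty1 192.0.2.20 cmd task_id=8 cmd=set system name X
"""

def parse_record(line):
    """Split one record into its fixed fields plus a dict of key=value attributes."""
    ts, nas, user, port, remote, rtype, *rest = line.split()
    attrs = {}
    for i, tok in enumerate(rest):
        key, _, val = tok.partition("=")
        if key == "cmd":  # the command string runs to the end of the line
            attrs["cmd"] = " ".join([val] + rest[i + 1:])
            break
        attrs[key] = val
    return {"time": datetime.fromisoformat(ts), "nas": nas, "user": user,
            "port": port, "remote": remote, "type": rtype, **attrs}

def audit(log_text):
    """Rebuild sessions from start/stop records and attach their command records.

    Command accounting only happens inside an authorized session, so a cmd or
    stop record whose task_id never produced a start record is flagged.
    """
    sessions, orphans = {}, []
    for line in log_text.splitlines():
        rec = parse_record(line)
        sid = rec["task_id"]
        if rec["type"] == "start":
            sessions[sid] = {"user": rec["user"], "remote": rec["remote"],
                             "start": rec["time"], "stop": None, "commands": []}
        elif sid not in sessions:
            orphans.append(rec)
        elif rec["type"] == "stop":
            sessions[sid]["stop"] = rec["time"]
        else:
            sessions[sid]["commands"].append(rec["cmd"])
    return sessions, orphans

if __name__ == "__main__":
    found, stray = audit(SAMPLE_LOG)
    for sid, s in found.items():
        print(sid, s["user"], s["remote"], s["start"], s["stop"], s["commands"])
    for rec in stray:
        print("command outside an authorized session:", rec["user"], rec["cmd"])
```

An orphan record points at a gap in the accounting trail (missing start record, or a device logging commands for a session the server never authorized) and is worth investigating.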