Configure TACACS+ Globally

Enable TACACS+ globally on the switch. TACACS+ is a client/server protocol that provides centralized validation of users: the switch (the client) sends authentication, authorization, and accounting requests to a TACACS+ server. By default, TACACS+ is disabled.

Before you begin

  • You must have access to a TACACS+ server, and configure it, before the TACACS+ features on your switch (the network access server) are available.

    Verify that the switch can reach the TACACS+ server and that TACACS+ is configured correctly before you enable command authorization. If the server is unreachable when command authorization is in effect, the user can issue only the logout and exit commands.

  • If a user is authenticated by TACACS+ and command authorization is enabled for that user's privilege level, and the switch cannot reach the TACACS+ server, the switch rejects every command for which privilege level command authorization is enabled. In that case the user can issue only the logout and exit commands.

  • You must enable TACACS+ globally for TACACS+ authentication to function.

  • You must enable TACACS+ authentication for TACACS+ authorization to function.

About this task

Configure which applications TACACS+ authenticates (CLI, web, or both). TACACS+ authentication controls access through a login and password dialog, or through a challenge and response. By default, CLI authentication is enabled.

After authentication completes, the switch starts the authorization process. By default, command authorization is disabled on the switch, and the command authorization level is none. If command authorization fails, the switch logs the following message: Command <command> not authorized for user <username>.

Two kinds of authorization requests exist:
  1. Login authorization: Login authorization happens immediately after authentication, when the user logs on to the device; the TACACS+ server returns the user's access level. You cannot configure login authorization.

  2. Command authorization: When you configure command authorization for a particular privilege level, the switch sends every command that a user at that level issues to the TACACS+ server for authorization before it runs the command. You must enable command authorization globally and select the individual access levels to which it applies.

Enable the TACACS+ accounting function and select which application TACACS+ accounts for. After you enable accounting, the switch reports user activity to the TACACS+ server in the form of accounting records. The default for accounting is none.
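The command authorization exchange described above, together with the fail-closed behaviour when the server is unreachable, as an added example written for this page rather than code from the switch or any TACACS+ server. It builds and parses TACACS+ (RFC 8907) authorization REQUEST and REPLY packets, including the MD5 pseudo-pad obfuscation, and runs a switch-side decision against a toy server. The shared key, the per-level policy (POLICY), the levels selected for command authorization (AUTHZ_LEVELS), the session port and remote address, and the session id are constructed assumptions.

```python
"""Added example: TACACS+ (RFC 8907) command authorization, both sides of the exchange.
Not the switch's or any server's code; levels, policy, key, session details and
the captured log format are constructed assumptions."""
import hashlib
import struct

VERSION = 0xC0                 # TACACS+ major version 12, minor version 0
TYPE_AUTHOR = 0x02             # authorization packet type
AUTHOR_PASS_ADD, AUTHOR_PASS_REPL, AUTHOR_FAIL = 0x01, 0x02, 0x10
HEADER = struct.Struct("!BBBBII")   # version, type, seq_no, flags, session_id, length
SHARED_KEY = b"example-shared-secret"        # assumption: key configured on switch and server
POLICY = {1: {"show", "ping"}, 15: None}     # assumption: server policy per level, None = any command
AUTHZ_LEVELS = {1, 15}                       # assumption: CliCommandAuthorizationLevels on the switch
LOG = []                                     # captures the switch's "not authorized" log message

def pseudo_pad(session_id, key, seq_no, length):
    """Obfuscation keystream (RFC 8907 section 4.5): chained MD5 over session_id, key, version, seq_no."""
    seed = struct.pack("!I", session_id) + key + bytes([VERSION, seq_no])
    pad, prev = b"", b""
    while len(pad) < length:
        prev = hashlib.md5(seed + prev).digest()
        pad += prev
    return pad[:length]

def pack(body, session_id, seq_no, key=SHARED_KEY):
    """Build a packet: 12-byte header plus the body XORed with the pseudo pad."""
    pad = pseudo_pad(session_id, key, seq_no, len(body))
    header = HEADER.pack(VERSION, TYPE_AUTHOR, seq_no, 0, session_id, len(body))
    return header + bytes(a ^ b for a, b in zip(body, pad))

def unpack(packet, key=SHARED_KEY):
    """Check the header and de-obfuscate; return (session_id, seq_no, clear body)."""
    version, ptype, seq_no, _flags, session_id, length = HEADER.unpack_from(packet)
    if version != VERSION or ptype != TYPE_AUTHOR:
        raise ValueError("not a TACACS+ v12.0 authorization packet")
    body = packet[HEADER.size:]
    if len(body) != length:
        raise ValueError("body length does not match header")
    pad = pseudo_pad(session_id, key, seq_no, length)
    return session_id, seq_no, bytes(a ^ b for a, b in zip(body, pad))

def author_request(user, priv_lvl, argv):
    """Switch side: authorization REQUEST body for a shell command (service=shell)."""
    args = [b"service=shell", b"cmd=" + argv[0].encode()]
    args += [b"cmd-arg=" + a.encode() for a in argv[1:]] + [b"cmd-arg=<cr>"]
    user_b, port, rem_addr = user.encode(), b"tty0", b"192.0.2.10"   # constructed session details
    # authen_method=TACACSPLUS(6), priv_lvl, authen_type=ASCII(1), authen_service=LOGIN(1)
    fixed = struct.pack("!8B", 6, priv_lvl, 1, 1, len(user_b), len(port), len(rem_addr), len(args))
    return fixed + bytes(len(a) for a in args) + user_b + port + rem_addr + b"".join(args)

def parse_author_request(body):
    """Server side: return (user, priv_lvl, args) from a REQUEST body."""
    _meth, priv_lvl, _atype, _svc, ul, pl, rl, argc = struct.unpack_from("!8B", body)
    arg_lens, pos = body[8:8 + argc], 8 + argc
    user = body[pos:pos + ul].decode()
    pos += ul + pl + rl                          # skip port and rem_addr
    args = []
    for n in arg_lens:
        args.append(body[pos:pos + n].decode())
        pos += n
    return user, priv_lvl, args

def author_reply(status, server_msg=b""):
    """Server side: REPLY body with no returned arguments."""
    return struct.pack("!BBHH", status, 0, len(server_msg), 0) + server_msg

def parse_author_reply(body):
    status, argc, msg_len, _data_len = struct.unpack_from("!BBHH", body)
    return status, body[6 + argc:6 + argc + msg_len].decode()

def tacacs_server(packet):
    """TACACS+ server: authorize the command against the per-level POLICY."""
    session_id, seq_no, body = unpack(packet)
    user, priv_lvl, args = parse_author_request(body)
    cmd = next(a[len("cmd="):] for a in args if a.startswith("cmd="))
    allowed = POLICY.get(priv_lvl, set())
    if allowed is None or cmd in allowed:
        reply = author_reply(AUTHOR_PASS_ADD)
    else:
        reply = author_reply(AUTHOR_FAIL, b"command not permitted for " + user.encode())
    return pack(reply, session_id, seq_no + 1)

def unreachable_server(_packet):
    """Stand-in for a TACACS+ server the switch cannot reach."""
    raise ConnectionError("TACACS+ server unreachable")

def switch_authorize(user, priv_lvl, argv, server=tacacs_server, session_id=0x1A2B3C4D):
    """Switch side: may a TACACS+-authenticated user at priv_lvl run argv?"""
    if priv_lvl not in AUTHZ_LEVELS:
        return True                              # command authorization not enabled for this level
    try:
        reply = server(pack(author_request(user, priv_lvl, argv), session_id, 1))
    except ConnectionError:
        return argv[0] in ("logout", "exit")     # server unreachable: fail closed
    sid, seq_no, body = unpack(reply)
    if sid != session_id or seq_no != 2:
        raise ValueError("reply does not belong to this session")
    status, _msg = parse_author_reply(body)
    if status in (AUTHOR_PASS_ADD, AUTHOR_PASS_REPL):
        return True
    LOG.append(f"Command {' '.join(argv)} not authorized for user {user}")
    return False
```

Two points worth noting from the code. First, the switch only consults the server for levels listed in AUTHZ_LEVELS, which is the effect of CliCommandAuthorizationLevels; a level that is not selected never leaves the switch. Second, the pseudo-pad XOR is obfuscation keyed on the shared secret, not encryption: a wrong key yields garbage rather than an authentication failure, and the body is otherwise unprotected, so the path between the switch and the TACACS+ server still needs to be a trusted management network.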

Procedure

  1. In the navigation pane, expand Configuration > Security > Control Path.
  2. Click TACACS+.
  3. Click the TACACS+ Globals tab.
  4. Select the GlobalEnable check box to enable TACACS+ globally.
  5. Select the cli check box to enable the Accounting option.
  6. Select the cli check box, the web check box, or both, to choose which applications TACACS+ authenticates.
  7. Select the CliCommandAuthorizationEnabled check box to enable TACACS+ command authorization.
  8. Select the privilege levels in the CliCommandAuthorizationLevels box.
  9. Click Apply.

TACACS+ Globals field descriptions

Use the data in the following table to configure the TACACS+ Globals tab.

Name and description

GlobalEnable
  Enables or disables the TACACS+ feature globally.

Accounting
  Determines for which applications TACACS+ collects accounting information. Use TACACS+ accounting to track the services that users access and the amount of network resources that users consume. If unassigned, TACACS+ does not perform the accounting function. The default is none.

  If enabled, TACACS+ accounting logs the following events:
    • User log on and log off
    • Log off generated because of activity timeout
    • Unauthorized command
    • Telnet session closed (not logged off)

Authentication
  Configures which applications TACACS+ authenticates. The options include:
    • cli
    • web

  TACACS+ authentication controls access through a login and password dialog, or through a challenge and response. By default, CLI authentication is enabled.

LastUserName
  Displays the last user for which the system attempted authentication.

LastAddressType
  Displays the address type of the last TACACS+ server address the switch used.

LastAddress
  Displays the address of the last TACACS+ server the switch contacted.

CliCommandAuthorizationEnabled
  Enables TACACS+ command authorization for the privilege levels selected in CliCommandAuthorizationLevels. Use this option to limit the use of certain commands to certain users. To use TACACS+ authorization, you must also enable TACACS+ authentication.

  The switch allows the user to access the switch according to the access level. The default is disabled.

CliCommandAuthorizationLevels
  Selects the privilege levels for which the switch sends commands to the TACACS+ server for authorization. The default is none.