AAA TACACS Policy

TACACS (Terminal Access Controller Access - Control System+) is a protocol created by CISCO Systems which provides access control to network devices (routers, network access servers and other networked computing devices) using one or more centralized servers. TACACS provides separate authentication, authorization, and accounting services running on different servers.

TACACS controls user access to devices and network resources while providing separate accounting, authentication, and authorization services. Some of the services provided by TACACS are:

  • Authorizing each command with the TACACS server before execution
  • Accounting each session‘s logon and log off event
  • Authenticating each user with the TACACS server before enabling access to network

To define a unique AAA TACACS configuration:

  1. Select Configuration→ Network → AAA TACACS Policy.
    The Authentication, Authorization, and Accounting (AAA) TACACS screen lists existing AAA policies. Any of these policies can be selected and applied to a controller, service platform or Access Point.
    Click to expand in new window
    GUID-2CFF8ACC-5C30-4681-AD96-CE40C60B65EE-low.png
  2. Refer to the following information for each existing AAA TACACS policy:
    AAA TACACS Policy Displays the name assigned to the AAA TACACS policy when it was initially created. The name cannot be edited within a listed profile.
    Accounting Access Method Displays the connection method used to access the AAA TACACS accounting server. Options include All, SSH, Console, or Telnet.
    Authentication Access Method Displays the method used to access the AAA TACACS authentication server. Options include All, SSH, Console, Telnet, or Web.
    Authorization Access Method Displays the method used to access the AAA TACACS authorization server. Options include All, SSH, Console, or Telnet.
  3. Select Add to configure a new AAA TACACS policy. Select an existing policy and use the Edit button to edit the policy or use the Delete button to delete it.
  4. Provide a name for the AAA TACACS policy in the AAA TACACS Policy field. The name can be up to 32 characters long. Click Continue. Click OK to proceed.
    The Server Info tab displays by default.
    Click to expand in new window
    GUID-C4A06F20-08A6-4B97-9E78-DCDEBE7F383A-low.png
  5. Under the Authentication table, select + Add Row.
    Click to expand in new window
    GUID-7E48205E-F142-42F7-AA68-F94A3FCFD8D9-low.png
  6. Set the following Authentication settings:
    Server Id Set numerical server index (1-2) for the authentication server when added to the list of available TACACS authentication server resources.
    Host Specify the IP address or hostname of the AAA TACACS server.
    Port Define or edit the port on which the AAA TACACS server listens to traffic. The port range is 1 - 65,535. The default port is 49.
    Secret Specify (and confirm) the secret (password) used for authentication between the selected AAA TACACS server and the controller, service platform or access point. By default the secret is displayed as asterisks. To see the secret being entered, select the Show option.
    Request Attempts Set the number of connection request attempts to the TACACS server before it times out of the authentication session. The available range is from 1 - 10. The default is 3.
    Request Timeout Specify the time for the re-transmission of request packets after an unsuccessful attempt. The default is 3 seconds. If the set time is exceeded, the authentication session is terminated.
    Retry Timeout Factor Set the scaling of retransmission attempts from 50 - 200 seconds. The timeout at each attempt is the function of the retry timeout factor and the attempt number. 100 (the default value) implies a constant timeout on each retry. Smaller values indicate more aggressive (shorter) timeouts. Larger numbers define more conservative (larger) timeouts on each successive attempt. The default is 100.
  7. Select OK to save the changes or Exit to close the screen.
  8. Set the Server Preference, within the Authorization field, to specify which server, in the pool of servers, is selected to receice authorization requests. Options include None, authenticated-server-host, and authenticatedserver- number. If selecting None or authenticated-server-number select + Add Row and set the server‘s ID, host, port, password and connection attempt parameters.
  9. Set the following Authorization Server details:
    Server Id Lists the numerical server index (1-2) for each authentication server when added to the list available to the controller, service platform or access point.
    Host Displays the IP address or hostname set for the AAA TACACS authentication server.
    Port Displays the port the TACACS authentication server listens to traffic. The port range is 1 - 65,535. The default port is 49.
    Secret Specify (and confirm) the secret (password) used for authentication between the selected AAA TACACS server and the controller, service platform or access point. By default the secret is displayed as asterisks. To see the secret being entered, select the Show option.
    Request Attempts Displays the number of connection attempts before the controller, service platform or access point times out of the authentication session. The available range is from 1 - 10. The default is 3.
    Request Timeout Specify the time for the re-transmission of request packets after an unsuccessful attempt. The default is 3 seconds. If the set time is exceeded, the authentication session is terminated.
    Retry Timeout Factor Set the scaling of retransmission attempts from 50 - 200 seconds. The timeout at each attempt is the function of the retry timeout factor and the attempt number. 100 (the default value) implies a constant timeout on each retry. Smaller values indicate more aggressive (shorter) timeouts. Larger numbers define more conservative (larger) timeouts on each successive attempt. The default is 100.
  10. Click OK to save the changes, Reset to revert to the last saved configuration or Exit to close the screen.
  11. Set the Server Preference, within the Accounting field, to select the accounting server, from the pool of servers, to receive accounting requests. Options inlcude None, authenticated-server-host, authenticated-server-number, authorized-server-host and authorized-server-number. The default is authenticated-server-host. If selecting None, authenticated-server-number or authorized-server-number select + Add Row and set the server‘s ID, host, port, password and connection attempt parameters.
  12. Set the following Accounting Server details:
    Server Id Lists the numerical server index (1-2) for each authentication server when added to the list available to the controller, service platform or Access Point.
    Host Displays the IP address or hostname set for the AAA TACACS authentication server.
    Port Displays the port the TACACS authentication server listens to traffic. The port range is 1 - 65,535. The default port
    Secret Specify (and confirm) the secret (password) used for authentication between the selected AAA TACACS server and the controller, service platform or Access Point. By default the secret is displayed as asterisks. To show the secret in plain text, select
    Request Attempts Displays the number of connection attempts before the controller, service platform or Access Point times out of the authentication session. The available range is from 1 - 10. The
    Request Timeout Specify the time for the re-transmission of request packets after an unsuccessful attempt. The default is 3 seconds. If the set time is exceeded, the authentication session is terminated
    Retry Timeout Factor Set the scaling of retransmission attempts from 50 - 200 seconds. The timeout at each attempt is the function of the retry timeout factor and the attempt number. 100 (the default value) implies a constant timeout on each retry. Smaller values indicate more aggressive (shorter) timeouts. Larger numbers define more conservative (larger) timeouts on each successive attempt. The default is 100
  13. Select OK to save the changes, Reset to revert to the last saved configuration or Exit to close the screen.
  14. Select the Settings tab.
    Click to expand in new window
    GUID-322D34E8-9945-489C-B3B0-21537D955A82-low.png
  15. Set the following AAA TACACS Authentication server configuration parameters:
    Authentication Access Method Specify the connection method(s) for authentication requests.
    • All – Authentication is performed for all types of access without prioritization.
    • Console – Authentication is performed only for console access.
    • Telnet – Authentication is performed only for access through Telnet.
    • SSH – Authentication is performed only for access through SSH.
    • Web – Authentication is performed only for access through the Web interface.
    Directed Request Select to enable the AAA TACACS authentication server to be used with the ‘@<server name>‘ nomenclature. The specified server must be present in the list of defined Authentication servers.
  16. Set the following AAA TACACS Authorization server configuration parameters:
    Authorization Access Method Specify the connection method(s) for authorization requests.
    • All – Authorization is performed for all types of access without prioritization.
    • Console – Authorization is performed only for console access.
    • Telnet – Authorization is performed only for access through Telnet.
    • SSH – Authorization is performed only for access through SSH.
    Allow Privileged Commands Select this option to enable privileged commands executed without command authorization. Privileged commands are commands that can alter/ change the authorization server configuration.
  17. Set the following AAA TACACS Accounting server configuration parameters:
    Accounting Access Method Specify the connection method(s) for accounting requests.
    • All – Accounting is performed for all types of access without prioritization.
    • Console – Accounting is performed only for console access.
    • Telnet – Accounting is performed only for access through Telnet.
    • SSH – Accounting is performed only for access through SSH.
    Authentication Failure Select the option to enable accounting upon authentication failures. This setting is disabled by default.
    CLI Commands Select this option to enable accounting for CLI commands. This setting is disabled by default.
    Session Select this option to enable accounting for session start and session stop events. This setting is disabled by default.
  18. Select + Add Row and set the following Service Protocol Settings parameters:
    Service Name Provide a 30 character maximum shell service for user authorization.
    Service Protocol Enter a protocol for user authentication using the service.
    Note

    Note

    A maximum or 5 entries can be made in the Service Protocol Settings table.
  19. Select OK to save the updates to the AAA TACACS policy. Select Reset to revert to the last saved configuration.