Client configuration for TACACS+ authorization

AAA command authorization is supported for TACACS+

Authorization is the action of determining what a user is allowed to do on a device. By default, TACACS+ command authorization is disabled. Regardless of how authentication is performed (locally, or on a RADIUS or TACACS+ server), when at least one TACACS+ server is configured, you can enable TACACS+ command authorization with the aaa authorization command command.

When TACACS+ command authorization is enabled and a user attempts to run a command, an authorization request is sent to the servers on the TACACS+ server list in a round-robin fashion. In response, the TACACS+ server returns either an accept or a reject message, based on the user's configuration or settings on that server. When an accept message is received, the user is permitted to run the command.

At the device level, authorization is enforced by role-based access control (RBAC). To ensure that local device-level authorization is performed when the TACACS+ server is unreachable, enable command authorization with the aaa authorization command command and specify the local option. When the local option is not specified, no local device-level authorization is performed while the TACACS+ server is unreachable; command authorization therefore fails.

TACACS+ command authorization can only be enabled when at least one TACACS+ server is configured. Similarly, when command authorization is enabled, the TACACS+ server cannot be removed when it is the only server on the TACACS+ server list.
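The decision flow described above (round-robin over the server list, accept or reject from the server that answers, and the effect of the local option when no server answers) as a small model. This is an added illustration, not the device's own code: the server names, the per-user command tables, the local RBAC table and the exact round-robin bookkeeping are all constructed assumptions.

```python
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Set, Tuple

# A server that does not answer yields no verdict; the device moves on to the next one.
UNREACHABLE = None


@dataclass
class TacacsServer:
    """A TACACS+ server holding a constructed per-user command policy (model only)."""
    name: str
    policy: Dict[str, Set[str]] = field(default_factory=dict)  # user -> permitted commands
    reachable: bool = True

    def authorize(self, user: str, command: str) -> Optional[bool]:
        if not self.reachable:
            return UNREACHABLE
        # Unknown users and unlisted commands are rejected by the server.
        return command in self.policy.get(user, set())


@dataclass
class CommandAuthorizer:
    """Device-side decision for 'aaa authorization command' (model, not device code)."""
    servers: List[TacacsServer]
    local_option: bool = False                                  # the 'local' keyword
    local_rbac: Dict[str, Set[str]] = field(default_factory=dict)  # constructed RBAC table
    _cursor: int = 0                                             # round-robin position

    def authorize(self, user: str, command: str) -> Tuple[bool, str]:
        """Return (permitted, decided_by); decided_by is a server name, 'local' or 'none'."""
        if not self.servers:
            raise ValueError("command authorization requires at least one TACACS+ server")
        n = len(self.servers)
        for offset in range(n):
            server = self.servers[(self._cursor + offset) % n]
            verdict = server.authorize(user, command)
            if verdict is not UNREACHABLE:
                # Assumed bookkeeping: the next request starts after the server that answered.
                self._cursor = (self._cursor + offset + 1) % n
                return verdict, server.name
        # No server on the list answered.
        if self.local_option:
            return command in self.local_rbac.get(user, set()), "local"
        return False, "none"  # without 'local', authorization fails closed

    def remove_server(self, name: str) -> bool:
        """Refuse to remove the only server while command authorization is enabled."""
        if len(self.servers) == 1 and self.servers[0].name == name:
            return False
        self.servers = [s for s in self.servers if s.name != name]
        return True


if __name__ == "__main__":
    tac1 = TacacsServer("tac1", {"alice": {"show version", "configure terminal"}})
    tac2 = TacacsServer("tac2", {"alice": {"show version"}}, reachable=False)
    strict = CommandAuthorizer([tac1, tac2])
    print(strict.authorize("alice", "configure terminal"))  # answered by tac1
    tac1.reachable = False
    print(strict.authorize("alice", "show version"))        # no server answers: fails closed
    fallback = CommandAuthorizer([tac1, tac2], local_option=True,
                                 local_rbac={"alice": {"show version"}})
    print(fallback.authorize("alice", "show version"))      # decided by local RBAC
```

The contrast worth noticing is the last two calls: with every server down, the same command is rejected outright without the local option and is answered by the device's own RBAC table with it. Which behaviour you want depends on whether losing management access during a TACACS+ outage is acceptable.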

Limitations

TACACS+ command authorization:
  • Is not supported by the REST API or NETCONF.
  • Is not supported during post-boot or configuration replay.
  • If the TACACS+ server is reachable through an in-band interface and the local option is not configured for AAA authorization, every command that follows the AAA authorization configuration fails during a file replay.
  • When AAA authorization is configured and operational REST queries are executed, an Internal Server Error is generated. Workaround: remove the AAA authorization configuration before executing operational REST queries.

There may be situations or configurations where the SSH server and RADIUS / TACACS+ server timeouts conflict. The default SSH server max-login-timeout is 120 seconds. The default RADIUS / TACACS+ timeout is 5 seconds per attempt, with a default of 5 retry attempts, so a single unreachable server can hold up a login for 25 seconds (5 seconds x 5 attempts).

Administrators should be aware that the following situation can occur:

If AAA authentication has been configured with the local-authfallback/local option using five RADIUS / TACACS+ servers, and those servers are not reachable, the login timeout effectively becomes 125 seconds (25 seconds x 5 servers = 125 seconds). Since the default timeout for the SSH server is 120 seconds, the SSH server will time out before the login can fall back to local authentication, preventing even the admin user from logging in.

It is recommended that administrators evaluate the default timeouts wherever this scenario is possible, and adjust the default values for timeout and retry attempts accordingly.
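A pre-change check for the interaction just described. This is an added example, not a device command or vendor tool: it takes the per-attempt timeout, retry count and server count (the page's defaults of 5 seconds, 5 attempts and 120 seconds SSH max-login-timeout are built in), computes the worst-case wait before local fallback is reached when no server answers, and compares it with the SSH login window. Per-server timeout and retry overrides are an assumption of the model, as are the two remedies it suggests (raise the SSH window, or lower the retry count uniformly).

```python
from dataclasses import dataclass
from typing import Dict, List

# Defaults quoted on the page.
DEFAULT_AAA_TIMEOUT_S = 5
DEFAULT_AAA_RETRIES = 5
DEFAULT_SSH_MAX_LOGIN_TIMEOUT_S = 120


@dataclass
class AaaServer:
    """One RADIUS/TACACS+ server entry (per-server overrides are an assumption of this model)."""
    host: str
    timeout_s: int = DEFAULT_AAA_TIMEOUT_S
    retries: int = DEFAULT_AAA_RETRIES

    def worst_case_wait(self) -> int:
        # Every attempt times out before the device gives up on this server.
        return self.timeout_s * self.retries


def worst_case_login_wait(servers: List[AaaServer]) -> int:
    """Seconds until local fallback is attempted when no server answers."""
    return sum(s.worst_case_wait() for s in servers)


def max_uniform_retries(servers: List[AaaServer], ssh_max_login_timeout_s: int) -> int:
    """Largest retry count, applied to every server, that keeps the worst case inside the SSH window."""
    per_round = sum(s.timeout_s for s in servers)  # one attempt against each server
    if per_round == 0:
        return 0
    return max(0, (ssh_max_login_timeout_s - 1) // per_round)


def check_login_window(servers: List[AaaServer],
                       ssh_max_login_timeout_s: int = DEFAULT_SSH_MAX_LOGIN_TIMEOUT_S) -> Dict[str, int]:
    """Report whether local fallback can be reached before the SSH server closes the session."""
    wait = worst_case_login_wait(servers)
    fits = wait < ssh_max_login_timeout_s
    result = {
        "servers": len(servers),
        "worst_case_wait_s": wait,
        "ssh_max_login_timeout_s": ssh_max_login_timeout_s,
        "local_fallback_reachable": fits,
    }
    if not fits:
        # Smallest SSH window that outlasts the wait; add operational headroom in practice.
        result["ssh_timeout_needed_s"] = wait + 1
        result["max_uniform_retries"] = max_uniform_retries(servers, ssh_max_login_timeout_s)
    return result


if __name__ == "__main__":
    # Constructed configuration: five servers with default timeout and retries.
    five_defaults = [AaaServer(f"aaa{i}.example.test") for i in range(1, 6)]
    for key, value in check_login_window(five_defaults).items():
        print(f"{key}: {value}")
```

With the page's figures the report shows a 125-second worst case against a 120-second SSH window, so local fallback is never reached; it then proposes either an SSH window of at least 126 seconds or at most 4 retries per server (5 servers x 5 seconds x 4 attempts = 100 seconds). Run the check against the intended server list before adding servers or enabling local fallback, not after an outage reveals the gap.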