
CTR 8500-8300 3.6.0 TACACS+ CLI Commands - July 2018


CTR 8500-8300

TACACS+
CLI Commands
Version 3.6.0

260-668517-001
Build 41.5505

Copyright & Terms of Use


July 2018
This documentation incorporates features and functions provided with CTR 8500-8300
TACACS+, version 3.6.0.

Copyright © 2018 by Aviat Networks, Inc.


All rights reserved.
No part of this publication may be reproduced, transmitted, transcribed, stored in a retrieval
system, or translated into any language or computer language, in any form or by any means,
electronic, magnetic, optical, chemical, manual, or otherwise, without the prior written
permission of Aviat Networks Inc.
To request permission, contact techpubs@aviatnet.com.

Warranty
Aviat Networks makes no representation or warranties with respect to the contents hereof
and specifically disclaims any implied warranties or merchantability or fitness for any
particular purpose.
Further, Aviat Networks reserves the right to revise this publication and to make changes
from time to time in the content hereof without obligation of Aviat Networks to notify any
person of such revision or changes.

Safety Recommendations
The following safety recommendations must be considered to avoid injuries to persons
and/or damage to the equipment:
1. Installation and Service Personnel: Installation and service must be carried out by
authorized personnel who have the technical training and experience necessary to be
aware of any hazardous operations during installation and service, and of measures to
avoid any danger to themselves, to any other personnel, and to the equipment.
2. Access to the Equipment: Access to the equipment in use must be restricted to service
personnel only.
3. Safety Norms: Recommended safety norms are detailed in the Health and Safety
sections of the Eclipse User Manual.
4. Service Personnel Skill: Service personnel must have received adequate technical
training on telecommunications and in particular on the equipment and capabilities this
addendum refers to.

Trademarks
All trademarks are the property of their respective owners.


Aviat Networks Technical Support


Service and Technical Support:
For customer service and technical support, contact one of the regional Technical Help
Desks listed below.

Americas Technical Help Desk
Aviat Networks, Inc.
San Antonio, TX
U.S.A.
Phone: +1 210 526 6345
Toll Free (USA): +1 800 227 8332
Fax: +1 210 526 6315
Email: TAC.AM@aviatnet.com

EMEA Technical Help Desk
Aviat Networks
Blantyre, Glasgow, Scotland
G72 0FB
United Kingdom
Phone: +1 210 526 6345
Fax: +44 16 9871 7204 (English)
     +33 1 5552 8012 (French)
Email: TAC.EMEA@aviatnet.com

Asia Pacific Technical Help Desk
Aviat Networks
Clark Freeport Zone
Philippines 2023
Phone: +1 210 526 6345
Fax: +63 45 599 5196
Email: TAC.APAC@aviatnet.com

Global Support Hotline: +1 210 526 6345


Call this phone number for support from anywhere in the world. Aviat Networks' Global
Support Hotline is available 24 hours a day, 7 days a week, providing uninterrupted support
for all our customers.
When you call our Global Support Hotline:
• You will be greeted by an automated response that will ask you for your PIN#.
  Request a PIN# here: http://aviatnetworks.com/contact-us/technical-assistance/pin-request-form/.
• As soon as you enter your PIN#, you will be transferred to our Global Technical
  Helpdesk that will assist you with your technical issue.
• If you do not have a PIN# your call will be answered by our Support Assurance
  Desk. Your call will be supported and prioritized accordingly.

Or you can contact your local Aviat Networks office. Contact information is available on our
website at: http://www.aviatnetworks.com/services/customer-support/technical-assistance/


Sales and Sales Support:


For sales information, contact one of the Aviat Networks headquarters, or find your regional
sales office at: HTTP://WWW.AVIATNETWORKS.COM/.

Corporate Headquarters
California, USA
Aviat Networks, Inc.
860 N. McCarthy Blvd., Suite 200
Milpitas, CA 95035
U.S.A.
Phone: + 1 408 941 7100
Fax: + 1 408 941 7110
Toll Free for Sales Inquiries: + 1 888 478 9669

International Headquarters
Singapore
Aviat Networks (S) Pte. Ltd.
51 Changi Business Park Central 2
#04-10 The Signature
Singapore 486066
Phone: + 65 6496 0900
Fax: + 65 6496 0999
Sales Inquiries: +1-321-674-4252


TACACS+
TACACS+ (Terminal Access Controller Access-Control System) is a protocol for handling
remote authentication and related services for networked access control through a
centralized server. TACACS+ was developed by Cisco as an improvement on the original
TACACS protocol, which dates to 1984, and a later proprietary extension called Extended
TACACS (XTACACS). TACACS+ is not backwards compatible with either of these earlier
protocols, which it has largely replaced. TACACS+ was released as an open standard in
1993. TACACS+ handles authentication, authorization, and accounting (AAA) services.
The list of commands for TACACS+ is as follows:
• aaa accounting login tacacs
• no aaa accounting login tacacs
• no tacacs-server
• show aaa
• show tacacs-server
• tacacs-client timeout
• tacacs-server

Configuring TACACS+
Follow these steps to configure TACACS+:
• Enable TACACS+ using the login authentication command (see Node
  Administration CLI Commands). The user also has an option to specify fallback
  to local login procedures in the event that a TACACS+ server cannot be
  contacted (see Configuration notes below).
• Add the TACACS+ server(s) with the tacacs-server command. Up to three
  servers may be configured on a priority basis with server 1 being the highest
  priority. The client will then attempt to contact server 1 first and if that fails it
  will attempt server 2 and so on. If the client cannot contact any of the configured
  servers and fallback to ‘local’ is not specified, the user login attempt will be
  rejected. If fall back to local is configured, then local login procedures will be
  attempted.
• Configure the server timeout.
• If accounting is required, configure this by using the aaa accounting login tacacs
  command.

NOTE: Configuration Notes: While configuring the TACACS+ server, keep
the following points in mind:
• The configured key must match the secret-key configured by the
  tacacs-server command.
• The accounting log file needs to be specified to record accounting
  events.
• The TACACS+ client obtains the privilege level from the server using
  login Authorization. Therefore, the privilege levels for users have to be
  set in the server configuration using the service=system pair.
• If the security mode of the CTR is set to 'Strong', user passwords
  configured on the TACACS+ server must comply with the rules for
  password format as defined in CTR 8500-8300 Strong Security Guide.

aaa accounting login tacacs


Command Objective
This command is used to enable TACACS+ as the accounting method globally.

Syntax
aaa accounting login tacacs

Parameter Description
tacacs
Specifies TACACS+ Accounting is enabled.

Mode
Global Configuration Mode

Defaults
no aaa accounting login tacacs

Example
aos (config)# aaa accounting login tacacs

Related Command(s)
login authentication
Controls if TACACS+ is enabled or not (in Node Administration CLI Commands).

tacacs-server
Register new TACACS+ server

no tacacs-server
Deregister TACACS+ server.

tacacs-client timeout
Set server timeout

no aaa accounting login tacacs
Disable TACACS+ accounting.

show system information
Show login authentication setting (in Node Diagnostic CLI Commands).

show tacacs-server
Displays tacacs-server configuration.

show aaa
Displays what method is being used for Authentication, Authorization and Accounting.

no aaa accounting login tacacs


Command Objective
This command is used to disable TACACS+ as the accounting method globally.

Syntax
no aaa accounting login tacacs

Parameter Description
tacacs
Specifies TACACS+ Accounting is disabled.

Mode
Global Configuration Mode

Defaults
TACACS+ accounting is disabled.

Example
aos (config)# no aaa accounting login tacacs

Related Commands
login authentication
Controls if TACACS+ is enabled or not (in Node Administration CLI Commands).

tacacs-server
Register new TACACS+ server.

no tacacs-server
Deregister TACACS+ server.

tacacs-client timeout
Set server timeout.

aaa accounting login tacacs
Enable TACACS+ accounting.

show system information
Show login authentication setting (in Node Diagnostic CLI Commands).

show tacacs-server
Displays tacacs-server configuration.

show aaa
Displays what method is being used for Authentication, Authorisation and Accounting.

no tacacs-server
Command Objective
This command is used to remove the server which was registered at the specified index,
allowing for a new server to be registered at that index. After removal, no connection
attempt will be made to this server.

Syntax
no tacacs-server <index(1-3)>

Parameter Description
index
A number between 1 and 3, indicating the server to be removed.

Mode
Global Configuration Mode

Defaults
index

Example
aos (config)# no tacacs-server 2

Related Commands
login authentication
Controls if TACACS+ is enabled or not (in Node Administration CLI Commands).

tacacs-server
Register new TACACS+ server.

tacacs-client timeout
Set server timeout.

aaa accounting login tacacs
Enable TACACS+ accounting.

no aaa accounting login tacacs
Disable TACACS+ accounting.

show system information
Show login authentication setting (in Node Diagnostic CLI Commands).

show tacacs-server
Displays tacacs-server configuration.

show aaa
Displays what method is being used for Authentication, Authorisation and Accounting.

show aaa
Command Objective
This command displays what method is being used for authentication, authorization and
accounting.

Syntax
show aaa

Parameter Description
aaa
Specifies aaa to display the operational state of Authentication, Authorization and
Accounting.

Mode
Global Configuration Mode

Example
aos# show aaa
Authentication: TACACS+ only
Authorization: TACACS+ EXEC only
Accounting: TACACS+

Related Commands
login authentication
Controls if TACACS+ is enabled or not (in Node Administration CLI Commands).

tacacs-server
Register new TACACS+ server.

tacacs-client timeout
Set server timeout.

aaa accounting login tacacs
Enable TACACS+ accounting.

no aaa accounting login tacacs
Disable TACACS+ accounting.

show system information
Show login authentication setting (in Node Diagnostic CLI Commands).

show tacacs-server
Displays tacacs-server configuration.

no tacacs-server
Deregister TACACS+ server.

show tacacs-server
Command Objective
This command lists the address and port of all TACACS+ servers that have been registered
with the TACACS+ client. If the user provides an index, only the details of that server are
displayed.

Syntax
show tacacs-server [<index(1-3)>]

Parameter Description
index
A number between 1 and 3, where index 1 is the first server to be displayed and index
3 is the last.

Mode
Global Configuration Mode

Example
aos# show tacacs-server 1
Server: 1
Address : 12.0.0.100
TCP port : 49

Related Commands
login authentication
Controls if TACACS+ is enabled or not (in Node Administration CLI Commands).

tacacs-server
Register new TACACS+ server.

no tacacs-server
Deregister TACACS+ server.

tacacs-client timeout
Set server timeout.

aaa accounting login tacacs
Enable TACACS+ accounting.

no aaa accounting login tacacs
Disable TACACS+ accounting.

show system information
Show login authentication setting (in Node Diagnostic CLI Commands).

show aaa
Displays what method is being used for Authentication, Authorisation and Accounting.

tacacs-client timeout
Command Objective
This command sets the maximum amount of time in seconds which will be spent waiting for
a TACACS+ server to respond before moving on and attempting a connection on the next
server.

Syntax
tacacs-client timeout {<seconds(1-10)>}

Parameter Description
seconds
A number between 1 and 10 which specifies the number of seconds spent waiting for
a response from a TACACS+ server before assuming failure.

Mode
Global Configuration Mode

Defaults
5

Example
aos (config)# tacacs-client timeout 3

Related Commands
login authentication
Controls if TACACS+ is enabled or not (in Node Administration CLI Commands).

tacacs-server
Register new TACACS+ server.

no tacacs-server
Deregister TACACS+ server.

aaa accounting login tacacs
Enable TACACS+ accounting.

no aaa accounting login tacacs
Disable TACACS+ accounting.

show system information
Show login authentication setting (in Node Diagnostic CLI Commands).

show tacacs-server
Displays tacacs-server configuration.

show aaa
Displays what method is being used for authentication, authorization and accounting.

tacacs-server
Command Objective
This command registers a new TACACS+ server, specifying its address, port, and shared
key. The user can also provide an index which is used to determine the order in which
connection attempts will be made to the server. The server registered with the lowest index
is the first server that the CTR will try connecting to when authenticating a user. If CTR is
unable to establish a connection with the first server, it will try with the next server which
has a higher index value. This will continue until all of the registered servers have been tried
and none have resulted in a successful connection.

Syntax
tacacs-server [<index(1-3)>] address {<ipv4-address> | <ipv6-address>} [port <tcp-port(1-65535)>] {key <secret key>}

Parameter Description
index
A number between 1 and 3, where index 1 is the first server to try to connect to and
index 3 is the last. Two servers cannot share the same index.

ipv4-address
Configures the IPv4 address of the TACACS+ server host.

ipv6-address
Configures the IPv6 address of the TACACS+ server host.

tcp-port
Configures a specific TCP (Transmission Control Protocol) port to be used by the
TACACS+ protocol. The valid range of values is 1-65535.

secret-key
Configures the per-server encryption key, which specifies the authentication and
encryption key for all TACACS+ communications between the authenticator and the
TACACS+ server. The maximum length of the secret key string is 64 ASCII
characters. The key cannot contain white space or double quote characters.

Mode
Global Configuration Mode

Defaults
index: 1
tcp-port: 49

Example
aos (config)# tacacs-server address 12.0.0.1 key secret123
aos (config)# tacacs-server 2 address 12.0.0.2 port 18001 key secret456
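
The following added example (not part of the Aviat documentation) checks a list of tacacs-server and tacacs-client timeout lines against the limits stated in the configuration steps and in the parameter descriptions above, and returns the order in which servers will be tried. The function name audit, the finding strings and the sample lines are assumptions made for illustration; the wait figure assumes every unreachable server consumes one full timeout.

```python
import ipaddress
import re

# Grammar taken from the Syntax lines above; index and port are optional.
SERVER_RE = re.compile(
    r"^tacacs-server(?:\s+(?P<index>\d+))?\s+address\s+(?P<addr>\S+)"
    r"(?:\s+port\s+(?P<port>\d+))?\s+key\s+(?P<key>.*)$")
TIMEOUT_RE = re.compile(r"^tacacs-client\s+timeout\s+(?P<secs>\d+)$")

def audit(lines):
    """Return (attempt_order, max_wait_seconds, findings) for config lines."""
    servers, findings, timeout = {}, [], 5      # documented default timeout
    for n, raw in enumerate(lines, 1):
        line = raw.strip()
        if (t := TIMEOUT_RE.match(line)):
            timeout = int(t["secs"])
            if not 1 <= timeout <= 10:
                findings.append(f"line {n}: timeout outside 1-10")
            continue
        if not (m := SERVER_RE.match(line)):
            continue                            # not a TACACS+ client line
        index = int(m["index"] or 1)            # documented default index
        port = int(m["port"] or 49)             # documented default port
        key = m["key"]
        if not 1 <= index <= 3:
            findings.append(f"line {n}: index outside 1-3")
        elif index in servers:
            findings.append(f"line {n}: index {index} already registered")
        try:
            ipaddress.ip_address(m["addr"])     # accepts IPv4 and IPv6
        except ValueError:
            findings.append(f"line {n}: address is not IPv4 or IPv6")
        if not 1 <= port <= 65535:
            findings.append(f"line {n}: port outside 1-65535")
        if len(key) > 64 or not key.isascii():
            findings.append(f"line {n}: key is longer than 64 characters or not ASCII")
        if re.search(r'[\s"]', key):
            findings.append(f"line {n}: key has white space or a double quote")
        servers.setdefault(index, (m["addr"], port))
    order = [servers[i] for i in sorted(servers)]   # lowest index is tried first
    return order, len(order) * timeout, findings

SAMPLE = [  # constructed input; the last line is deliberately invalid
    "tacacs-client timeout 3",
    "tacacs-server address 12.0.0.1 key secret123",
    "tacacs-server 2 address 12.0.0.2 port 18001 key secret456",
    "tacacs-server 2 address 12.0.0.3 key bad key",
]
```

Run audit over a saved configuration before applying it; the wait figure is the time a login can stall before it is rejected or falls back to local login.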

Related Commands
login authentication
Controls if TACACS+ is enabled or not (in Node Administration CLI Commands).

no tacacs-server
Deregister TACACS+ server.

tacacs-client timeout
Set server timeout.

aaa accounting login tacacs
Enable TACACS+ accounting.

no aaa accounting login tacacs
Disable TACACS+ accounting.

show system information
Show login authentication setting (in Node Diagnostic CLI Commands).

show tacacs-server
Displays tacacs-server configuration.

show aaa
Displays what method is being used for Authentication, Authorization and Accounting.
