Configuring TACACS+ for Non-local VPN Authentication
By default TACACS+ authentication is associated with login to the local context. TACACS+ authentication
can also be configured for non-local context VPN logins. TACACS+ must configured and enabled with the
option described below.
A stop keyword option is available for the TACACS+ Configuration mode on-unknown-user command. If
TACACS+ is enabled with the command-keyword option, the VPN context name into which the user is
attempting a login must match the VPN name specified in the username string. If the context name does not
match, the login fails and exits out.
Without this option the login sequence will attempt to authenticate in another context via an alternative login
method. For example, without the on-unknown-user stop configuration, an admin account could log into
the local context via the non-local VPN context. However, with the on-unknown-user stop configuration,
the local context login would not be attempted and the admin account login authentication would fail.
configure
tacacs mode
on-unkown-user stop ?
end
Verifying the TACACS+ Configuration
This section describes how to verify the TACACS+ configuration.
Log out of the system CLI, then log back in using TACACS+ services.
Once TACACS+ AAA services are configured and enabled on the StarOS, the system first will try to
authenticate the administrative user via TACACS+ AAA services. By default, if TACACS+ authentication
fails, the system then continues with authentication using non-TACACS+ AAA services.
Important
At the Exec Mode prompt, enter the following command:
show tacacs [ client | priv-lvl | session | summary ]
The output of the show tacacs commands provides summary information for each active TACACS+ session
such as username, login time, login status, current session state and privilege level. Optional filter keywords
provide additional information.
An example of this command's output is provided below. In this example, a system administrative user named
asradmin has successfully logged in to the system via TACACS+ AAA services.
active session #1:
login username : asradmin
login tty : /dev/pts/1
time of login : Fri Oct 22 13:19:11 2011
login server priority : 1
current login status : pass
current session state : user login complete
current privilege level : 15
remote client application : ssh
remote client ip address : 111.11.11.11
last server reply status : -1
total TACACS+ sessions : 1
ASR 5500 System Administration Guide, StarOS Release 21.4
63
System Settings
Configuring TACACS+ for Non-local VPN Authentication
To Next Page
Loading...
Need help?
General
