You can use TACACS+ to track and log software logins, configuration changes, and interactive commands. To audit these events, include the following statements at the [edit system accounting] hierarchy level:
Tasks for configuring TACACS+ system accounting are:
To specify the events you want to audit when using a TACACS+ server for authentication, include the events statement at the [edit system accounting] hierarchy level:
events is one or more of the following:
To configure TACACS+ server accounting, include the server statement at the [edit system accounting destination tacplus] hierarchy level:
server-address specifies the address of the TACACS+ server. To configure multiple TACACS+ servers, include multiple server statements.
Note: If no TACACS+ servers are configured at the [edit system accounting destination tacplus] statement hierarchy level, the JUNOS software uses the TACACS+ servers configured at the [edit system tacplus-server] hierarchy level.
port-number specifies the TACACS+ server port number.
You must specify a secret (password) that the local router passes to the TACACS+ client by including the secret statement. If the password contains spaces, enclose the entire password in quotation marks (“ ”). The password used by the local router must match that used by the server.
Optionally, you can specify the length of time that the local router waits to receive a response from a TACACS+ server by including the timeout statement. By default, the router waits 3 seconds. You can configure this to be a value in the range from 1 through 90 seconds.
Optionally, you can maintain one open TCP connection to the server for multiple requests, rather than opening a connection for each connection attempt, by including the single-connection statement.
To ensure that start and stop requests for accounting of login events are correctly logged in the Accounting file instead of the Administration log file on a TACACS+ server, include either the no-cmd-attribute-value statement or the exclude-cmd-attribute statement at the [edit system tacplus-options] hierarchy level.
If you use the no-cmd-attribute-value statement, the value of the cmd attribute is set to a null string in the start and stop requests. If you use the exclude-cmd-attribute statement, the cmd attribute is totally excluded from the start and stop requests. Both statements support the correct logging of accounting requests in the Accounting file, instead of the Administration file.
[edit system tacplus-options]
(no-cmd-attribute-value | exclude-cmd-attribute);
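The statements described above, combined into one configuration. This is an added example, not taken from the original page; the server addresses (documentation range 192.0.2.0/24), the shared-secret placeholders, and the chosen port and timeout values are assumptions.

```junos
system {
    accounting {
        # Audit all three event classes the page names: software logins,
        # configuration changes, and interactive commands.
        events [ login change-log interactive-commands ];
        destination {
            tacplus {
                server {
                    # First accounting server (constructed address).
                    192.0.2.10 {
                        # 49 is the standard TACACS+ TCP port.
                        port 49;
                        # Placeholder. Must match the secret on the server;
                        # quote the whole value if it contains spaces.
                        secret "REPLACE-WITH-SHARED-SECRET";
                        # Default is 3 seconds; valid range is 1 through 90.
                        timeout 5;
                        # Reuse one TCP connection for multiple requests.
                        single-connection;
                    }
                    # Second server, added with another server statement.
                    192.0.2.11 {
                        port 49;
                        secret "REPLACE-WITH-SHARED-SECRET";
                        timeout 5;
                        single-connection;
                    }
                }
            }
        }
    }
    tacplus-options {
        # Omit the cmd attribute from login start and stop requests so the
        # server logs them in the Accounting file. The alternative,
        # no-cmd-attribute-value, sends cmd as a null string instead.
        exclude-cmd-attribute;
    }
}
```

If the destination tacplus block is left out, the accounting records go to the servers at [edit system tacplus-server], so check which servers actually receive the audit trail before relying on it.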