authorization-time-interval

Syntax

Hierarchy Level

Release Information

Statement introduced in Junos OS Release 17.4R1.

Description

Configure the time interval at which the JUNOS device fetches the authorization profile configuration from the TACACS+ server and refreshes the authorization profile stored locally on the JUNOS device. By default, the TACACS+ server sends the authorization profile once, after the user is successfully authenticated, and the authorization profile is stored locally on the JUNOS device. The authorization profile refresh feature enables the JUNOS device to check the authorization profile configured remotely on the TACACS+ server at the configured time interval.

If there is a change in the remote authorization profile, the device fetches the authorization profile from the TACACS+ server and the authorization profile configured locally under the login class hierarchy. The device refreshes the authorization profile stored locally by combining the remote and locally configured authorization profiles. This ensures that any changes made to the authorization profile configuration on the TACACS+ server are reflected on the JUNOS device without the user having to restart the authentication process.

To enable periodic refresh of the authorization profile, you must set the time interval at which the JUNOS device fetches the authorization profile configuration from the TACACS+ server and refreshes the authorization profile stored locally. The time interval can be configured directly on the TACACS+ server or locally on the JUNOS device using the CLI. Use the following guidelines to determine which time interval configuration takes precedence:

  • If there is no refresh time interval configured on the TACACS+ server for periodic refresh, the JUNOS device does not receive the time interval value in the authorization response. In this case, the value configured locally on the JUNOS device takes effect.

  • If the refresh time interval is configured on the TACACS+ server and there is no refresh time interval configured locally on the JUNOS device, the value configured on the TACACS+ server takes effect.

  • If the refresh time interval is configured on the TACACS+ server and also locally on the JUNOS device, the value configured on the TACACS+ server takes precedence.

  • If there is no refresh time interval configured on the TACACS+ server and there is no refresh time interval configured on the JUNOS device, there is no periodic refresh.

  • If the refresh time interval configured on the TACACS+ server is out of range or invalid, the refresh time interval value configured locally takes effect.

  • If the refresh time interval configured on the TACACS+ server is out of range or invalid and there is no refresh time interval configured locally, there is no periodic refresh.
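The precedence guidelines above, written out as an added Python example (not Juniper code) that also lists which devices in an inventory end up with no periodic refresh. The function names, field names and sample inventory are constructed for illustration; how the server value is carried in the authorization response is not modeled, and the local value is assumed to have been accepted by the CLI.

```python
from typing import Optional, Tuple

MIN_MINUTES, MAX_MINUTES = 15, 1440  # range stated under Options


def parse_server_value(raw: Optional[str]) -> Optional[int]:
    """Return the server-supplied interval, or None if absent, invalid or out of range."""
    if raw is None:
        return None
    text = raw.strip()
    if not (text.isascii() and text.isdigit()):  # rejects "", "-5", "30m", "12.5"
        return None
    value = int(text)
    return value if MIN_MINUTES <= value <= MAX_MINUTES else None


def effective_interval(server_raw: Optional[str],
                       local_minutes: Optional[int]) -> Tuple[Optional[int], str]:
    """Apply the precedence guidelines; returns (minutes, source)."""
    server = parse_server_value(server_raw)
    if server is not None:
        return server, "server"        # a valid server value always wins
    if local_minutes is not None:
        return local_minutes, "local"  # server value absent, invalid or out of range
    return None, "none"                # no periodic refresh


def devices_without_refresh(inventory):
    """Names of devices whose sessions keep the profile fetched at login."""
    return [d["name"] for d in inventory
            if effective_interval(d["server"], d["local"])[0] is None]


# Constructed inventory: value the server would send, and the local setting.
SAMPLE = [
    {"name": "edge-1", "server": None,   "local": 30},
    {"name": "edge-2", "server": "60",   "local": None},
    {"name": "core-1", "server": "60",   "local": 30},
    {"name": "core-2", "server": None,   "local": None},
    {"name": "lab-1",  "server": "5",    "local": 45},
    {"name": "lab-2",  "server": "2000", "local": None},
]

if __name__ == "__main__":
    for d in SAMPLE:
        print(d["name"], effective_interval(d["server"], d["local"]))
    print("no periodic refresh:", devices_without_refresh(SAMPLE))
```

Devices returned by `devices_without_refresh` are the ones where a change to the profile on the TACACS+ server is not picked up during an existing session.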

After the periodic refresh time interval is set, if the user changes the refresh interval before the authorization request is sent from the JUNOS device, the updated refresh interval takes effect after the next immediate periodic refresh.

Default

If the authorization time interval is not configured, the authorization profile is not refreshed during a TACACS+ authentication session.

Options

minutes

The time interval at which the authorization profile that is configured on the TACACS+ server is fetched by the JUNOS device during a TACACS+ authentication session.

Range: 15 to 1440 minutes.

Required Privilege Level

admin—To view this statement in the configuration.

admin-control—To add this statement to the configuration.