Configuring Periodic Refresh of the TACACS+ Authorization Profile

When you configure a JUNOS device to use a TACACS+ server for authentication, the device prompts users for login information, which is verified by the TACACS+ server. After the user is successfully authenticated, the JUNOS device sends an authorization request to the TACACS+ server to obtain the authorization profile for the user. Authorization profiles specify the access permissions for authenticated users or devices.

The TACACS+ server sends the authorization profile as part of an authorization response message. The remote user configured on the TACACS+ server is mapped to a local user configured on the JUNOS device. The JUNOS device combines the remote authorization profile with the locally configured authorization profile for the user, which is defined at the [edit system login class] hierarchy level.

By default, the exchange of authorization request and response messages occurs only once, after successful authentication. You can configure the JUNOS device to periodically fetch the remote authorization profile from the TACACS+ server and refresh the authorization profile stored locally. This ensures that any change in the authorization parameters is reflected on the local device without the user having to restart the authentication process.

To enable periodic refresh of the authorization profile, you must set the time interval at which the JUNOS device checks the authorization profile configured remotely on the TACACS+ server. If the remote authorization profile has changed, the device fetches the remote authorization profile from the TACACS+ server together with the local authorization profile configured under the login class hierarchy, and refreshes the locally stored authorization profile by combining the two.

The time interval can be configured directly on the TACACS+ server or locally on the JUNOS device using the CLI. The time interval is configured in minutes, in the range of 15 to 1440 minutes.

  • To configure periodic refresh of the authorization profile on the local device using the CLI, include the authorization-time-interval statement at the [edit system tacplus-options] hierarchy level:
  • To configure the time interval for periodic refresh on the TACACS+ server, add the time interval as a parameter in the authorization profile using the following syntax:

Use the following guidelines to determine which time interval configuration takes precedence:

  • If there is no refresh time interval configured on the TACACS+ server for periodic refresh, the JUNOS device does not receive a time interval value in the authorization response. In this case, the value configured locally on the JUNOS device takes effect.

  • If the refresh time interval is configured on the TACACS+ server and there is no refresh time interval configured locally on the JUNOS device, the value configured on the TACACS+ server takes effect.

  • If the refresh time interval is configured both on the TACACS+ server and locally on the JUNOS device, the value configured on the TACACS+ server takes precedence.

  • If there is no refresh time interval configured on the TACACS+ server and none configured on the JUNOS device, there is no periodic refresh.

  • If the refresh time interval configured on the TACACS+ server is out of range or invalid, the refresh time interval value configured locally takes effect.

  • If the refresh time interval configured on the TACACS+ server is out of range or invalid and there is no refresh time interval configured locally, there is no periodic refresh.
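The precedence rules above, encoded as an added example rather than Juniper code: the server-supplied value is modeled as the raw attribute string carried in the authorization response (the attribute's exact name and wire format are not given here and are not assumed), and the local value as the minutes configured on the device.

```python
from typing import Optional

# Bounds stated in the text: the interval is configured in minutes, 15 to 1440.
MIN_INTERVAL = 15
MAX_INTERVAL = 1440


def parse_server_interval(raw: Optional[str]) -> Optional[int]:
    """Interpret the interval value received from the TACACS+ server.

    Returns None when the attribute is absent, is not an integer, or lies
    outside 15..1440; the text treats all of these as "out of range or
    invalid", so they fall through to the locally configured value.
    Modeling the value as a plain string is an assumption of this example.
    """
    if raw is None:
        return None
    try:
        value = int(raw.strip())
    except (ValueError, AttributeError):
        return None
    if MIN_INTERVAL <= value <= MAX_INTERVAL:
        return value
    return None


def effective_refresh_interval(server_raw: Optional[str],
                               local_interval: Optional[int]) -> Optional[int]:
    """Resolve which refresh interval the device will use.

    A valid server-supplied interval always wins; otherwise the locally
    configured interval applies; if neither is present, None means no
    periodic refresh happens at all.
    """
    server_interval = parse_server_interval(server_raw)
    if server_interval is not None:
        return server_interval
    if local_interval is not None and MIN_INTERVAL <= local_interval <= MAX_INTERVAL:
        return local_interval
    return None


if __name__ == "__main__":
    # Constructed cases, one per rule in the text.
    for server, local in [(None, 30), ("60", None), ("60", 30),
                          (None, None), ("5000", 30), ("abc", None)]:
        print(f"server={server!r:>8} local={local!r:>5} -> "
              f"{effective_refresh_interval(server, local)!r}")
```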

After the periodic refresh time interval is set, if the user changes the refresh interval before the authorization request is sent from the JUNOS device, the updated refresh interval takes effect after the next periodic refresh.