Configuring TACACS+ System Accounting


You can use TACACS+ to track and log software logins, configuration changes, and interactive commands. To audit these events, you configure statements at the [edit system accounting] hierarchy level; the following tasks describe each statement.

Tasks for configuring TACACS+ system accounting are:

Specifying TACACS+ Auditing and Accounting Events

To specify the events you want to audit when using a TACACS+ server for authentication, include the events statement at the [edit system accounting] hierarchy level:

events is one or more of the following:

  • login—Audit logins

  • change-log—Audit configuration changes

  • interactive-commands—Audit interactive commands (any command-line input)

Configuring TACACS+ Server Accounting

To configure TACACS+ server accounting, include the server statement at the [edit system accounting destination tacplus] hierarchy level:

server-address specifies the address of the TACACS+ server. To configure multiple TACACS+ servers, include multiple server statements.

Note

If no TACACS+ servers are configured at the [edit system accounting destination tacplus] statement hierarchy level, the Junos OS uses the TACACS+ servers configured at the [edit system tacplus-server] hierarchy level.

We recommend that you add the following configuration at the [edit system accounting destination tacplus] statement hierarchy level to identify a destination and help avoid generating an error condition:

port-number specifies the TACACS+ server port number.

routing-instance routing-instance is the name of the routing instance used to send and receive TACACS+ packets. By default, Junos OS routes authentication, authorization, and accounting packets for TACACS+ through the default routing instance. Starting in Junos OS Release 17.4R1, existing TACACS+ behavior is enhanced to support routing TACACS+ packets through a management interface in a non-default VRF instance named mgmt_junos. For more information on this VRF management instance, see Configuring TACACS+ To Use the Management Instance. Starting in Junos OS Release 18.2R1, you can route TACACS+ traffic through any routing instance you configure in accounting.

You must specify a shared secret (password) that the local router or switch uses to authenticate its exchanges with the TACACS+ server by including the secret statement. If the secret contains spaces, enclose the entire secret in straight double quotation marks (" "). The secret used by the local router or switch must match the one configured on the server. Note that the TACACS+ protocol uses this secret only to obfuscate the packet body (an MD5-based keystream, which RFC 8907 explicitly states is not encryption), so choose a long secret, avoid reusing one secret across all devices, and keep TACACS+ traffic confined to a protected management network.

Optionally, you can specify the length of time that the local router or switch waits to receive a response from a TACACS+ server by including the timeout statement. By default, the router or switch waits 3 seconds. You can configure this to be a value in the range from 1 through 90 seconds.

Optionally, you can maintain one open TCP connection to the server for multiple requests, rather than opening a new connection for each request, by including the single-connection statement. The server must also support this mode for it to take effect.

To ensure that start and stop requests for accounting of login events are correctly logged in the Accounting file instead of the Administration log file on a TACACS+ server, include either the no-cmd-attribute-value statement or the exclude-cmd-attribute statement at the [edit system tacplus-options] hierarchy level.

If you use the no-cmd-attribute-value statement, the value of the cmd attribute is set to a null string in the start and stop requests. If you use the exclude-cmd-attribute statement, the cmd attribute is totally excluded from the start and stop requests. Both statements support the correct logging of accounting requests in the Accounting file, instead of the Administration file.
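The complete set of statements described in the tasks above, written as an added example in the hierarchical form that load merge accepts. This is not configuration taken from the page or from Juniper; the server addresses (192.0.2.x documentation range), secrets, port, and timeout values are placeholders, and the tacplus-server and authentication-order statements are included only to show the fallback relationship described in the note above.

```junos
system {
    /* Audit logins, configuration changes, and every interactive command */
    accounting {
        events [ login change-log interactive-commands ];
        destination {
            tacplus {
                /* Placeholder addresses and secrets; each secret must match the
                   one configured on that server */
                server 192.0.2.10 {
                    secret "t4c-Acct-Secr3t";
                    port 49;
                    timeout 5;
                    single-connection;
                }
                server 192.0.2.11 {
                    secret "t4c-Acct-Secr3t";
                    port 49;
                    timeout 5;
                }
            }
        }
    }
    /* Drop the cmd attribute from login start/stop records so the server files
       them in its Accounting log rather than its Administration (command) log */
    tacplus-options {
        exclude-cmd-attribute;
    }
    /* Authentication/authorization server; also used for accounting when no
       destination tacplus server is configured */
    tacplus-server {
        192.0.2.10 secret "t4c-Auth-Secr3t";
    }
    /* Keep a local password fallback so a TACACS+ outage cannot lock you out */
    authentication-order [ tacplus password ];
}
```

Load it in configuration mode with load merge terminal, commit, and confirm with show configuration system accounting. To check that accounting actually works end to end, open a second session, log in, run one command, and log out; the server should record a start and a stop record for the login plus one record for the command, and with exclude-cmd-attribute in place the login records should land in its Accounting log rather than its Administration log.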

Configuring TACACS+ To Use the Management Instance

By default, Junos OS routes authentication, authorization, and accounting packets for TACACS+ through the default routing instance. Starting in Junos OS Release 17.4R1, existing TACACS+ behavior is enhanced to support a management interface in a non-default VRF instance.

When the routing-instance mgmt_junos option is configured in both the tacplus-server server-address statement at the [edit system] hierarchy level and the server server-address statement at the [edit system accounting destination tacplus] hierarchy level, and the management-instance statement is also configured at the [edit system] hierarchy level, TACACS+ authentication, authorization, and accounting packets are routed through the management instance mgmt_junos.

Note

The routing-instance mgmt_junos option must be configured in both the tacplus-server and the tacplus server statements. If not, even if the management-instance statement is set, TACACS+ packets will still be sent using the default routing instance only.

For more details on this management instance, see management-instance.
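The three places that must agree for TACACS+ traffic to leave through mgmt_junos, as an added example (not configuration from the page or from Juniper). The address and secret are placeholders, and the static route under routing-instances mgmt_junos is an assumption that applies only when the TACACS+ server is not on the management subnet; with management-instance enabled, the management interface and its routes live in mgmt_junos, so a route toward the server has to be configured there rather than under the global routing-options.

```junos
system {
    /* 1. Move the management interface (fxp0/em0) into the mgmt_junos instance */
    management-instance;
    /* 2. Authentication/authorization server: routing-instance must be set here ... */
    tacplus-server {
        192.0.2.10 {
            secret "t4c-Auth-Secr3t";
            routing-instance mgmt_junos;
        }
    }
    /* 3. ... and here; if either one is missing, all TACACS+ packets still use
       the default routing instance even though management-instance is set */
    accounting {
        events [ login change-log interactive-commands ];
        destination {
            tacplus {
                server 192.0.2.10 {
                    secret "t4c-Auth-Secr3t";
                    routing-instance mgmt_junos;
                }
            }
        }
    }
}
/* Assumed: only needed if 192.0.2.10 is reached through a gateway on the
   management network; 10.0.0.1 is a placeholder next hop */
routing-instances {
    mgmt_junos {
        routing-options {
            static {
                route 192.0.2.10/32 next-hop 10.0.0.1;
            }
        }
    }
}
```

After committing, the quickest check is a login from a second session while watching the server: if the records never arrive, verify both routing-instance statements with show configuration | match routing-instance before suspecting the server, since a missing one silently sends the packets out of the default instance.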

Configuring TACACS+ Accounting on a TX Matrix Router

On a TX Matrix router, TACACS+ accounting should be configured only under the groups re0 and re1.

Note

Accounting should not be configured at the [edit system] hierarchy; on a TX Matrix router, control is done under the switch-card chassis only.

Release History Table

Release   Description
18.2R1    You can route TACACS+ traffic through any routing instance you configure in accounting.
17.4R1    Existing TACACS+ behavior is enhanced to support routing TACACS+ packets through a management interface in a non-default VRF instance named mgmt_junos.