Configuring TACACS+ Support
To use TACACS+, you must enable AAA. To configure your router to support TACACS+, perform the following tasks. Some of the tasks are optional. Once you configure TACACS+ support on the router, you can configure TACACS+ authentication, authorization, and accounting independent of each other.
- Specify the names of the IP host or hosts maintaining a TACACS+ server. Optionally, you can specify other parameters, such as port number, timeout interval, and key.
host1(config)#tacacs-server host 192.168.1.27 port 10 timeout 3 key your_secret primary
- (Optional) Set the authentication and encryption key value shared by all TACACS+ servers that do not have a server-specific key set up by the tacacs-server host command.
host1(config)#tacacs-server key your_secret
- (Optional) Set alternative source address(es) to be used for TACACS+ server communications.
host1(config)#tacacs-server source-address 192.168.134.63
- (Optional) Set the timeout value for all TACACS+ servers that do not have a server-specific timeout set up by the tacacs-server host command.
host1(config)#tacacs-server timeout 15

Configuring Authentication
Once TACACS+ support is enabled on the router, you can configure TACACS+ authentication. Perform the following steps:
- Specify AAA new model as the authentication method for the vty lines on your router.
host1(config)#aaa new-model
- Specify AAA authentication by defining an authentication method list.
host1(config)#aaa authentication login tac tacacs+ radius enable
- Specify privilege level authentication by defining a method list that uses TACACS+ for authentication.
host1(config)#aaa authentication enable default tacacs+ radius enable
- Configure vty lines.
host1(config)#line vty 0 4
- Apply an authentication list to the vty lines you specified on your router.
host1(config-line)#login authentication tac

Configuring Accounting
Once TACACS+ support is enabled on the router, you can configure TACACS+ accounting. Perform the following steps:
- Specify AAA new model as the accounting method for your router.
host1(config)#aaa new-model
- Enable TACACS+ accounting on the router, and configure accounting method lists. For example:
host1(config)#aaa accounting exec default start-stop tacacs+
host1(config)#aaa accounting commands 0 listX stop-only tacacs+
host1(config)#aaa accounting commands 1 listX stop-only tacacs+
host1(config)#aaa accounting commands 13 listY stop-only tacacs+
host1(config)#aaa accounting commands 14 default stop-only tacacs+
host1(config)#aaa accounting commands 15 default stop-only tacacs+
- (Optional) Specify that accounting records are not generated for users without explicit user names.
host1(config)#aaa accounting suppress null-username
- Apply accounting method lists to a console or lines. For example:
host1(config)#line console 0
host1(config-line)#accounting commands 0 listX
host1(config-line)#accounting commands 1 listX
host1(config-line)#accounting commands 13 listY
host1(config-line)#exit
host1(config)#line vty 0 4
host1(config-line)#accounting commands 13 listY

Note that Exec accounting and User Exec mode commands accounting for privilege levels 14 and 15 are now enabled for all lines and consoles with the creation of their default method list, as shown in Step 2.
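Because the accounting that actually runs on a given line depends on this precedence (a named list applied on the line wins, otherwise the default list for that service and privilege level, otherwise nothing), the following added Python example, which is not JUNOSe software or Juniper code, parses the commands from the procedure above and reports what is in effect per line and level. It assumes a plain-text dump with the CLI prompts stripped. The extra vty entry `accounting commands 15 noAccounting` is constructed here to show the rule documented under the accounting command: naming a list that was never defined disables accounting for that level even though a default list exists.

```python
"""Effective accounting per line and privilege level (added example, not JUNOSe code)."""

# Constructed input: the commands from the procedure above with prompts stripped,
# plus one extra vty entry (commands 15 noAccounting) added to show that an
# undefined list name disables accounting for that level.
SAMPLE_CONFIG = """\
aaa new-model
aaa accounting exec default start-stop tacacs+
aaa accounting commands 0 listX stop-only tacacs+
aaa accounting commands 1 listX stop-only tacacs+
aaa accounting commands 13 listY stop-only tacacs+
aaa accounting commands 14 default stop-only tacacs+
aaa accounting commands 15 default stop-only tacacs+
aaa accounting suppress null-username
line console 0
 accounting commands 0 listX
 accounting commands 1 listX
 accounting commands 13 listY
 exit
line vty 0 4
 accounting commands 13 listY
 accounting commands 15 noAccounting
"""

# Lines are keyed by the 'line ...' command that opened their context.
CONSOLE = "line console 0"
VTY = "line vty 0 4"


def parse_config(text):
    """Split the dump into defined method lists and per-line overrides.

    method_lists maps (service, level, name) -> (notice, protocol); level is
    None for the exec service.  line_overrides maps a line context to
    {(service, level): list_name} for the accounting commands entered in it.
    """
    method_lists = {}
    line_overrides = {}
    current = None
    for raw in text.splitlines():
        tok = raw.split()
        if not tok:
            continue
        if tok[:2] == ["aaa", "accounting"] and tok[2] in ("exec", "commands"):
            if tok[2] == "exec":
                key, rest = ("exec", None, tok[3]), tok[4:6]
            else:
                key, rest = ("commands", int(tok[3]), tok[4]), tok[5:7]
            method_lists[key] = tuple(rest)
        elif tok[0] == "line":
            current = " ".join(tok)
            line_overrides.setdefault(current, {})
        elif tok[0] == "exit":
            current = None
        elif tok[0] == "accounting" and current is not None:
            if tok[1] == "exec":
                line_overrides[current][("exec", None)] = tok[2]
            else:
                line_overrides[current][("commands", int(tok[2]))] = tok[3]
    return method_lists, line_overrides


def effective_accounting(method_lists, line_overrides, line, service, level=None):
    """Return (list_name, notice, protocol) in effect, or None for no accounting."""
    name = line_overrides.get(line, {}).get((service, level))
    if name is not None:
        entry = method_lists.get((service, level, name))
        # A line that names a list which was never defined has accounting
        # disabled for that service/level, even if a default list exists.
        return (name,) + entry if entry else None
    entry = method_lists.get((service, level, "default"))
    return ("default",) + entry if entry else None


def unaccounted_levels(method_lists, line_overrides, line):
    """Privilege levels whose commands generate no accounting on this line."""
    return [lvl for lvl in range(16)
            if effective_accounting(method_lists, line_overrides, line, "commands", lvl) is None]


if __name__ == "__main__":
    lists, overrides = parse_config(SAMPLE_CONFIG)
    for line in (CONSOLE, VTY):
        print(line, "exec:", effective_accounting(lists, overrides, line, "exec"))
        for lvl in range(16):
            print(f"  commands {lvl}:", effective_accounting(lists, overrides, line, "commands", lvl))
        print("  no command accounting at levels:", unaccounted_levels(lists, overrides, line))
```

Running it against the sample shows what the note above states: Exec accounting and command accounting at levels 14 and 15 come from the default lists on every line, while levels 0 and 1 are only accounted on the console, and the constructed noAccounting entry silently switches level 15 off on the vty lines. A line that is not mentioned at all (for example `line vty 5 9`) falls back to the default lists.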
aaa accounting commands
- Use to enable TACACS+ accounting and capture accounting information for a specific JUNOSe privilege level on the router and to create accounting method lists.
- Specify the JUNOSe privilege level (0 through 15) for which to capture accounting information.
- Specify default to configure the default method list, or configure a named method list. The default method list is used by lines and consoles unless a named method list is configured for them.
- Specify stop-only to send a stop accounting notice at the end of a process and tacacs+ as the accounting protocol.
- Example
host1(config)#aaa accounting commands 12 listX stop-only tacacs+
Use the no version to delete the accounting method list.

aaa accounting exec
- Use to enable TACACS+ accounting and capture accounting information for User Exec terminal sessions on the router and to create accounting method lists.
- Specify default to configure the default method list, or configure a named method list. The default method list is used by lines and consoles unless a named method list is configured for them.
- Specify start-stop to send a start accounting notice at the beginning of a process and a stop accounting notice at the end of a successful process. Specify tacacs+ as the accounting protocol.
- Example
host1(config)#aaa accounting exec default start-stop tacacs+
Use the no version to delete the accounting method list.

aaa accounting suppress null-username
- Use to prevent JUNOSe software from generating accounting records for users who do not have explicit usernames.
- Example
host1(config)#aaa accounting suppress null-username
Use the no version to generate accounting records for users with null usernames.

aaa authentication enable default
- Use to allow privilege determination to be authenticated through the TACACS+ server. This command specifies a list of authentication methods that are used to determine whether a user is granted access to the privilege command level.
- The authentication methods that you can use in a list include these options: radius, line, tacacs+, none, and enable.
- To specify that the authentication should succeed even if all methods return an error, specify none as the final method in the command line.
- Requests sent to a TACACS+ server include the username that is entered for login authentication.
- If a default authentication routine is not set for a function, the default is none, and no authentication is performed.
- If the authentication method list is empty, the local enable password is used.
- Example
host1(config)#aaa authentication enable default tacacs+ radius
Use the no version to empty the list.

aaa authentication login
- Use to set AAA authentication at login. This command creates a list that specifies the methods of authentication.
- Once you specify aaa new-model as the authentication method for vty lines, an authentication list called "default" is automatically assigned to the vty lines. To allow users to access the vty lines, you must create an authentication list and either:
  - Name the list "default."
  - Assign a different name to the authentication list, and assign the new list to the vty line using the login authentication command.
- The authentication methods that you can use in a list include these options: radius, line, tacacs+, none, and enable.
- The router traverses the list of authentication methods to determine whether a user is allowed to start a Telnet session. If a specific method is available but the user information is not valid (such as an incorrect password), the router does not continue to traverse the list and denies the user a session.
- If a specific method is unavailable, the router continues to traverse the list. For example, if tacacs+ is the first authentication type element on the list and the TACACS+ server is unreachable, the router attempts to authenticate with the next authentication type on the list, such as radius.
- The router assumes an implicit denial of service if it reaches the end of the authentication list without finding an available method.
- Example
host1(config)#aaa authentication login my_auth_list tacacs+ radius line none
Use the no version to remove the authentication list from your configuration.

aaa new-model
- Use to specify AAA new model as the authentication method for the vty lines on your router.
- If you specify AAA new model and you do not create an authentication list, users will not be able to access the router through a vty line.
- Example
host1(config)#aaa new-model
Use the no version to restore simple authentication (login and password).

accounting
- Use to specify accounting method lists used on a console or vty line. Consoles and lines are initially configured with the default method list for all accounting service types (for example, Exec, Commands).
- Specify exec to capture accounting information for User Exec terminal sessions or commands to capture accounting information for User Exec mode commands at the indicated JUNOSe privilege level (0 through 15).
- Specify the name of the method list to be applied to the line or console.
- To disable accounting for a line or console, specify a nonexistent accounting method list name (for example, noAccounting).
- Example
host1(config)#accounting commands 12 listY
Use the no version to restore the default method list.

line
- Use to open or configure console or vty lines.
- You can specify a single line or a range of lines. The range is 0 through 29 for vty lines, 0 for the console line.
- Example
host1(config)#line vty 6 10
host1(config-line)#
Use the no version to remove a line or a range of lines from the configuration. Lines that you remove will no longer be available for use by Telnet, FTP, or SSH. When you remove a vty line, the router removes all lines above that line. For example, no line vty 6 causes the router to remove lines 6 through 19. You cannot remove lines 0 through 4.

login authentication
- Example
host1(config-line)#login authentication my_auth_list
Use the no version to specify that the router should use the default authentication list.

tacacs-server host
- Use to add or delete a host to or from the list of TACACS+ servers.
- You can optionally specify a nondefault port number, a host-specific key, a single connection, and a timeout interval.
- Use the primary keyword to assign the host as the primary host.
- If a timeout value is specified, it overrides the global timeout value set with the tacacs-server timeout command for this server only.
- You can configure additional hosts by using this command. The designated primary host is always the first in the search order; the remaining hosts are contacted in the order in which they were created. If the primary host is deleted, or if you modify the primary host without specifying the primary keyword, the next host in the search order becomes the primary host. The search order is maintained when the NAS is reloaded.
- Example
host1(config)#tacacs-server host 192.168.1.27 port 10 timeout 3 key your_secret primary
host1(config)#no tacacs-server host 192.168.1.27
Use the no version to delete the host from the list of TACACS+ servers.

tacacs-server key
- Use to set or reset the authentication encryption key value shared by all TACACS+ servers that do not have a server-specific key set up by the tacacs-server host command.
- This key must match the key configured on the TACACS+ process.
- Leading spaces are ignored; however, spaces at the end of the key are recognized. If you use spaces in the key, do not enclose the key in quotation marks.
- Example
host1(config)#tacacs-server key your_secret
Use the no version to reset a key value shared by all TACACS+ servers.

tacacs-server source-address
- Use to set or reset an alternative source address to be used for TACACS+ server communications.
- Existing connections are not affected by this command.
- Example
host1(config)#tacacs-server source-address 192.168.134.63
Use the no version to remove the address.

tacacs-server timeout
- Use to set the interval in seconds that the router waits for the server host to reply. The specified interval is shared by all TACACS+ servers that do not have a server-specific timeout set up by the tacacs-server host command.
- The timeout interval is between 1 and 300 seconds. The default is 5 seconds.
- Example
host1(config)#tacacs-server timeout 15
Use the no version to reset the timeout to the default.
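To make the method-list traversal rules given under aaa authentication login and aaa authentication enable default concrete, the following added Python example, which is not JUNOSe software or Juniper code, simulates walking a list: a reachable method that rejects the credentials ends the walk with a denial, an unavailable method is skipped, reaching the end of the list is an implicit denial, and none succeeds unconditionally. The outcome names (ACCEPT, REJECT, UNAVAILABLE) and the audit helper are this example's own; the sample configuration is constructed from the aaa authentication commands shown on this page. The audit flags a list that still grants access when every method returns an error, which is the documented effect of a trailing none and is worth knowing about before a list is applied to vty lines.

```python
"""AAA method-list traversal simulator (added example, not JUNOSe code)."""

# Outcome a method returns for one attempt; these names are this example's own.
ACCEPT, REJECT, UNAVAILABLE = "accept", "reject", "unavailable"


def authenticate(method_list, outcomes):
    """Walk method_list left to right and return (granted, decided_by).

    outcomes maps a method name to ACCEPT / REJECT / UNAVAILABLE for this
    attempt; a method with no entry is treated as unavailable.  'none' needs
    no entry because it always accepts.
    """
    for method in method_list:
        if method == "none":
            return True, "none"
        result = outcomes.get(method, UNAVAILABLE)
        if result == ACCEPT:
            return True, method
        if result == REJECT:
            # Method available but credentials invalid: stop, do not try the next one.
            return False, method
        # UNAVAILABLE (for example, TACACS+ server unreachable): try the next method.
    return False, "implicit-deny"


def succeeds_when_all_methods_error(method_list):
    """True if the list grants access while every real method returns an error.

    This is the behaviour the reference attributes to specifying none as the
    final method; such a list fails open when all servers are unreachable.
    """
    every_method_down = {m: UNAVAILABLE for m in method_list}
    granted, _ = authenticate(method_list, every_method_down)
    return granted


def parse_method_list(command):
    """Return (kind, list_name, methods) from an aaa authentication login/enable command.

    A leading CLI prompt such as 'host1(config)#' is tolerated and stripped.
    """
    tok = command.split("#", 1)[-1].split()
    if tok[:2] != ["aaa", "authentication"] or tok[2] not in ("login", "enable"):
        raise ValueError("not an aaa authentication login/enable command")
    return tok[2], tok[3], tok[4:]


def audit(config_text):
    """Names of lists in config_text that grant access when every method errors."""
    flagged = []
    for line in config_text.splitlines():
        if line.strip().startswith("aaa authentication"):
            kind, name, methods = parse_method_list(line)
            if succeeds_when_all_methods_error(methods):
                flagged.append(f"{kind} {name}")
    return flagged


# Constructed sample: the aaa authentication commands shown on this page.
SAMPLE_CONFIG = """\
aaa new-model
aaa authentication login tac tacacs+ radius enable
aaa authentication login my_auth_list tacacs+ radius line none
aaa authentication enable default tacacs+ radius enable
"""

if __name__ == "__main__":
    methods = ["tacacs+", "radius", "enable"]
    print(authenticate(methods, {"tacacs+": UNAVAILABLE, "radius": ACCEPT}))   # skipped, then accepted
    print(authenticate(methods, {"tacacs+": REJECT, "radius": ACCEPT}))        # rejected, walk stops
    print(authenticate(methods, {}))                                           # implicit deny
    print(authenticate(["tacacs+", "radius", "line", "none"], {}))             # none accepts
    print("fail-open lists:", audit(SAMPLE_CONFIG))
```

The audit reports only my_auth_list: tac and the enable default list end in enable, so with every server down they reach the end of the list and deny. The simulator also shows the distinction the reference draws between a bad password (the walk stops at tacacs+ even though radius would have accepted) and an unreachable server (the walk moves on to radius).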