SRC Template Accounts for RADIUS and TACACS+ Authentication

 

SRC Template Accounts for RADIUS and TACACS+ Authentication Overview

When a user logs in to the CLI, the following authentication is performed:

  • RADIUS or TACACS+ (or both) server authentication

  • Authentication through a user account configured under [system login user]

For authorization purposes, you can use a template account to create a single account that can be shared by a set of users at the same time.

Typically when you use RADIUS and/or TACACS+ authentication, the user account is shared among a group of users who have the same privileges. You create template accounts for sets of users. Template accounts can be named:

  • remote—(Default) A single account that defines user permissions for all users that authenticate through RADIUS or TACACS+

  • name-of-your-choice—Account for a group of users

Use a named template account when you need different types of templates. Each template can define a different set of permissions appropriate to a group of users who use that template. For example, you can configure a set of remote users to concurrently share a single UID.

When a user is part of a group that uses a template account, the command-line interface (CLI) username is the login name; however, the privileges, file ownership, and effective username are inherited from the template account.

Named Template Accounts

Named template accounts are defined on a C Series Controller and are referenced by the TACACS+ and RADIUS authentication servers through usernames. All users who share a local user template account have the same access privileges.

When a user who accesses the C Series Controller through a named template account logs in:

  1. The user provides a login name and password at the system login prompts.

  2. The system authenticates the user as configured based on the login name and password.

    See Configuring Authentication Order.

  3. If the authentication succeeds, the system loads the user profile as configured by the system login user login-name statement. If a profile is not configured through the system login user login-name statement, the system uses the profile configured through the system login user remote statement.

    If authentication fails, or a profile cannot be loaded, the login attempt fails.

Note

To ensure that remote users have a unique uid, we require a named template for each remote user.
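The following Python sketch is an added example, not SRC software or Juniper code. It models the profile lookup in step 3 and reports which remote logins would end up sharing a uid through the remote template, which is the situation the note above addresses. The dictionary layout, the login names, and the privileges labels are constructed for illustration; only the remote template name and the uid and full-name fields come from this page.

```python
from collections import defaultdict

def resolve_profile(login_name, auth_ok, login_users):
    """Model steps 2-3: return (template_name, profile), or None if login fails."""
    if not auth_ok:
        return None  # RADIUS/TACACS+ rejected the credentials
    # A profile named after the login wins; otherwise fall back to "remote".
    for template in (login_name, "remote"):
        if template in login_users:
            return template, login_users[template]
    return None  # no profile could be loaded, so the login attempt fails

def shared_uids(logins, login_users):
    """Return {uid: [login names]} for every uid that more than one login inherits."""
    by_uid = defaultdict(list)
    for name in logins:
        resolved = resolve_profile(name, True, login_users)
        if resolved is not None:
            by_uid[resolved[1]["uid"]].append(name)
    return {uid: sorted(names) for uid, names in by_uid.items() if len(names) > 1}

# Constructed stand-in for the accounts under [system login user].
LOGIN_USERS = {
    "remote": {"uid": 9999, "full-name": "All remote users",
               "privileges": "view-only (hypothetical label)"},
    "alice": {"uid": 2001, "full-name": "NOC administrators",
              "privileges": "full (hypothetical label)"},
}

# Constructed list of names known to the RADIUS/TACACS+ server.
REMOTE_LOGINS = ["alice", "bob", "carol"]

if __name__ == "__main__":
    for login in REMOTE_LOGINS:
        template, profile = resolve_profile(login, True, LOGIN_USERS)
        print(f"{login}: template={template} uid={profile['uid']}")
    for uid, names in shared_uids(REMOTE_LOGINS, LOGIN_USERS).items():
        print(f"uid {uid} is shared by: {', '.join(names)}")
```

Any login listed under a shared uid inherits the same file ownership and effective username, so actions taken under that uid cannot be attributed to one person without the login records.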

Using Remote Template Accounts (SRC CLI)

To configure the remote template account and specify the privileges that you want to grant to remote users:

  • Include the system login user remote statement at the [edit] hierarchy level, and specify “All remote users” for the full-name option.

Note

To ensure that remote users have a unique uid, we require a named template for each remote user.

All users who share the remote template account have the same access privileges.

Configuring a Local SRC User Template (SRC CLI)

To configure a local user template and specify the privileges that you want to grant to the local users to whom the template applies:

  • Include the system login user local-username statement at the [edit] hierarchy level, and specify the name of the group for the full-name option.