SRC Template Accounts for RADIUS and TACACS+ Authentication Overview
When a user logs in to the CLI, the following authentication is performed:
RADIUS or TACACS+ (or both) server authentication
Authentication through a user account configured under [system login user]
For authorization purposes, you can use a template account to create a single account that can be shared by a set of users at the same time.
Typically when you use RADIUS and/or TACACS+ authentication, the user account is shared among a group of users who have the same privileges. You create template accounts for sets of users. Template accounts can be named:
remote—(Default) A single account that defines user permissions for all users that authenticate through RADIUS or TACACS+
name-of-your-choice—Account for a group of users
Use a named template account when you need different types of templates. Each template can define a different set of permissions appropriate to a group of users who use that template. For example, you can configure a set of remote users to concurrently share a single UID.
When a user is part of a group that uses a template account, the command-line interface (CLI) username is the login name; however, the privileges, file ownership, and effective username are inherited from the template account.
Named Template Accounts
Template accounts for which you define a name are defined on a C Series Controller and are referenced by the TACACS+ and RADIUS authentication servers through usernames. All users who share a local user template account have the same access privileges.
When a user who accesses the C Series Controller through a named template account logs in:
The user provides a login name and password at the system login prompts.
The system authenticates the user as configured based on the login name and password.
If the authentication succeeds, the system loads the user profile as configured by the system login user login-name statement. If a profile is not configured through the system login user login-name statement, the system uses the profile configured through the system login user remote statement.
If authentication fails, or a profile could not be loaded, the login attempt fails.
To ensure that each remote user has a unique UID, we require a named template for each remote user.
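The following added example (not SRC code, and not taken from the product documentation) models the profile lookup in the login steps above and reports which login names end up sharing a UID because they fall back to the remote template. The account table, UIDs, class labels, and function names are assumptions made for illustration.

```python
# Added example: a model of the lookup described above, not SRC code.
from collections import defaultdict

# Constructed stand-in for accounts under [system login user].
# Account names, UIDs and class labels are sample values.
LOCAL_USERS = {
    "remote": {"uid": 2000, "class": "view-only"},
    "alice": {"uid": 2001, "class": "admin"},
}


def resolve_profile(login_name, authenticated, local_users):
    """Return the session identity for a login, or None if the login fails."""
    if not authenticated:
        return None  # RADIUS/TACACS+ rejected the credentials
    # Profile for this login name if one exists, otherwise the remote template.
    template = login_name if login_name in local_users else "remote"
    profile = local_users.get(template)
    if profile is None:
        return None  # no profile could be loaded, so the login fails
    return {
        "cli_username": login_name,      # what the CLI shows
        "effective_username": template,  # inherited from the template
        "uid": profile["uid"],           # file ownership follows this UID
        "class": profile["class"],       # privileges follow the template
    }


def shared_uids(login_names, local_users):
    """Map each UID held by more than one authenticated login to those logins."""
    by_uid = defaultdict(set)
    for name in login_names:
        session = resolve_profile(name, True, local_users)
        if session is not None:
            by_uid[session["uid"]].add(name)
    return {uid: sorted(names) for uid, names in by_uid.items() if len(names) > 1}


if __name__ == "__main__":
    # Constructed login names: bob and carol have no profile of their own.
    for uid, names in shared_uids(["alice", "bob", "carol"], LOCAL_USERS).items():
        print(f"UID {uid} is shared by: {', '.join(names)}")
```

Any login name that appears in the output has no named template of its own, so its file ownership and effective username cannot be told apart from the other names listed with it.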