Configuring TACACS+ System Accounting

You can use TACACS+ to track and log software logins, configuration changes, and interactive commands. To audit these events, include the following statements at the [edit system accounting] hierarchy level:

[edit system accounting]
events [ events ];
destination {
    tacplus {
        server {
            server-address {
                port port-number;
                secret password;
                single-connection;
                timeout seconds;
            }
        }
    }
}

Tasks for configuring TACACS+ system accounting are:

  1. Specifying TACACS+ Auditing and Accounting Events
  2. Configuring TACACS+ Server Accounting

Specifying TACACS+ Auditing and Accounting Events

To specify the events you want to audit when using a TACACS+ server for authentication, include the events statement at the [edit system accounting] hierarchy level:

[edit system accounting]
events [ events ];

events is one or more of the following:

  • login—Audit logins
  • change-log—Audit configuration changes
  • interactive-commands—Audit interactive commands (any command-line input)

Configuring TACACS+ Server Accounting

To configure TACACS+ server accounting, include the server statement at the [edit system accounting destination tacplus] hierarchy level:

[edit system accounting destination tacplus]
server {
    server-address {
        port port-number;
        secret password;
        single-connection;
        timeout seconds;
    }
}

server-address specifies the address of the TACACS+ server. To configure multiple TACACS+ servers, include multiple server statements.

Note: If no TACACS+ servers are configured at the [edit system accounting destination tacplus] hierarchy level, the JUNOS Software uses the TACACS+ servers configured at the [edit system tacplus-server] hierarchy level.

port-number specifies the TACACS+ server port number.

You must specify a secret (password) that the local router or switch passes to the TACACS+ client by including the secret statement. If the password contains spaces, enclose the entire password in quotation marks (“ ”). The password used by the local router or switch must match that used by the server.

Optionally, you can specify the length of time that the local router or switch waits to receive a response from a TACACS+ server by including the timeout statement. By default, the router or switch waits 3 seconds. You can configure this to be a value in the range from 1 through 90 seconds.

Optionally, you can maintain one open TCP connection to the server and reuse it for multiple requests, rather than opening a new TCP connection for each request, by including the single-connection statement.

To ensure that start and stop requests for accounting of login events are logged in the Accounting file on the TACACS+ server, instead of in the Administration log file, include either the no-cmd-attribute-value statement or the exclude-cmd-attribute statement at the [edit system tacplus-options] hierarchy level.

If you use the no-cmd-attribute-value statement, the value of the cmd attribute is set to a null string in the start and stop requests. If you use the exclude-cmd-attribute statement, the cmd attribute is omitted entirely from the start and stop requests. Either statement causes the server to log the accounting requests in the Accounting file instead of the Administration file.

[edit system tacplus-options]
(no-cmd-attribute-value | exclude-cmd-attribute);
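The following complete configuration is an added example and is not part of the original documentation. It ties together the two tasks described above: the events statement and the TACACS+ accounting servers under [edit system accounting], and the exclude-cmd-attribute statement under [edit system tacplus-options]. The server addresses (from the documentation-only 192.0.2.0/24 range), the timeout value and the secrets are constructed placeholders; port 49 is the standard TACACS+ port. The /* */ lines are Junos annotations and are shown only to explain each choice.

```junos
[edit system]
accounting {
    /* audit logins, configuration changes and every CLI command */
    events [ login change-log interactive-commands ];
    destination {
        tacplus {
            server {
                /* constructed example: primary accounting server */
                192.0.2.10 {
                    port 49;
                    /* quoted because the constructed secret contains spaces */
                    secret "example secret with spaces";
                    single-connection;
                    /* range is 1 through 90 seconds; the default is 3 */
                    timeout 10;
                }
                /* constructed example: second server; each server gets its own statement */
                192.0.2.11 {
                    port 49;
                    secret "example-secret-2";
                    timeout 10;
                }
            }
        }
    }
}
tacplus-options {
    /* drop the cmd attribute from login start/stop requests so they land in the Accounting file */
    exclude-cmd-attribute;
}
```

Enter the statements in configuration mode and apply them with commit; the secrets must match the ones configured on each accounting server, and after the commit the configuration displays them in obfuscated form followed by the ## SECRET-DATA marker. If you later remove the server statements under [edit system accounting destination tacplus], accounting falls back to the servers configured under [edit system tacplus-server], as the note above describes.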

Published: 2010-04-26