TACACS+ Authentication
Learn about the TACACS+ protocol to authenticate device access.
TACACS+ (Terminal Access Controller Access Control System+) is a protocol that
provides centralized authentication, authorization, and accounting (AAA) services. It
controls network device access and SSH login for controller nodes in a network
infrastructure. TACACS+ uses a TACACS+ server profile to record user behavior, such as
when a user started using a specific service, how long the service was used, and when
the user stopped using it. This produces logs and records of the initiation and
termination of services, and of any services still in progress during the user's
session, which you can use for auditing purposes.
A device TACACS+ profile consists of multiple configured TACACS+ servers; you can
add a maximum of four servers. Depending on server reachability, the system tries
to connect to the available servers in the profile sequentially. If a user is
present in the TACACS+ server and enters the correct credentials, the user can log
in successfully. If a user is not present in any database, the user cannot log in.
If a user is present in both the TACACS+ server and the local database, local
authentication is used. If a device is not online but the AAA server is reachable
and the user is in the TACACS+ database, the user can log in using an SSH/remote
connection.
The characters allowed in a TACACS+ user name are:
- alphanumeric characters (a-z, A-Z, 0-9)
- underscore (_)
- hyphen (-)
An ION device generates a log entry when it successfully delivers the accounting
records to a TACACS+ server configured in the profile. If the device is unable to
send the accounting records to any of the servers in the profile, it generates a
critical-severity alert in the system logs.
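The server-selection and precedence rules, the user-name character rules, and the accounting alert described above, modelled as an added Python example (this is not ION code; the `TacacsServer` class, the `authenticate` and `accounting_alert` functions, and the rule that the first reachable server that knows the user decides the verdict are assumptions for illustration):

```python
import re
from dataclasses import dataclass, field

# Allowed TACACS+ user-name characters per the page: a-z, A-Z, 0-9, underscore, hyphen.
USERNAME_RE = re.compile(r"^[A-Za-z0-9_-]+$")
MAX_SERVERS = 4  # a device profile holds at most four servers


@dataclass
class TacacsServer:
    """Hypothetical model of one server entry in a device TACACS+ profile."""
    host: str
    reachable: bool
    users: dict = field(default_factory=dict)  # constructed user -> password store


def valid_username(name):
    """True only when the name uses the permitted character set and is non-empty."""
    return bool(USERNAME_RE.match(name))


def authenticate(username, password, local_users, profile):
    """Return (allowed, source), following the precedence the page describes:
    1. malformed user names are rejected before any lookup;
    2. a user in the local database authenticates locally, even if the same
       name also exists on a TACACS+ server;
    3. otherwise the profile's servers are tried in order, skipping unreachable
       ones; the first reachable server that knows the user decides (assumption);
    4. a user present in no database is denied."""
    if len(profile) > MAX_SERVERS:
        raise ValueError("a TACACS+ profile holds at most four servers")
    if not valid_username(username):
        return (False, "invalid-username")
    if username in local_users:
        return (local_users[username] == password, "local")
    for server in profile:  # sequential attempt, in configured order
        if not server.reachable:
            continue
        if username in server.users:
            return (server.users[username] == password, server.host)
    return (False, "no-database")


def accounting_alert(profile):
    """Severity of the system-log entry after an accounting attempt: the page says
    a critical alert is raised when no server in the profile can take the records."""
    return "info" if any(s.reachable for s in profile) else "critical"
```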