
DANOS supports a range of TACACS+ client functionality including full session AAA (Authentication, Authorization, Accounting) along with command authorization and accounting.

Configuring use of TACACS+ servers

To use TACACS+ functionality, a DANOS system must be configured with TACACS+ servers which can be contacted to perform transactions.

DANOS supports the use of multiple TACACS+ servers for resiliency purposes. When performing a TACACS+ transaction DANOS attempts to use servers in highest → lowest priority order. Server priority is determined by order of configuration; the first configured server will have the highest priority with each subsequent server having a lower priority than the previous one. The show system tacplus status operational command displays output in priority order and can, therefore, be used to verify ordering.

Configure use of a TACACS+ server by issuing the following command:

# set system login tacplus-server <address> secret <secret>

If the servers are not reachable from the default routing instance, you can instead apply the configuration to a user-defined routing instance:

# set routing routing-instance <name> system login tacplus-server <address> secret <secret>

Currently, TACACS+ may only be configured in a single routing instance (the default routing instance included).

By default, session AAA functionality is available as soon as TACACS+ servers have been configured.

Check operational status

The show system tacplus status operational command can be used to check the operational status, and transaction statistics, of the various configured TACACS+ servers.

Session functionality

Authentication

Chain

Command functionality

Accounting

To enable command accounting for all users issue the following configuration command:

# set system tacplus-options command-accounting

Accounting records are issued to the highest priority TACACS+ server which is operational.
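The following Python check is an added example, not part of DANOS or of the original page. It reads a configuration expressed as the set commands shown above, lists the TACACS+ servers in priority order, and flags configuration in more than one routing instance, a single server with no fallback, and missing command accounting. It assumes the lines appear in configuration order; the function name, the findings and the sample addresses and secrets are constructed for illustration.

```python
import re

# The two tacplus-server command forms shown on this page.
SERVER_RE = re.compile(
    r"^set (?:routing routing-instance (?P<ri>\S+) )?"
    r"system login tacplus-server (?P<addr>\S+) secret (?P<secret>\S+)$"
)
ACCT_CMD = "set system tacplus-options command-accounting"


def audit_tacplus(config_text):
    """Return (servers, findings) for a config given as 'set' command lines.

    servers is a list of (priority, routing_instance, address); 1 is highest.
    Assumption: line order in the input equals configuration order.
    """
    servers, findings, accounting = [], [], False
    for raw in config_text.splitlines():
        # Tolerate a leading '#' config-mode prompt, as printed on this page.
        line = raw.strip().lstrip("#").strip()
        if line == ACCT_CMD:
            accounting = True
            continue
        m = SERVER_RE.match(line)
        if m:  # the secret is matched but deliberately never stored or printed
            servers.append((len(servers) + 1, m["ri"] or "default", m["addr"]))
    instances = sorted({ri for _, ri, _ in servers})
    if not servers:
        findings.append("no TACACS+ server configured")
    if len(servers) == 1:
        findings.append("single TACACS+ server: no resiliency")
    if len(instances) > 1:
        findings.append("TACACS+ configured in multiple routing instances: "
                        + ", ".join(instances))
    if servers and not accounting:
        findings.append("command accounting not enabled")
    return servers, findings


# Constructed sample input: documentation addresses, placeholder secrets.
SAMPLE = """\
set system login tacplus-server 192.0.2.10 secret EXAMPLE-SECRET-1
set routing routing-instance mgmt system login tacplus-server 192.0.2.20 secret EXAMPLE-SECRET-2
"""

if __name__ == "__main__":
    found, issues = audit_tacplus(SAMPLE)
    for prio, ri, addr in found:
        print(f"priority {prio}: {addr} (routing instance {ri})")
    for issue in issues:
        print("FINDING:", issue)
```

The priority order that the device actually uses should still be confirmed with the show system tacplus status operational command.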

Standards conformance

DANOS aims to conform to draft-grant-tacacs-02.
