DANOS supports a range of TACACS+ client functionality including full session AAA (Authentication, Authorization, Accounting) along with command authorization and accounting.
Configuring use of TACACS+ servers
To use TACACS+ functionality, a DANOS system must be configured with TACACS+ servers which can be contacted to perform transactions.
DANOS supports the use of multiple TACACS+ servers for resiliency purposes. When performing a TACACS+ transaction, DANOS attempts to use servers in order from highest to lowest priority. Server priority is determined by order of configuration: the first configured server has the highest priority, and each subsequent server has a lower priority than the previous one. The show system tacplus status operational command displays output in priority order and can, therefore, be used to verify ordering.
Configure use of a TACACS+ server by issuing the following command:
# set system login tacplus-server <address> secret <secret>
If the servers are not reachable from the default routing instance, you can instead apply the configuration to a user-defined routing instance:
# set routing routing-instance <name> system login tacplus-server <address> secret <secret>
Currently, TACACS+ may be configured in only one routing instance, and the default routing instance counts as that one.
By default, session AAA functionality is available as soon as TACACS+ servers have been configured.
Check operational status
The show system tacplus status operational command can be used to check the operational status and transaction statistics of the configured TACACS+ servers.
Session functionality
Authentication
…
Chain
…
Command functionality
Accounting
To enable command accounting for all users, issue the following configuration command:
# set system tacplus-options command-accounting
Accounting records are issued to the highest priority TACACS+ server which is operational.
Standards conformance
DANOS aims to conform to draft-grant-tacacs-02.