TACACS+

DANOS supports a range of TACACS+ client functionality including full session AAA (Authentication, Authorization, Accounting) along with command authorization and accounting.

Configuring use of TACACS+ servers

To use TACACS+ functionality a DANOS system must be configured with TACACS+ servers which can be contacted to perform transactions.

DANOS supports the use of multiple TACACS+ servers for resiliency purposes. When performing a TACACS+ transaction, DANOS attempts to use the servers in order from highest to lowest priority. Server priority is determined by the order of configuration: the first configured server has the highest priority, and each subsequent server has a lower priority than the previous one. The show system tacplus status operational command displays its output in priority order and can therefore be used to verify the order.

Configure use of a TACACS+ server by issuing the following command:

# set system login tacplus-server <address> secret <secret>

If the servers are not reachable from the default routing instance, you can instead apply the configuration to a user-defined routing instance:

# set routing routing-instance <name> system login tacplus-server <address> secret <secret>

Currently, TACACS+ may only be configured in a single routing instance (the default routing instance included).

By default, as soon as TACACS+ servers have been configured, session AAA functionality is available.
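The following Python helper is an added example, not DANOS code. It generates the two configuration command forms shown above from an ordered server list, preserving that order because the configuration order determines priority, and it refuses a list whose servers span more than one routing instance (the single-routing-instance limitation above). The addresses, secrets and the routing-instance name "mgmt" in the test are constructed; the verify_priority helper is a hypothetical aid that compares the intended order against the address order the operator reads off the show system tacplus status output.

```python
"""Build DANOS TACACS+ server configuration in priority order (added example)."""
from dataclasses import dataclass
from typing import List, Optional, Tuple


@dataclass
class TacacsServer:
    address: str
    secret: str
    routing_instance: Optional[str] = None  # None selects the default routing instance


def build_tacplus_config(servers: List[TacacsServer],
                         command_accounting: bool = False) -> List[str]:
    """Return the DANOS 'set' commands for the given servers.

    List order is priority order: the first server emitted is configured
    first and therefore becomes the highest priority server.  All servers
    must share one routing instance (default or a single user-defined one).
    """
    if not servers:
        raise ValueError("at least one TACACS+ server is required")

    instances = {s.routing_instance for s in servers}
    if len(instances) > 1:
        raise ValueError("TACACS+ may only be configured in a single routing "
                         f"instance, got: {sorted(str(i) for i in instances)}")

    instance = servers[0].routing_instance
    if instance is None:
        prefix = "set system login"
    else:
        prefix = f"set routing routing-instance {instance} system login"

    commands = [f"{prefix} tacplus-server {s.address} secret {s.secret}"
                for s in servers]
    if command_accounting:
        # Command form taken from the Accounting section of this page.
        commands.append("set system tacplus-options command-accounting")
    return commands


def priority_table(servers: List[TacacsServer]) -> List[Tuple[int, str]]:
    """Priority 1 is highest; derived purely from configuration order."""
    return [(rank, s.address) for rank, s in enumerate(servers, start=1)]


def verify_priority(servers: List[TacacsServer], observed: List[str]) -> bool:
    """Hypothetical check: does the address order shown by
    'show system tacplus status' (passed in by the caller) match the
    intended configuration order?"""
    return [s.address for s in servers] == observed


if __name__ == "__main__":
    # Constructed sample: two servers in the default routing instance.
    sample = [TacacsServer("192.0.2.10", "k1"), TacacsServer("192.0.2.11", "k2")]
    for line in build_tacplus_config(sample, command_accounting=True):
        print(line)
    print(priority_table(sample))
```

Paste the emitted lines into configuration mode in the order printed; reordering them changes which server is tried first.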

Check operational status

The show system tacplus status operational command can be used to check the operational status, and transaction statistics, of the various configured TACACS+ servers.

Authentication

Authorization

The capabilities of command authorization are much coarser than those of ACM. For example, when loading a configuration using the "load" command, ACM is able to authorize all of the actual configuration being loaded. Command authorization, on the other hand, will simply authorize "load <file>". Therefore, when command authorization is enabled and a user is permitted to run "load", we are implicitly saying that the user is allowed to change any configuration on the system.

Accounting

To enable command accounting for all users issue the following configuration command:

# set system tacplus-options command-accounting

Accounting records are sent to the highest priority TACACS+ server that is operational.

Standards conformance

DANOS aims to conform to draft-grant-tacacs-02.