Technical data

ManualsBrandsBrocade Communications Systems ManualsHome Theater ServerServerIron ADX 12.4.00

131

132

133

134

135

136

137

138

139

140

116 ServerIron ADX Administration Guide

53-1002434-01

Configuring TACACS or TACACS+ security

Telnet or SSH prompts when TACACS+ server is unavailable

When TACACS+ is the first method in the authentication method list, the device displays the login

prompt received from the TACACS+ server. If a user attempts to login through Telnet or SSH, but

none of the configured TACACS+ servers are available, the following takes place:

• If the next method in the authentication method list is "enable", the login prompt is skipped,

and the user is prompted for the Enable password (that is, the password configured with the

enable super-user-password command).

• If the next method in the authentication method list is "line", the login prompt is skipped, and

the user is prompted for the Line password (that is, the password configured with the enable

telnet password command).

Configuring TACACS+ authorization

ServerIrons support TACACS+ authorization for controlling access to management functions in the

CLI. Two kinds of TACACS+ authorization are supported:

• Exec authorization determines a user’s privilege level when they are authenticated

• Command authorization consults a TACACS+ server to get authorization for commands entered

by the user

Configuring Exec authorization

When TACACS+ exec authorization is performed, the ServerIron consults a TACACS+ server to

determine the privilege level of the authenticated user. To configure TACACS+ exec authorization

on the ServerIron, enter the following command.

ServerIronADX(config)# aaa authorization exec default tacacs+

Syntax: aaa authorization exec default tacacs+ | none

If you specify none, or omit the aaa authorization exec command from the device’s configuration,

no exec authorization is performed.

A user’s privilege level is obtained from the TACACS+ server in the “brocade-privlvl” A-V pair. If the

aaa authorization exec default tacacs command exists in the configuration, the device assigns the

user the privilege level specified by this A-V pair. If the command does not exist in the

configuration, then the value in the “brocade-privlvl” A-V pair is ignored, and the user is granted

Super User access.

NOTE

If the aaa authorization exec default tacacs+ command exists in the configuration, following

successful authentication the device assigns the user the privilege level specified by the

“brocade-privlvl” A-V pair received from the TACACS+ server. If the aaa authorization exec default

tacacs+ command does not exist in the configuration, then the value in the “brocade-privlvl” A-V pair

is ignored, and the user is granted Super User access.

Also note that in order for the aaa authorization exec default tacacs+ command to work, either the

aaa authentication enable default tacacs+ command, or the aaa authentication login

privilege-mode command must also exist in the configuration.