Configuring an external tacacs+ server – Cisco ASA 5505 User Manual
C-38
Cisco ASA 5500 Series Configuration Guide using the CLI
Appendix C Configuring an External Server for Authorization and Authentication
Configuring an External TACACS+ Server
The ASA provides support for TACACS+ attributes. TACACS+ separates the functions of
authentication, authorization, and accounting. The protocol supports two types of attributes: mandatory
and optional. Both the server and client must understand a mandatory attribute, and the mandatory
attribute must be applied to the user. An optional attribute may or may not be understood or used.
Note
To use TACACS+ attributes, make sure that you have enabled AAA services on the NAS.
Table C-9 lists the supported TACACS+ authorization response attributes for cut-through-proxy connections. Table C-10 lists the supported TACACS+ accounting attributes.
Table C-9    Supported TACACS+ Authorization Response Attributes

Attribute    Description
acl          Identifies a locally configured access list to be applied to the connection.
idletime     Indicates the amount of inactivity in minutes that is allowed before the authenticated user session is terminated.
timeout      Specifies the absolute amount of time in minutes that authentication credentials remain active before the authenticated user session is terminated.
Table C-10    Supported TACACS+ Accounting Attributes

Attribute       Description
bytes_in        Specifies the number of input bytes transferred during this connection (stop records only).
bytes_out       Specifies the number of output bytes transferred during this connection (stop records only).
cmd             Defines the command executed (command accounting only).
disc-cause      Indicates the numeric code that identifies the reason for disconnecting (stop records only).
elapsed_time    Defines the elapsed time in seconds for the connection (stop records only).
foreign_ip      Specifies the IP address of the client for tunnel connections. Defines the address on the lowest security interface for cut-through-proxy connections.
local_ip        Specifies the IP address that the client connected to for tunnel connections. Defines the address on the highest security interface for cut-through-proxy connections.
NAS port        Contains a session ID for the connection.
packs_in        Specifies the number of input packets transferred during this connection.
packs_out       Specifies the number of output packets transferred during this connection.
priv-level      Set to the user privilege level for command accounting requests, or to 1 otherwise.
rem_addr        Indicates the IP address of the client.
service         Specifies the service used. Always set to "shell" for command accounting only.
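The mandatory/optional distinction described at the top of this section and the two attribute tables are easiest to see in working code. The following is an added example, not Cisco code or anything from the ASA itself. It assumes the TACACS+ wire encoding of arguments (from RFC 8907): "name=value" marks a mandatory argument, "name*value" an optional one. It applies the protocol rule that a client which cannot oblige a mandatory argument must treat the authorization as failed, while an optional argument it cannot oblige is dropped, and it restricts the accepted names to Table C-9. The second half parses accounting requests using the Table C-10 names (rem_addr is the protocol spelling of the client-address attribute) and pulls out the privileged commands a defender would want to review. The attribute name "color" and all sample records are constructed for the example.

```python
"""TACACS+ attribute-value pair handling for the ASA attributes in Tables C-9 and C-10.

Added example, not Cisco code. Encoding assumption taken from the TACACS+
protocol (RFC 8907): an argument written "name=value" is mandatory, one written
"name*value" is optional. Sample records below are constructed.
"""
from dataclasses import dataclass
from typing import Dict, Iterable, List, Tuple

# Attributes the ASA honours in an authorization response (Table C-9).
AUTHZ_ATTRS = {"acl", "idletime", "timeout"}
# Attributes whose value the ASA expects as a whole number of minutes.
MINUTE_ATTRS = {"idletime", "timeout"}

# Attributes the ASA sends in accounting requests (Table C-10).
ACCT_ATTRS = {
    "bytes_in", "bytes_out", "cmd", "disc-cause", "elapsed_time", "foreign_ip",
    "local_ip", "NAS port", "packs_in", "packs_out", "priv-level", "rem_addr",
    "service",
}


@dataclass(frozen=True)
class AVPair:
    name: str
    value: str
    mandatory: bool


def parse_av_pair(raw: str) -> AVPair:
    """Split one argument at its first '=' (mandatory) or '*' (optional)."""
    for i, ch in enumerate(raw):
        if ch == "=":
            return AVPair(raw[:i], raw[i + 1:], True)
        if ch == "*":
            return AVPair(raw[:i], raw[i + 1:], False)
    raise ValueError(f"not an attribute-value pair: {raw!r}")


def _can_oblige(pair: AVPair) -> bool:
    """True if the ASA understands the attribute and its value is well formed."""
    if pair.name not in AUTHZ_ATTRS:
        return False
    if pair.name in MINUTE_ATTRS and not pair.value.isdigit():
        return False
    return True


def apply_authz_response(args: Iterable[str]) -> Tuple[bool, Dict[str, str]]:
    """Decide whether an authorization reply can be applied to a cut-through-proxy session.

    Returns (ok, attributes). A mandatory argument the client cannot oblige
    (unknown name or malformed value) fails the whole authorization; an optional
    one it cannot oblige is silently dropped. Nothing is applied on failure.
    """
    accepted: Dict[str, str] = {}
    for raw in args:
        pair = parse_av_pair(raw)
        if _can_oblige(pair):
            accepted[pair.name] = pair.value
        elif pair.mandatory:
            return False, {}
    return True, accepted


def parse_acct_record(args: Iterable[str]) -> Dict[str, str]:
    """Keep the Table C-10 attributes of one accounting request as a dict."""
    return {p.name: p.value for p in map(parse_av_pair, args) if p.name in ACCT_ATTRS}


def privileged_commands(records: Iterable[Iterable[str]], min_level: int = 15) -> List[Tuple[int, str]]:
    """List (priv-level, cmd) for command-accounting records at or above min_level.

    Command accounting is identified by service=shell plus a cmd attribute;
    connection start/stop records carry neither and are skipped. priv-level
    defaults to 1, matching Table C-10.
    """
    hits: List[Tuple[int, str]] = []
    for rec in map(parse_acct_record, records):
        if rec.get("service") != "shell" or "cmd" not in rec:
            continue
        level = int(rec.get("priv-level", "1"))
        if level >= min_level:
            hits.append((level, rec["cmd"]))
    return hits


# Constructed sample accounting requests: two command records and one stop record.
SAMPLE_ACCT = [
    ["service=shell", "priv-level=15", "cmd=configure terminal", "NAS port=4096"],
    ["service=shell", "priv-level=1", "cmd=show version", "NAS port=4096"],
    ["bytes_in=1024", "bytes_out=2048", "elapsed_time=60", "disc-cause=1",
     "rem_addr=192.0.2.10", "local_ip=198.51.100.1", "foreign_ip=192.0.2.10"],
]

if __name__ == "__main__":
    print(apply_authz_response(["acl=WEB_ACL", "idletime=30", "color*blue"]))
    print(privileged_commands(SAMPLE_ACCT))
```

The separator search stops at the first "=" or "*", so a value such as an access-list name containing either character is preserved intact. Because nothing from a failed reply is applied, a server that marks an unsupported attribute mandatory causes the whole session to be denied rather than partially authorized, which is the safe outcome.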