Configure > TACACS+ 4.92 – Westermo MR Series User Manual

Page 262


6622-3201

Web Interface and Command Line Reference Guide

www.westermo.com

4.92 Configure > TACACS+

Westermo routers support Terminal Access Controller Access-Control System Plus (TACACS+) for
controlling user access to the Westermo router. TACACS+ provides authentication, authorisation
and accounting (AAA) services.

TACACS+ can be used to control the following access methods:

Secured ASY ports, Telnet, SSH, FTP, HTTP/HTTPS & SNMP.

When any sort of request is to be performed by the TACACS+ client, the client first checks to see
if a socket is already open to the server (either primary or backup). If a socket is already open, that
socket is used for the TACACS+ request. If no socket is open, the primary server is tried first. If
the primary server socket fails to open, the backup server will be tried. Regardless of whether the
primary or backup socket connected, the primary server is always tried with the next connection
attempt. If the socket becomes idle for the configured number of seconds, the socket is closed.
Once the connection to the TACACS+ server opens, all pending requests are sent to the TACACS+
server.

If a connection to the TACACS+ server isn’t possible due to network or server problems, all
requests by applications are denied.

Functions of the AAA services

If TACACS+ authentication is enabled, the request is sent to the TACACS+ server. If disabled,
the Westermo router does the authentication. At this point, authorisation is also performed. If
TACACS+ authorisation is disabled, the user access level granted is obtained from the local user
table on the unit. If TACACS+ authorisation is enabled, an authorisation request is sent to the
TACACS+ server. The server will return a privilege level and may also return other attributes, such
as a new idle time for this session, which take precedence over the locally configured values on the unit.

When access has been authenticated and authorised the login is allowed. If the connection is via Telnet
or SSH, a welcome message will be displayed that will show the access level and the method of
authentication.

If the access level was assigned locally, the following message will be displayed:

Welcome. Your access level is SUPER

If the access level was assigned by the TACACS+ server, the following message will be displayed:

Welcome. Your access level is obtained remotely.

If accounting is enabled, session start and stop messages are sent to the TACACS+ server when
the session opens and closes. During the session, details of commands executed and denied due
to access levels will be sent to the TACACS+ server. At the end of the session, the stop message is
sent to the TACACS+ server with elapsed session time included.

TACACS+ to local privilege level mappings:

TACACS+ level    Local level
>=15             Super
12-14            High
8-11             Medium
4-8              Low
0-3              None
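The socket-selection rules (reuse an open socket, otherwise primary then backup, primary first again on every fresh attempt, close on idle, deny everything when no server is reachable) and the privilege mapping above, modelled as an added Python example; this is not Westermo's code. The `connect` and `clock` callables, the server names, and the assignment of level 8 to Medium (the table's 8-11 and 4-8 rows overlap at 8) are assumptions.

```python
import time

# Privilege bands from the table on this page, highest floor first.
# Level 8 appears in both the Medium and Low rows; Medium is assumed here.
LEVEL_BANDS = ((15, "Super"), (12, "High"), (8, "Medium"), (4, "Low"), (0, "None"))


def local_level(tacacs_level):
    """Map a TACACS+ priv_lvl to the unit's local access level."""
    for floor, name in LEVEL_BANDS:
        if tacacs_level >= floor:
            return name
    return "None"


class TacacsClient:
    """Models the client's server selection. `connect(server)` is caller-supplied
    and returns True if a socket to that server could be opened (assumption)."""

    def __init__(self, primary, backup, idle_timeout, connect, clock=time.monotonic):
        self.servers = (primary, backup)   # order matters: primary is tried first
        self.idle_timeout = idle_timeout
        self.connect = connect
        self.clock = clock
        self.open_to = None                # server the current socket is open to
        self.last_used = 0.0
        self.events = []                   # ("open"|"idle-close", server)

    def _server(self):
        now = self.clock()
        if self.open_to and now - self.last_used >= self.idle_timeout:
            self.events.append(("idle-close", self.open_to))
            self.open_to = None            # idle socket is closed
        if self.open_to is None:
            # Fresh attempt: primary first, even if the last socket was to the backup.
            for server in self.servers:
                if self.connect(server):
                    self.open_to = server
                    self.events.append(("open", server))
                    break
        if self.open_to:
            self.last_used = now           # any use resets the idle timer
        return self.open_to

    def authorise(self, user, priv_lvl_from_server):
        """priv_lvl_from_server stands in for the attribute the server would return."""
        server = self._server()
        if server is None:
            # No reachable server: the request is denied, not handled locally.
            return {"user": user, "allowed": False, "level": "None", "via": None}
        return {"user": user, "allowed": True,
                "level": local_level(priv_lvl_from_server), "via": server}
```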
