Enables the recording of the start and the stop time each command issued during a TACACS+-authenticated CLI session.

no

Disables a speicifed TACACS+ accounting setting.

command

Enables accounting on a command-by-command basis. The TACACS+ server is contacted prior to the execution of the command and the command which is about to be executed is recorded. Only commands which are valid for the user privilege and context (mode) in which they are about to be executed will be recorded. StarOS does not record whether the command itself succeeded or failed. For security reasons, some secure or restricted commands are not recorded. In such cases, the accounting record will record the command as three asterisks ("***").

start-stop

Records the time at which the session starts (the time at which the user passes authentication) and the time at which the user exits. If a user exits before passing authentication, only a stop time is recorded.

Example

accounting command 

Enables the authorization of TACACS+ CLI users on a command-by-command, command + command argument, or command prompt basis. If the user is not authorized to execute the command, the command will fail.

no

Disables a specified TACACS+ authorization type.

arguments

Enables per-command and command + argument authorization. The TACACS+ server authorizes each command and its arguments for the user. If the user is not authorized to execute the command and the corresponding arguments, the command fails. If the command does not contain any arguments, then the command only is passed to the authorization server.

command

Enables per-command authorization. The TACACS+ server is contacted for each command and each command is authorized for the user. If the user is not authorized to execute the command, then the command fails. If the user is authorized for the command, the command is executed.

prompt

Enables per-command authorization, as described for the command option above. However, since commands may be duplicated in different CLI modes, this version of the command authorization also passes the command prompt string to the server. The TACACS+ server is contacted for each prompt and command and must have a matching string for the prompt/command combination. Enabling prompt authorization supersedes command authorization, since the prompt and command must be authorized together.

Example

authorization command 

Executes all show commands while in Configuration mode.

Exits the current configuration mode and returns to the Exec mode.

Exits the current mode and returns to the parent configuration mode.

Configures the idle session threshold available for TACACS+ sessions.

threshold number

Configures the idle sessions threshold value in minutes. If a session is idle, the CLI flags it as being in an idle state when it has been inactive for a specific amount of time. number specifies the idle-session threshold number in minutes. This setting must be an alphanumeric integer from 0 to 10 minutes. The default value is 5 minutes. 0 indicates that there is no idle session threshold for the user. When a CLI session has reached the threshold, then the session is in the idle state but it will not be in the idle state indefinitely.

user-id tacacs_userid

Identifies a valid TACACS+ user as an alphanumeric string of 1 through 144 characters.

default tacacs_userid

Configures the default number for idle sessions to 5 minutes.

Configures the maximum number of sessions available for a TACACS+ user.

number

Specifics the maximum number of simultaneous CLI sessions. It must be alphanumeric integer from 0 to 100. The default number is 100.

user-id tacacs_userid

Identifies a valid TACACS+ user as an alphanumeric string of 1 through 144 characters.

default

Configures the default number of simultaneous CLI sessions to 100.

Defines system behavior when an administrative login fails due to a TACACS+ authentication failure. This command also can be used to configure system behavior separately for TACACS+ authentication failures for administrative users accessing the system via the StarOS Console port.

continue

After a TACACS+ authentication failure, the system will continue with authentication using non-TACACS+ authentication services.

stop

After a TACACS+ authentication failure, the system forces the failed TACACS+ user to exit.

tty console

Example

Configures StarOS behavior when a TACACS+ login fails due to a network error. This command also can be used to configure system behavior separately for TACACS+ network error login failures for administrative users accessing the system via the Console port.

continue

The system will continue with authentication using non-TACACS+ authentication services.

stop

The system forces the failed TACACS+ user to exit.

tty console

Example

on-network-error stop 

Configures StarOS behavior when a TACACS+ server cannot authenticate a given user name. This command also can be used to configure system behavior separately for TACACS+ unknown user login failures for administrative users accessing the system via the StarOS console port.

continue

The system will continue with authentication using non-TACACS+ authentication services.

stop

The system forces the failed TACACS+ user to exit.

tty console

Example

on-unknown-user stop 

Configures authorized StarOS privileges for a specified TACACS+ privilege level.

lvl_number

Specifies the TACACS+ privilege level with which StarOS authorizations will be associated. as an integer from 1 through 15.

authorization-level { administrator | inspector | operator | security-admin }

For detailed information about StarOS administration levels, refer to the System Settings chapter of the System Administration Guide.

[ cli | ecs | ftp | li-administration | nocli | noecs | noftp | nocli-administration ]

Sends a remote client IPv4 address field in the TACACS+ protocol for use by a Cisco Secure ACS server.

default

Disables the sending of a remote client IP address field to a Cisco Secure ACS server for a TACACS+ login request.

no

Disables the sending of a remote client IP address field to a Cisco Secure ACS server for a TACACS+ login request.

Configures TACACS+ AAA service-related parameters for use in authenticating StarOS administrative users via a TACACS+ server.

no

Removes a specified server (by priority number) from the TACACS+ server list.

priority priority_number

Specifies the order in which TACACS+ servers are to be tried. The priority number corresponds to a configured TACACS+ server.

For releases prior to 18.2, priority_number can be an integer from 1 (highest priority) to 3 (lowest priority).

For releases 18.2+, priority_number can be an integer from 1 (highest priority) to 4 (lowest priority).

If no server with priority 1 is specified, the next highest priority is used. If the specified priority matches that of a TACACS+ server already configured, any previously defined server configuration parameter(s) for that priority are returned to the default setting(s).

ip-address

Specifies the IP address of the TACACS+ server in IPv4 or IPv6 dotted-decimal notation. Only one IP address can be defined for a given server priority

encrypted password shared_secret

Specifies the encrypted value of the shared secret key. The server-side configuration must match the decrypted value for the protocol to work correctly. If encrypted password is specified, specifying password is invalid. No encryption is used if this value is null (""). The encrypted password can be an alphanumeric string of 1 through 100 characters. If neither an encrypted password or password is specified, StarOS will not use encryption

key text_password

Release 11.0 systems only. Instead of using an encrypted password value, the user can specify a plain-text key value for the password. If the key keyword is specified, then specifying encrypted password is invalid. A null string represents no encryption. The password can be from 1 to 32 alphanumeric characters in length. If neither an encrypted password or key is specified, then StarOS will not use encryption.

nas-source-address ip_address

Release 12 and later systems only: Sets the IPv4 or IPv6 address to be specified in the Source Address of the IP header in the TACACS+ protocol packet sent from the NAS to the TACACS+ server. ip_address is entered using IPv4 dotted-decimal notation and must be valid for the interface.

password text_password

Release 12.0 and later systems. Instead of using an encrypted password value, the user can specify a plain-text value for the password. If the password keyword is specified, specifying encrypted password is invalid. A null string ("") represents no encryption. The password can be an alphanumeric string of 1 through 32 characters. If neither an encrypted password or password is specified, then StarOS will not use encryption.

port port_number

Specifies the TCP port number to use for communication with the TACACS+ server. port_number can be an integer from 1 through 65535. If a port is not specified, StarOS will use port 49.

retries number

Release 12 and later systems only: Specifies the number of retry attempts at establishing a connection to the TACACS+ server if the initial attempt fails. retries number can be an integer from 0 through 100. The default is 3. Specifying 0 (zero) retries results in StarOS trying only once to establish a connection. No further retries will be attempted.

service { accounting | authentication | authorization }

Release 12 and later systems only: Specifies one or more of the AAA services that the specified TACACS+ server will provide. Use of the service keyword requires that at lease one of the available services be specified. If the service keyword is not used, StarOS will use the TACACS+ server for all AAA service types. The default is to use authentication, authorization and accounting. Available service types are:

• accounting : The specified TACACS+ server should be used for accounting. If TACACS+ authentication is not used, TACACS+ accounting will not be used. If no accounting server is specified and the user is authenticated, no accounting will be performed for the user.

• authentication : The specified TACACS+ server should be used for authentication. If a TACACS+ authentication server is not available, TACACS+ will not be used for authorization or accounting.

• authorization : The specified TACACS+ server should be used for authorization. If TACACS+ authentication is not used, TACACS+ authorization will not be used. If no authorization server is specified and the user is authenticated, the user will remain logged in with minimum privileges (Inspector level).

timeout seconds

Specifies the number of seconds to wait for a connection timeout from the TACACS+ server. seconds can be an integer from 1 through 1000. If no timeout is specified, StarOS0 will use the default value of 10 seconds.

Example

server priority 2 ip-address 192.156.1.1 authentication 

Configures additional profile attributes for a specific TACACS+ user identifier.

user-id tacacs_userid

Identifies a valid TACACS+ user as an alphanumeric string of 1 through 144 characters.

[ li-admin | noli-admin ]

Grants or denies access to Lawful Intercept (LI) configuration commands.

default

Configures default profile attributes for a specific TACACS+ user identifier.