Overview
TACACS AAA systems act as a single point of management for configuring and storing user accounts. They are often coupled with directories and management repositories, which simplifies the set-up and maintenance of end-user accounts.
In the authorization function of the AAA system, network devices that use the authentication service can apply fine-grained control over a user's capabilities for the duration of that user's session, for example by setting access controls or a session duration. Restrictions enforced on a user account can limit the commands available and the level of access.
TACACS+ authentication provides a central server through which you can allow or deny access to switches and other TACACS-aware devices in your network. TACACS employs a central database that holds multiple unique user name and password sets with their associated privilege levels. This central database can be reached by individuals through the switch, from either a console port or via Telnet. Authentication can be based on either:
- remote passwords assigned in a TACACS+ server
- local passwords configured on the switch.
A TACACS+ server is able to:
- Configure login authentication for read/write or read-only privileges.
- Manage the authentication of logon attempts made through either the console port or via Telnet.
- Default to locally assigned passwords for authentication control in the event of a connection failure.
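The login decision described above, modelled as an added example that is not part of the original page: the TACACS+ server is the authority for remote passwords and privilege levels, and the switch consults its local passwords only when the server cannot be reached, never when the server explicitly denies the login. The user names, passwords and privilege values are constructed sample data.

```python
"""Switch-side login logic with TACACS+ and local-password fallback."""
from dataclasses import dataclass
from enum import Enum
import hmac


class Privilege(Enum):
    NONE = "denied"
    READ_ONLY = "read-only"
    READ_WRITE = "read/write"


class ServerUnreachable(Exception):
    """Raised when the TACACS+ server does not answer (connection failure)."""


@dataclass
class TacacsServer:
    """Constructed stand-in for the central TACACS+ user database."""
    users: dict            # username -> (password, Privilege)
    reachable: bool = True

    def authenticate(self, user, password):
        if not self.reachable:
            raise ServerUnreachable("no response from TACACS+ server")
        entry = self.users.get(user)
        if entry is None or not hmac.compare_digest(entry[0], password):
            return Privilege.NONE      # explicit deny: no local fallback
        return entry[1]                # privilege level assigned centrally


@dataclass
class Switch:
    server: TacacsServer
    local_users: dict      # username -> (password, Privilege) stored on the switch

    def login(self, user, password):
        try:
            return self.server.authenticate(user, password)
        except ServerUnreachable:
            # Only a connection failure falls back to locally assigned passwords.
            entry = self.local_users.get(user)
            if entry is None or not hmac.compare_digest(entry[0], password):
                return Privilege.NONE
            return entry[1]


def build_demo():
    """Constructed sample deployment: two remote accounts, one local account."""
    server = TacacsServer(users={"netadmin": ("S3rv3r-pw", Privilege.READ_WRITE),
                                 "auditor": ("Aud1t-pw", Privilege.READ_ONLY)})
    return Switch(server=server,
                  local_users={"netadmin": ("L0cal-pw", Privilege.READ_WRITE)})
```

Note that a server-side denial returns `Privilege.NONE` even though the same user has a valid local password; the local database is reached only after `ServerUnreachable`.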
TACACS+ does not affect:
- WebAgent access. See Controlling webagent access when using TACACS+ authentication.