OcNOS-RON-6.3.1 System Management Configuration Guide, TACACS Client Configuration
TACACS Server Authorization
Authorization is realized by mapping each authenticated user to one of the predefined roles listed in Table 18-1.
After a user is authenticated, the privilege level (priv-lvl) that the TACACS+ server returns for that user is retrieved and mapped onto one of the roles in Table 18-1.
A user whose priv-lvl is 0 or less, greater than 15, or not returned at all is treated as a read-only user and mapped onto the predefined network-user role.
There is no command to enable authorization: it is enabled automatically whenever remote authentication is enabled with TACACS+.
After successful authentication, a user enters privileged EXEC mode directly, regardless of privilege level, and is not prompted for the enable password even if one is configured. Access control is enforced per command instead: any command that the user's role does not permit is rejected.
Example
A network-user has read-only access and can only execute show commands. A network-user cannot enter configuration mode or save the configuration. An error message is displayed when any command that is not allowed for the role is entered:
#write
% Access restricted for user %
#configure terminal
% Access restricted for user %
The following attribute-value pair on the TACACS+ server is used to fetch the user's privilege level; priv-lvl values outside this service/protocol pair are not consulted.
service = ppp protocol = ip {
    priv-lvl = <0…15>
}
Sample TACACS+ Configuration File
# tacacs configuration file from "tac_plus version F4.0.3.alpha"
# set the key
key = "testing123"
accounting file = /var/log/tac_acc.log

# Read-only user "test1", without any priv-lvl, mapped to role "network-user"
user = test1 {
    default service = permit
    login = cleartext "12345"
}

# A group of users can be mapped to one privilege level
group = netadmin {
    service = ppp protocol = ip {
        priv-lvl = 15
    }
}

# User "test2" with the highest priv-lvl (15), inherited from the group, mapped to role "network-admin"
user = test2 {
    default service = permit
    login = cleartext "12345"
    member = netadmin
}

# User "test3" with priv-lvl 1 to 13, mapped to role "network-operator"
user = test3 {
    default service = permit
    login = cleartext "12345"
    service = ppp protocol = ip {
        priv-lvl = 10
    }
}

# User "test4" with priv-lvl 14, mapped to role "network-engineer"
user = test4 {
    default service = permit
    login = cleartext "12345"
    service = ppp protocol = ip {
        priv-lvl = 14
    }
}

The shared key and the cleartext passwords in this file are placeholders for illustration only. In a real deployment use a strong, unique key that matches the key configured on the OcNOS client, prefer the non-cleartext login methods your tac_plus build supports over `login = cleartext`, and keep the file readable only by the account that runs tac_plus, since anyone who can read it can impersonate every user it defines.
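As an added example (not part of this guide and not tac_plus code), the following Python script reads a tac_plus file in the form shown above and reports, for every user, the effective priv-lvl and the OcNOS role it maps to, resolving priv-lvl through `member =` group membership the way test2 inherits it from netadmin. The role thresholds are reconstructed from this page's prose and sample-file comments rather than from Table 18-1 itself, the user-stanza-before-group lookup order is an assumption about how tac_plus resolves attributes, and user test5 is a constructed addition with priv-lvl 0 to show the out-of-range rule.

```python
"""Report the OcNOS role each user in a tac_plus config would get. Added example for this
page (not IP Infusion's or tac_plus's code); parses only the page's line-oriented syntax."""
from typing import Dict, Optional, Tuple

PRIV_SERVICE = "service=ppp protocol=ip"   # the AV pair OcNOS queries, per this page


def role_for_priv_lvl(priv_lvl: Optional[int]) -> str:
    """Page's thresholds: none, <= 0 or > 15 -> network-user; 1..13 -> network-operator;
    14 -> network-engineer; 15 -> network-admin (Table 18-1 remains authoritative)."""
    if priv_lvl is None or priv_lvl <= 0 or priv_lvl > 15:
        return "network-user"
    if priv_lvl == 15:
        return "network-admin"
    if priv_lvl == 14:
        return "network-engineer"
    return "network-operator"


def _header_key(header: str) -> str:
    """'service = ppp protocol = ip' -> 'service=ppp protocol=ip' (block lookup key)."""
    t = header.replace("=", " = ").split()
    return " ".join(f"{t[i]}={t[i + 2]}" for i in range(0, len(t) - 2, 3) if t[i + 1] == "=")


def parse_tac_plus(text: str) -> dict:
    """Parse into nested {'attrs': {key: value}, 'blocks': {header_key: block}} dicts."""
    root = {"attrs": {}, "blocks": {}}
    stack = [root]                                  # innermost open block is stack[-1]
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()         # naive comment strip: no '#' in values
        if not line:
            continue
        if line == "}":
            if len(stack) == 1:
                raise ValueError("unbalanced '}'")
            stack.pop()
        elif line.endswith("{"):
            block = {"attrs": {}, "blocks": {}}
            stack[-1]["blocks"][_header_key(line[:-1])] = block
            stack.append(block)
        else:
            key, sep, value = line.partition("=")
            if not sep:
                raise ValueError(f"cannot parse line: {raw!r}")
            v = value.strip()
            stack[-1]["attrs"][key.strip()] = v[1:-1] if v[:1] == v[-1:] == '"' else v
    if len(stack) != 1:
        raise ValueError("unterminated block")
    return root


def effective_priv_lvl(root: dict, user: str) -> Optional[int]:
    """priv-lvl under PRIV_SERVICE: the user's own stanza first, then the 'member ='
    group chain (tac_plus lookup order, assumed here). None if none is set."""
    block = root["blocks"].get(f"user={user}")
    if block is None:
        raise KeyError(f"no such user: {user}")
    seen = set()
    while block is not None:
        svc = block["blocks"].get(PRIV_SERVICE)
        if svc is not None and "priv-lvl" in svc["attrs"]:
            return int(svc["attrs"]["priv-lvl"])
        group = block["attrs"].get("member")
        if not group or group in seen:              # no group, or a membership loop
            return None
        seen.add(group)
        block = root["blocks"].get(f"group={group}")
    return None


def audit(text: str) -> Dict[str, Tuple[Optional[int], str]]:
    """{username: (effective priv-lvl, OcNOS role)} for every 'user =' stanza."""
    root = parse_tac_plus(text)
    levels = {h[5:]: effective_priv_lvl(root, h[5:]) for h in root["blocks"] if h.startswith("user=")}
    return {u: (lvl, role_for_priv_lvl(lvl)) for u, lvl in levels.items()}


# Constructed input: the page's sample file, trimmed, plus a hypothetical 'test5'
# whose priv-lvl = 0 exercises the out-of-range read-only rule.
SAMPLE_CONFIG = """
key = "testing123"
user = test1 {                  # no priv-lvl anywhere -> network-user
    login = cleartext "12345"
}
group = netadmin {
    service = ppp protocol = ip {
        priv-lvl = 15
    }
}
user = test2 {                  # inherits 15 through the group -> network-admin
    member = netadmin
}
user = test5 {                  # hypothetical: 0 -> read-only network-user
    service = ppp protocol = ip {
        priv-lvl = 0
    }
}
"""
```

Running `audit()` over the real server file before a change is pushed shows at a glance who lands in network-admin, and whether that happens through a group membership rather than an explicit priv-lvl; the parser deliberately rejects unbalanced braces so a garbled stanza fails loudly instead of silently dropping a user to network-user.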
 
Last modified date: 07-14-2023