Configuring Security with CLI

This section provides information to configure security using the command line interface. Topics in this section include:

Setting Up Security Attributes

Table 3 depicts the capabilities of authentication, authorization, and accounting configurations. For example, authentication can be enabled locally and on RADIUS and TACACS+ servers. Authorization can be executed locally, on a RADIUS server, or on a TACACS+ server. Accounting can be performed on a RADIUS or TACACS+ server.

Table 3:  Security Configuration Requirements

  Authentication    Authorization        Accounting
  --------------    -------------        ----------
  Local             Local                None
  RADIUS            Local and RADIUS     RADIUS
  TACACS+           Local and TACACS+    TACACS+

Configuring Authentication

Refer to the following sections to configure authentication:

  1. Local authentication
  2. RADIUS authentication (with local authorization)
    By default, authentication is enabled locally. Perform the following tasks to configure security on each participating 7705 SAR router:
  3. RADIUS authentication (with RADIUS authorization)
    To implement RADIUS authentication with authorization, perform the following tasks on each participating 7705 SAR router:
  4. TACACS+ authentication
    To implement TACACS+ authentication, perform the following tasks on each participating 7705 SAR router:

Configuring Authorization

Refer to the following sections to configure authorization:

  1. Local authorization
    For local authorization, configure these tasks on each participating 7705 SAR router:
  2. RADIUS authorization with authentication
    For RADIUS authorization with authentication, configure these tasks on each participating 7705 SAR router:
    1. For RADIUS authorization, VSAs must be configured on the RADIUS server. See Vendor-Specific Attributes (VSAs).
  3. TACACS+ authorization (only)
    For TACACS+ authorization without authentication, configure these tasks on each participating 7705 SAR router:
  4. TACACS+ authorization
    For TACACS+ authorization with authentication, configure these tasks on each participating 7705 SAR router:

Configuring Accounting

Refer to the following sections to configure accounting.

  1. Local accounting is not implemented. For information about configuring accounting policies, refer to Configuring Logging with CLI.

Security Configurations

This section provides information on configuring security and examples of configuration tasks.

To implement security features, configure the following components:

  1. management access filters
  2. CPM (CSM) filters
  3. profiles
  4. user access parameters
  5. password management parameters
  6. RADIUS and/or TACACS+
    1. enable one to five RADIUS and/or TACACS+ servers
    2. configure RADIUS and/or TACACS+ parameters

The following example displays default values for security parameters.

ALU-1>config>system>security# info detail
----------------------------------------------
            management-access-filter
                ip-filter
                    default-action permit
                    entry 1
                        action permit
                        src-ip 10.10.10.xx/32
                    exit
                    entry 2
                        action permit
                        src-ip 10.10.0.xx/32
                    exit
                exit
            cpm-filter
                ip-filter
                    shutdown
                    entry 2 create
                        action drop
                    exit
                exit
            profile "default"
                default-action none
                entry 10
                    no description
                    match "exec"
                    action permit
                exit
...
                entry 70
                    no description
                    match "show"
                    action permit
                exit
            exit
            profile "administrative"
                default-action permit-all
                entry 10
                    no description
                    match "configure system security"
                    action permit
                exit
...
            password
                authentication-order radius tacplus local
                no aging
                minimum-length 6
                attempts 3 time 5 lockout 10
                complexity
            exit
            user "admin"
                password "./3kQWERTYn0Q6w" hash
                access console
                no home-directory
                no restricted-to-home
                console
                    no login-exec
                    no cannot-change-password
                    no new-password-at-login
                    member "administrative"
                exit
            exit
            snmp
                view iso subtree 1
                    mask ff type included
                exit
...
                access group snmp-ro security-model snmpv1 security-level no-auth-no-privacy read no-security notify no-security
                access group snmp-ro security-model snmpv2c security-level no-auth-no-privacy read no-security notify no-security
                access group snmp-rw security-model snmpv1 security-level no-auth-no-privacy read no-security write no-security notify no-security
                access group snmp-rw security-model snmpv2c security-level no-auth-no-privacy read no-security write no-security notify no-security
                access group snmp-rwa security-model snmpv1 security-level no-auth-no-privacy read iso write iso notify iso
                access group snmp-rwa security-model snmpv2c security-level no-auth-no-privacy read iso write iso notify iso
                access group snmp-trap security-model snmpv1 security-level no-auth-no-privacy notify iso
                access group snmp-trap security-model snmpv2c security-level no-auth-no-privacy notify iso
                access group cli-readonly security-model snmpv2c security-level no-auth-no-privacy read iso notify iso
                access group cli-readwrite security-model snmpv2c security-level no-auth-no-privacy read iso write iso notify iso
                attempts 20 time 5 lockout 10
            exit
            no ssh
        exit

Security Configuration Procedures

Configuring IPv4 or IPv6 Management Access Filters

Creating and implementing management access filters is optional. Management access filters control all traffic going in to the CSM, including all routing protocols. They apply to packets from all ports. The filters can be used to restrict management of the 7705 SAR router by other nodes outside either specific (sub)networks or through designated ports. By default, there are no filters associated with security options. The management access filter and entries must be explicitly created on each router.

Management access filters apply to the management Ethernet port, which supports both IPv4 and IPv6 filters.

The 7705 SAR stops evaluating the filter at the first matching entry and applies that entry's action. For this reason, entries must be sequenced correctly from most to least specific.

An entry may not have any match criteria defined (in which case, everything matches) but must have at least the keyword action to be considered complete. Entries without the action keyword are considered incomplete and will be rendered inactive.

Use the following CLI commands to configure an IPv4 management access filter.

CLI Syntax:
config>system
    security
        management-access-filter
            ip-filter
                default-action {permit | deny | deny-host-unreachable}
                entry entry-id
                    action {permit | deny | deny-host-unreachable}
                    description description-string
                    dst-port port [mask]
                    log
                    protocol protocol-id
                    router router-instance
                    src-ip {ip-prefix/mask | ip-prefix netmask}
                    src-port {port-id | cpm}
                renum old-entry-number new-entry-number
                no shutdown

Use the following CLI commands to configure an IPv6 management access filter.

CLI Syntax:
config>system
    security
        management-access-filter
            ipv6-filter
                default-action {permit | deny | deny-host-unreachable}
                entry entry-id
                    action {permit | deny | deny-host-unreachable}
                    description description-string
                    dst-port port [mask]
                    flow-label value
                    log
                    next-header next-header
                    router router-instance
                    src-ip ipv6-address/prefix-length
                    src-port {port-id | cpm}
                renum old-entry-number new-entry-number
                no shutdown

The following example displays an IPv4 management access filter configuration. This example only accepts packets matching the criteria specified in entries 1 and 2. Non-matching packets are denied.

Example:
config>system>security# management-access-filter
config>system>security>mgmt-access-filter# ip-filter default-action deny
config>system>security>mgmt-access-filter# ip-filter entry 1
config>system>security>mgmt-access-filter>ip-filter>entry# src-ip 10.10.10.104/32
config>system>security>mgmt-access-filter>ip-filter>entry# action permit
config>system>security>mgmt-access-filter>ip-filter>entry# exit
config>system>security>mgmt-access-filter# ip-filter entry 2
config>system>security>mgmt-access-filter>ip-filter>entry# src-ip 10.10.10.1/32
config>system>security>mgmt-access-filter>ip-filter>entry# action permit
config>system>security>mgmt-access-filter>ip-filter>entry# exit

The following example displays the management access filter configuration.

ALU-1>config>system>security# info
----------------------------------------------
            management-access-filter
                ip-filter
                    default-action deny
                    entry 1
                        action permit
                        src-ip 10.10.10.104/32
                    exit
                    entry 2
                        action permit
                        src-ip 10.10.0.1/32
                    exit
                exit
----------------------------------------------
ALU-1>config>system>security#
Note:

If configuring management access filters via a Telnet session, ensure that data from the host IP address is permitted before setting the default action to deny; otherwise, the session will be dropped. To do this, set the default action to permit, configure an entry with the src-ip address of the host as a permitted match criterion, then set the default action back to deny. Alternatively, use a direct console connection to the node for configuration; in this case, the order of filter configuration does not matter.
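As an added example (not code from the 7705 SAR documentation), the following Python models the first-match evaluation of a management access filter described above, including entries without an action being inactive, and checks a planned sequence of configuration steps for the session-drop problem the note describes. The class and function names, and the default of port 23/TCP for the management session, are this example's own assumptions.

```python
"""Model of management-access-filter evaluation (added example, not vendor code)."""
import ipaddress
from dataclasses import dataclass, field
from typing import Optional


@dataclass
class Entry:
    entry_id: int
    action: Optional[str] = None     # "permit" | "deny" | "deny-host-unreachable"
    src_ip: Optional[str] = None     # prefix such as "10.10.10.104/32"
    dst_port: Optional[int] = None
    protocol: Optional[int] = None   # 6 = TCP, 17 = UDP

    @property
    def active(self) -> bool:
        # An entry without the action keyword is incomplete and inactive.
        return self.action is not None

    def matches(self, src: str, dst_port: int, protocol: int) -> bool:
        # No match criteria at all means everything matches.
        if self.src_ip is not None:
            net = ipaddress.ip_network(self.src_ip, strict=False)
            if ipaddress.ip_address(src) not in net:
                return False
        if self.dst_port is not None and self.dst_port != dst_port:
            return False
        if self.protocol is not None and self.protocol != protocol:
            return False
        return True


@dataclass
class ManagementAccessFilter:
    default_action: str = "permit"          # the router's default
    entries: list = field(default_factory=list)

    def evaluate(self, src: str, dst_port: int, protocol: int):
        """First active matching entry wins, in ascending entry-id order.
        Returns (action, entry_id); entry_id is None when the default applies."""
        for e in sorted(self.entries, key=lambda e: e.entry_id):
            if e.active and e.matches(src, dst_port, protocol):
                return e.action, e.entry_id
        return self.default_action, None

    def locks_out(self, mgmt_host: str, port: int = 23, protocol: int = 6) -> bool:
        """True if traffic from the configuring host would no longer be permitted."""
        action, _ = self.evaluate(mgmt_host, port, protocol)
        return action != "permit"


def first_lockout_step(steps, mgmt_host: str):
    """Apply configuration steps in order, starting from an empty filter with the
    default action permit. Steps are ("default-action", value) or ("entry", Entry).
    Returns the index of the first step after which the management session would
    be dropped, or None when the whole sequence is safe."""
    f = ManagementAccessFilter()
    for i, (kind, value) in enumerate(steps):
        if kind == "default-action":
            f.default_action = value
        else:
            f.entries.append(value)
        if f.locks_out(mgmt_host):
            return i
    return None
```

Sequencing a broad deny before a narrower permit (for example 10.10.0.0/16 deny at entry 1, 10.10.10.104/32 permit at entry 2) makes the specific permit unreachable, which is why the text requires most-specific entries first.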

Configuring IPv4 or IPv6 CPM (CSM) Filters

CPM filters control all traffic going in to the CSM, including all routing protocols. They apply to packets from all network and access ports, but not to packets from a management Ethernet port. CPM packet filtering is performed by network processor hardware using no resources on the main CPUs.

Use the following CLI commands to configure an IPv4 CPM filter.

CLI Syntax:
config>system>security
    cpm-filter
        default-action {accept | drop}
        ip-filter
            entry entry-id [create]
                action {accept | drop}
                description description-string
                log log-id
                match [protocol protocol-id]
                    dscp dscp-name
                    dst-ip {ip-address/mask | ip-address netmask}
                    dst-port [tcp/udp port-number] [mask]
                    fragment {true | false}
                    icmp-code icmp-code
                    icmp-type icmp-type
                    ip-option ip-option-value [ip-option-mask]
                    multiple-option {true | false}
                    option-present {true | false}
                    src-ip {ip-address/mask | ip-address netmask}
                    src-port src-port-number [mask]
                    tcp-ack {true | false}
                    tcp-syn {true | false}
            renum old-entry-id new-entry-id

Use the following CLI commands to configure an IPv6 CPM filter.

CLI Syntax:
config>system>security
    cpm-filter
        default-action {accept | drop}
        ipv6-filter
            entry entry-id [create]
                action {accept | drop}
                description description-string
                log log-id
                match [next-header next-header]
                    dscp dscp-name
                    dst-ip ipv6-address/prefix-length
                    dst-port [tcp/udp port-number] [mask]
                    icmp-code icmp-code
                    icmp-type icmp-type
                    src-ip ipv6-address/prefix-length
                    src-port src-port-number [mask]
                    tcp-ack {true | false}
                    tcp-syn {true | false}
            renum old-entry-id new-entry-id

The following displays an IPv4 CPM filter configuration example:

A:ALU-49>config>sys>sec>cpm>ip-filter# info
----------------------------------------------
                    entry 10 create
                        action drop
                        description "CPM-Filter 10.4.101.2 #101"
                        log 101
                    exit
                    entry 20 create
                        no action
                        description "CPM-Filter 10.4.101.2 #201"
                        log 101
                    exit
                    no shutdown
----------------------------------------------
A:ALU-49>config>sys>sec>cpm>ip-filter#

Configuring Password Management Parameters

Configuring password management parameters consists of defining aging, the authentication order and authentication methods, password length and complexity, as well as the number of attempts a user can make to enter a password.

Depending on the authentication requirements, password parameters are configured locally or on the RADIUS or TACACS+ server.

Use the following CLI commands to configure password support:

CLI Syntax:
config>system>security
    password
        admin-password password [hash | hash2]
        aging days
        attempts count [time minutes1] [lockout minutes2]
        authentication-order [method-1] [method-2] [method-3] [exit-on-reject]
        complexity [numeric] [special-character] [mixed-case]
        health-check
        minimum-length value

The following displays an example of the password command usage.

Example:
config>system>security# password
security>password# aging 365
security>password# minimum-length 8
security>password# attempts 5 time 5 lockout 20
security>password# authentication-order radius tacplus local

The following example displays the password configuration:

ALU-1>config>system>security# info
----------------------------------------------
            password
                authentication-order radius tacplus local
                aging 365
                minimum-length 8
                attempts 5 time 5 lockout 20
            exit
----------------------------------------------
ALU-1>config>system>security#
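As an added example (not code from the 7705 SAR documentation), the following Python models the two password parameters that decide who can still log in when a server misbehaves: the authentication-order chain with its optional exit-on-reject keyword, and the attempts/time/lockout counter. Server outcomes ("accept", "reject", "unreachable") are supplied by the caller so the model runs offline; the fall-through rules (unreachable always falls through to the next method, a reject falls through only without exit-on-reject) and all names are this example's assumptions about the documented keywords.

```python
"""Model of authentication-order and attempts/lockout (added example, not vendor code)."""
from math import inf

ACCEPT, REJECT, UNREACHABLE = "accept", "reject", "unreachable"


def run_auth_order(order, responses, exit_on_reject=False):
    """Try each method in `order`, e.g. ["radius", "tacplus", "local"].

    `responses` maps a method name to its outcome for this login; a method not
    listed is treated as unreachable (all retries timed out). An unreachable
    method falls through to the next one, as does a reject unless
    exit-on-reject is configured. Returns (granted, deciding_method, trail).
    """
    trail = []
    for method in order:
        outcome = responses.get(method, UNREACHABLE)
        trail.append((method, outcome))
        if outcome == ACCEPT:
            return True, method, trail
        if outcome == REJECT and exit_on_reject:
            return False, method, trail
    return False, None, trail


class AttemptCounter:
    """attempts count [time minutes1] [lockout minutes2]: `count` failed logins
    within `time` minutes lock the account for `lockout` minutes."""

    def __init__(self, count=3, time=5, lockout=10):   # the page's defaults
        self.count, self.time, self.lockout = count, time, lockout
        self.failures = {}       # user -> minutes at which recent failures occurred
        self.locked_until = {}   # user -> minute at which the lockout ends

    def is_locked(self, user, now):
        return now < self.locked_until.get(user, -inf)

    def record(self, user, now, granted):
        """Record a login result; returns True when this failure triggers a lockout."""
        if granted:
            self.failures.pop(user, None)
            return False
        recent = [t for t in self.failures.get(user, []) if now - t < self.time]
        recent.append(now)
        self.failures[user] = recent
        if len(recent) >= self.count:
            self.locked_until[user] = now + self.lockout
            self.failures[user] = []
            return True
        return False


def login(counter, user, now, order, responses, exit_on_reject=False):
    """One login attempt at minute `now`: refuse outright while locked out,
    otherwise run the method chain and feed the result to the counter.
    Returns (granted, reason)."""
    if counter.is_locked(user, now):
        return False, "locked-out"
    granted, method, _ = run_auth_order(order, responses, exit_on_reject)
    locked = counter.record(user, now, granted)
    if granted:
        return True, f"accepted-by-{method}"
    return False, "lockout-triggered" if locked else f"rejected-by-{method or 'all-methods'}"
```

With the order radius tacplus local and no exit-on-reject, a RADIUS reject is retried against TACACS+ and then the local database, so a password rejected centrally can still succeed locally; with exit-on-reject the RADIUS decision is final and local accounts only serve as a fallback when the servers are unreachable.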

Configuring Profiles

Profiles are used to deny or permit access to a hierarchical branch or specific commands. Profiles are referenced in a user configuration. A maximum of 16 user profiles can be defined. A user can participate in up to 16 profiles. Depending on the authorization requirements, passwords are configured locally or on the RADIUS server.

Use the following CLI commands to configure user profiles:

CLI Syntax:
config>system>security
    profile user-profile-name
        default-action {deny-all | permit-all | none}
        renum old-entry-number new-entry-number
        entry entry-id
            description description-string
            match command-string
            action {permit | deny}

The following displays an example of the user profile command usage.

Example:
config>system>security# profile ghost
config>system>security>profile$ default-action permit-all
config>system>security>profile# entry 1
config>system>security>profile>entry$ action permit
config>system>security>profile>entry# match "configure"
config>system>security>profile>entry# exit
config>system>security>profile# entry 2
config>system>security>profile>entry$ match "show"
config>system>security>profile>entry# exit
config>system>security>profile# entry 3
config>system>security>profile>entry$ match "exit"

The following example displays the user profile output:

ALU-1>config>system>security# info
----------------------------------------------
...
            profile "ghost"
                default-action permit-all
                entry 1
                    match "configure"
                    action permit
                exit
                entry 2
                    match "show"
                exit
                entry 3
                    match "exit"
                exit
...
----------------------------------------------
ALU-1>config>system>security#
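As an added example (not code from the 7705 SAR documentation), the following Python models profile-based command authorization and shows why entry order matters: in the "default" profile reproduced from this page's info detail output, entry 60 (match "show config", deny) must precede entry 70 (match "show", permit). The evaluation rules (ordered first match, token-prefix matching of the command string, default-action none deferring to the user's next member profile and denying if no profile decides) and all names are this example's assumptions.

```python
"""Model of profile entry matching (added example, not vendor code)."""
from dataclasses import dataclass, field


@dataclass
class ProfileEntry:
    entry_id: int
    match: str
    action: str          # "permit" or "deny"

    def matches(self, command: str) -> bool:
        # Token-prefix match: "show" matches "show router" and "show config",
        # but "show config" does not match "show router".
        want = self.match.split()
        return command.split()[:len(want)] == want


@dataclass
class Profile:
    name: str
    default_action: str                      # "permit-all", "deny-all" or "none"
    entries: list = field(default_factory=list)

    def decide(self, command: str):
        """Return "permit"/"deny" from the first matching entry (ascending
        entry-id), else from the default action; None means no decision."""
        for e in sorted(self.entries, key=lambda e: e.entry_id):
            if e.matches(command):
                return e.action
        return {"permit-all": "permit", "deny-all": "deny"}.get(self.default_action)


def authorize(command: str, member_profiles: list) -> str:
    """Check the user's profiles in member order; the first profile that
    reaches a decision wins. If none decides, the command is denied."""
    for p in member_profiles:
        decision = p.decide(command)
        if decision is not None:
            return decision
    return "deny"


def reordered(profile: Profile, a: int, b: int) -> Profile:
    """Copy of `profile` with the entry-ids of entries a and b swapped (the
    effect of renum), to show that entry order changes the outcome."""
    swapped = []
    for e in profile.entries:
        new_id = b if e.entry_id == a else a if e.entry_id == b else e.entry_id
        swapped.append(ProfileEntry(new_id, e.match, e.action))
    return Profile(profile.name, profile.default_action, swapped)


# Entries as listed for profile "default" in the info detail output on this page.
DEFAULT = Profile("default", "none", [
    ProfileEntry(10, "exec", "permit"),
    ProfileEntry(20, "exit", "permit"),
    ProfileEntry(30, "help", "permit"),
    ProfileEntry(40, "logout", "permit"),
    ProfileEntry(50, "password", "permit"),
    ProfileEntry(60, "show config", "deny"),
    ProfileEntry(70, "show", "permit"),
    ProfileEntry(80, "enable-admin", "permit"),
])

# The "administrative" profile: permit-all with one explicit entry.
ADMINISTRATIVE = Profile("administrative", "permit-all", [
    ProfileEntry(10, "configure system security", "permit"),
])
```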

Configuring Users

Access parameters are configured for individual users. For each user, the login name and, optionally, information that identifies the user is defined. Use the following CLI commands to configure access parameters for users:

CLI Syntax:
config>system>security
    user-template template-name
    user user-name
        access [ftp] [snmp] [console]
        console
            cannot-change-password
            login-exec url-prefix:source-url
            member user-profile-name [user-profile-name...(up to 8 max)]
            new-password-at-login
        home-directory url-prefix [directory] [directory/directory ..]
        password [password] [hash | hash2]
        restricted-to-home
        snmp
            authentication {[none] | [[hash] {md5 key-1 | sha key-1} privacy {none | des-key key-2}]}
            group group-name

The following displays an example of the command usage.

Example:
config>system>security
config>system>security# user 49ers
config>system>security>user$ access ftp snmp console
config>system>security>user$ console
config>system>security>user>console# member default ghost
config>system>security>user>console# new-password-at-login
config>system>security>user>console# exit
config>system>security>user# password testuser1
config>system>security>user# restricted-to-home
config>system>security>user# exit

The following example displays the user configuration:

ALU-1>config>system>security# info
----------------------------------------------
...
            user "49ers"
                password "qQbnuzLd7H/VxGdUqdh7bE" hash2
                access console ftp snmp
                restricted-to-home
                console
                    member "default"
                    member "ghost"
                exit
            exit
...
--------------------------------------------
ALU-1>config>system>security#

Copying and Overwriting Users and Profiles

You can copy a profile or user or overwrite an existing profile or user. The overwrite option must be specified; otherwise, an error occurs if the destination profile or user name already exists.

Copying a User

CLI Syntax:
config>system>security# copy {user source-user | profile source-profile} to destination [overwrite]
Example:
config>system>security# copy user "testuser" to "testuserA"
MINOR: CLI User "testuserA" already exists - use overwrite flag.
config>system>security#
config>system>security# copy user "testuser" to "testuserA" overwrite
config>system>security#

The following output displays the copied user configurations:

ALU-12>config>system>security# info
----------------------------------------------
...
            user "testuser"
                password "F6XjryaATzM" hash
                access snmp
                snmp
                    authentication hash md5 e14672e71d3e96e7a1e19472527ee969 privacy none
                    group "testgroup"
                exit
            exit
            user "testuserA"
                password "" hash2
                access snmp
                console
                    new-password-at-login
                exit
                snmp
                    authentication hash md5 e14672e71d3e96e7a1e19472527ee969 privacy none
                    group "testgroup"
                exit
            exit
...
----------------------------------------------
ALU-12>config>system>security#
Note:

The cannot-change-password flag is not replicated when a copy user command is performed. A new-password-at-login flag is created instead.

ALU-12>config>system>security>user# info
----------------------------------------------
    password "F6XjryaATzM" hash
    access snmp
    console
        cannot-change-password 
    exit
    snmp
        authentication hash md5 e14672e71d3e96e7a1e19472527ee969 privacy none
        group "testgroup"
    exit
----------------------------------------------
ALU-12>config>system>security>user# exit
ALU-12>config>system>security# user testuserA
ALU-12>config>system>security>user# info
----------------------------------------------
    password "" hash2
    access snmp
    console
        new-password-at-login
    exit
    snmp
        authentication hash md5 e14672e71d3e96e7a1e19472527ee969 privacy none
        group "testgroup"
    exit
----------------------------------------------
ALU-12>config>system>security>user#

Copying a Profile

CLI Syntax:
config>system>security# copy {user source-user | profile source-profile} to destination [overwrite]
Example:
config>system>security# copy profile default to testuser

The following output displays the copied profiles:

A:ALU-49>config>system>security# info
----------------------------------------------
...
A:ALU-49>config>system>security# info detail
----------------------------------------------
...
            profile "default"
                default-action none
                entry 10
                    no description
                    match "exec"
                    action permit
                exit
                entry 20
                    no description
                    match "exit"
                    action permit
                exit
                entry 30
                    no description
                    match "help"
                    action permit
                exit
                entry 40
                    no description
                    match "logout"
                    action permit
                exit
                entry 50
                    no description
                    match "password"
                    action permit
                exit
                entry 60
                    no description
                    match "show config"
                    action deny
                exit
                entry 70
                    no description
                    match "show"
                    action permit
                exit
                entry 80
                    no description
                    match "enable-admin"
                    action permit
                exit
            exit
            profile "testuser"
                default-action none
                entry 10
                    no description
                    match "exec"
                    action permit
                exit
                entry 20
                    no description
                    match "exit"
                    action permit
                exit
                entry 30
                    no description
                    match "help"
                    action permit
                exit
                entry 40
                    no description
                    match "logout"
                    action permit
                exit
                entry 50
                    no description
                    match "password"
                    action permit
                exit
                entry 60
                    no description
                    match "show config"
                    action deny
                exit
                entry 70
                    no description
                    match "show"
                    action permit
                exit
                entry 80
                    no description
                    match "enable-admin"
                    action permit
                exit
            exit
            profile "administrative"
                default-action permit-all
            exit
...

Configuring SSH

Use the ssh command to configure the SSH server to accept SSH1, SSH2 or both; the default is SSH2. Change the version only while the SSH server is disabled (server-shutdown): the setting cannot be changed while the server is running. Protocol version 1 has known cryptographic weaknesses, so enable it (version 1 or 1-2) only when legacy clients require it.

CLI Syntax:
config>system>security
    ssh
        preserve-key
        no server-shutdown
        version ssh-version

Example:
config>system>security# ssh
config>system>security>ssh# preserve-key
config>system>security>ssh# version 1-2

The following example displays the SSH server configuration as both SSH1 and SSH2 using a host-key:

A:ALU-1>config>system>security>ssh# info
----------------------------------------------
                preserve-key
                version 1-2
----------------------------------------------
A:ALU-1>config>system>security>ssh# 

Configuring Login Controls

Use the login-control context to configure parameters for console, Telnet, and FTP sessions.

CLI Syntax:
config>system
    login-control
        exponential-backoff
        ftp
            inbound-max-sessions value
        telnet
            inbound-max-sessions value
            outbound-max-sessions value
        idle-timeout {minutes | disable}
        pre-login-message login-text-string [name]
        login-banner
        motd {url url-prefix:source-url | text motd-text-string}

The following example displays the login control configuration:

Example:
config>system>login-control# ftp inbound-max-sessions 5
config>system>login-control# telnet inbound-max-sessions 7
config>system>login-control# telnet outbound-max-sessions 2
config>system>login-control# idle-timeout 1440
config>system>login-control# pre-login-message "Property of Service Routing Inc. Unauthorized access prohibited."
config>system>login-control# motd text "Notice to all users: Software upgrade scheduled 3/2 1:00 AM"

The following example displays the login control configuration:

ALU-1>config>system# info
----------------------------------------------
...
        login-control
            ftp
                inbound-max-sessions 5
            exit
            telnet
                inbound-max-sessions 7
                outbound-max-sessions 2
            exit
            idle-timeout 1440
            pre-login-message "Property of Service Routing Inc. Unauthorized access prohibited."
            motd text "Notice to all users: Software upgrade scheduled 3/2 1:00 AM"
        exit
        no exponential-backoff
...
----------------------------------------------
ALU-1>config>system#

RADIUS Configurations

Configuring RADIUS Authentication

RADIUS is disabled by default and must be explicitly enabled. The mandatory commands to enable RADIUS on the local router are radius and server server-index address ip-address secret key. The server command adds a RADIUS server and configures the RADIUS server’s IP address, index, and key values. The index determines the sequence in which the servers are queried for authentication requests.

Also, the system IP address must be configured in order for the RADIUS client to work. See “Configuring a System Interface” in the 7705 SAR OS Router Configuration Guide.

The other commands are optional.

On the local router, use the following CLI commands to configure RADIUS authentication:

CLI Syntax:
config>system>security
    radius
        port port
        retry count
        server server-index address ip-address secret key [hash1 | hash2]
        timeout seconds
        no shutdown

The following example displays the CLI syntax usage:

Example:
config>system>security>
security# radius
security>radius# no shutdown
security>radius# server 1 address A:A:A:A:A:A:A:1 secret test11
security>radius# server 2 address 10.10.0.1 secret test2
security>radius# server 3 address 10.10.0.2 secret test3
security>radius# server 4 address 10.10.0.3 secret test4
security>radius# retry 5
security>radius# timeout 5
config>system>security>radius# exit

The following example displays the RADIUS authentication configuration:

ALU-1>config>system>security# info
----------------------------------------------
                retry 5
                timeout 5
                server 1 address A:A:A:A:A:A:A:1 secret "test1"
                server 2 address 10.10.0.1 secret "test2"
                server 3 address 10.10.0.2 secret "test3"
                server 4 address 10.10.0.3 secret "test4"
...
----------------------------------------
ALU-1>config>system>security#

Configuring RADIUS Authorization

In order for RADIUS authorization to function, RADIUS authentication must be enabled first. See Configuring RADIUS Authentication.

In addition to the local configuration requirements, VSAs must be configured on the RADIUS server. See Vendor-Specific Attributes (VSAs).

On the local router, use the following CLI commands to configure RADIUS authorization:

CLI Syntax:
config>system>security
    radius
        authorization

The following example displays the CLI syntax usage:

Example:
config>system>security>
config>system>security# radius
config>system>security>radius# authorization

The following example displays the RADIUS authorization configuration:

ALU-1>config>system>security# info
----------------------------------------------
...
            radius
                authorization
                retry 5
                timeout 5
                server 1 address 10.10.10.103 secret "test1"
                server 2 address 10.10.0.1 secret "test2"
                server 3 address 10.10.0.2 secret "test3"
                server 4 address 10.10.0.3 secret "test4"
            exit
...
----------------------------------------------

Configuring RADIUS Accounting

On the local router, use the following CLI commands to configure RADIUS accounting:

CLI Syntax:
config>system>security
    radius
        accounting

The following example displays the CLI syntax usage:

Example:
config>system>security>
config>system>security# radius
config>system>security>radius# accounting

The following example displays the RADIUS accounting configuration:

ALU-1>config>system>security# info
----------------------------------------------
...
           radius
               shutdown
               authorization
               accounting
               retry 5
               timeout 5
               server 1 address 10.10.10.103 secret "test1"
               server 2 address 10.10.0.1 secret "test2"
               server 3 address 10.10.0.2 secret "test3"
               server 4 address 10.10.0.3 secret "test4"
           exit
...
----------------------------------------------
ALU-1>config>system>security#

Configuring 802.1x RADIUS Policies

Use the following CLI commands to configure generic authentication parameters for clients using 802.1x EAPOL. Additional parameters are configured on Ethernet ports. Refer to the 7705 SAR OS Interface Configuration Guide, “Card, Adapter Card, and Port Command Reference”, for more information on configuring 802.1x parameters on Ethernet ports.

To configure generic parameters for 802.1x authentication, enter the following CLI syntax:

CLI Syntax:
config>system>security
    dot1x
        radius-plcy name [create]
            retry count
            server server-index address ip-address secret key [hash | hash2] [auth-port auth-port] [acct-port acct-port] [type server-type]
            no shutdown
            source-address ip-address
            timeout seconds
        no shutdown

The following example displays the CLI syntax usage:

Example:
config>system>security>
config>system>security# dot1x
config>system>security>dot1x# radius-plcy dot1x_plcy create
config>system>security>dot1x>radius-plcy# server 1 address 1.1.1.1 secret abc auth-port 65000
config>system>security>dot1x>radius-plcy# server 2 address 1.1.1.3 secret xyz auth-port 862
config>system>security>dot1x>radius-plcy# source-address 1.1.1.255

The following example displays an 802.1x configuration:

*A:7705_custDoc>config>system>security>dot1x# info
----------------------------------------------
        radius-plcy "dot1x_plcy" create
            server 1 address 1.1.1.1 auth-port 65000 acct-port 1813 secret "WDoQz6DJf4.0M5dlpwjHbk" hash2 type authorization
            server 2 address 1.1.1.3 auth-port 862 acct-port 1813 secret "WDoQz6DJf4.j1WcCeHZwz." hash2 type authorization
            source-address 1.1.1.255
            shutdown
        exit
...
----------------------------------------------
A:ALU-1>config>system#

TACACS+ Configurations

Enabling TACACS+ Authentication

To use TACACS+ authentication on the router, configure one or more TACACS+ servers on the network.

Use the following CLI commands to configure TACACS+ authentication:

CLI Syntax:
config>system>security
    tacplus
        server server-index address ip-address secret key [hash1 | hash2]
        single-connection
        timeout seconds
        no shutdown

The following example is configured in the config>system context:

Example:
security# tacplus
security>tacplus# server 1 address A:A:A:A:A:A:A:1 secret test1
security>tacplus# server 2 address 10.10.0.6 secret test2
security>tacplus# server 3 address 10.10.0.7 secret test3
security>tacplus# server 4 address 10.10.0.8 secret test4
security>tacplus# server 5 address 10.10.0.9 secret test5
config>system>security>tacplus# single-connection
config>system>security>tacplus# timeout 5
config>system>security>tacplus# no shutdown

The following example displays the TACACS+ authentication configuration:

ALU-1>config>system>security>tacplus# info
----------------------------------------------
                timeout 5
                single-connection
                server 1 address A:A:A:A:A:A:A:1 secret "h6.TeL7YPohbmhlvz0gob." hash2
                server 2 address 10.10.0.6 secret "h6.TeL7YPog7WbLsR3QRd." hash2
                server 3 address 10.10.0.7 secret "h6.TeL7YPojGJqbYt85LVk" hash2
                server 4 address 10.10.0.8 secret "h6.TeL7YPoiCfWKUFHARvk" hash2
                server 5 address 10.10.0.9 secret "h6.TeL7YPojuCyTFvTNGBU" hash2

Configuring TACACS+ Authorization

In order for TACACS+ authorization to function, TACACS+ authentication must be enabled first. See Enabling TACACS+ Authentication.

On the local router, use the following CLI commands to configure TACACS+ authorization:

CLI Syntax:
config>system>security
    tacplus
        authorization
        no shutdown

The following example displays the CLI syntax usage:

Example:
config>system>security>
config>system>security# tacplus
config>system>security>tacplus# authorization
config>system>security>tacplus# no shutdown

The following example displays the TACACS+ authorization configuration:

ALU-1>config>system>security>tacplus# info
----------------------------------------------
                authorization
                timeout 5
                single-connection
                server 1 address 10.10.0.5 secret "h6.TeL7YPohbmhlvz0gob." hash2
                server 2 address 10.10.0.6 secret "h6.TeL7YPog7WbLsR3QRd." hash2
                server 3 address 10.10.0.7 secret "h6.TeL7YPojGJqbYt85LVk" hash2
                server 4 address 10.10.0.8 secret "h6.TeL7YPoiCfWKUFHARvk" hash2
                server 5 address 10.10.0.9 secret "h6.TeL7YPojuCyTFvTNGBU" hash2
----------------------------------------------
ALU-1>config>system>security>tacplus# 

Configuring TACACS+ Accounting

On the local router, use the following CLI commands to configure TACACS+ accounting:

CLI Syntax:
config>system>security
    tacplus
        accounting

The following example displays the CLI syntax usage:

Example:
config>system>security>
config>system>security# tacplus
config>system>security>tacplus# accounting

The following example displays the TACACS+ accounting configuration:

ALU-1>config>system>security>tacplus# info
----------------------------------------------
                accounting
                authorization
                timeout 5
                single-connection
                server 1 address 10.10.0.5 secret "h6.TeL7YPohbmhlvz0gob." hash2
                server 2 address 10.10.0.6 secret "h6.TeL7YPog7WbLsR3QRd." hash2
                server 3 address 10.10.0.7 secret "h6.TeL7YPojGJqbYt85LVk" hash2
                server 4 address 10.10.0.8 secret "h6.TeL7YPoiCfWKUFHARvk" hash2
                server 5 address 10.10.0.9 secret "h6.TeL7YPojuCyTFvTNGBU" hash2
----------------------------------------------
ALU-1>config>system>security>tacplus#