Chapter 4 Configuring the CSS as a Client of a TACACS+ Server

Setting TACACS+ Authorization

TACACS+ authorization lets the TACACS+ server control which CSS commands a user can execute. CSS authorization divides the command set into two categories:

• Configuration commands, which change the CSS running configuration; for example, all commands in global configuration mode. For a complete list of global configuration mode commands, refer to the Cisco Content Services Switch Command Reference.

• Nonconfiguration commands, which do not change the running configuration. These include, but are not limited to, mode transition, show, and administrative commands; for example, cls (clear screen), endbranch, help, ping, show, terminal, and traceroute. For a complete list of nonconfiguration commands, refer to the Cisco Content Services Switch Command Reference.

Note When you configure TACACS+ on a CSS, the CSS does not authorize scripts through the TACACS+ server. Because the CSS transforms all XML commands into scripts, the CSS also does not authorize XML commands through the TACACS+ server.

By default, authorization is disabled. When authorization is enabled, the TACACS+ server is responsible for permitting or denying every attempt to issue a command.

When you enable authorization, the exchange between the CSS and the TACACS+ server adds a delay to the execution of each command. If the TACACS+ server fails, all authorization requests fail and user activity is suspended unless another server is reachable. To allow users to execute commands in this case, configure a failover authentication method to a local user database. Users must then log back in to the CSS.
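The authorization behaviour described above, as an added illustration that is not Cisco's code: a model of the CSS-side decision that classifies a command, tries the configured servers in order, falls through to a local user database only when that failover was configured, and otherwise denies. The command sets, server policies, user names and class names are assumptions made for the example.

```python
from dataclasses import dataclass
from enum import Enum
from typing import Optional

class Verdict(Enum):
    PERMIT = "permit"
    DENY = "deny"
    UNREACHABLE = "unreachable"  # server did not answer

# Nonconfiguration commands named in the guide; anything else is treated
# here as a configuration (global configuration mode) command. Assumption.
NONCONFIG_CMDS = {"cls", "endbranch", "help", "ping", "show", "terminal", "traceroute"}

def classify(command: str) -> str:
    """Return the authorization category of a CLI command line."""
    words = command.split()
    verb = words[0] if words else ""
    return "nonconfiguration" if verb in NONCONFIG_CMDS else "configuration"

@dataclass
class TacacsServer:
    name: str
    reachable: bool
    policy: dict  # constructed: category -> set of users allowed to run it

    def authorize(self, user: str, command: str) -> Verdict:
        if not self.reachable:
            return Verdict.UNREACHABLE
        allowed = self.policy.get(classify(command), set())
        return Verdict.PERMIT if user in allowed else Verdict.DENY

def authorize_command(user: str, command: str, servers: list,
                      local_users: Optional[set] = None,
                      enabled: bool = True) -> tuple:
    """Return (Verdict, reason). Servers are tried in order and the first
    reachable one decides. If none answers, the local user database decides
    only when it was configured as the failover method; otherwise the
    request fails and the user is blocked."""
    if not enabled:
        return Verdict.PERMIT, "authorization disabled (the default)"
    for srv in servers:
        verdict = srv.authorize(user, command)
        if verdict is not Verdict.UNREACHABLE:
            return verdict, f"decided by {srv.name}"
    if local_users is not None and user in local_users:
        return Verdict.PERMIT, "all servers unreachable; local failover after re-login"
    return Verdict.DENY, "all servers unreachable and no local failover configured"
```

The point to check in a real deployment is the last two branches: with every server down, nothing is permitted unless the local failover method was configured in advance.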

Cisco Content Services Switch Security Configuration Guide
OL-5650-02
4-11