EX2500 Ethernet Switch Configuration Guide

NOTE: When you are using the EX2500 Web Device Manager, the TACACS+ Accounting Stop records are sent only if the Logout button on the browser is clicked.

Command Authorization and Logging

When TACACS+ Command Authorization is enabled, EX2500 configuration commands are sent to the TACACS+ server for authorization. Use the following command to enable TACACS+ Command Authorization:

ex2500(config)# tacacs-server command-authorization

When TACACS+ Command Logging is enabled, EX2500 configuration commands are logged on the TACACS+ server. Use the following command to enable TACACS+ Command Logging:

ex2500(config)# tacacs-server command-logging

The following examples illustrate the format of EX2500 commands sent to the TACACS+ server:

authorization request, cmd=shell, cmd-arg=interface ip
accounting request, cmd=shell, cmd-arg=interface ip
authorization request, cmd=shell, cmd-arg=enable
accounting request, cmd=shell, cmd-arg=enable
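As an added example that is not part of the guide, the following Python script parses records in the format shown above and flags any accounting record that has no preceding authorization request for the same command, which is what a server would log if command logging is on but command authorization is off. The record strings are constructed from the guide's four examples plus one extra accounting line; the function names are the example's own.

```python
import re
from dataclasses import dataclass

# Matches one record in the format the guide shows, e.g.
#   authorization request, cmd=shell, cmd-arg=interface ip
RECORD_RE = re.compile(
    r"^(?P<kind>authorization|accounting) request, "
    r"cmd=(?P<cmd>[^,]+), cmd-arg=(?P<arg>.*)$"
)

@dataclass(frozen=True)
class Record:
    kind: str   # "authorization" or "accounting"
    cmd: str    # "shell" in every record the guide shows
    arg: str    # the switch command, e.g. "interface ip"

def parse_record(line: str) -> Record:
    m = RECORD_RE.match(line.strip())
    if not m:
        raise ValueError(f"unrecognised TACACS+ record: {line!r}")
    return Record(m["kind"], m["cmd"], m["arg"])

def unauthorized_commands(lines):
    """Return cmd-args that were accounted (logged) without a preceding
    authorization request for the same cmd-arg. Each authorization
    request is consumed by the next accounting record with the same key,
    so a command that ran twice needs two authorizations."""
    pending = {}   # (cmd, cmd-arg) -> authorizations not yet consumed
    flagged = []
    for line in lines:
        if not line.strip():
            continue
        rec = parse_record(line)
        key = (rec.cmd, rec.arg)
        if rec.kind == "authorization":
            pending[key] = pending.get(key, 0) + 1
        elif pending.get(key, 0) > 0:
            pending[key] -= 1
        else:
            flagged.append(rec.arg)
    return flagged

# Constructed sample: the guide's four records, then one accounting
# record that was never authorized.
SAMPLE_RECORDS = """\
authorization request, cmd=shell, cmd-arg=interface ip
accounting request, cmd=shell, cmd-arg=interface ip
authorization request, cmd=shell, cmd-arg=enable
accounting request, cmd=shell, cmd-arg=enable
accounting request, cmd=shell, cmd-arg=tacacs-server enable
"""

if __name__ == "__main__":
    for arg in unauthorized_commands(SAMPLE_RECORDS.splitlines()):
        print(f"accounted without authorization: {arg}")
```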

Configuring TACACS+ Authentication on the Switch

1. Configure the Primary and Secondary TACACS+ servers, and enable TACACS+ authentication.

ex2500(config)# tacacs-server primary-host 10.10.1.1
ex2500(config)# tacacs-server secondary-host 10.10.1.2
ex2500(config)# tacacs-server enable

2. Configure the TACACS+ secret and second secret.

ex2500(config)# tacacs-server primary-host 10.10.1.1 key <1-32 character secret>
ex2500(config)# tacacs-server secondary-host 10.10.1.2 key <1-32 character secret>

3. If desired, you may change the default TCP port number used to listen for TACACS+. The well-known port for TACACS+ is 49.

ex2500(config)# tacacs-server port <TCP port number>

4. Configure the number of retry attempts and the timeout period.

ex2500(config)# tacacs-server retransmit 3
ex2500(config)# tacacs-server timeout 5

16 Securing Access to the Switch
