About TACACS+ Servers for AAA
The ASA supports TACACS+ server authentication with the following protocols: ASCII, PAP, CHAP, and MS-CHAPv1.
TACACS+ Attributes
The ASA provides support for TACACS+ attributes. TACACS+ attributes separate the functions of authentication, authorization, and accounting. The protocol supports two types of attributes: mandatory and optional. Both the server and client must understand a mandatory attribute, and the mandatory attribute must be applied to the user. An optional attribute may or may not be understood or used.
Note: To use TACACS+ attributes, make sure that you have enabled AAA services on the NAS.
The following table lists supported TACACS+ authorization response attributes for cut-through-proxy connections.
| Attribute | Description |
|---|---|
| acl | Identifies a locally configured ACL to be applied to the connection. |
| idletime | Indicates the amount of inactivity in minutes that is allowed before the authenticated user session is terminated. |
| timeout | Specifies the absolute amount of time in minutes that authentication credentials remain active before the authenticated user session is terminated. |
The following table lists supported TACACS+ accounting attributes.
| Attribute | Description |
|---|---|
| bytes_in | Specifies the number of input bytes transferred during this connection (stop records only). |
| bytes_out | Specifies the number of output bytes transferred during this connection (stop records only). |
| cmd | Defines the command executed (command accounting only). |
| disc-cause | Indicates the numeric code that identifies the reason for disconnecting (stop records only). |
| elapsed_time | Defines the elapsed time in seconds for the connection (stop records only). |
| foreign_ip | Specifies the IP address of the client for tunnel connections. Defines the address on the lowest security interface for cut-through-proxy connections. |
| local_ip | Specifies the IP address that the client connected to for tunnel connections. Defines the address on the highest security interface for cut-through-proxy connections. |
| NAS port | Contains a session ID for the connection. |
| packs_in | Specifies the number of input packets transferred during this connection. |
| packs_out | Specifies the number of output packets transferred during this connection. |
| priv-level | Set to the user privilege level for command accounting requests, or to 1 otherwise. |
| rem_iddr | Indicates the IP address of the client. |
| service | Specifies the service used. Always set to “shell” for command accounting. |
| task_id | Specifies a unique task ID for the accounting transaction. |
| username | Indicates the name of the user. |