The TACACS+ “Command Authorization” feature increases flexibility and security by allowing you to define the commands that each network manager can or cannot run. This advantage alone makes a TACACS+ architecture worth implementing on small and mid-size networks too, as soon as more than one person needs to be granted access to the devices' command facilities.
TACACS+ is a standard protocol originally defined by the US Department of Defense and implemented by major networking vendors such as Allied Telesis. It can therefore be successfully deployed and used in a multivendor network.
Let’s see how “Command Authorization” works. On Allied Telesis network devices running AlliedWare Plus, it is sufficient to run the command “aaa authorization commands” to make the devices encrypt and send every command to the configured TACACS+ server (or servers) before actually executing it.

The TACACS+ server decides whether the user is authorized to execute the command and returns the decision to the AlliedWare Plus device, which then either executes the command or notifies the user that they are not authorized.

By default, TACACS+ authorization applies only to commands issued in exec mode. The command “aaa authorization config-commands” forces the network device to send configuration mode commands to the TACACS+ server for authorization as well.

Multiple TACACS+ servers can be configured for redundancy and, in addition, a local fall-back authorization database can be defined for use in case all the TACACS+ servers become unreachable. In such an event, commands are authorized based on the user’s privilege level, which is the same behavior as if command authorization had not been configured. If a local fallback is not enabled and all configured TACACS+ servers become unreachable, all commands will be denied, except logout, exit, and quit.

Want to know more? Read the full guide, TACACS+ Feature Overview and Configuration Guide, in the Allied Telesis online Resource Library.
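The decision flow described above, including the behavior when every server is unreachable, can be modelled in a few lines. This is an added example, not Allied Telesis code: the DeviceConfig fields, the server callables, the reason strings and the sample policy are hypothetical, and it assumes that commands not covered by TACACS+ authorization are checked against the privilege level only.

```python
from dataclasses import dataclass
from typing import Callable, Optional, Sequence, Tuple

# Commands the page says stay available when every server is unreachable
# and no local fallback is enabled.
ALWAYS_ALLOWED = {"logout", "exit", "quit"}

# Hypothetical server model: returns True/False, or None when unreachable.
Server = Callable[[str, str], Optional[bool]]

@dataclass
class DeviceConfig:
    command_authorization: bool = True   # "aaa authorization commands"
    config_commands: bool = False        # "aaa authorization config-commands"
    local_fallback: bool = False         # local fall-back authorization

def authorize(cfg: DeviceConfig, servers: Sequence[Server], user: str,
              user_level: int, mode: str, command: str,
              required_level: int) -> Tuple[bool, str]:
    """Return (allowed, reason) for one command typed in 'exec' or 'config' mode."""
    by_privilege = user_level >= required_level
    # Assumption: commands not covered by TACACS+ authorization are checked
    # against the privilege level only, as on a device without the feature.
    covered = cfg.command_authorization and (mode == "exec" or cfg.config_commands)
    if not covered:
        return by_privilege, "privilege-level"
    for server in servers:               # try servers in configured order
        verdict = server(user, command)
        if verdict is not None:          # first reachable server decides
            return verdict, "tacacs+"
    if cfg.local_fallback:               # all servers unreachable
        return by_privilege, "local-fallback"
    words = command.split()
    if words and words[0] in ALWAYS_ALLOWED:
        return True, "always-allowed"
    return False, "no-server-no-fallback"

# Constructed sample policy: alice may only run "show" commands.
def policy_server(user: str, command: str) -> Optional[bool]:
    return user == "alice" and command.startswith("show")

def unreachable(user: str, command: str) -> Optional[bool]:
    return None

if __name__ == "__main__":
    down = [unreachable, unreachable]
    for cmd in ("show version", "exit"):
        print(cmd, authorize(DeviceConfig(), down, "alice", 15, "exec", cmd, 1))
```

The fail-closed case is the one to plan for operationally: with no local fallback and no reachable server, a privilege-15 user can do nothing but leave the session.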
Be sure that your AlliedWare Plus network devices are loaded with release 5.4.6-2.x or newer.

This is another reason for keeping your entire network covered with our Net.Cover maintenance plans. In case of doubt, please contact us for a free check of the maintenance status of your network. Go to http://www.alliedtelesis.com/contact for the closest office.