Allied Telesis Support Portal

Increase Security and Flexibility with TACACS+

Can I add security to a TACACS+ Server?

Introduction

The TACACS+ “Command Authorization” feature increases both flexibility and security by letting you define which commands each network manager can and cannot run. This advantage alone justifies deploying a TACACS+ architecture on small and mid-size networks as soon as more than one person must be granted access to the devices' command line, because it replaces a single shared privilege level with a per-user, centrally managed command policy.

TACACS+ descends from TACACS, a protocol originally defined for the US Department of Defense's MILNET; the TACACS+ variant was developed by Cisco, is now documented in RFC 8907, and is implemented by the major networking vendors, Allied Telesis included. It can therefore be deployed in a multivendor network, with one set of servers holding the access policy for every device.


Command Authorization

On Allied Telesis devices running AlliedWare Plus, configuring the command "aaa authorization commands" is sufficient to make the device send every command a user enters to the configured TACACS+ server (or servers) before executing it. The request travels inside a TACACS+ packet whose body is obfuscated with the shared key configured on both the device and the server; this is not strong encryption, so keep the shared key secret and carry TACACS+ traffic over a trusted management network.
The TACACS+ server decides whether the user is authorized to execute the command and returns its decision to the AlliedWare Plus device, which then either executes the command or tells the user that it is not authorized.
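What that server-side decision looks like in practice, as an added example that is not part of the original page: the page does not name a TACACS+ server, so this assumes the open-source Shrubbery tac_plus daemon and its tac_plus.conf syntax, with placeholder user names and key. It gives a read-only operator group the "show" commands (minus the running configuration, which exposes keys and password hashes) plus the commands needed to leave the session, grants full administrators everything, and denies anything not explicitly permitted:

```text
# Added example, not from the original page: tac_plus.conf for a Shrubbery
# tac_plus server (assumed). Shared key and user names are placeholders.

# Shared key; must match the key configured on every AlliedWare Plus device.
key = "Sup3rS3cret-change-me"

# Read-only operators. No "default service = permit" is set here, so any
# command without a matching cmd block, or without a matching permit line,
# is denied.
group = netops-readonly {
    # Grant the exec shell at privilege level 15 so that the per-command
    # rules below, not the privilege level, are what limit the user.
    service = exec {
        priv-lvl = 15
    }
    # "show" is allowed except for the running configuration. Lines are
    # evaluated in order and the first match wins. Check that the device
    # sends expanded command names (not abbreviations) before relying on
    # the pattern.
    cmd = show {
        deny   running-config.*
        permit .*
    }
    cmd = ping {
        permit .*
    }
    # Session control: always let the user leave.
    cmd = exit {
        permit .*
    }
    cmd = logout {
        permit .*
    }
    cmd = quit {
        permit .*
    }
}

# Full administrators: every command is permitted.
group = netadmins {
    default service = permit
    service = exec {
        priv-lvl = 15
    }
}

# Users authenticate against the server host's password file and inherit
# their command policy from the group they belong to.
user = alice {
    login = file /etc/passwd
    member = netops-readonly
}

user = bob {
    login = file /etc/passwd
    member = netadmins
}
```

The deny-by-default shape of the read-only group is deliberate: a new command added in a later device release is blocked for operators until someone decides to permit it, rather than silently becoming available.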


Config-command Authorization

By default, TACACS+ command authorization applies only to commands issued in exec mode, so a user who is permitted to enter configuration mode could otherwise run any configuration command unchecked. The command "aaa authorization config-commands" makes the device also send configuration-mode commands to the TACACS+ server for authorization.


TACACS+ Redundancy

Multiple TACACS+ servers can be configured for redundancy, and in addition a local fallback can be enabled for use when all the TACACS+ servers become unreachable. In that event, commands are authorized based on the user’s privilege level, which is the same behaviour as if command authorization had not been configured. If local fallback is not enabled and all configured TACACS+ servers become unreachable, every command is denied except logout, exit, and quit. The choice is a trade-off: fallback keeps the network manageable during a server outage, but it also means that anyone who can cut a device off from its servers is back to privilege-level-only control, while failing closed keeps the command policy intact at the cost of locking operators out until a server is reachable again.
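The settings from the three sections above combined into one AlliedWare Plus configuration, as an added example that is not taken from the page or from the Allied Telesis guide it references. The server addresses and shared key are placeholders, and the exact keyword set should be confirmed against the command reference for the release you run:

```text
! Added example (not from the original page). Addresses and the shared key are
! placeholders; replace them with your own values.
!
! Two TACACS+ servers for redundancy. Each must be configured with the same
! shared key, which obfuscates the packet body on the wire.
tacacs-server host 192.0.2.10 key Sup3rS3cret-change-me
tacacs-server host 192.0.2.11 key Sup3rS3cret-change-me
!
! Log in via TACACS+; use the local user database only if no server answers.
aaa authentication login default group tacacs+ local
!
! Send every exec-mode command entered at privilege level 15 to the servers
! before it runs. The trailing "none" keyword is the local fallback: when all
! servers are unreachable, commands are allowed according to the user's
! privilege level instead of being denied. Omit "none" to fail closed, leaving
! only logout, exit and quit available during an outage.
aaa authorization commands 15 default group tacacs+ none
!
! Also send configuration-mode commands for authorization (off by default).
aaa authorization config-commands
```

After applying it, confirm from a second session that the servers are reachable (show tacacs+) before closing the one you configured from, so that a typo in the key does not lock you out of the device.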

Want to know more? Read the full guide, TACACS+ Feature Overview and Configuration Guide, in the Allied Telesis online Resource Library.
Make sure your AlliedWare Plus network devices are running release 5.4.6-2.x or newer, as command authorization is not available on earlier releases.
This is another reason for keeping your entire network covered with our Net.Cover maintenance plans. In case of doubt please contact us for a free check of the maintenance status of your network. Go to http://www.alliedtelesis.com/contact for the closest office.