74 BSGX4e Business Gateway User Guide
NN47928-102 Release 01.01
TACACS+ Activity Logs
TACACS+ client activity is reported in the system log. Log entries indicate whether
authentication attempts are successful or not.
To see the system log entries, enter the following command:
> show logging internal
The following display shows log entries for a failed TACACS+ authentication:
(I)22:16:24: User root is attempting to logon at THU FEB 08 22:16:24 2007
(I)22:16:24: Verify TACACS+ user root at THU FEB 08 22:16:24 2007
(I)22:16:24: User root cannot be found
(C)22:16:24: Cannot authenticate Tacacs+ user: root
(W)22:16:24: root INVALID LOGON at THU FEB 08 22:16:24 2007
TACACS+ Authentication
To provide additional security for user logins to the BSGX4e device, you can require
external authentication of user logins. When a login is externally authenticated, a
client in the device sends the login information to an external server for
authentication.
NOTE: When external authentication is used for a user account, the external
server defines the password required for logon using the account. The
password command can change the internal password stored for the
account, but this password is not used for authentication and so the
effective password is not changed.
One external authentication method uses the TACACS+ protocol to provide
authentication services. Normal operation fully encrypts the body of the packet for
secure communication. It uses TCP port 49.
The TACACS+ client in the BSGX4e device:
Is compatible with standard TACACS+ servers.
Maps TACACS+ authentication records to users by their user account name.
Can reference up to twenty TACACS+ authentication records.
Provides ASCII login authentication, enabling the BSGX4e to function as a Network
Access Server (NAS).
Configuration Requirements
For a user account to use TACACS+ authentication, the following requirements must
be met:
1. The authentication (auth) value for the user account must be TACACS+. (User
account configuration is described on page 61.)
2. The TACACS+ client must have an authentication record for the user account.
