Cisco Systems OL-5650-02 Switch User Manual


 
Cisco Content Services Switch Security Configuration Guide
OL-5650-02
Chapter 4 Configuring the CSS as a Client of a TACACS+ Server
Setting TACACS+ Authorization
TACACS+ authorization allows the TACACS+ server to control the specific CSS
commands that a user can execute. CSS authorization divides the command set
into two categories:

• Configuration commands, which change the CSS running configuration (for
  example, all commands in global configuration mode). For a complete list of
  global configuration mode commands, refer to the Cisco Content Services
  Switch Command Reference.

• Nonconfiguration commands, which do not change the running configuration.
  These commands include, but are not limited to, mode transition, show, and
  administrative commands (for example, cls (clear screen), endbranch, help,
  ping, show, terminal, traceroute, and so on). For a complete list of
  nonconfiguration commands, refer to the Cisco Content Services Switch
  Command Reference.

Note: When you configure TACACS+ on a CSS, the CSS does not authorize scripts
through the TACACS+ server. Because the CSS transforms all XML commands
into scripts, the CSS also does not authorize XML commands through the
TACACS+ server.

By default, authorization is disabled. When authorization is enabled, the
TACACS+ server is responsible for granting or denying permission for all
attempts to issue commands.
When you enable authorization, the exchange between the TACACS+ server and
the CSS causes a delay in executing the command. Failure of the TACACS+ server
results in the failure of all authorization requests and the suspension of user
activity unless another server is reachable. To enable users to execute commands
in this case, configure a failover authentication method to a local user database.
Users must log back in to the CSS.
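
The settings described above, as an added example that is not part of the original guide page. It assumes the CSS global configuration commands `tacacs-server authorize` and `virtual authentication`, and a CSS on which at least one TACACS+ server is already defined.

```text
! Constructed example: run from global configuration mode.

! Send configuration commands (those that change the running
! configuration) to the TACACS+ server for authorization.
(config)# tacacs-server authorize config

! Also send nonconfiguration commands (show, ping, traceroute,
! mode transitions, and so on). Every authorized command now waits
! on an exchange with the TACACS+ server.
(config)# tacacs-server authorize non-config

! Failover: authenticate remote (virtual) logins against TACACS+
! first, then against the local user database when no TACACS+
! server is reachable, so users can log back in and run commands.
(config)# virtual authentication primary tacacs
(config)# virtual authentication secondary local
```

Scripts and XML commands are not authorized through the TACACS+ server, so these settings do not restrict them.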