BigIron RX Series Configuration Guide 8553-1001986-01 Configuring TACACS and TACACS+ security 4

TACACS and TACACS+ authentication, authorization, and accounting

When you configure a device to use a TACACS and TACACS+ server for authentication, the device prompts users who are trying to access the CLI for a user name and password, then verifies the password with the TACACS and TACACS+ server.

If you are using TACACS+, Brocade recommends that you also configure authorization, in which the device consults a TACACS+ server to determine which management privilege level (and which associated set of commands) an authenticated user is allowed to use. You can also optionally configure accounting, which causes the device to log information on the TACACS+ server when specified events occur on the device.

NOTE: By default, a user logging into the device through Telnet or SSH would first enter the User EXEC level. The user can enter the enable command to get to the Privileged EXEC level.

A user that is successfully authenticated can be automatically placed at the Privileged EXEC level after login. Refer to “Entering privileged EXEC mode after a Telnet or SSH login” on page 93.

TACACS authentication

NOTE: Also, multiple challenges are supported for TACACS+ login authentication.

When TACACS authentication takes place, the following events occur.

1. A user attempts to gain access to the device by doing one of the following:
   • Logging into the device using Telnet, SSH, or the Web management interface
   • Entering the Privileged EXEC level or CONFIG level of the CLI
2. The user is prompted for a username and password.
3. The user enters a username and password.
4. The device sends a request containing the username and password to the TACACS server.
5. The username and password are validated in the TACACS server’s database.
6. If the password is valid, the user is authenticated.

TACACS+ authentication

When TACACS+ authentication takes place, the following events occur.

1. A user attempts to gain access to the device by doing one of the following:
   • Logging into the device using Telnet, SSH, or the Web management interface
   • Entering the Privileged EXEC level or CONFIG level of the CLI
2. The user is prompted for a username.
3. The user enters a username.
4. The device obtains a password prompt from a TACACS+ server.
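
Steps 3 and 4 of the TACACS+ sequence above (the device sends only the username, then obtains a password prompt from the server), shown as an added example that is not from the Brocade guide. It follows the TACACS+ packet layout in RFC 8907; the function names are hypothetical, and the shared key, session ID, username, port and address used with it are constructed values.

```python
import hashlib
import struct

# Constants from RFC 8907 (TACACS+); they do not appear in the Brocade guide.
VERSION = 0xC0                       # major version 0xc, minor version 0
TYPE_AUTHEN = 0x01
ACTION_LOGIN, PRIV_USER, TYPE_ASCII, SVC_LOGIN = 0x01, 0x01, 0x01, 0x01
STATUS = {0x01: "PASS", 0x02: "FAIL", 0x04: "GETUSER", 0x05: "GETPASS"}
REPLY_FLAG_NOECHO = 0x01


def pad_xor(body, session_id, key, seq_no):
    """XOR with the RFC 8907 MD5 pseudo-pad; one call obfuscates or recovers."""
    seed = struct.pack("!I", session_id) + key + bytes([VERSION, seq_no])
    pad, block = b"", b""
    while len(pad) < len(body):
        block = hashlib.md5(seed + block).digest()   # MD5_n chains in MD5_(n-1)
        pad += block
    return bytes(b ^ p for b, p in zip(body, pad))


def packet(seq_no, session_id, key, body):
    """12-byte header (version, type, seq_no, flags, session_id, length) + body."""
    header = struct.pack("!BBBBII", VERSION, TYPE_AUTHEN, seq_no, 0,
                         session_id, len(body))
    return header + pad_xor(body, session_id, key, seq_no)


def build_start(session_id, key, user, port, rem_addr):
    """Device -> server: the START carries the username only, no password."""
    body = struct.pack("!8B", ACTION_LOGIN, PRIV_USER, TYPE_ASCII, SVC_LOGIN,
                       len(user), len(port), len(rem_addr), 0)
    return packet(1, session_id, key, body + user + port + rem_addr)


def build_reply(session_id, key, status, flags, server_msg):
    """Server -> device REPLY; built here only to stand in for a real server."""
    body = struct.pack("!BBHH", status, flags, len(server_msg), 0) + server_msg
    return packet(2, session_id, key, body)


def parse_reply(raw, key):
    """Device side: recover status, no-echo flag and prompt text from a REPLY."""
    _ver, _typ, seq_no, _flg, session_id, length = struct.unpack("!BBBBII", raw[:12])
    if length != len(raw) - 12:
        raise ValueError("header length field does not match body size")
    body = pad_xor(raw[12:], session_id, key, seq_no)
    status, flags, msg_len, _data_len = struct.unpack("!BBHH", body[:6])
    prompt = body[6:6 + msg_len].decode(errors="replace")
    return STATUS.get(status, hex(status)), bool(flags & REPLY_FLAG_NOECHO), prompt
```

A GETPASS reply with the no-echo flag set is what tells the device to display the server's prompt and hide the typed password.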