Help us improve your experience.

Let us know what you think.

Do you have time for a two-minute survey?

 
ON THIS PAGE
 

tacplus-options

Syntax

Hierarchy Level

Description

Configure TACACS+ options for authentication and accounting.

Options

authorization-time-interval minutes

Configure the time interval at which the authorization profile that is configured on the TACACS+ server is fetched by the Junos OS device during a TACACS+ authentication session. The TACACS+ server sends the authorization profile once by default after the user is successfully authenticated, and the authorization profile is stored locally on the Junos OS device. The authorization-time-interval option enables the Junos OS device to periodically check the authorization profile configured remotely on the TACACS+ server at the configured time interval.

If there is a change in the remote authorization profile, the device fetches the authorization profile from the TACACS+ server and the authorization profile configured locally under the [edit system login class class-name] hierarchy. The device refreshes the authorization profile stored locally by combining the remote and locally-configured authorization profiles. This ensures that any changes made to the authorization profile configuration on the TACACS+ server are reflected on the Junos OS device without the user having to restart the authentication process.

To enable the periodic refresh of the authorization profile, you must set the authorization time interval at which the Junos OS device fetches the authorization profile configuration from the TACACS+ server and refreshes the authorization profile stored locally. The time interval can be configured directly on the TACACS+ server or locally on the Junos OS device using the CLI. Use the following guidelines to determine which time interval configuration takes precedence:

  • If there is no time interval configured on the TACACS+ server for periodic refresh, the Junos OS device does not receive the time interval value in the authorization response. In this case, the value configured locally on the Junos OS device will take effect.

  • If the time interval is configured on the TACACS+ server and there is no authorization time interval configured locally on the Junos OS device, the value configured on the TACACS+ server will take effect.

  • If the periodic refresh time interval is configured on the TACACS+ server and also locally on the Junos OS device, the value configured on the TACACS+ server will take precedence.

  • If there is no periodic refresh time interval configured on the TACACS+ server and there is no authorization time interval configured on the Junos OS device, there will be no periodic refresh.

  • If the periodic refresh time interval configured on the TACACS+ server is out of range or invalid, the authorization time interval value configured locally will take effect.

  • If the periodic refresh time interval configured on the TACACS+ server is out of range or invalid and there is no authorization time interval configured locally, there will be no periodic refresh.

After the periodic authorization time interval is set, if the user changes the interval before the authorization request is sent from the Junos OS device, the updated interval takes effect after the next immediate periodic refresh.

  • Default: If the authorization time interval is not configured, the authorization profile is not refreshed during a TACACS+ authentication session.

  • Range: 15 through 1440 minutes
enhanced-accounting

Configure the audit of TACACS+ authentication events, such as access method, remote port, and access privileges.
exclude-cmd-attribute

Exclude the cmd attribute value completely from start and stop accounting records to enable logging of accounting records in the correct log file on a TACACS+ server.
no-cmd-attribute-value

Set the cmd attribute value to an empty string in the TACACS+ accounting start and stop requests to enable logging of accounting records in the correct log file on a TACACS+ server.
no-strict-authorization

Don't deny login if the authorization request fails. When a user is logging in, Junos OS issues two TACACS+ requests—first the authentication request followed by the authorization request.

  • Default: By default, when the authorization request is rejected by the TACACS+ server, Junos OS ignores this and allows full access to the user. Specifying no-strict-authorization restores this default behavior.
service-name service-name

Name of the authentication service used when you configure multiple TACACS+ servers to use the same authentication service.

  • Default: junos-exec
strict-authorization

Deny login if the authorization request fails. When a user is logging in, Junos OS issues two TACACS+ requests—first the authentication request followed by the authorization request. When the strict-authorization option is specified, Junos OS denies access to the user even when the TACACS+ authorization request fails.

  • Default: By default, when the authorization request is rejected by the TACACS+ server, Junos OS ignores this and allows full access to the user.
timestamp-and-timezone

Include this statement if you want start time, stop time, and time zone attributes included in the start and stop accounting records.

Required Privilege Level

admin—To view this statement in the configuration.

admin-control—To add this statement to the configuration.

Release Information

Statement introduced before Junos OS Release 7.4.

no-cmd-attribute-value and exclude-cmd-attribute options introduced in Junos OS Release 9.3.

timestamp-and-timezone option introduced in Junos OS Release 12.2.

strict-authorization and no-strict-authorization options introduced in Junos OS Release 13.3 for EX Series, M Series, MX Series, PTX Series, and T Series. Support for these options was added to Junos OS Evolved starting in Release 21.1.

enhanced-accounting option introduced in Junos OS Release 14.1.

authorization-time-interval option introduced in Junos OS Release 17.4.

Related Documentation