Log In and Out with TACACS+

After the PacketShaper and the TACACS+ server are configured to work together, users can log in to PacketShaper using their TACACS+ credentials.

Caution: In PacketShaper versions prior to 11.10.3, CLI login using TACACS+ credentials was not active until the user first logged in through the browser interface. In other words, TACACS+ users had to log in once through the browser before they could have CLI access. This additional step is no longer required in PS 11.10.3 and higher.

Even when TACACS+ is enabled, users can still log in with their local credentials (user name of look or touch). This allows the user to log in without authenticating through the TACACS+ server. This is especially useful when the TACACS+ server is down or if PacketShaper is unable to connect to the TACACS+ server. However, the local login technique does not record user names for auditing purposes.

Logging In with TACACS+

After TACACS+ authentication and/or accounting is enabled, the user will be prompted for a user name and password when logging into the PacketShaper browser or command-line interface. The user name can be up to 63 ASCII characters and may include a realm. PacketShaper consults the configured TACACS+ server to determine whether the user has access to the unit and verifies that the password is correct. PacketShaper first tries the primary server, and if it doesn't respond within the specified timeout interval or if the connection is refused or reset, it attempts to connect to the secondary server (if configured).

Note: Starting in PS 11.10.3, if the TACACS+ primary server has an authentication failure, PacketShaper attempts to log onto a configured secondary server; in earlier versions, PacketShaper attempted to log onto the secondary server only when the primary server had a connection failure and failed to respond.
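
The failover rule above, modeled as an added example (not PacketShaper code) that lists the accounts whose access is decided by the secondary server when the two servers' account data differ. The outcome labels, function names, dotted version strings and sample accounts are assumptions made for the illustration.

```python
"""Model of the primary/secondary TACACS+ failover rule described above.
Added illustration: outcome labels, function names and the sample accounts
are assumptions, not PacketShaper code or configuration."""

# Result of contacting one TACACS+ server (labels are assumed).
PASS, FAIL = "pass", "fail"                      # server answered
TIMEOUT, REFUSED, RESET = "timeout", "refused", "reset"
CONNECTION_FAILURES = {TIMEOUT, REFUSED, RESET}


def falls_back_on_auth_failure(version):
    """True for PS 11.10.3 and higher (dotted numeric version assumed)."""
    return tuple(int(p) for p in version.split(".")) >= (11, 10, 3)


def login_result(version, primary, secondary=None):
    """Return (granted, deciding_server); secondary=None means not configured."""
    if primary == PASS:
        return True, "primary"
    retry = primary in CONNECTION_FAILURES or (
        primary == FAIL and falls_back_on_auth_failure(version))
    if retry and secondary is not None:
        return secondary == PASS, "secondary"
    return False, "primary"


def accounts_decided_by_secondary(version, primary_db, secondary_db):
    """Users the primary rejects but who are admitted via the secondary.

    Each db maps user name -> True if that server would authenticate it.
    """
    flagged = []
    for user in sorted(set(primary_db) | set(secondary_db)):
        p = PASS if primary_db.get(user) else FAIL
        s = PASS if secondary_db.get(user) else FAIL
        granted, server = login_result(version, p, s)
        if granted and server == "secondary":
            flagged.append(user)
    return flagged


# Constructed sample data: "bob" is disabled on the primary only and
# "carol" exists on the secondary only.
PRIMARY = {"alice": True, "bob": False}
SECONDARY = {"alice": True, "bob": True, "carol": True}

if __name__ == "__main__":
    for v in ("11.10.2", "11.10.3"):
        print(v, accounts_decided_by_secondary(v, PRIMARY, SECONDARY))
```

Any account the function returns for 11.10.3 is one to reconcile between the two servers, since a disable or password change applied only on the primary does not block that login.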

Any failed login attempts will be sent to a Syslog server, if one has been defined. See Set Up Syslog.

Logging Out

For audit trail and security purposes, users should explicitly log out of PacketShaper:

  • To log out of the browser interface, click the LOG OUT link in the banner.
  • To log out of the command-line interface, type exit.

Logging out discards session content and generates a TACACS+ accounting TAC_PLUS_ACCT_FLAG_STOP message for the user. If a user doesn't explicitly log out, PacketShaper will automatically time out after one hour of inactivity (although the time may be learned per-session from the TACACS+ server). When a PacketShaper browser session times out, a "timed out" or "unknown session" message appears the next time the user attempts to use PacketShaper. When a remote login (such as Telnet) session times out, PacketShaper sends a "timed out" message and disconnects. Note that asynchronous sessions do not time out.

Note: When the Sky user interface has been loaded, the real-time graphs are constantly polling the PacketShaper so the session does not time out.
