|
|
Terminal Access Controller Access Control System Plus (TACACS+) attribute-value (AV) pairs are used to define specific authentication, authorization, and accounting elements in a user profile, which is stored on the TACACS+ daemon. This appendix lists the TACACS+ AV pairs currently supported.
This appendix is divided into two sections:
The first section lists and describes the supported TACACS+ authentication and authorization AV pairs, and it specifies the Cisco IOS release in which they are implemented. The second section lists and describes the supported TACACS+ accounting AV pairs, and it specifies the Cisco IOS release in which they are implemented.
Table 37 lists and describes the supported TACACS+ authentication and authorization AV pairs, and it specifies the Cisco IOS release in which they are implemented.
| Attribute | Description | 11.0 | 11.1 | 11.2 | 11.3 | 12.0 | 12.1 | |||
|---|---|---|---|---|---|---|---|---|---|---|
acl=x | ASCII number representing a connection access list. Used only when service=shell. |
| yes | yes | yes | yes | yes | yes | ||
addr=x | A network address. Used with service=slip, service=ppp, and protocol=ip. Contains the IP address that the remote host should use when connecting via SLIP or PPP/IP. For example, addr=10.2.3.4. |
| yes | yes | yes | yes | yes | yes | ||
addr-pool=x | Specifies the name of a local pool from which to get the address of the remote host. Used with service=ppp and protocol=ip. Note that addr-pool works in conjunction with local pooling. It specifies the name of a local pool (which must be preconfigured on the network access server). Use the ip-local pool command to declare local pools. For example: You can then use TACACS+ to return addr-pool=boo or addr-pool=moo to indicate the address pool from which you want to get this remote node's address. |
| yes | yes | yes | yes | yes | yes | ||
autocmd=x | Specifies an autocommand to be executed at EXEC startup (for example, autocmd=telnet example.com). Used only with service=shell. |
| yes | yes | yes | yes | yes | yes | ||
callback- | Sets the telephone number for a callback (for example: callback-dialstring= |
| no | yes | yes | yes | yes | yes | ||
callback-line | The number of a TTY line to use for callback (for example: callback-line=4). Used with service=arap, service=slip, service=ppp, service=shell. Not valid for ISDN. |
| no | yes | yes | yes | yes | yes | ||
callback-rotary | The number of a rotary group (between 0 and 100 inclusive) to use for callback (for example: callback-rotary=34). Used with service=arap, service=slip, service=ppp, service=shell. Not valid for ISDN. |
| no | yes | yes | yes | yes | yes | ||
cmd-arg=x | An argument to a shell (EXEC) command. This indicates an argument for the shell command that is to be run. Multiple cmd-arg attributes can be specified, and they are order dependent.
|
| yes | yes | yes | yes | yes | yes | ||
cmd=x | A shell (EXEC) command. This indicates the command name for a shell command that is to be run. This attribute must be specified if service equals "shell." A NULL value indicates that the shell itself is being referred to.
|
| yes | yes | yes | yes | yes | yes | ||
data-service | No description available. |
| no | no | no | no | no | yes | ||
dial-number | Defines the number to dial. |
| no | no | no | no | no | yes | ||
dns-servers= | Identifies a DNS server (primary or secondary) that can be requested by Microsoft PPP clients from the network access server during IPCP negotiation. To be used with service=ppp and protocol=ip. The IP address identifying each DNS server is entered in dotted decimal format. |
| no | no | no | yes | yes | yes | ||
force-56 | Determines whether the network access server uses only the 56 K portion of a channel, even when all 64 K appear to be available. |
| no | no | no | no | no | yes | ||
gw-password | Specifies the password for the home gateway during the L2F tunnel authentication. Used with service=ppp and protocol=vpdn. |
| no | no | yes | yes | yes | yes | ||
idletime=x | Sets a value, in minutes, after which an idle session is terminated. Does not work for PPP. A value of zero indicates no timeout. |
| no | yes | yes | yes | yes | yes | ||
inacl#<n> | ASCII access list identifier for an input access list to be installed and applied to an interface for the duration of the current connection. Used with service=ppp and protocol=ip, and service service=ppp and protocol =ipx. Per-user access lists do not currently work with ISDN interfaces. |
| no | no | no | yes | yes | yes | ||
inacl=x | ASCII identifier for an interface input access list. Used with service=ppp and protocol=ip. Per-user access lists do not currently work with ISDN interfaces. |
| yes | yes | yes | yes | yes | yes | ||
interface-config= | Specifies user-specific AAA interface configuration information with Virtual Profiles. The information that follows the equal sign (=) can be any Cisco IOS interface configuration command. |
| no | no | no | yes | yes | yes | ||
ip-addresses | Space-separated list of possible IP addresses that can be used for the end-point of a tunnel. Used with service=ppp and protocol=vpdn. |
| no | no | yes | yes | yes | yes | ||
l2tp-busy- | If a vpdn-group on an LNS uses a virtual-template that is configured to be pre-cloned, this attribute will control the disposition of a new L2TP session that finds no pre-cloned interface to which to connect. If the attribute is true (the default), the session will be disconnected by the LNS. Otherwise, a new interface will be cloned from the virtual-template. |
| no | no | no | no | no | yes | ||
l2tp-cm-local- | Specifies the maximum receive window size for L2TP control messages. This value is advertised to the peer during tunnel establishment. |
| no | no | no | no | no | yes | ||
l2tp-drop-out-of- | Respects sequence numbers on data packets by dropping those that are received out of order. This does not ensure that sequence numbers will be sent on data packets, just how to handle them if they are received. |
| no | no | no | no | no | yes | ||
l2tp-hello- | Specifies the number of seconds for the hello keepalive interval. Hello packets are sent when no data has been sent on a tunnel for the number of seconds configured here. |
| no | no | no | no | no | yes | ||
l2tp-hidden-avp | When enabled, sensitive AVPs in L2TP control messages are scrambled or hidden. |
| no | no | no | no | no | yes | ||
l2tp-nosession- | Specifies the number of seconds that a tunnel will stay active with no sessions before timing out and shutting down. |
| no | no | no | no | no | yes | ||
l2tp-tos-reflect | Copies the IP ToS field from the IP header of each payload packet to the IP header of the tunnel packet for packets entering the tunnel at the LNS. |
| no | no | no | no | no | yes | ||
l2tp-tunnel- | If this attribute is set, it performs L2TP tunnel authentication. |
| no | no | no | no | no | yes | ||
l2tp-tunnel- | Shared secret used for L2TP tunnel authentication and AVP hiding. |
| no | no | no | no | no | yes | ||
l2tp-udp- | This is an authorization attribute and defines whether L2TP should perform UDP checksums for data packets. Valid values are "yes" and "no." The default is no. |
| no | no | no | no | no | yes | ||
link- | Defines whether to turn on or turn off "stac" compression over a PPP link. Link compression is defined as a numeric value as follows:
|
| no | no | no | yes | yes | yes | ||
load-threshold= | Sets the load threshold for the caller at which additional links are either added to or deleted from the multilink bundle. If the load goes above the specified value, additional links are added. If the load goes below the specified value, links are deleted. Used with service=ppp and protocol=multilink. The range for <n> is from 1 to 255. |
| no | no | no | yes | yes | yes | ||
map-class | Allows the user profile to reference information configured in a map class of the same name on the network access server that dials out. |
| no | no | no | no | no | yes | ||
max-links=<n> | Restricts the number of links that a user can have in a multilink bundle. Used with service=ppp and protocol=multilink. The range for <n> is from 1 to 255. |
| no | no | no | yes | yes | yes | ||
min-links | Sets the minimum number of links for MLP. |
| no | no | no | no | no | yes | ||
nas-password | Specifies the password for the network access server during the L2F tunnel authentication. Used with service=ppp and protocol=vpdn. |
| no | no | yes | yes | yes | yes | ||
nocallback-verify | Indicates that no callback verification is required. The only valid value for this parameter is 1 (for example, nocallback-verify=1). Used with service=arap, service=slip, service=ppp, service=shell. There is no authentication on callback. Not valid for ISDN. |
| no | yes | yes | yes | yes | yes | ||
noescape=x | Prevents user from using an escape character. Used with service=shell. Can be either true or false (for example, noescape=true). |
| yes | yes | yes | yes | yes | yes | ||
nohangup=x | Used with service=shell. Specifies the nohangup option, which means that after an EXEC shell is terminated, the user is presented with another login (username) prompt. Can be either true or false (for example, nohangup=false). |
| yes | yes | yes | yes | yes | yes | ||
old-prompts | Allows providers to make the prompts in TACACS+ appear identical to those of earlier systems (TACACS and Extended TACACS). This allows administrators to upgrade from TACACS or Extended TACACS to TACACS+ transparently to users. |
| yes | yes | yes | yes | yes | yes | ||
outacl#<n> | ASCII access list identifier for an interface output access list to be installed and applied to an interface for the duration of the current condition. Used with service=ppp and protocol=ip, and service service=ppp and protocol=ipx. Per-user access lists do not currently work with ISDN interfaces. |
| no | no | no | yes | yes | yes | ||
outacl=x | ASCII identifier for an interface output access list. Used with service=ppp and protocol=ip, and service service=ppp and protocol=ipx. Contains an IP output access list for SLIP or PPP/IP (for example, outacl=4). The access list itself must be preconfigured on the router. Per-user access lists do not currently work with ISDN interfaces. |
| yes | yes | yes | yes | yes | yes | ||
pool-def#<n> | Defines IP address pools on the network access server. Used with service=ppp and protocol=ip. |
| no | no | no | yes | yes | yes | ||
pool-timeout= | Defines (in conjunction with pool-def) IP address pools on the network access server. During IPCP address negotiation, if an IP pool name is specified for a user (see the addr-pool attribute), a check is made to see if the named pool is defined on the network access server. If it is, the pool is consulted for an IP address. |
| no | no | yes | yes | yes | yes | ||
port-type | Indicates the type of physical port the network access server is using to authenticate the user. Physical ports are indicated by a numeric value as follows:
|
| no | no | no | no | no | yes | ||
ppp-vj-slot- | Instructs the Cisco router not to use slot compression when sending VJ-compressed packets over a PPP link. |
| no | no | no | yes | yes | yes | ||
priv-lvl=x | Privilege level to be assigned for the EXEC. Used with service=shell. Privilege levels range from 0 to 15, with 15 being the highest. |
| yes | yes | yes | yes | yes | yes | ||
protocol=x | A protocol that is a subset of a service. An example would be any PPP NCP. Currently known values are lcp, ip, ipx, atalk, vines, lat, xremote, tn3270, telnet, rlogin, pad, vpdn, osicp, deccp, ccp, cdp, bridging, xns, nbf, bap, multilink, and unknown. |
| yes | yes | yes | yes | yes | yes | ||
proxyacl#<n> | Allows users to configure the downloadable user profiles (dynamic ACLs) by using the authentication proxy feature so that users can have the configured authorization to permit traffic going through the configured interfaces. |
| no | no | no | no | no | yes | ||
route | Specifies a route to be applied to an interface. Used with service=slip, service=ppp, and protocol=ip. During network authorization, the route attribute can be used to specify a per-user static route, to be installed by TACACS+ as follows: This indicates a temporary static route that is to be applied. The dst_address, mask, and gateway are expected to be in the usual dotted-decimal notation, with the same meanings as in the familiar ip route configuration command on a network access server. If gateway is omitted, the peer's address is the gateway. The route is expunged when the connection terminates. |
| no | yes | yes | yes | yes | yes | ||
route#<n> | Like the route AV pair, this specifies a route to be applied to an interface, but these routes are numbered, allowing multiple routes to be applied. Used with service=ppp and protocol=ip, and service=ppp and protocol=ipx. |
| no | no | no | yes | yes | yes | ||
routing=x | Specifies whether routing information is to be propagated to and accepted from this interface. Used with service=slip, service=ppp, and protocol=ip. Equivalent in function to the /routing flag in SLIP and PPP commands. Can either be true or false (for example, routing=true). |
| yes | yes | yes | yes | yes | yes | ||
rte-fltr-in#<n> | Specifies an input access list definition to be installed and applied to routing updates on the current interface for the duration of the current connection. Used with service=ppp and protocol=ip, and with service=ppp and protocol=ipx. |
| no | no | no | yes | yes | yes | ||
rte-fltr-out#<n> | Specifies an output access list definition to be installed and applied to routing updates on the current interface for the duration of the current connection. Used with service=ppp and protocol=ip, and with service=ppp and protocol=ipx. |
| no | no | no | yes | yes | yes | ||
sap#<n> | Specifies static Service Advertising Protocol (SAP) entries to be installed for the duration of a connection. Used with service=ppp and protocol=ipx. |
| no | no | no | yes | yes | yes | ||
sap-fltr-in#<n> | Specifies an input SAP filter access list definition to be installed and applied on the current interface for the duration of the current connection. Used with service=ppp and protocol=ipx. |
| no | no | no | yes | yes | yes | ||
sap-fltr-out#<n> | Specifies an output SAP filter access list definition to be installed and applied on the current interface for the duration of the current connection. Used with service=ppp and protocol=ipx. |
| no | no | no | yes | yes | yes | ||
send-auth | Defines the protocol to use (PAP or CHAP) for username-password authentication following CLID authentication. |
| no | no | no | no | no | yes | ||
send-secret | Specifies the password that the NAS needs to respond to a chap/pap request from the remote end of a connection on an outgoing call. |
| no | no | no | no | no | yes | ||
service=x | The primary service. Specifying a service attribute indicates that this is a request for authorization or accounting of that service. Current values are slip, ppp, arap, shell, tty-daemon, connection, and system. This attribute must always be included. |
| yes | yes | yes | yes | yes | yes | ||
source-ip=x | Used as the source IP address of all VPDN packets generated as part of a VPDN tunnel. This is equivalent to the Cisco vpdn outgoing global configuration command. |
| no | no | yes | yes | yes | yes | ||
spi | Carries the authentication information needed by the home agent to authenticate a mobile node during registration. The information is in the same syntax as the ip mobile secure host <addr> configuration command. Basically it contains the rest of the configuration command that follows that string, verbatim. It provides the Security Parameter Index (SPI), key, authentication algorithm, authentication mode, and replay protection timestamp range. |
| no | no | no | no | no | yes | ||
timeout=x | The number of minutes before an EXEC or ARA session disconnects (for example, timeout=60). A value of zero indicates no timeout. Used with service=arap. |
| yes | yes | yes | yes | yes | yes | ||
tunnel-id | Specifies the username that will be used to authenticate the tunnel over which the individual user MID will be projected. This is analogous to the remote name in the vpdn outgoing command. Used with service=ppp and protocol=vpdn. |
| no | no | yes | yes | yes | yes | ||
wins-servers= | Identifies a Windows NT server that can be requested by Microsoft PPP clients from the network access server during IPCP negotiation. To be used with service=ppp and protocol=ip. The IP address identifying each Windows NT server is entered in dotted decimal format. |
| no | no | no | yes | yes | yes | ||
zonelist=x | A numeric zonelist value. Used with service=arap. Specifies an AppleTalk zonelist for ARA (for example, zonelist=5). |
| yes | yes | yes | yes | yes | yes |
Table 38 lists and describes the supported TACACS+ accounting AV pairs, and it specifies the Cisco IOS release in which they are implemented.
| Attribute | Description | 11.0 | 11.1 | 11.2 | 11.3 | 12.0 | 12.1 | |
|---|---|---|---|---|---|---|---|---|
Abort-Cause | If the fax session aborts, indicates the system component that signaled the abort. Examples of system components that could trigger an abort are FAP (Fax Application Process), TIFF (the TIFF reader or the TIFF writer), fax-mail client, fax-mail server, ESMTP client, or ESMTP server. |
| no | no | no | no | no | yes |
bytes_in | The number of input bytes transferred during this connection. |
| yes | yes | yes | yes | yes | yes |
bytes_out | The number of output bytes transferred during this connection. |
| yes | yes | yes | yes | yes | yes |
Call-Type | Describes the type of fax activity: fax receive or fax send. |
| no | no | no | no | no | yes |
cmd | The command the user executed. |
| yes | yes | yes | yes | yes | yes |
data-rate | This AV pair has been renamed. See nas-rx-speed. | |||||||
disc-cause | Specifies the reason a connection was taken off-line. The Disconnect-Cause attribute is sent in accounting-stop records. This attribute also causes stop records to be generated without first generating start records if disconnection occurs before authentication is performed. Refer to Table 39 for a list of Disconnect-Cause values and their meanings. |
| no | no | no | yes | yes | yes |
disc-cause-ext | Extends the disc-cause attribute to support vendor-specific reasons why a connection was taken off-line. |
| no | no | no | yes | yes | yes |
elapsed_time | The elapsed time in seconds for the action. Useful when the device does not keep real time. |
| yes | yes | yes | yes | yes | yes |
Email-Server- | Indicates the IP address of the e-mail server handling the on-ramp fax-mail message. |
| no | no | no | no | no | yes |
Email-Server-Ack- | Indicates that the on-ramp gateway has received a positive acknowledgment from the e-mail server accepting the fax-mail message. |
| no | no | no | no | no | yes |
event | Information included in the accounting packet that describes a state change in the router. Events described are accounting starting and accounting stopping. |
| yes | yes | yes | yes | yes | yes |
Fax-Account-Id- | Indicates the account ID origin as defined by system administrator for the mmoip aaa receive-id or the mmoip aaa send-id command. |
| no | no | no | no | no | yes |
Fax-Auth-Status | Indicates whether or not authentication for this fax session was successful. Possible values for this field are success, failed, bypassed, or unknown. |
| no | no | no | no | no | yes |
Fax-Connect-Speed | Indicates the modem speed at which this fax-mail was initially transmitted or received. Possible values are 1200, 4800, 9600, and 14400. |
| no | no | no | no | no | yes |
Fax-Coverpage-Flag | Indicates whether or not a cover page was generated by the off-ramp gateway for this fax session. True indicates that a cover page was generated; false means that a cover page was not generated. |
| no | no | no | no | no | yes |
Fax-Dsn-Address | Indicates the address to which DSNs will be sent. |
| no | no | no | no | no | yes |
Fax-Dsn-Flag | Indicates whether or not DSN has been enabled. True indicates that DSN has been enabled; false means that DSN has not been enabled. |
| no | no | no | no | no | yes |
Fax-Mdn-Address | Indicates the address to which MDNs will be sent. |
| no | no | no | no | no | yes |
Fax-Mdn-Flag | Indicates whether or not message delivery notification (MDN) has been enabled. True indicates that MDN had been enabled; false means that MDN had not been enabled. |
| no | no | no | no | no | yes |
Fax-Modem-Time | Indicates the amount of time in seconds the modem sent fax data (x) and the amount of time in seconds of the total fax session (y), which includes both fax-mail and PSTN time, in the form x/y. For example, 10/15 means that the transfer time took 10 seconds, and the total fax session took 15 seconds. |
| no | no | no | no | no | yes |
Fax-Msg-Id= | Indicates a unique fax message identification number assigned by Store and Forward Fax. |
| no | no | no | no | no | yes |
Fax-Pages | Indicates the number of pages transmitted or received during this fax session. This page count includes cover pages. |
| no | no | no | no | no | yes |
Fax-Process-Abort- | Indicates that the fax session was aborted or successful. True means that the session was aborted; false means that the session was successful. |
| no | no | no | no | no | yes |
Fax-Recipient-Count | Indicates the number of recipients for this fax transmission. Until e-mail servers support Session mode, the number should be 1. |
| no | no | no | no | no | yes |
Gateway-Id | Indicates the name of the gateway that processed the fax session. The name appears in the following format: hostname.domain-name |
| no | no | no | no | no | yes |
mlp-links-max | Gives the count of links which are known to have been in a given multilink session at the time the accounting record is generated. |
| no | no | no | yes | yes | yes |
mlp-sess-id | Reports the identification number of the multilink bundle when the session closes. This attribute applies to sessions that are part of a multilink bundle. This attribute is sent in authentication-response packets. |
| no | no | no | yes | yes | yes |
nas-rx-speed | Specifies the average number of bits per second over the course of the connection's lifetime. This attribute is sent in accounting-stop records. |
| no | no | no | yes | yes | yes |
nas-tx-speed | Reports the transmit speed negotiated by the two modems. |
| no | no | no | yes | yes | yes |
paks_in | The number of input packets transferred during this connection. |
| yes | yes | yes | yes | yes | yes |
paks_out | The number of output packets transferred during this connection. |
| yes | yes | yes | yes | yes | yes |
port | The port the user was logged in to. |
| yes | yes | yes | yes | yes | yes |
Port-Used | Indicates the slot/port number of the Cisco AS5300 used to either transmit or receive this fax-mail. |
| no | no | no | no | no | yes |
pre-bytes-in | Records the number of input bytes before authentication. This attribute is sent in accounting-stop records. |
| no | no | no | yes | yes | yes |
pre-bytes-out | Records the number of output bytes before authentication. This attribute is sent in accounting-stop records. |
| no | no | no | yes | yes | yes |
pre-paks-in | Records the number of input packets before authentication. This attribute is sent in accounting-stop records. |
| no | no | no | yes | yes | yes |
pre-paks-out | Records the number of output packets before authentication. The Pre-Output-Packets attribute is sent in accounting-stop records. |
| no | no | no | yes | yes | yes |
pre-session-time | Specifies the length of time, in seconds, from when a call first connects to when it completes authentication. |
| no | no | no | yes | yes | yes |
priv_level | The privilege level associated with the action. |
| yes | yes | yes | yes | yes | yes |
protocol | The protocol associated with the action. |
| yes | yes | yes | yes | yes | yes |
reason | Information included in the accounting packet that describes the event that caused a system change. Events described are system reload, system shutdown, or when accounting is reconfigured (turned on or off). |
| yes | yes | yes | yes | yes | yes |
service | The service the user used. |
| yes | yes | yes | yes | yes | yes |
start_time | The time the action started (in seconds since the epoch, 12:00 a.m. Jan 1 1970). The clock must be configured to receive this information. |
| yes | yes | yes | yes | yes | yes |
stop_time | The time the action stopped (in seconds since the epoch.) The clock must be configured to receive this information. |
| yes | yes | yes | yes | yes | yes |
task_id | Start and stop records for the same event must have matching (unique) task_id numbers. |
| yes | yes | yes | yes | yes | yes |
timezone | The time zone abbreviation for all timestamps included in this packet. |
| yes | yes | yes | yes | yes | yes |
xmit-rate | This AV pair has been renamed. See nas-tx-speed. | |||||||
Table 39 lists the values and descriptions for the Disconnect Cause (disc-cause) attribute.
| Value | Description |
|---|---|
CLID-Authentication-Failure (4) | Failure to authenticate calling-party number. |
Control-C-Detected (27) | Control-C detected. This value applies to EXEC sessions. |
EXEC-Process-Destroyed (28) | EXEC process destroyed. This value applies to EXEC sessions. |
Exit-Raw-TCP (24) | Disconnect due to exiting raw TCP. This value applies to EXEC sessions. |
Exit-Telnet-Session (22) | Disconnect due to exiting Telnet session. This value applies to EXEC sessions. |
Failed-PPP-CHAP-Auth (43) | PPP CHAP authentication failed. This value applies to PPP sessions. |
Failed-PPP-LCP-Negotiation (41) | PPP LCP negotiation failed. This value applies to PPP sessions. |
Failed-PPP-PAP-Auth-Fail (42) | PPP PAP authentication failed. This value applies to PPP sessions. |
Failed-PPP-Remote-Auth (44) | PPP remote authentication failed. This value applies to PPP sessions. |
Idle-Timeout (21) | Timeout waiting for user input. This value applies to all session types. |
Invalid-Protocol (120) | Call refused because the detected protocol is disabled. This value applies to all session types. |
Lost-Carrier (11) | Loss of carrier. This value applies to modem connections. |
No-Carrier (10) | No carrier detected. This value applies to modem connections. |
No-Detected-Result-Codes (12) | Failure to detect modem result codes. This value applies to modem connections. |
No-Remote-IP-Addr (23) | Could not switch to SLIP/PPP; the remote end has no IP address. This value applies to EXEC sessions. |
Password-Fail (25) | Bad passwords. This value applies to EXEC sessions. |
PPP-Closed-Event (46) | Upper layer requested that the session be closed. This value applies to PPP sessions. |
PPP-Remote-Terminate (45) | PPP received a Terminate Request from remote end. This value applies to PPP sessions. |
Raw-TCP-Disabled (26) | Raw TCP disabled. This value applies to EXEC sessions. |
Session-End-Callback (102) | Session terminated due to callback. This value applies to session types. |
Session-Failed-Security (101) | Session failed for security reasons. This value applies to session types. |
Session-Timeout (100) | Session timed out. This value applies to all session types. |
Timeout-PPP-LCP (40) | PPP LCP negotiation timed out. This value applies to PPP sessions. |
Unknown (2) | Reason unknown. |
User-Ends-Session (20) | User terminates a session. This value applies to EXEC sessions. |
For more information about configuring TACACS+, refer to the "Configuring TACACS+" chapter. For more information about configuring TACACS+ accounting, refer to the "Configuring Accounting" chapter.
Posted: Tue Jul 18 13:20:51 PDT 2000
Copyright 1989-2000©Cisco Systems Inc.
