Accounting, Command authorization and logging – Juniper Networks EX2500 User Manual
EX2500 Ethernet Switch Configuration Guide
Securing Access to the Switch
If the remote user is successfully authenticated by the authentication server, the
switch verifies the privileges of the remote user and authorizes the appropriate
access. The administrator has the option to allow secure backdoor access via Telnet
or SSH. Secure backdoor provides switch access when the TACACS+ servers
cannot be reached. You can always access the switch via the console port by using
notacacs and the administrator password, whether or not secure backdoor is
enabled.
Accounting
Accounting is the action of recording a user's activities on the device for the
purposes of billing and/or security. It follows the authentication and authorization
actions. If the authentication and authorization are not performed via TACACS+,
no TACACS+ accounting messages are sent out. The EX2500 switch supports the
following TACACS+ accounting attributes:
protocol (console, telnet, ssh, or http)
start_time
stop_time
elapsed_time
disc_cause
Command Authorization and Logging
When TACACS+ Command Authorization is enabled, EX2500 configuration
commands are sent to the TACACS+ server for authorization. Use the following
command to enable TACACS+ Command Authorization:
ex2500(config)# tacacs-server command-authorization
When TACACS+ Command Logging is enabled, EX2500 configuration commands
are logged on the TACACS+ server. Use the following command to enable
TACACS+ Command Logging:
ex2500(config)# tacacs-server command-logging
The following examples illustrate the format of EX2500 commands sent to the
TACACS+ server:
authorization request, cmd=shell, cmd-arg=interface ip
NOTE: To obtain the TACACS+ backdoor password for your EX2500 switch,
contact technical support.
NOTE: When you are using the EX2500 Web Device Manager, the TACACS+
Accounting Stop records are sent only if the Logout button on the browser is
clicked.
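The following is an added example, not part of the Juniper manual: a short audit script that pairs accounting Start and Stop records using the attributes listed under Accounting and reports sessions that never produced a Stop, such as Web Device Manager sessions closed without Logout. The record layout, the "record" and "user" fields, the use of seconds for times, and all sample values are assumptions made for illustration.

```python
# Constructed accounting records, not real EX2500 or TACACS+ server output.
# Assumed layout: space-separated key=value pairs; "record" and "user" are
# assumed fields, times are assumed to be seconds. The rest are the
# attributes listed in the manual.
SAMPLE = """\
record=start user=alice protocol=ssh start_time=1000
record=stop user=alice protocol=ssh stop_time=1600 elapsed_time=600 disc_cause=1
record=start user=bob protocol=http start_time=2000
record=start user=carol protocol=telnet start_time=2100
record=stop user=carol protocol=telnet stop_time=2400 elapsed_time=300 disc_cause=1
record=start user=bob protocol=http start_time=5000
record=stop user=bob protocol=http stop_time=5200 elapsed_time=200 disc_cause=1
not a record
"""

def parse(line):
    """Split one record into a dict, ignoring tokens that have no '='."""
    return dict(tok.split("=", 1) for tok in line.split() if "=" in tok)

def open_sessions(text):
    """Return sorted (user, protocol, start_time) for Starts with no Stop.

    A Stop is matched to its Start by computing stop_time - elapsed_time,
    since the sample records carry no session identifier (an assumption).
    Malformed lines and Stops without a known Start are skipped.
    """
    pending = {}  # (user, protocol, start_time) -> Start record
    for line in text.splitlines():
        rec = parse(line)
        try:
            if rec["record"] == "start":
                start = int(rec["start_time"])
            elif rec["record"] == "stop":
                start = int(rec["stop_time"]) - int(rec["elapsed_time"])
            else:
                continue
            key = (rec["user"], rec["protocol"], start)
        except (KeyError, ValueError):
            continue  # missing field or non-numeric time
        if rec["record"] == "start":
            pending[key] = rec
        else:
            pending.pop(key, None)
    return sorted(pending)

if __name__ == "__main__":
    for user, proto, start in open_sessions(SAMPLE):
        note = " (web session, Logout not clicked?)" if proto == "http" else ""
        print(f"no Stop record: user={user} protocol={proto} start_time={start}{note}")
```

A missing Stop for protocol http is expected when the browser is closed without Logout; a missing Stop for console, telnet, or ssh is the case worth investigating.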