.. _example_system_aaa_authorization_tacacs:

######
Tacacs
######

.. sidebar:: Contents

    .. contents::
        :depth: 2
        :local:

****************************
Telnet Default Authorization
****************************

Description
===========

A TACACS+ server is added to a TACACS+ group, which is
added to an AAA list. This list is assigned to the login system's
authentication. In this scenario, the default authorization mapping
is used, which maps privilege level 0 to `monitor`, 5 to
`operator`, and 15 to `admin`. The device then starts a Telnet
session with itself to check that it can run only the commands that
the mapped role is authorized to run.

Scenario
========

.. include:: tacacs/telnetdefaultauthorization

********************
Telnet Privilege Map
********************

Description
===========

A TACACS+ server is added to a TACACS+ group, which is
added to an AAA list. This list is assigned to the login system's
authentication. Finally, TACACS+ privilege levels 0 and 15 are
mapped to locally defined roles. The device then starts a Telnet
session with itself to check that it can run only the commands that
the mapped role is authorized to run.

Scenario
========

.. include:: tacacs/telnetprivilegemap

*************************
SSH Default Authorization
*************************

Description
===========

A TACACS+ server is added to a TACACS+ group, which is
added to an AAA list. This list is assigned to the SSH service's
authentication. In this scenario, the default authorization mapping
is used, which maps privilege level 0 to `monitor`, 5 to
`operator`, and 15 to `admin`. The device then starts an SSH
session with itself to check that it can run only the commands that
the mapped role is authorized to run.

Scenario
========

.. include:: tacacs/sshdefaultauthorization

*****************
SSH Privilege Map
*****************

Description
===========

A TACACS+ server is added to a TACACS+ group, which is
added to an AAA list. This list is assigned to the SSH service's
authentication. Finally, TACACS+ privilege levels 0 and 15 are
mapped to locally defined roles. The device then starts an SSH
session with itself to check that it can run only the commands that
the mapped role is authorized to run.

Scenario
========

.. include:: tacacs/sshprivilegemap
