Chapter 4
Managing GSS User Accounts Through a TACACS+ Server
Specifying TACACS+ Accounting on the GSS
When the GSS operates as a TACACS+ client, a mismatch between the GSS and the
server can lock you out of every CLI command. For example, if you specify an
encryption key on the GSS with the tacacs-server host command (see the
"Identifying the TACACS+ Server Host on the GSS" section) but do not configure
the same key on the TACACS+ server, the GSS cannot complete authorization
exchanges with the server, and the restriction on all CLI commands takes effect
immediately when you enter the aaa authorization commands command.
Enter the tacacs-server host command on the GSS and configure the same
encryption key on the TACACS+ server before you enter the aaa authorization
commands command on the GSS. If the GSS then fails authorization for all CLI
commands and you cannot change the encryption key on the TACACS+ server, power
cycle the GSS. This recovery works only because the commands entered before the
power cycle were not saved to the GSS startup-configuration file: after the
reboot the authorization setting is gone, you regain access to the GSS CLI, and
you can redo the TACACS+ configuration in the correct order.
To enable TACACS+ authorization for the GSS CLI commands, enter:
gss1.example.com(config)# aaa authorization commands
Use the no form of this command to disable the TACACS+ CLI command
authorization function. For example, enter:
gss1.example.com(config)# no aaa authorization commands
For details about limiting user access to GSS CLI commands from the TACACS+
server, see the "Configuring Authorization Settings on the TACACS+ Server" section.
Specifying TACACS+ Accounting on the GSS
TACACS+ accounting lets you monitor the GSS CLI commands, and the primary GSSM
GUI pages and user actions, executed on the GSS. The GSS sends each event to the
TACACS+ server as an accounting record. A record can include fields such as the
user name, the CLI command executed, the primary GSSM GUI page accessed and the
action performed, and the time of execution. Cisco Secure ACS writes its
accounting logs as comma-separated value (CSV) text files, which you can import
into most spreadsheet applications; if required, you can convert a CSV export to
an HTML table with one of the many CSV-to-HTML tools. Because the records are
generated by the GSS, the log covers only actions taken after accounting is
enabled, so enable accounting before you grant TACACS+ users CLI or GUI access.
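As an added example (not code from this guide, from the GSS, or from Cisco Secure ACS), the following Python script parses a constructed CSV export in the shape described above, flags the CLI records that disable or rebind TACACS+ authorization and accounting (the no aaa authorization commands and tacacs-server host commands discussed in this chapter), summarises CLI and GUI activity per user, and renders the records as an HTML table with every cell escaped. The column names (time, user, source, kind, detail), the sample rows and the sensitive-command patterns are assumptions for illustration; map them to the headers of your own ACS export.

```python
"""Audit a TACACS+ accounting export from the GSS.

Added example, not code from the Cisco GSS guide or Cisco Secure ACS.
The CSV layout below is constructed for illustration: the column names
(time, user, source, kind, detail) are assumptions, not the ACS schema.
"""
import csv
import html
import io
import re
from collections import Counter, defaultdict

# Constructed sample of an accounting export. Not real ACS output.
SAMPLE_CSV = """\
time,user,source,kind,detail
2006-03-01 10:02:11,admin,10.1.1.5,cli,show running-config
2006-03-01 10:03:40,operator,10.1.1.9,gui,Monitoring > Answers: View
2006-03-01 10:05:02,admin,10.1.1.5,cli,configure terminal
2006-03-01 10:05:09,admin,10.1.1.5,cli,no aaa authorization commands
2006-03-01 10:05:30,admin,10.1.1.5,cli,tacacs-server host 192.0.2.10 key CHANGED
2006-03-01 10:06:00,operator,10.1.1.9,gui,Resources > Source Addresses: Add
"""

# CLI commands that weaken or rebind AAA on the GSS. The patterns are
# assumptions built from the commands named in this chapter; extend them
# for your environment.
SENSITIVE_CLI = [
    (re.compile(r"^no\s+aaa\s+(authorization|accounting)\b"), "AAA control disabled"),
    (re.compile(r"^(no\s+)?tacacs-server\s+host\b"), "TACACS+ server binding changed"),
]


def parse_records(text):
    """Parse CSV text into a list of dicts, one per accounting record."""
    return list(csv.DictReader(io.StringIO(text)))


def flag_sensitive(records):
    """Return the CLI records whose command matches a SENSITIVE_CLI pattern,
    each copied with a 'reason' field naming the rule that matched."""
    flagged = []
    for rec in records:
        if rec["kind"] != "cli":
            continue
        for pattern, reason in SENSITIVE_CLI:
            if pattern.search(rec["detail"].strip()):
                flagged.append({**rec, "reason": reason})
                break
    return flagged


def activity_per_user(records):
    """Count CLI commands and GUI actions per user name."""
    counts = defaultdict(Counter)
    for rec in records:
        counts[rec["user"]][rec["kind"]] += 1
    return counts


def to_html_table(records):
    """Render records as an HTML table. Every cell is escaped so a command
    or GUI page name containing markup characters cannot inject into the
    report when it is opened in a browser."""
    if not records:
        return "<table></table>"
    cols = list(records[0].keys())
    rows = ["<tr>" + "".join(f"<th>{html.escape(c)}</th>" for c in cols) + "</tr>"]
    for rec in records:
        rows.append("<tr>" + "".join(f"<td>{html.escape(rec[c])}</td>" for c in cols) + "</tr>")
    return "<table>\n" + "\n".join(rows) + "\n</table>"


if __name__ == "__main__":
    recs = parse_records(SAMPLE_CSV)
    for f in flag_sensitive(recs):
        print(f"{f['time']} {f['user']}@{f['source']}: {f['detail']} ({f['reason']})")
    for user, c in activity_per_user(recs).items():
        print(user, dict(c))
    print(to_html_table(flag_sensitive(recs)))
```

Run against the constructed sample, the script flags the two admin records that turn off command authorization and rebind the TACACS+ server, which are exactly the changes an attacker with CLI access would make to escape the controls described in this chapter; in practice, replace SAMPLE_CSV with the contents of the ACS accounting file and alert on any flagged record that does not correspond to a change you scheduled.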
Cisco Global Site Selector Administration Guide
4-25
OL-10410-01