Create or edit a TACACS+ authorization policy
In this topic, you will learn how to create and assign a TACACS+ authorization policy in Portnox™ Cloud.
To understand what policies are in Portnox Cloud, what types of policies are available, and how they work together with accounts and groups, read the following topic: What are policies in Portnox Cloud?.
To understand how TACACS+ authorization works in Portnox Cloud, read the following topic: How does the Portnox Cloud TACACS+ service work?.
If you have a large network with many administrators, you may want each of them to have different privileges for configuring your NAS devices. TACACS+ authorization policies let you define specific privileges of network administrators such as the ability to access specific services or run specific commands. These policies apply only to NAS devices, not to user devices.
- In the Cloud portal top menu, click on the Policies option.
- In the Cloud portal left-hand menu, click on the TACACS+ AUTHORIZATION POLICIES tile.
- In the right-hand side pane, click on the Create a new Policy link to create a new policy.
  Note: You can also click on the Edit link on the right-hand side of the line that represents an existing policy. The creation and editing processes are almost the same.
- In the Policy Name field, enter the name for the new policy and, in the Policy Description field, enter an optional description.
- On the left-hand side, click on the Session-based > option if you want to configure session-based TACACS+ authorization.
  Session-based authorization means that the NAS device requests TACACS+ authorization once, for the session as a whole. Once the session is authorized, the NAS device administrator's privileges depend on the authorized privilege level, as configured on the NAS device.
  Note: The NAS device configuration decides whether it uses session-based or command-based authorization. You can define both session-based and command-based authorization in Portnox Cloud if you use both types in your NAS devices, but each NAS device will only use one of these two groups of settings.
- On the left-hand side, click on the Command-based > option if you want to configure command-based TACACS+ authorization.
  Command-based authorization means that the NAS device requests TACACS+ authorization separately for each command that the NAS administrator tries to execute.
- To save your policy settings, click on the Save button on the bottom right of the page.
Result: You created or edited a TACACS+ authorization policy. You can now assign this policy to groups.
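To make the difference between the two modes concrete, here is an added example (not Portnox Cloud's own code) of a minimal TACACS+ authorization evaluator: a session-based request (service=shell with an empty cmd) is answered with a privilege level, while a command-based request (cmd= plus cmd-arg= pairs) is permitted or denied per command, with unmatched commands denied by default. The policy, AV pairs and rule format are constructed for illustration, using the argument names from RFC 8907.

```python
import re
from dataclasses import dataclass, field


@dataclass
class AuthzPolicy:
    """Constructed policy model covering both modes described above."""
    # Session-based: privilege level returned when the NAS opens a shell session.
    session_priv_lvl: int = 1
    # Command-based: ordered (regex, "permit"|"deny") rules; first match wins.
    command_rules: list = field(default_factory=list)


def parse_av_pairs(pairs):
    """Parse TACACS+ argument strings ('=' mandatory, '*' optional) into a dict.

    cmd-arg may repeat, so it is collected into a list; a trailing '<cr>'
    argument only marks end of line and is dropped.
    """
    attrs = {}
    for pair in pairs:
        m = re.match(r"([^=*]+)[=*](.*)", pair)
        if not m:
            raise ValueError(f"malformed AV pair: {pair!r}")
        key, value = m.group(1), m.group(2)
        if key == "cmd-arg":
            if value != "<cr>":
                attrs.setdefault("cmd-arg", []).append(value)
        else:
            attrs[key] = value
    return attrs


def authorize(policy, pairs):
    """Return (status, reply_attrs): PASS_ADD to allow, FAIL to deny."""
    attrs = parse_av_pairs(pairs)
    if attrs.get("service") != "shell":
        return ("FAIL", {})          # only shell authorization is modelled here
    cmd = attrs.get("cmd", "")
    if cmd == "":
        # Session-based: the NAS asks once; reply with the privilege level.
        return ("PASS_ADD", {"priv-lvl": str(policy.session_priv_lvl)})
    # Command-based: rebuild the command line and check it against the rules.
    full = " ".join([cmd] + attrs.get("cmd-arg", []))
    for pattern, action in policy.command_rules:
        if re.fullmatch(pattern, full):
            return ("PASS_ADD", {}) if action == "permit" else ("FAIL", {})
    return ("FAIL", {})              # default deny for unmatched commands
```

Which of the two request shapes a given NAS sends is decided by the NAS configuration, so a policy that defines only one mode will simply never be consulted for the other.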
To assign policies to groups, see the following topic: Assign policies to a group.