How does the Portnox Cloud TACACS+ service work?

In this topic, you will learn how the Portnox™ Cloud TACACS+ service works.

The Portnox Cloud TACACS+ service is a local server. To set it up, you have two options:

  • Virtual machines: You need to download a virtual machine image and its configuration, deploy it locally, and connect it to your on-premises network.
  • Containers: You need to deploy a Docker container locally or in the cloud, and connect it to the on-premises network.

Then, you need to configure your NAS devices to use this local TACACS+ server for authentication, authorization, and accounting.

When a user connects to one of your NAS devices configured with TACACS+, the NAS device communicates with the local TACACS+ server.

  1. The local TACACS+ server first checks user authentication by connecting to the cloud RADIUS servers.

  2. If the user is authenticated, the local TACACS+ server accesses the TACACS+ policy defined in Portnox Cloud, assigned to the user’s group.

  3. The TACACS+ policy defines user authorization for services, commands, and command attributes on the NAS device. The NAS device is configured for session-based or command-based authorization. If it is configured for session-based authorization, it only requests the session to be authorized. If it is configured for command-based authorization, each command run on the NAS device needs authorization from the TACACS+ server.

  4. The NAS device then reports user activity details to the TACACS+ server, and the TACACS+ server sends it to Portnox Cloud for accounting purposes. Portnox Cloud administrators can access alerts and troubleshooting logs to see user actions on the NAS devices.

Important: The Portnox Cloud local TACACS+ does not cache the authentication/authorization information if the Internet connection is lost, because most NAS devices that support TACACS+ have internal TACACS+ caching functionality. Please refer to the manual of your device to learn how to activate TACACS+ information caching on that device.