How does the Portnox Cloud TACACS+ service work?
In this topic, you will learn how the Portnox™ Cloud TACACS+ service works.
The Portnox Cloud TACACS+ service is a local server. To set it up, you have two options:
- Virtual machines: You need to download a virtual machine image and its configuration, deploy it locally, and connect it to your on-premises network.
- Containers: You need to deploy a Docker container locally or in the cloud, and connect it to the on-premises network.
Then, you need to configure your NAS devices to use this local TACACS+ server for authentication, authorization, and accounting.
When a user connects to one of your NAS devices configured with TACACS+, the NAS device communicates with the local TACACS+ server:
- The local TACACS+ server first checks user authentication by connecting to Portnox Cloud and getting authentication information from the configured authentication repository.
- If the user is authenticated, the local TACACS+ server accesses the TACACS+ policy defined in Portnox Cloud that is assigned to the user’s group.
- The TACACS+ policy defines user authorization for services, commands, and command attributes on the NAS device. The NAS device is configured for either session-based or command-based authorization. If it is configured for session-based authorization, it requests authorization only once, for the session. If it is configured for command-based authorization, each command run on the NAS device needs authorization from the TACACS+ server.
- The NAS device then reports user activity details to the TACACS+ server, and the TACACS+ server forwards them to Portnox Cloud for accounting purposes. Portnox Cloud administrators can access alerts and troubleshooting logs to see user actions on the NAS devices.
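The following is an added illustration of the authorization flow described above, not code from the Portnox Cloud service itself. It models the decision a TACACS+ server makes for both modes: a single session-level check and a per-command check against an ordered rule list; the repository, group names, policy shape, and commands are constructed assumptions.

```python
import re
from dataclasses import dataclass

# Constructed stand-ins for the page's components: an authentication repository
# (user -> group) and a per-group TACACS+ policy. Not Portnox data structures.
AUTH_REPOSITORY = {"alice": "netops", "bob": "helpdesk"}

@dataclass(frozen=True)
class TacacsPolicy:
    services: frozenset      # services a session may be authorized for, e.g. "shell"
    command_rules: tuple     # ordered (action, regex) rules; first match wins
    default_action: str = "deny"   # applied when no rule matches (deny-by-default)

POLICIES = {
    "netops": TacacsPolicy(
        services=frozenset({"shell"}),
        command_rules=(("permit", r"^show .*"),
                       ("deny", r"^configure .*"),
                       ("permit", r"^(ping|traceroute) .*")),
    ),
    "helpdesk": TacacsPolicy(
        services=frozenset({"shell"}),
        command_rules=(("permit", r"^show (version|interfaces)$"),),
    ),
}

def lookup_policy(user):
    """Authentication step: resolve the user in the repository, then the group's policy."""
    group = AUTH_REPOSITORY.get(user)
    return POLICIES.get(group) if group else None

def authorize_session(user, service):
    """Session-based authorization: one decision when the session is opened."""
    policy = lookup_policy(user)
    return policy is not None and service in policy.services

def authorize_command(user, cmd, args):
    """Command-based authorization: the NAS asks for every command; first rule match wins."""
    policy = lookup_policy(user)
    if policy is None:           # unauthenticated or unknown user: never permit
        return "deny"
    line = " ".join([cmd, *args]).strip()
    for action, pattern in policy.command_rules:
        if re.match(pattern, line):
            return action
    return policy.default_action
```

In command-based mode, a command that matches no rule falls through to the policy default, which is why a deny-by-default policy matters even for otherwise trusted groups.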