SteelHead™ Deployment Guide : Authentication, Security, Operations, and Monitoring : Authentication Features
  
Authentication Features
RiOS v5.0.x or later supports the following features (available only through the CLI):
  • Per-command Authorization - Your TACACS+ server can authorize all CLI commands with the aaa authorization per-command default command. The methods available for per-command authorization are local (default) and TACACS+.
    To use TACACS+ for per-command authorization, configure the SteelHead for TACACS+ and define the users and the commands they are authorized to run on your TACACS+ server. For information about how to configure your TACACS+ server, see the TACACS+ server documentation.
    Per-command authorization applies to the CLI only.
    If you do not have a TACACS+ server, use role-based accounts locally on the SteelHead to limit the Management Console and CLI commands available to users.
    For more information about configuring TACACS+ on the SteelHead, see Configuring a TACACS+ Server. For details on restricting user roles, see Best Practices for Securing Access to SteelHeads.
  • Per-command Accounting - Per-command accounting is always enabled locally. To also send it to TACACS+, you must specifically define the TACACS+ method with the aaa accounting per-command default command. TACACS+ per-command accounting is always sent to all the configured TACACS+ servers. The local method logs each command in the system logs.
  • TACACS+ Server First Hit - When the first server hit CLI command (tacacs-server first-hit) is enabled, the SteelHead rejects authentication after the first rejection received from a TACACS+ server rather than continuing through all the TACACS+ servers in the list. This feature applies to user authentication and per-command authorization.
  • Fallback - The fallback option decides how successive authentication methods are tried. When fallback is enabled and authentication fails, the system continues through all authentication methods (TACACS+, RADIUS, local) in the order you configure them in the authentication method list. Fallback is enabled by default. When you enable conditional fallback (aaa authentication cond-fallback), the system proceeds beyond TACACS+ or RADIUS only if their servers are unreachable. Conditional fallback therefore rejects the login as soon as the first method rejects the attempt, instead of proceeding to the next method in the authentication method list.
  • Remote and Console Method Lists - There are two method lists: remote (ssh, Web UI) and console (serial, terminal, SteelHead, telnet). The console method requires a local method to be present, but the remote list does not. You enable the remote method using the aaa authentication login default command. You enable the console method using the aaa authentication console-login default command.
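The fallback, conditional fallback and TACACS+ first-hit options above interact in ways that matter for access control: with plain fallback, a user the TACACS+ servers reject can still be accepted by a local account later in the list. The following model is an added example, not RiOS code or Riverbed's implementation; it walks a method list under each option so the difference in who gets consulted and what the outcome is can be traced. The method list, server names (tac-1, tac-2) and their responses are constructed, and the behaviour with fallback disabled (only the first method is consulted) is an assumption.

```python
# Constructed example, not RiOS code: a model of how a SteelHead-style AAA
# method list decides a login under the fallback, conditional-fallback and
# TACACS+ first-hit options described in the guide. Server responses are
# constructed inline so the example runs offline.
from dataclasses import dataclass, field

ACCEPT, REJECT, UNREACHABLE = "accept", "reject", "unreachable"


@dataclass
class Decision:
    result: str                                    # ACCEPT or REJECT
    consulted: list = field(default_factory=list)  # "method:server" in the order tried


def query_method(method, servers, first_hit, consulted):
    """Run one method of the list against its servers, in order.

    Returns ACCEPT, REJECT or UNREACHABLE for the method as a whole. With
    tacacs-server first-hit, the first TACACS+ reject ends the method;
    otherwise the remaining servers in the list are still tried.
    """
    outcome = UNREACHABLE
    for name, response in servers.get(method, []):
        consulted.append(f"{method}:{name}")
        if response == ACCEPT:
            return ACCEPT
        if response == REJECT:
            outcome = REJECT
            if method == "tacacs+" and first_hit:
                break
    return outcome


def authenticate(method_list, servers, fallback=True, cond_fallback=False, first_hit=False):
    """Walk the method list the way the guide describes.

    fallback:      continue to the next method after a failure (default on).
                   Assumption: with fallback off only the first method is consulted.
    cond_fallback: proceed past TACACS+/RADIUS only when their servers were
                   unreachable; a reject from them is final.
    first_hit:     passed through to the TACACS+ stage.
    """
    consulted = []
    for method in method_list:
        outcome = query_method(method, servers, first_hit, consulted)
        if outcome == ACCEPT:
            return Decision(ACCEPT, consulted)
        if not fallback:
            return Decision(REJECT, consulted)
        if cond_fallback and outcome == REJECT and method in ("tacacs+", "radius"):
            return Decision(REJECT, consulted)
    return Decision(REJECT, consulted)


# Constructed scenario: an account the TACACS+ servers reject (for example a
# user disabled centrally) that still exists as a local account on the box.
SERVERS = {
    "tacacs+": [("tac-1", REJECT), ("tac-2", REJECT)],
    "local": [("local", ACCEPT)],
}
METHODS = ["tacacs+", "local"]


def scenarios():
    """The same login under each option combination, with who was consulted."""
    unreachable = {
        "tacacs+": [("tac-1", UNREACHABLE), ("tac-2", UNREACHABLE)],
        "local": SERVERS["local"],
    }
    return {
        "default_fallback": authenticate(METHODS, SERVERS),
        "cond_fallback": authenticate(METHODS, SERVERS, cond_fallback=True),
        "cond_fallback_first_hit": authenticate(METHODS, SERVERS, cond_fallback=True, first_hit=True),
        "cond_fallback_unreachable": authenticate(METHODS, unreachable, cond_fallback=True),
    }


if __name__ == "__main__":
    for name, d in scenarios().items():
        print(f"{name:26s} {d.result:7s} consulted={d.consulted}")
```

Running it shows the default fallback accepting the centrally rejected user through the local account after both TACACS+ servers were asked, conditional fallback stopping at the TACACS+ reject, first-hit stopping after the first server, and conditional fallback still reaching the local method when every TACACS+ server is unreachable.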