Cisco Systems Understanding TACACS Server Key and Its Configuration in Cisco IOS XR

Page 84

Authentication, Authorization, and Accounting Commands on Cisco IOS XR Software

tacacs-server key

tacacs-server key

To set the authentication encryption key used for all TACACS+ communications between the HF and the TACACS+ daemon, use the tacacs-server key command in global configuration mode. To disable the key, use the no form of this command.

tacacs-server key key-nameno tacacs-server key

Syntax Description

key-name

Name of the key used to set authentication and encryption. This key name must match

 

 

the key used on the TACACS+ daemon. This key name applies to all servers that have

 

 

no individual keys specified.

 

 

 

Defaults

Command Modes

Command History

No default behavior or values

Global configuration

Release

Modification

Release 2.0

This command was introduced on the Cisco CRS-1.

 

 

Release 3.0

No modification.

 

 

Release 3.2

This command was supported on the Cisco XR 12000 Series Router.

 

 

Release 3.3.0

No modification.

 

 

Usage Guidelines To use this command, you must be in a user group associated with a task group that includes the proper task IDs. For detailed information about user groups and task IDs, see the Configuring AAA Services on Cisco IOS XR Software module of the Cisco IOS XR System Security Configuration Guide.

The key name entered must match the key used on the TACACS+ daemon. All leading spaces are ignored; spaces within and after the key are not. If you use spaces in your key, do not enclose the key in quotation marks unless the quotation marks themselves are part of the key.

The TACACS server key is used only if no key is configured for an individual TACACS server. Keys configured for an individual TACACS server always override this global key configuration.

Task ID

 

Task ID

Operations

 

 

aaa

read, write

 

 

 

 

 

 

 

Examples

 

The following example sets the authentication and encryption key to key1:

 

 

RP/0/RP0/CPU0:router(config)# tacacs-server key key1

Cisco IOS XR System Security Command Reference

SR-84

Image 84
Contents SR-1 Aaa accounting SR-2Creates a method list to be used for authorization Aaa Read, writeSR-3 Aaa accounting system default SR-4Creates a method list for authentication Creates a method list for authorizationSR-5 Aaa authentication SR-6Radius, group named-group,local, or line options Creates a method list for accountingSR-7 Command Description SR-8Aaa authorization NetworkLocal SR-9SR-10 Which specifies that TACACS+ authorization is used SR-11Aaa default-taskgroup SR-12Aaa group server radius SR-13Comprises three member servers SR-14Aaa group server tacacs+ SR-15SR-16 Aaa accounting command AccountingSR-17 List named listname2 on a line template named configure SR-18Authorization Authorization commandSR-19 Listname4 on a line template named configure SR-20Deadtime server-group configuration Deadtime minutes no deadtimeSR-21 Related Commands Description SR-22Description AAA Description string No descriptionSR-23 Taskgroup SR-24Group SR-25Task ID Examples SR-26Inherit taskgroup SR-27SR-28 Inherit usergroup Inherit usergroup usergroup-nameSR-29 Sales user group SR-30Login authentication Authentication login commandSR-31 SR-32 Password AAA Password 0 7 password No password 0 7 passwordSR-33 SR-34 Radius-server dead-criteria time SR-35SR-36 Radius-server dead-criteria tries SR-37Dead-criteria time SR-38Radius-server deadtime Radius-server deadtime minutes No radius-server deadtimeSR-39 SR-40 Timeout seconds Radius-server hostRetransmit retries SR-41SR-42 SR-43 Radius-server key SR-44Specifies a Radius server host SR-45Radius-server retransmit SR-46Radius-server timeout Radius-server timeout seconds No radius-server timeoutSR-47 Radius source-interface SR-48Outgoing Radius packets SR-49Secret Secret 0 5 secret no secret 0 5 secretSR-50 SR-51 Server Radius SR-52SR-53 Server TACACS+ SR-54Groups different TACACS+ server hosts into distinct lists SR-55Show aaa SR-56SR-57 Aaa usergroup operatorSR-58 Displays task IDs enabled for the currently logged-in user SR-59If no radius servers are configured, no output is displayed Show radiusShow radius SR-60Field Description SR-61Show radius accounting Show radius accountingSR-62 Show radius authentication SR-63Show radius authentication Show radius authenticationSR-64 Show radius accounting SR-65Show radius client Show radius clientSR-66 SR-67 Show radius dead-criteria SR-68SR-69 No default behavior or values Show radius server-groupsShow radius server-groups SR-70Field Description SR-71Show tacacs Show tacacsSR-72 SR-73 Show tacacs server-groups Show tacacs server-groupsSR-74 SR-75 Show task supported Show task supportedSR-76 SR-77 Ouni pkg-mgmt pos-dpt pppShow user SR-78SR-79 User allSR-80 SR-81 Tacacs-server host SR-82SR-83 Tacacs-server key Tacacs-server key key-nameno tacacs-server keySR-84 Specifies a TACACS+ host SR-85Tacacs-server timeout Tacacs-server timeout seconds No tacacs-server timeoutSR-86 Tacacs source-interface SR-87Aaa group server radius SR-88Task WriteExecute DebugSR-90 Taskgroup SR-91Creates a task group description in task configuration mode Adds a task ID to a task groupSR-92 Timeout login response SR-93Enables AAA authentication for logins SR-94Usergroup SR-95Creates a description of a task group during configuration SR-96Username SR-97Defines a method list for authentication Creates a login password for a userAdds a user to a group SR-98Users group SR-99Given operator privileges SR-100