Brocade Communications Systems 6650 Specifying different servers for individual AAA functions, Setting optional TACACS and TACACS+ parameters

32 Brocade ICX 6650 Security Configuration Guide

53-1002601-01

TACACS and TACACS+ security

The auth-port parameter specifies the UDP (for TACACS) or TCP (for TACACS+) port number of the

authentication port on the server. The default port number is 49.

Specifying different servers for individual AAA functions

In a TACACS+ configuration, you can designate a server to handle a specific AAA task. For example,

you can designate one TACACS+ server to handle authorization and another TACACS+ server to

handle accounting. You can set the TACACS+ key for each server.

To specify different TACACS+ servers for authentication, authorization, and accounting, enter the

command such as following.

Syntax: tacacs-server host ip-addr | ipv6-addr | server-name [auth-port num] [authentication-only

| authorization-only | accounting-only | default] [key 0 | 1 string]

The default parameter causes the server to be used for all AAA functions.

After authentication takes place, the server that performed the authentication is used for

authorization and accounting. If the authenticating server cannot perform the requested function,

then the next server in the configured list of servers is tried; this process repeats until a server that

can perform the requested function is found, or every server in the configured list has been tried.

Setting optional TACACS and TACACS+ parameters

You can set the following optional parameters in a TACACS and TACACS+ configuration:

•TACACS+ key – This parameter specifies the value that the Brocade device sends to the

TACACS+ server when trying to authenticate user access.

•Retransmit interval – This parameter specifies how many times the Brocade device will resend

an authentication request when the TACACS/TACACS+ server does not respond. The retransmit

value can be from 1 – 5 times. The default is 3 times.

•Dead time – This parameter specifies how long the Brocade device waits for the primary

authentication server to reply before deciding the server is dead and trying to authenticate

using the next server. The dead-time value can be from 1 – 5 seconds. The default is 3

seconds.

•Timeout – This parameter specifies how many seconds the Brocade device waits for a

response from a TACACS/TACACS+ server before either retrying the authentication request, or

determining that the TACACS/TACACS+ servers are unavailable and moving on to the next

authentication method in the authentication-method list. The timeout can be from 1 – 15

seconds. The default is 3 seconds.

Brocade(config)# tacacs-server host 10.2.3.4 auth-port 49 authentication-only

key abc

Brocade(config)# tacacs-server host 10.2.3.5 auth-port 49 authorization-only key

def

Brocade(config)# tacacs-server host 10.2.3.6 auth-port 49 accounting-only key

ghi