6-13
Catalyst 3550 Multilayer Switch Software Configuration Guide
78-11194-03
Chapter 6 Administering the Switch
Controlling Switch Access with TACACS+
Configuring TACACS+
This section describes how to configure your switch to support TACACS+. At a minimum, you must
identify the host or hosts maintaining the TACACS+ daemon and define the method lists for TACACS+
authentication. You can optionally define method lists for TACACS+ authorization and accounting. A
method list defines the sequence and methods to be used to authenticate, to authorize, or to keep accounts
on a user. You can use method lists to designate one or more security protocols to be used, thus ensuring
a backup system if the initial method fails. The software uses the first method listed to authenticate, to
authorize, or to keep accounts on users; if that method does not respond, the software selects the next
method in the list. This process continues until there is successful communication with a listed method
or the method list is exhausted.
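The method-list behavior described above, modeled as an added Python example (not code from the Cisco guide or from IOS): the walk moves to the next method only when the current one does not respond, so a denial from a reachable TACACS+ server is final and the local database is never consulted. The Reply enum, the function names, and the sample credentials are constructed for illustration.

```python
from enum import Enum


class Reply(Enum):
    PASS = "pass"            # method answered and accepted the user
    FAIL = "fail"            # method answered and denied the user
    NO_RESPONSE = "none"     # method could not be reached (timeout, daemon down)


def walk_method_list(methods, username, password):
    """Evaluate an ordered method list; return (granted, trace).

    methods is a list of (name, callable) pairs in the same order as the
    keywords of a method list such as: group tacacs+ local
    """
    trace = []
    for name, method in methods:
        reply = method(username, password)
        trace.append((name, reply))
        if reply is Reply.NO_RESPONSE:
            continue                      # only silence moves to the next method
        return reply is Reply.PASS, trace # any answer, accept or deny, ends the walk
    return False, trace                   # list exhausted without an answer: deny


# Constructed stand-ins for a TACACS+ daemon and the switch's local user database.
TACACS_USERS = {"alice": "s3cret-tacacs"}   # constructed sample credentials
LOCAL_USERS = {"admin": "s3cret-local"}     # constructed sample credentials


def tacacs_up(user, pw):
    return Reply.PASS if TACACS_USERS.get(user) == pw else Reply.FAIL


def tacacs_down(user, pw):
    return Reply.NO_RESPONSE                # models an unreachable server


def local_db(user, pw):
    return Reply.PASS if LOCAL_USERS.get(user) == pw else Reply.FAIL


if __name__ == "__main__":
    for label, first in (("server up", tacacs_up), ("server down", tacacs_down)):
        result = walk_method_list([("tacacs+", first), ("local", local_db)],
                                  "admin", "s3cret-local")
        print(label, result)
```

The local account is usable only while the TACACS+ server is unreachable, which is why a method list with no backup method locks out every user during a server outage.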
This section contains this configuration information:
Default TACACS+ Configuration, page 6-13
Identifying the TACACS+ Server Host and Setting the Authentication Key, page 6-13
Configuring TACACS+ Login Authentication, page 6-14
Configuring TACACS+ Authorization for Privileged EXEC Access and Network Services, page 6-16
Starting TACACS+ Accounting, page 6-17

Default TACACS+ Configuration

TACACS+ and AAA are disabled by default.
To prevent a lapse in security, you cannot configure TACACS+ through a network management
application. When enabled, TACACS+ can authenticate users accessing the switch through the CLI.
Note Although TACACS+ configuration is performed through the CLI, the TACACS+ server
authenticates HTTP connections that have been configured with a privilege level of 15.

Identifying the TACACS+ Server Host and Setting the Authentication Key

You can configure the switch to use a single server or AAA server groups to group existing server hosts
for authentication. You can group servers to select a subset of the configured server hosts and use them
for a particular service. The server group is used with a global server-host list and contains the list of IP
addresses of the selected server hosts.