Cisco Content Services Switch Security Configuration Guide
OL-5650-02
Chapter 4 Configuring the CSS as a Client of a TACACS+ Server
Configuring Global TACACS+ Attributes
Defining a Global Encryption Key
The CSS allows you to define a global encryption key for communications with
all configured TACACS+ servers. To encrypt TACACS+ packet transactions
between the CSS and the TACACS+ server, you must define an encryption key.
If you do not define an encryption key, packets are not encrypted. The key is a
shared secret value that is identical to the one on the TACACS+ server. Use the
tacacs-server key command to specify a shared secret between the CSS and the
server.
The shared secret key can be either clear text entered in quotes or the
DES-encrypted secret. The clear text key is DES-encrypted before it is placed in
the running configuration. Either key type can have a maximum of 100 characters.
The CSS dynamically applies the modified key and the new value automatically
takes effect on the next TACACS+ connection.
For example, to define the clear text key, enter:
(config)# tacacs-server key "market"
To define a DES-encrypted key, enter:
(config)# tacacs-server key acskefterefesdtx
To remove the key, enter:
(config)# no tacacs-server key
Note: A shared secret that you configure when you specify a TACACS+ server
overrides the global encryption key (see the “Defining a TACACS+ Server”
section).
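The following added example (not part of the Cisco guide and not CSS code) shows what the shared secret does on the wire, using the body obfuscation defined in RFC 8907 section 4.5: the packet body is XORed with an MD5-derived pad keyed by the secret, and with no key the body is sent in the clear with the unencrypted flag set. It assumes the CSS behaves as a standard TACACS+ client; the function names, session ID and body bytes are constructed for illustration.

```python
import hashlib
import struct

TAC_PLUS_UNENCRYPTED_FLAG = 0x01  # RFC 8907 header flag: body is not obfuscated


def pseudo_pad(session_id, key, version, seq_no, length):
    """MD5 chain from RFC 8907 section 4.5, truncated to the body length."""
    seed = struct.pack("!I", session_id) + key + bytes([version, seq_no])
    pad, prev = b"", b""
    while len(pad) < length:
        prev = hashlib.md5(seed + prev).digest()  # MD5_n = MD5(seed + MD5_{n-1})
        pad += prev
    return pad[:length]


def obfuscate(body, session_id, key, version, seq_no):
    """XOR the body with the pad; calling it again with the same key reverses it."""
    pad = pseudo_pad(session_id, key, version, seq_no, len(body))
    return bytes(b ^ p for b, p in zip(body, pad))


def build_packet(body, session_id, key, version=0xC0, ptype=0x01, seq_no=1):
    """Client side: 12-byte header plus body; an empty key means a cleartext body."""
    flags = 0 if key else TAC_PLUS_UNENCRYPTED_FLAG
    wire = obfuscate(body, session_id, key, version, seq_no) if key else body
    header = struct.pack("!BBBBII", version, ptype, seq_no, flags,
                         session_id, len(body))
    return header + wire


def read_body(packet, key):
    """Server side: recover the body with the server's copy of the shared secret."""
    version, _ptype, seq_no, flags, session_id, length = struct.unpack(
        "!BBBBII", packet[:12])
    body = packet[12:12 + length]
    if flags & TAC_PLUS_UNENCRYPTED_FLAG:
        return body
    return obfuscate(body, session_id, key, version, seq_no)


if __name__ == "__main__":
    body = b"user=admin pass=constructed-sample"  # constructed bytes, not a real body layout
    sid = 0x1A2B3C4D                               # constructed session ID
    keyed = build_packet(body, sid, b"market")     # key value from the example above
    print(read_body(keyed, b"market"))             # matching secret: body recovered
    print(read_body(keyed, b"markte"))             # mismatched secret: unusable bytes
    print(build_packet(body, sid, b"")[12:])       # no key: body readable on the wire
```

A key mismatch between the CSS and the server therefore appears as an unparseable body on the receiving side, and a missing key leaves the body readable to anyone on the network path.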
Setting the Global TACACS+ Keepalive Frequency
The CSS allows you to define a global keepalive frequency for use with all
configured TACACS+ servers. To determine the availability of the TACACS+
servers, the CSS sends periodic TCP keepalive probes to them. If the server does
not respond to the probe within the configured timeout period, the CSS considers
the server unavailable.