Cisco Content Services Switch Security Configuration Guide
OL-5650-02
Chapter 4 Configuring the CSS as a Client of a TACACS+ Server
Defining a TACACS+ Server
Note: For general guidelines on the recommended setup of a TACACS+ server (the
Cisco Secure Access Control Server in this example), see the “TACACS+
Configuration Quick Start” section.
To apply a TACACS+ global attribute, such as the timeout period, keepalive
frequency, or shared secret, to a TACACS+ server, you must configure the global
attribute before you configure the server. To apply a modified global attribute to
a configured CSS TACACS+ server, remove the server and reconfigure it.
Use the tacacs-server command to define a server. You must provide the IP
address and port number for the server. You can optionally define the timeout
period and encryption key and designate the server as the primary server.
The syntax for this global configuration command is:
tacacs-server ip_address port {timeout [cleartext_key|des_key]}
{primary} {frequency number}
The variables and options for this command are as follows:
ip_address - The IP address of the TACACS+ server. Enter the IP address in
dotted-decimal format.
port - The TCP port of the TACACS+ server. The default port is 49. You can
enter a port number from 1 to 65535.
timeout - (Optional) The amount of time to wait for a response from the
server. Enter a number from 1 to 255. The default is 5 seconds. Defining this
option overrides the tacacs-server timeout command. For more information
on the TACACS+ timeout period and setting a global timeout, see the “Setting
the Global CSS TACACS+ Timeout Period” section.
cleartext_key|des_key - (Optional) The shared secret between the CSS and
the server. You must define an encryption key to encrypt TACACS+ packet
transactions between the CSS and the TACACS+ server. If you do not define
an encryption key, packets are not encrypted.
The shared secret value is identical to the one on the TACACS+ server. The
shared secret key can be either clear text entered in quotes or the
DES-encrypted secret entered without quotes. The clear text key is
DES-encrypted before it is placed in the running configuration. Either key
type can have a maximum of 100 characters.
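
The limits and ordering rule described above can be checked mechanically against a saved command list. The following Python audit is an added example, not part of the Cisco guide: it flags servers with no shared secret in effect (packets not encrypted), ports outside 1 to 65535, timeouts outside 1 to 255, and keys over 100 characters. It assumes the global shared-secret command is named `tacacs-server key` and that lines appear in the order they were entered; the sample commands and finding labels are constructed.

```python
import ipaddress
import re

# Constructed command sequence, in the order entered (documentation-range addresses).
SAMPLE_CONFIG = '''\
tacacs-server 192.0.2.10 49 5 "constructed-secret" primary
tacacs-server 192.0.2.11 49
tacacs-server key "constructed-global-secret"
tacacs-server 192.0.2.12 70000 300 "k"
'''

def audit_tacacs(config):
    """Return (server_ip, finding) pairs for tacacs-server lines outside the documented limits."""
    findings = []
    global_key_seen = False
    for line in config.splitlines():
        # Keep a quoted cleartext key as one token, quotes included.
        tok = re.findall(r'"[^"]*"|\S+', line)
        if len(tok) < 2 or tok[0] != "tacacs-server":
            continue
        if tok[1] == "key":  # assumed name of the global shared-secret command
            global_key_seen = True
            continue
        try:
            ipaddress.IPv4Address(tok[1])
        except ValueError:
            continue  # some other global form, such as tacacs-server timeout
        ip, rest = tok[1], tok[2:]
        if not rest or not rest[0].isdigit() or not 1 <= int(rest[0]) <= 65535:
            findings.append((ip, "port"))
        rest = rest[1:]
        if rest and rest[0].isdigit():  # optional per-server timeout
            if not 1 <= int(rest[0]) <= 255:
                findings.append((ip, "timeout"))
            rest = rest[1:]
        # Anything left that is not a keyword is the per-server shared secret.
        key = rest[0].strip('"') if rest and rest[0] not in ("primary", "frequency") else None
        if key is None and not global_key_seen:
            # A global attribute set after the server is defined does not apply to it.
            findings.append((ip, "no-key"))
        elif key is not None and len(key) > 100:
            findings.append((ip, "key-length"))
    return findings

if __name__ == "__main__":
    for ip, finding in audit_tacacs(SAMPLE_CONFIG):
        print(ip, finding)
```

In the sample, 192.0.2.11 is reported as `no-key` even though a global key appears later, because the global attribute was configured after the server was defined.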