TACACS+ Authentication

Configuring TACACS+ on the Switch

Syntax: tacacs-server host <ip-addr> [oobm] [key <key-string>]

Adds a TACACS+ server and optionally assigns a server-specific encryption key. The oobm parameter specifies that the operation will go out from the out-of-band management interface. If this parameter is not specified, the operation goes out from the data interface. Refer to Appendix G, “Network Out-of-Band Management” in the Management and Configuration Guide for more information on out-of-band management.

[no] tacacs-server host <ip-addr>

Removes a TACACS+ server assignment (including its server-specific encryption key, if any).

tacacs-server key <key-string>

Enters the optional global encryption key.

[no] tacacs-server key

Removes the optional global encryption key. (Does not affect any server-specific encryption key assignments.)

tacacs-server timeout <1-255>

Changes the wait period for a TACACS server response. (Default: 5 seconds.)

 

 

Note on Encryption Keys

Encryption keys configured in the switch must exactly match the encryption keys configured in TACACS+ servers the switch will attempt to use for authentication.

If you configure a global encryption key, the switch uses it only with servers for which you have not also configured a server-specific key. Thus, a global key is more useful where the TACACS+ servers you are using all have an identical key, and server-specific keys are necessary where different TACACS+ servers have different keys.

If TACACS+ server “X” does not have an encryption key assigned for the switch, then configuring either a global encryption key or a server-specific key in the switch for server “X” will block authentication support from server “X”.
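The key-precedence rule in the note above can be checked offline against a saved configuration. This is an added example, not part of the manual: the sample configuration, the server-side key table and the function names are constructed for illustration, and it assumes key strings contain no spaces.

```python
import re

# Constructed sample of switch configuration lines (not from a real device).
SAMPLE_CONFIG = """\
tacacs-server host 10.0.0.5 key north01
tacacs-server host 10.0.0.6 oobm
tacacs-server host 10.0.0.7
tacacs-server key global99
tacacs-server timeout 10
"""

# Constructed: the key each TACACS+ server holds for this switch (None = no key).
SERVER_SIDE_KEYS = {"10.0.0.5": "north01", "10.0.0.6": "global99", "10.0.0.7": None}

HOST_RE = re.compile(r"^tacacs-server host (\S+)((?: oobm| key \S+)*)$")

def parse_tacacs(config):
    """Return (hosts, global_key, timeout) parsed from tacacs-server lines."""
    hosts, global_key, timeout = {}, None, 5  # 5 seconds is the documented default
    for line in config.splitlines():
        line = " ".join(line.split())
        m = HOST_RE.match(line)
        if m:
            key, oobm = None, False
            toks = iter(m.group(2).split())
            for t in toks:
                if t == "key":
                    key = next(toks)  # the token after "key" is the key string
                else:
                    oobm = True
            hosts[m.group(1)] = {"key": key, "oobm": oobm}
        elif line.startswith("tacacs-server key "):
            global_key = line.split(" ", 2)[2]
        elif line.startswith("tacacs-server timeout "):
            timeout = int(line.split()[2])
            if not 1 <= timeout <= 255:
                raise ValueError(f"timeout {timeout} outside 1-255")
    return hosts, global_key, timeout

def audit(config, server_keys):
    """Map each host to 'match' or 'mismatch' using the effective switch key."""
    hosts, global_key, _ = parse_tacacs(config)
    report = {}
    for ip, opts in hosts.items():
        # A server-specific key takes precedence; the global key is the fallback.
        effective = opts["key"] if opts["key"] is not None else global_key
        report[ip] = "match" if effective == server_keys.get(ip) else "mismatch"
    return report
```

With the sample data, 10.0.0.7 is reported as a mismatch: the server has no key for the switch, but the global key still applies to it, which is the server “X” case described in the note.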

 

 

 

 

 

 

Name                                      Default   Range

host <ip-addr> [key <key-string>] [oobm]  none      n/a
