TACACS+ server configuration

Command: /cfg/sys/tacacs+

[TACACS+ Server Menu]
     prisrv   - Set IP address of primary TACACS+ server
     secsrv   - Set IP address of secondary TACACS+ server
     secret   - Set secret for primary TACACS+ server
     secret2  - Set secret for secondary TACACS+ server
     port     - Set TACACS+ port number
     retries  - Set number of TACACS+ server retries
     timeout  - Set timeout value of TACACS+ server retries
     telnet   - Enable/disable TACACS+ back door for telnet/ssh/http/https
     secbd    - Enable/disable TACACS+ secure backdoor for telnet/ssh/http/https
     cmap     - Enable/disable TACACS+ new privilege level mapping
     usermap  - Set user privilege mappings
     on       - Enable TACACS+ authentication
     off      - Disable TACACS+ authentication
     cur      - Display current TACACS+ settings

TACACS+ (Terminal Access Controller Access Control System) is an authentication protocol that lets a remote access server forward a user's logon password to an authentication server, which decides whether access to a given system is allowed. The TACACS+ and Remote Authentication Dial-In User Service (RADIUS) protocols are more secure than the earlier TACACS protocol. TACACS+ is described in RFC 1492.

The TACACS+ protocol is more reliable than RADIUS because TACACS+ uses the Transmission Control Protocol (TCP), whereas RADIUS uses the User Datagram Protocol (UDP). RADIUS also combines authentication and authorization in a single user profile, whereas TACACS+ separates the two operations.

TACACS+ offers the following advantages over RADIUS as the authentication protocol:

TACACS+ is TCP-based, so it supports connection-oriented traffic.

It encrypts the entire packet body, whereas RADIUS encrypts only the password in authentication requests.

It decouples authentication, authorization, and accounting.

The following table describes the TACACS+ Server Configuration Menu options.

Table 84 TACACS+ Server Configuration Menu options

prisrv <IP address>
    Defines the primary TACACS+ server address. For example, 100.10.1.1

secsrv <IP address>
    Defines the secondary TACACS+ server address. For example, 100.10.1.2

secret <1-32 characters>
    This is the shared secret between the switch and the TACACS+ server(s).

secret2 <1-32 characters>
    This is the secondary shared secret between the switch and the TACACS+ server(s).

port <TCP port number>
    Enter the number of the TCP port to be configured, between 1 and 65000. The default is 49.

retries <1-3>
    Sets the number of failed authentication requests before switching to a different TACACS+ server. The range is 1-3 requests. The default is 3 requests.

timeout <4-15>
    Sets the amount of time, in seconds, before a TACACS+ server authentication attempt is considered to have failed. The range is 4-15 seconds. The default is 5 seconds.

telnet enable|disable
    Enables or disables the TACACS+ back door for telnet. The telnet command also applies to SSH/SCP connections and the Browser-Based Interface (BBI). This command does not apply when the secure back door (secbd) is enabled.

secbd enable|disable
    Enables or disables the TACACS+ back door using a secure password for telnet/SSH/HTTP/HTTPS. This command does not apply when the back door (telnet) is enabled.

cmap enable|disable
    Enables or disables TACACS+ privilege-level mapping. The default value is disabled.
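The following Python script is an added example, not part of this manual or the switch firmware. It parses a /cfg/sys/tacacs+ block written in the "<command> <value>" form of the menu above and checks each value against the ranges in Table 84, warning when no secondary server exists for retries to fail over to and when telnet and secbd are both enabled (the table states telnet does not apply while secbd is enabled). The sample block, its addresses and its secret are constructed for the example.

```python
import ipaddress

# Valid ranges and sizes taken from Table 84 on this page.
RANGES = {"port": (1, 65000), "retries": (1, 3), "timeout": (4, 15)}
SERVERS = ("prisrv", "secsrv")
SECRETS = ("secret", "secret2")

def parse_block(text):
    """Turn '<command> [value]' lines from a /cfg/sys/tacacs+ block into a dict."""
    settings = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith(("/", "#")):  # skip menu path and comments
            continue
        cmd, _, value = line.partition(" ")
        settings[cmd] = value.strip()
    return settings

def audit(settings):
    """Return findings ('error: ...' or 'warn: ...'); an empty list means clean."""
    findings = []
    for cmd, (lo, hi) in RANGES.items():
        value = settings.get(cmd)
        if value is not None and not (value.isdigit() and lo <= int(value) <= hi):
            findings.append(f"error: {cmd} must be {lo}-{hi}, got {value!r}")
    for cmd in SERVERS:
        if cmd in settings:
            try:
                ipaddress.ip_address(settings[cmd])
            except ValueError:
                findings.append(f"error: {cmd} is not a valid IP address: {settings[cmd]!r}")
    for cmd in SECRETS:
        if cmd in settings and not 1 <= len(settings[cmd]) <= 32:
            findings.append(f"error: {cmd} must be 1-32 characters")
    # retries switch to a different server, which needs a secondary server to exist
    if "secsrv" not in settings:
        findings.append("warn: no secsrv set, so retries have no second server to fail over to")
    # Table 84: the telnet command does not apply while secbd is enabled
    if settings.get("telnet") == "enable" and settings.get("secbd") == "enable":
        findings.append("warn: telnet back door has no effect while secbd is enabled")
    return findings

# Constructed sample block in the command form shown in the menu above.
SAMPLE = """\
/cfg/sys/tacacs+
prisrv 100.10.1.1
secsrv 100.10.1.2
secret Sw1tchSecret!
port 49
timeout 5
telnet enable
secbd enable"""
```

Running audit(parse_block(SAMPLE)) reports only the telnet/secbd overlap; an out-of-range port, timeout or secret length is reported as an error.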

Configuration Menu 94