TACACS+ (Terminal Access Controller Access Control System) is an authentication protocol that allows a remote access server to forward a user's logon password to an authentication server to determine whether access can be allowed to a given system. TACACS+ and Remote Authentication Dial-In User Service (RADIUS) protocols are more secure than the TACACS encryption protocol. TACACS+ is described in RFC 1492.

TACACS+ protocol is more reliable than RADIUS, as TACACS+ uses the Transmission Control Protocol (TCP) whereas RADIUS uses the User Datagram Protocol (UDP). Also, RADIUS combines authentication and authorization in a user profile, whereas TACACS+ separates the two operations.

TACACS+ offers the following advantages over RADIUS as the authentication device:

TACACS+ is TCP-based, so it facilitates connection-oriented traffic.

It supports full-packet encryption, as opposed to password-only in authentication requests.

It supports decoupled authentication, authorization, and accounting.The following table describes the TACACS+ Server Configuration Menu options.Table 82 TACACS+ Server Configuration Menu options

Command

Description

 

 

prisrv <IP address>

Defines the primary TACACS+ server address.

 

 

secsrv <IP address>

Defines the secondary TACACS+ server address.

 

 

secret <1-32 characters>

This is the shared secret between the switch and the TACACS+ server(s).

 

 

secret2 <1-32 characters>

This is the secondary shared secret between the switch and the TACACS+

 

server(s).

 

 

port <TCP port number>Enter the number of the TCP port to be configured, between 1 - 65000. The

 

default is 49.

 

 

retries <1-3>

Sets the number of failed authentication requests before switching to a different

 

TACACS+ server. The range is 1-3 requests. The default is 3 requests.

 

 

timeout <4-15>Sets the amount of time, in seconds, before a TACACS+ server authentication

 

attempt is considered to have failed. The range is 4-15 seconds. The default is 5

 

seconds.

 

 

telnet enabledisable

Enables or disables the TACACS+ back door for telnet. The telnet command

 

also applies to SSH/SCP connections and the Browser-based Interface (BBI). This

 

command does not apply when secure backdoor (secbd) is enabled.

secbd enabledisable

Enables or disables the TACACS+ back door using secure password for telnet/SSH/ HTTP/HTTPS. This command does not apply when backdoor (telnet) is enabled.

cmap enabledisable

Enables or disables TACACS+ privilege-level mapping. The default value is disabled.

usermap <0-15>

Maps a TACACS+ authorization level to a GbE2c user level. Enter a TACACS+

 

useroperadminnone

authorization level (0-15), followed by the corresponding GbE2c user level.

 

 

 

 

on

Enables the TACACS+ server.

 

 

 

 

off

Disables the TACACS+ server.

 

 

 

 

cur

Displays current TACACS+ configuration parameters.

 

 

 

 

 

 

 

IMPORTANT: If TACACS+ is enabled, you must login using TACACS+ authentication when connecting via the console or Telnet/SSH/HTTP/HTTPS. Backdoor for console is always enabled, so you can connect using notacacs and the administrator password even if the backdoor (telnet) or secure backdoor (secbd) are disabled.

If Telnet backdoor is enabled (telnet ena), type in notacacs as a backdoor to bypass TACACS+ checking, and use the administrator password to log into the switch. The switch allows this even if TACACS+ servers are available.

If secure backdoor is enabled (secbd ena), type in notacacs as a backdoor to bypass TACACS+ checking, and use the administrator password to log into the switch. The switch allows this only if TACACS+ servers are not available.

Configuration Menu 95