TACACS+ Authentication

Configuring TACACS+ on the Switch

Name

Default

Range

 

 

 

[ key <key-string> ]

none (null)

n/a

Specifies the optional, global “encryption key” that is also assigned in the TACACS+ server(s) that the switch will access for authentication. This option is subordinate to any “per-server” encryption keys you assign, and applies only to accessing TACACS+ servers for which you have not given the switch a “per-server” key. (See the host <ip-addr> [key <key-string>entry at the beginning of this table.)

For more on the encryption key, see “Using the Encryption Key” on page 4-23and the documentation provided with your TACACS+ server application.

timeout <1 - 255>

5 sec

1 - 255 sec

Specifies how long the switch waits for a TACACS+ server to respond to an authentication request. If the switch does not detect a response within the timeout period, it initiates a new request to the next TACACS+ server in the list. If all TACACS+ servers in the list fail to respond within the timeout period, the switch uses either local authentication (if configured) or denies access (if none configured for local authentication).

Adding, Removing, or Changing the Priority of a TACACS+ Server.

Suppose that the switch was already configured to use TACACS+ servers at 10.28.227.10 and 10.28.227.15. In this case, 10.28.227.15 was entered first, and so is listed as the first-choice server:

First-Choice TACACS+ Server

Figure 4-4. Example of the Switch with Two TACACS+ Server Addresses Configured

To move the “first-choice” status from the “15” server to the “10” server, use the no tacacs-server host <ip-addr>command to delete both servers, then use tacacs-server host <ip-addr>to re-enter the “10” server first, then the “15” server.

The servers would then be listed with the new “first-choice” server, that is:

4-18