TACACS+ Authentication

Configuring TACACS+ on the Switch

 

Using the Encryption Key

 

General Operation

 

When used, the encryption key (sometimes termed “key”, “secret key”, or

 

“secret”) helps to prevent unauthorized intruders on the network from reading

 

username and password information in TACACS+ packets moving between

 

the switch and a TACACS+ server. At the TACACS+ server, a key may include

 

both of the following:

 

Global key: A general key assignment in the TACACS+ server appli-

 

cation that applies to all TACACS-aware devices for which an indi-

 

vidual key has not been configured.

 

Server-Specific key: A unique key assignment in the TACACS+

 

server application that applies to a specific TACACS-aware device.

 

 

Note

Configure a key in the switch only if the TACACS+ server application has this

 

exact same key configured for the switch. That is, if the key parameter in

 

switch “X” does not exactly match the key setting for switch “X” in the

 

TACACS+ server application, then communication between the switch and

 

the TACACS+ server will fail.

 

Thus, on the TACACS+ server side, you have a choice as to how to implement

 

 

a key. On the switch side, it is necessary only to enter the key parameter so

 

that it exactly matches its counterpart in the server. For information on how

 

to configure a general or individual key in the TACACS+ server, refer to the

 

documentation you received with the application.

 

Encryption Options in the Switch

 

When configured, the encryption key causes the switch to encrypt the

 

TACACS+ packets it sends to the server. When left at “null”, the TACACS+

 

packets are sent in clear text. The encryption key (or just “key”) you configure

 

in the switch must be identical to the encryption key configured in the

 

corresponding TACACS+ server. If the key is the same for all TACACS+

 

servers the switch will use for authentication, then configure a global key in

 

the switch. If the key is different for one or more of these servers, use “server-

 

specific” keys in the switch. (If you configure both a global key and one or

 

more per-server keys, the per-server keys will override the global key for the

 

specified servers.)

4-23