9-21
Using Passwords and TACACS+ To Protect Against Unauthorized Access
TACACS+ Authentication for Central Control of Switch Access Security
Name: host <ip-addr> [key <key-string>]
Default: none
Range: n/a
Specifies the IP address of a device running a TACACS+ server application. Optionally, can also specify the unique, per-server encryption key to use when each assigned server has its own, unique key. For more on the encryption key, see “Using the Encryption Key” on page 26 and the documentation provided with your TACACS+ server application.
You can enter up to three IP addresses; one first-choice and two (optional) backups (one second-choice and one third-choice).
Use show tacacs to view the current IP address list.
If the first-choice TACACS+ server fails to respond to a request, the switch tries the second address, if any, in the show tacacs list. If the second address also fails, then the switch tries the third address, if any.
(See figure 9-6, "Example of the Switch’s TACACS+ Configuration Listing" on page 15.)
The priority (first-choice, second-choice, and third-choice) of a TACACS+ server in the switch’s TACACS+ configuration depends on the order in which you enter the server IP addresses:
1. When there are no TACACS+ servers configured, entering a server IP address makes that server the first-choice TACACS+ server.
2. When there is one TACACS+ server already configured, entering another server IP address makes that server the second-choice (backup) TACACS+ server.
3. When there are two TACACS+ servers already configured, entering another server IP address makes that server the third-choice (backup) TACACS+ server.
• The above position assignments are fixed. Thus, if you remove one server and replace it with another, the new server assumes the priority position that the removed server had. For example, suppose you configured three servers, A, B, and C, in this order:
First-Choice: A
Second-Choice: B
Third-Choice: C
• If you removed server B and then entered server X, the TACACS+ server order of priority would be:
First-Choice: A
Second-Choice: X
Third-Choice: C
• If there are two or more vacant slots in the TACACS+ server priority list and you enter a new IP address, the new address will take the vacant slot with the highest priority. Thus, if A, B, and C are configured as above and you (1) remove A and B, and (2) enter X and Y (in that order), then the new TACACS+ server priority list would be X, Y, and C.
• The easiest way to change the order of the TACACS+ servers in the priority list is to remove all server addresses in the list and then re-enter them in order, with the new first-choice server address first, and so on.
To add a new address to the list when there are already three addresses present, you must first remove one of the currently listed addresses.
See also “General Authentication Process Using a TACACS+ Server” on page 24.
Name: key <key-string>
Default: none (null)
Range: n/a
Specifies the optional, global "encryption key" that is also assigned in the TACACS+ server(s) that the switch will access for authentication. This option is subordinate to any "per-server" encryption keys you assign, and applies only to accessing TACACS+ servers for which you have not given the switch a "per-server" key. (See the host <ip-addr> [key <key-string>] entry at the beginning of this table.)
For more on the encryption key, see “Using the Encryption Key” on page 26 and the documentation provided with your TACACS+ server application.
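The slot rules for host <ip-addr> (fixed first/second/third-choice positions, a new address taking the highest vacant slot, failover down the list) and the precedence of a per-server key over the global key <key-string> are easy to misread; the model below is an added example written for this page, not switch firmware or any vendor code, and uses constructed placeholder addresses A, B, C, X and Y in place of real IP addresses.

```python
from typing import Callable, Dict, List, Optional

MAX_SERVERS = 3  # the switch holds at most three TACACS+ server addresses


class TacacsServerList:
    """Hypothetical model of the switch's TACACS+ server slots and key precedence."""

    def __init__(self, global_key: Optional[str] = None) -> None:
        self.slots: List[Optional[str]] = [None] * MAX_SERVERS  # one address per slot
        self.keys: Dict[str, str] = {}  # per-server keys, keyed by address
        self.global_key = global_key  # the global 'key <key-string>' setting

    def add_host(self, addr: str, key: Optional[str] = None) -> int:
        """'host <ip-addr> [key <key-string>]': fill the highest-priority vacant slot."""
        if addr in self.slots:
            raise ValueError(f"{addr} is already configured")
        if None not in self.slots:
            raise ValueError("three servers configured; remove one before adding")
        slot = self.slots.index(None)  # first vacant slot is the highest vacant priority
        self.slots[slot] = addr
        if key is not None:
            self.keys[addr] = key
        return slot  # 0 = first-choice, 1 = second-choice, 2 = third-choice

    def remove_host(self, addr: str) -> None:
        """Vacate the slot only; the remaining servers keep their positions."""
        if addr not in self.slots:
            raise ValueError(f"{addr} is not configured")
        self.slots[self.slots.index(addr)] = None
        self.keys.pop(addr, None)

    def priority_list(self) -> List[str]:
        """Order in which the switch tries servers (the order 'show tacacs' lists)."""
        return [a for a in self.slots if a is not None]

    def key_for(self, addr: str) -> Optional[str]:
        """Per-server key takes precedence; the global key applies only otherwise."""
        if addr not in self.slots:
            raise ValueError(f"{addr} is not configured")
        return self.keys.get(addr, self.global_key)

    def try_servers(self, responds: Callable[[str], bool]) -> Optional[str]:
        """Failover: try first-choice, then second, then third; return the responder."""
        for addr in self.priority_list():
            if responds(addr):
                return addr
        return None  # no configured server answered
```

Running the manual's own sequence (configure A, B, C; remove B; enter X) through add_host and remove_host reproduces the A, X, C ordering, and removing A and B before entering X and Y yields X, Y, C.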