tacacs-server

Configures a Terminal Access Controller Access-Control System plus (TACACS+) server.

Syntax

tacacs-server { host hostname } [ use-vrf vrf-name ] [ port portnum ] [ protocol { chap | pap } ] [ key shared_secret ] [ encryption-level value_level ] [ timeout secs ] [ retries num ] [ source-interface ip_address ]
no tacacs-server { host hostname } [ use-vrf vrf-name ] [ port portnum ] [ protocol { chap | pap } ] [ key shared_secret ] [ encryption-level value_level ] [ timeout secs ] [ retries num ] [ source-interface ip_address ]

Command Default

Refer to the Parameters section for specific defaults.

Parameters

host hostname
Specifies the IP address or domain name of the TACACS+ server. IPv4 and IPv6 addresses are supported.
use-vrf vrf-name
Specifies a VRF through which to communicate with the TACACS+ server. See the Usage Guidelines.
source-interface ip_address
Specifies the source interface for the TACACS+ server.
port portnum
Specifies the TCP port for authentication. Valid values range from 0 through 65535. The default is 49.
protocol { chap | pap }
Specifies the authentication protocol. Options include CHAP and PAP. The default is CHAP.
key shared_secret
Specifies the text string that is used as the shared secret between the device and the TACACS+ server to secure the message exchange. The key must be between 1 and 40 characters in length.
The default key is sharedsecret. The exclamation mark (!) is supported for RADIUS and TACACS+ servers. To include it, either enclose the key in double quotes or precede it with the escape character (\), for example "secret!key" or secret\!key. The only other valid characters are alphanumeric characters (a-z and 0-9) and underscores. No other special characters are allowed.
encryption-level value_level
Designates the encryption level for the shared secret key operation. This operand supports JITC certification and compliance. The valid values are 0 and 7, with 0 being clear text and 7 being the most heavily encrypted. The default value is 7.
timeout secs
Specifies the time to wait for the TACACS+ server to respond. The default is 5 seconds.
retries num
Specifies the number of attempts allowed to connect to a TACACS+ server. The default is 5 attempts.

Modes

Global configuration mode

Usage Guidelines

If a TACACS+ server with the specified IP address or host name does not exist, it is added to the server list. If the TACACS+ server already exists, this command modifies the configuration. The key parameter does not support an empty string.

Executing the no form of the tacacs-server command resets the specified attributes to their default values.

Before downgrading to a software version that does not support the encryption-level keyword, set the value of this keyword to 0. Otherwise, the firmware download will generate an error that requests this value be set to 0.

Before downgrading to a version that doesn't support tacacs-server source-interface, you must remove the source IP configuration using no source-interface. Otherwise, the firmware download process generates an error requesting that the cipher be reset.

By default, all management services are enabled on the management VRF ("mgmt-vrf") and the default VRF ("default-vrf").

If the encryption-level is zero (0) but the key entered is encrypted, the following error message is displayed: Error: Input key must be plain text when encryption-level selected is 0.
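The key rules above (1 to 40 characters, alphanumerics, underscores and an exclamation mark that must be quoted or backslash-escaped, no empty string) are easy to get wrong when keys are generated or pushed by automation. The following added example, which is not part of this reference and not the device's own code, checks a candidate key against those documented rules and renders the tacacs-server line in the syntax given above; treating uppercase letters as alphanumeric is an assumption.

```python
import re

# Characters the reference permits in a shared secret: alphanumerics,
# underscore and '!'. Uppercase letters are assumed to count as alphanumeric.
_ALLOWED = re.compile(r"[A-Za-z0-9_!]+")
KEY_MIN_LEN, KEY_MAX_LEN = 1, 40


def validate_key(key: str) -> list:
    """Return the list of documented rules a candidate key violates.

    An empty list means the key is acceptable: 1-40 characters drawn from
    alphanumerics, underscores and '!'. An empty key fails the length rule,
    matching the note that the key parameter does not support an empty string.
    """
    problems = []
    if not KEY_MIN_LEN <= len(key) <= KEY_MAX_LEN:
        problems.append(f"length {len(key)} outside {KEY_MIN_LEN}-{KEY_MAX_LEN}")
    if key and not _ALLOWED.fullmatch(key):
        bad = sorted({c for c in key if not _ALLOWED.fullmatch(c)})
        problems.append("disallowed characters: " + " ".join(repr(c) for c in bad))
    return problems


def render_key(key: str, style: str = "quote") -> str:
    """Render a valid key the way the CLI accepts it.

    A key containing '!' is either wrapped in double quotes ("secret!key")
    or has each '!' preceded by a backslash (secret\\!key).
    """
    problems = validate_key(key)
    if problems:
        raise ValueError("; ".join(problems))
    if "!" not in key:
        return key
    if style == "quote":
        return f'"{key}"'
    if style == "escape":
        return key.replace("!", "\\!")
    raise ValueError("style must be 'quote' or 'escape'")


def tacacs_server_command(host: str, key: str, encryption_level: int = 7,
                          style: str = "quote") -> str:
    """Build a tacacs-server line in the documented syntax, refusing a key
    the device would reject and an encryption-level other than 0 or 7."""
    if encryption_level not in (0, 7):
        raise ValueError("encryption-level must be 0 or 7")
    return (f"tacacs-server host {host} key {render_key(key, style)} "
            f"encryption-level {encryption_level}")
```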

Examples

To configure an IPv4 TACACS+ server:

device# configure terminal
device(config)# tacacs-server host 10.24.65.6
device(config-host-10.24.65.6/mgmt-vrf)# tacacs-server source-ip chassis-ip
device(config-host-10.24.65.6/mgmt-vrf)# protocol chap retries 100
device(config-host-10.24.65.6/mgmt-vrf)#

To modify an existing TACACS+ server configuration:

device# configure terminal
device(config)# tacacs-server host 10.24.65.6
device(config-tacacs-server-10.24.65.6/mgmt-vrf)# key "changedsec"

To delete a TACACS+ server:

device# configure terminal
device(config)# no tacacs-server host 10.24.65.6

To configure an IPv6 TACACS+ server:

device# configure terminal
device(config)# tacacs-server host fec0:60:69bc:94:211:25ff:fec4:6010
device(config-tacacs-server-fec0:60:69bc:94:211:25ff:fec4:6010/mgmt-vrf)# protocol chap key "mysecret"
device(config-tacacs-server-fec0:60:69bc:94:211:25ff:fec4:6010/mgmt-vrf)# tacacs-server source-ip chassis-ip
device(config-tacacs-server-fec0:60:69bc:94:211:25ff:fec4:6010/mgmt-vrf)#