The following section shows the steps required to configure TACACS+ on the switch.
Configure a key to be used by the TACACS+ server and the switch. In the example, the key is configured to the word secret.
Configure an IP address for the TACACS+ server. In the example the IP address for the primary server is 192.0.2.8, which is accessible by the Management Router VRF.
Configure the TACACS+ server to authenticate CLI sessions.
Enable TACACS+.
TACACS CONFIGURATION tacacs server host 192.0.2.8 key ****** tacacs protocol enable tacacs accounting enable cli tacacs authorization enable tacacs authorization level 6
The show tacacs output must show as global enable: true to confirm TACACS is enabled.
The output for the show tacacs command must display the IP addresses for the TACACS+ server. The IP addresses must be accessible to the Management Router VRF on the switch.
If you want to use the TACACS+ server to authenticate sessions in CLI, the output must display as authentication enabled for: cli. If you want to authenticate EDM sessions, the output must display as authentication enabled for: web.
Ensure the other parameters match what you have configured.
Global Status: global enable : true authentication enabled for : cli accounting enabled for : cli authorization : enabled User privilege levels set for command authorization : rwa Server: create : Prio Status Key Port IP address Timeout Single Source SourceEnabled Primary Conn ****** 49 192.0.2.8 10 false 0.0.0.0 false