Add a TACACS+ Server

Add a primary and secondary TACACS+ server and specify the authentication process.

If you have a backup server configured, the AAA request goes to the backup server if the primary server is not available.

As a best practice, use the Identity Engines Ignition server as your TACACS+ server.

About this task

The TACACS+ server and the switch must have the same:
  • Encryption key

  • Connection mode (single connection or per-session connection; per-session connection is the same as multi-connection mode)

  • TCP port number

Procedure

  1. Enter Global Configuration mode:

    enable

    configure terminal

  2. Add a primary TACACS+ server with an encryption key:

    tacacs server host {A.B.C.D} key WORD<0–128>

  3. Optional: Configure the parameters for the primary TACACS+ server as required.
    1. Optional: Specify a single connection to maintain a constant connection between the switch and the TACACS+ daemon:

      tacacs server host {A.B.C.D} single-connection

      Note

      The TACACS+ daemon must also support this mode. If you do not configure this, the switch uses the default connection type, which is the per-session connection. Per-session is the same as multi-connection mode.

    2. Optional: Specify the TCP port to use when the switch connects to the TACACS+ daemon:

      tacacs server host {A.B.C.D} port <1–65535>

      The default port is 49.

    3. Optional: Specify the period of time (in seconds) the switch waits for a response from the TACACS+ daemon before it times out and shows an error:

      tacacs server host {A.B.C.D} timeout <10–30>

    4. Optional: Designate a fixed source IP address for all outgoing TACACS+ packets and enable this option:

      tacacs server host {A.B.C.D} source {A.B.C.D} source-ip-interface enable

      Note

      This step applies to VSP 8600 Series only.

  4. Specify the IP address of the secondary TACACS+ server and specify an encryption key:

    tacacs server secondary-host {A.B.C.D} key WORD<0–128>

  5. Optional: Configure the optional parameters on the secondary TACACS+ server as required.
    1. Optional: Specify a single connection for the secondary TACACS+ server to maintain a constant connection between the switch and the TACACS+ daemon:

      tacacs server secondary-host {A.B.C.D} single-connection

      Note

      The TACACS+ daemon must also support this mode. If you do not configure this, the switch uses the default connection type, which is the per-session connection. Per-session is the same as multi-connection mode.

    2. Optional: Specify the TCP port to use when the switch connects to the TACACS+ daemon:

      tacacs server secondary-host {A.B.C.D} port <1–65535>

    3. Optional: Specify the period of time (in seconds) the switch waits for a response from the TACACS+ daemon before it times out and shows an error:

      tacacs server secondary-host {A.B.C.D} timeout <10–30>

    4. Optional: Designate a fixed source IP address for all outgoing TACACS+ packets and enable this option:

      tacacs server secondary-host {A.B.C.D} source {A.B.C.D} source-ip-interface enable

      Note

      This step applies to VSP 8600 Series only.

  6. Display the status of the TACACS+ configuration:

    show tacacs

  7. Optional: Delete a primary TACACS+ server:

    no tacacs server host {A.B.C.D} [single-connection] [source source-ip-interface enable]

  8. Optional: Delete a backup TACACS+ server:

    no tacacs server secondary-host {A.B.C.D} [single-connection] [source source-ip-interface enable]

  9. Optional: Configure a primary TACACS+ server or secondary TACACS+ server to the default settings:

    default tacacs server {A.B.C.D} [port] [single-connection] [source source-ip-interface enable] [timeout]

Example

Configure the primary server with the IP address 192.0.2.1 and the encryption key 1dt4ly. Configure the secondary server with the IP address 198.51.100.2 and the same encryption key 1dt4ly. Display the configuration to verify it, then remove both servers.

Switch:1>enable
Switch:1#configure terminal
Switch:1(config)#tacacs server host 192.0.2.1 key 1dt4ly
Switch:1(config)#tacacs server secondary-host 198.51.100.2 key 1dt4ly
Switch:1(config)#show tacacs

Global Status:

   global enable : true

   authentication enabled for : cli 

   accounting enabled for : none 

   authorization : disabled

   User privilege levels set for command authorization : None

Server:
                   create :

Prio      Status  Key         Port  IP address      Timeout Single Source          SourceEnabled 
Primary   Conn    ******     49    192.0.2.1       10      false  0.0.0.0         false         
Backup    NotConn ******     49    198.51.100.2    10      false  0.0.0.0         false         


Switch:1(config)#no tacacs server host 192.0.2.1
Switch:1(config)#no tacacs server secondary-host 198.51.100.2

Variable Definitions

The following list defines the parameters for the tacacs server host and tacacs server secondary-host commands. Each entry gives the variable followed by its value.

{A.B.C.D}
    Specifies the IP address of the TACACS+ server you want to add. Only IPv4 addresses are valid.

key WORD<0–128>
    Configures the authentication and encryption key for all TACACS+ communications between the device and the TACACS+ server. A key length of zero means no encryption is used: the TACACS+ packet bodies, including user credentials, cross the network in cleartext, so always configure a non-empty key. Even with a key, TACACS+ body encryption is an MD5-based pseudo-pad (RFC 8907), not a modern cipher, so keep TACACS+ traffic on a protected management network.
    You must configure the same encryption key for the TACACS+ server and the switch.

port <1–65535>
    Configures the TCP port on which the client establishes a connection to the server. A value of 0 indicates that the system default value is used. The default is 49.
    You must configure the same TCP port for the TACACS+ server and the switch.

single-connection
    Specifies whether the TCP connection between the device and the TACACS+ server is a single connection. If you specify single-connection, the connection between the switch and the TACACS+ daemon remains open, which is more efficient because it allows the daemon to handle a higher number of TACACS+ operations. The switch tears down the single connection if TACACS+ is disabled because of inactivity.
    If you do not configure this, the switch uses the default connection type, which is multi-connection. With multi-connection, the connection opens and closes each time the switch and the TACACS+ daemon communicate.
    Note: You must configure the same connection mode for the TACACS+ server and the switch. To enable single-connection, the TACACS+ daemon must also support this mode.

source {A.B.C.D}
    Note: Exception: supported on VSP 8600 Series only.
    Designates a fixed source IP address for all outgoing TACACS+ packets, which is useful if the switch has many interfaces and you want to make sure all TACACS+ packets from a given switch carry the same source IP address (for example, so the TACACS+ server can match the client entry and key for that address).
    If you do not configure an address, the system uses 0.0.0.0 as the default. Only IPv4 addresses are valid.
    Note: If you configure a valid source IP address that is not 0.0.0.0 without enabling source-ip-interface, the source IP address returns to 0.0.0.0.

source-ip-interface enable
    Note: Exception: supported on VSP 8600 Series only.
    Enables the source address. You must enable this parameter if you configure a valid source IP address. The default is disabled.

timeout <10–30>
    Configures the maximum time, in seconds, to wait for this TACACS+ server to reply before it times out. The default value is 10 seconds.
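The key requirement above is easier to reason about once you see what the shared key actually does on the wire. The following is an added example (not code from the switch or from this document) that implements the TACACS+ packet header and the MD5 pseudo-pad body obfuscation from RFC 8907 section 4.5, then shows three cases: matching keys round-trip the body, a mismatched key produces garbage (the "same encryption key" requirement), and an empty key sets the TAC_PLUS_UNENCRYPTED_FLAG and leaves the username readable in the packet (the "key length zero" case). The session ID, username, port and addresses are constructed sample values; the key reuses the page's example key 1dt4ly.

```python
"""TACACS+ header and body obfuscation (RFC 8907 section 4.5), added example."""
import hashlib
import struct

TAC_PLUS_MAJOR_VER = 0xC            # version byte is 0xC0 for minor version 0
TAC_PLUS_MINOR_VER_DEFAULT = 0x0
TAC_PLUS_AUTHEN = 0x01              # packet type: authentication
TAC_PLUS_UNENCRYPTED_FLAG = 0x01    # header flag: body is sent in cleartext
HEADER_LEN = 12                     # version, type, seq_no, flags, session_id(4), length(4)


def pseudo_pad(session_id: int, key: bytes, version: int, seq_no: int, length: int) -> bytes:
    """MD5_1 = MD5(session_id|key|version|seq_no); MD5_n = MD5(... | MD5_n-1)."""
    sid = struct.pack("!I", session_id)
    pad, prev = b"", b""
    while len(pad) < length:
        prev = hashlib.md5(sid + key + bytes([version, seq_no]) + prev).digest()
        pad += prev
    return pad[:length]


def obfuscate_body(body: bytes, key: bytes, session_id: int, version: int, seq_no: int) -> bytes:
    """XOR the body with the pseudo-pad. XOR is its own inverse, so this also decodes."""
    if not key:
        return body  # zero-length key: RFC 8907 says the body is not obfuscated at all
    pad = pseudo_pad(session_id, key, version, seq_no, len(body))
    return bytes(b ^ p for b, p in zip(body, pad))


def authen_start_body(user: bytes, port: bytes, rem_addr: bytes, data: bytes = b"") -> bytes:
    """Authentication START body (RFC 8907 section 5.1):
    action=LOGIN(1), priv_lvl=1, authen_type=ASCII(1), authen_service=LOGIN(1)."""
    fixed = struct.pack("!BBBBBBBB", 0x01, 0x01, 0x01, 0x01,
                        len(user), len(port), len(rem_addr), len(data))
    return fixed + user + port + rem_addr + data


def build_packet(body: bytes, key: bytes, session_id: int, seq_no: int = 1,
                 ptype: int = TAC_PLUS_AUTHEN) -> bytes:
    """Prepend the 12-byte header and obfuscate the body with the shared key."""
    version = (TAC_PLUS_MAJOR_VER << 4) | TAC_PLUS_MINOR_VER_DEFAULT
    flags = 0 if key else TAC_PLUS_UNENCRYPTED_FLAG
    header = struct.pack("!BBBBII", version, ptype, seq_no, flags, session_id, len(body))
    return header + obfuscate_body(body, key, session_id, version, seq_no)


def parse_packet(packet: bytes, key: bytes):
    """Return (body, was_obfuscated). With the wrong key the body comes back as garbage,
    which is exactly why the switch and the server must share the same key."""
    version, _ptype, seq_no, flags, session_id, length = struct.unpack("!BBBBII", packet[:HEADER_LEN])
    body = packet[HEADER_LEN:HEADER_LEN + length]
    if flags & TAC_PLUS_UNENCRYPTED_FLAG:
        return body, False
    return obfuscate_body(body, key, session_id, version, seq_no), True


def demo():
    key = b"1dt4ly"                          # the page's example key
    session_id = 0x1A2B3C4D                  # constructed sample session ID
    body = authen_start_body(b"admin", b"tty0", b"192.0.2.50")   # constructed sample login
    keyed = build_packet(body, key, session_id)
    clear = build_packet(body, b"", session_id)
    return {
        "roundtrip_ok": parse_packet(keyed, key) == (body, True),
        "wrong_key_garbage": parse_packet(keyed, b"wrong-key")[0] != body,
        "user_hidden_with_key": b"admin" not in keyed,
        "user_visible_without_key": b"admin" in clear and clear[3] == TAC_PLUS_UNENCRYPTED_FLAG,
    }


if __name__ == "__main__":
    print(demo())
```

The body obfuscation is symmetric and keyed only by the shared secret plus header fields that travel in the clear, so anyone who learns the key can decode every session they capture; that is the reason to treat the key as a credential and to keep TACACS+ on a management network rather than relying on the pseudo-pad alone.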

Job Aid

The following list describes the fields in the output of the show tacacs command. Each entry gives the field name followed by its description.

Global Status

global enable
    Displays whether the TACACS+ feature is enabled globally.

authentication enabled for
    Displays which application is authenticated by TACACS+. The possibilities are CLI, web, or all.

accounting enabled for
    Displays whether accounting is enabled. You can only enable accounting for CLI. By default, accounting is not enabled.

authorization
    Displays whether authorization is enabled.

User privilege levels set for command authorization
    Displays the privilege levels set for command authorization. When you configure command authorization for a particular level, all commands that you execute are sent to the TACACS+ server for authorization. The device can only execute the commands the TACACS+ server authorizes.

    The user privilege levels are:

      • 0: denied access

      • 1: read only (ro) access

      • 2: Layer 1 read and write (l1) access

      • 3: Layer 2 read and write (l2) access

      • 4: Layer 3 read and write (l3) access

      • 5: read and write (rw) access

      • 6: read and write all (rwa) access

      • 7-14: denied access

      • 15: read and write all (rwa) access

Server

Prio
    Displays the priority of the TACACS+ server. The switch attempts to use the primary server first, and the secondary server second.

Status
    Displays the connection status between the server and the switch: connected or not connected.

Key
    Displays as ****** instead of the actual key. The key is secret and is not visible.

Port
    Displays the TCP port used to establish the connection to the server. The default port is 49.

IP address
    Displays the IP address for the primary and secondary TACACS+ servers.

Timeout
    Displays the period of time, in seconds, the switch waits for a response from the TACACS+ daemon before it times out and declares an error. The default is 10 seconds.

Single
    Displays whether a single open connection is maintained between the switch and the TACACS+ daemon, or whether the switch opens and closes the TCP connection to the TACACS+ daemon each time they communicate. The default is false, which means the device does not maintain the single open connection.

Source
    Note: Exception: supported on VSP 8600 Series only.
    Displays the fixed source IP address, if you configure one, for all outgoing TACACS+ packets.

SourceEnabled
    Note: Exception: supported on VSP 8600 Series only.
    Displays whether the fixed source IP address is enabled for all outgoing TACACS+ packets.
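Because show tacacs is the only check in the procedure, it is worth being able to audit its output mechanically across a fleet. The following is an added example (not code from the switch or this document) that parses the show tacacs output format described above and checks it against the requirements stated on this page: TACACS+ enabled globally, CLI authentication handled by TACACS+, a primary server that is connected, a backup server present, and the same port and connection mode on both servers; it also flags accounting and authorization left at their disabled defaults. The sample output is a constructed copy of the Example section's output; the finding codes are this example's own names, and the check treats any value other than the literal strings shown on this page ("true", "cli", "all", "Conn", "disabled") as a failure, which is an assumption about how other states are displayed.

```python
"""Parse and audit 'show tacacs' output, added example."""

# Constructed sample: a copy of the show tacacs output from the Example section above.
SAMPLE_SHOW_TACACS = """\
Global Status:

   global enable : true

   authentication enabled for : cli

   accounting enabled for : none

   authorization : disabled

   User privilege levels set for command authorization : None

Server:
                   create :

Prio      Status  Key         Port  IP address      Timeout Single Source          SourceEnabled
Primary   Conn    ******     49    192.0.2.1       10      false  0.0.0.0         false
Backup    NotConn ******     49    198.51.100.2    10      false  0.0.0.0         false
"""

# Column order of the server rows, as shown in the output header.
SERVER_COLUMNS = ("prio", "status", "key", "port", "ip", "timeout",
                  "single", "source", "source_enabled")


def parse_show_tacacs(text: str):
    """Return (global_status: dict, servers: list of dict) from show tacacs output."""
    global_status, servers = {}, []
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if line.startswith(("Primary", "Backup")):
            fields = line.split()
            if len(fields) != len(SERVER_COLUMNS):
                raise ValueError(f"unexpected server row: {line!r}")
            row = dict(zip(SERVER_COLUMNS, fields))
            row["port"] = int(row["port"])
            row["timeout"] = int(row["timeout"])
            row["single"] = row["single"] == "true"
            row["source_enabled"] = row["source_enabled"] == "true"
            servers.append(row)
        elif ":" in line and not line.endswith(":"):
            # "name : value" lines of the Global Status block; section headers end with ":"
            name, _, value = line.partition(":")
            global_status[name.strip()] = value.strip()
    return global_status, servers


def audit(global_status: dict, servers: list) -> list:
    """Check the parsed output against this page's requirements. Returns finding codes."""
    findings = []
    if global_status.get("global enable") != "true":
        findings.append("tacacs-globally-disabled")
    authn = global_status.get("authentication enabled for", "").lower()
    if authn not in ("cli", "all"):
        findings.append("cli-authentication-not-tacacs")
    if global_status.get("accounting enabled for", "none").lower() == "none":
        findings.append("accounting-disabled")
    if global_status.get("authorization", "disabled").lower() == "disabled":
        findings.append("authorization-disabled")

    by_prio = {s["prio"]: s for s in servers}
    primary, backup = by_prio.get("Primary"), by_prio.get("Backup")
    if primary is None:
        findings.append("no-primary-server")
    elif primary["status"] != "Conn":
        findings.append("primary-not-connected")
    if backup is None:
        findings.append("no-backup-server")   # no failover if the primary goes away
    if primary and backup:
        # Both servers must agree with the daemon on port and connection mode;
        # a mismatch between the two rows means at least one of them is wrong.
        for field in ("port", "single"):
            if primary[field] != backup[field]:
                findings.append(f"server-{field}-mismatch")
    return findings


if __name__ == "__main__":
    status, rows = parse_show_tacacs(SAMPLE_SHOW_TACACS)
    for code in audit(status, rows) or ["no findings"]:
        print(code)
```

On the page's own sample the only findings are the two disabled AAA functions; the port and single-connection checks are the ones that catch the mismatches the "About this task" section warns about, since a wrong port or mode on one server shows up as a row that disagrees with its peer.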