Add a TACACS+ Server
Add a primary and secondary TACACS+ server and specify the authentication process.
If you have a backup server configured, the AAA request goes to the backup server if the primary server is not available.
As a best practice, use the Identity Engines Ignition server as your TACACS+ server.
About this task
- Encryption key
- Connection mode (single connection or per-session connection; per-session connection is the same as multi-connection mode)
- TCP port number
Procedure
Example
```
Switch:1>enable
Switch:1#configure terminal
Switch:1(config)#tacacs server host 192.0.2.1 key 1dt4ly
Switch:1(config)#tacacs server secondary-host 198.51.100.2 key 1dt4ly
Switch:1(config)#show tacacs

Global Status:
    global enable : true
    authentication enabled for : cli
    accounting enabled for : none
    authorization : disabled
    User privilege levels set for command authorization : None

Server:
    create :
Prio    Status   Key     Port  IP address     Timeout  Single  Source   SourceEnabled
Primary Conn     ******  49    192.0.2.1      10       false   0.0.0.0  false
Backup  NotConn  ******  49    198.51.100.2   10       false   0.0.0.0  false

Switch:1(config)#no tacacs server host 192.0.2.1
Switch:1(config)#no tacacs server secondary-host 198.51.100.2
```
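Checking the result of this procedure is easier if the `show tacacs` output is parsed rather than read by eye. The following script is an added example; it is not part of the switch documentation or the switch software. It parses the Global Status block and the Server table in the layout the session above prints, then reports the conditions a reviewer would want flagged: TACACS+ disabled globally, a server that is not connected, a missing key, a timeout outside the documented 10-30 second range, primary and backup on different TCP ports, a fixed source address without SourceEnabled, and no backup server at all. `SAMPLE_OUTPUT` is constructed from the page's example; the handling of a blank Key column is an assumption, since the page only shows the masked `******` form.

```python
"""Audit 'show tacacs' output against the settings documented on this page.

Added example, not the switch's own code. SAMPLE_OUTPUT is constructed
from the example session above.
"""
from dataclasses import dataclass

SAMPLE_OUTPUT = """\
Global Status:
    global enable : true
    authentication enabled for : cli
    accounting enabled for : none
    authorization : disabled
    User privilege levels set for command authorization : None

Server:
    create :
Prio    Status   Key     Port  IP address     Timeout  Single  Source   SourceEnabled
Primary Conn     ******  49    192.0.2.1      10       false   0.0.0.0  false
Backup  NotConn  ******  49    198.51.100.2   10       false   0.0.0.0  false
"""

SERVER_COLUMNS = 9  # Prio Status Key Port IP Timeout Single Source SourceEnabled


@dataclass
class TacacsServer:
    prio: str
    status: str
    key_set: bool
    port: int
    address: str
    timeout: int
    single: bool
    source: str
    source_enabled: bool


def parse_show_tacacs(text):
    """Return (global_status dict, list of TacacsServer) from show tacacs output."""
    global_status = {}
    servers = []
    in_server_table = False
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if line.startswith("Server:"):
            in_server_table = True
            continue
        if not in_server_table:
            # "name : value" lines under Global Status; the section header has no value
            name, sep, value = line.partition(":")
            if sep and value.strip():
                global_status[name.strip()] = value.strip()
            continue
        fields = line.split()
        if fields[0] in ("create", "Prio"):
            continue  # the 'create :' line and the column header
        if len(fields) == SERVER_COLUMNS - 1:
            # Assumption: a zero-length key leaves the Key column blank; the page
            # only documents the masked ****** form. Treat the row as having no key.
            fields.insert(2, "")
        if len(fields) != SERVER_COLUMNS:
            continue  # a row in a layout this parser does not understand
        prio, status, key, port, address, timeout, single, source, src_en = fields
        servers.append(TacacsServer(
            prio=prio, status=status,
            key_set=(key == "******"),  # a configured key is always masked
            port=int(port), address=address, timeout=int(timeout),
            single=(single == "true"), source=source,
            source_enabled=(src_en == "true"),
        ))
    return global_status, servers


def audit(global_status, servers):
    """Return human-readable findings; an empty list means nothing to flag."""
    findings = []
    if global_status.get("global enable") != "true":
        findings.append("TACACS+ is not enabled globally")
    if len(servers) < 2:
        findings.append("no backup server configured; AAA has no fallback if the primary is unreachable")
    if len({s.port for s in servers}) > 1:
        findings.append("primary and backup servers use different TCP ports")
    for s in servers:
        who = f"{s.prio} server {s.address}"
        if s.status != "Conn":
            findings.append(f"{who} is not connected ({s.status})")
        if not s.key_set:
            findings.append(f"{who} has no key: TACACS+ packet bodies are sent without obfuscation")
        if not 10 <= s.timeout <= 30:
            findings.append(f"{who} timeout {s.timeout}s is outside the documented 10-30 s range")
        if s.source != "0.0.0.0" and not s.source_enabled:
            findings.append(f"{who} has fixed source {s.source} but source-ip-interface is not enabled; the switch resets it to 0.0.0.0")
    return findings


def audit_text(text):
    return audit(*parse_show_tacacs(text))


if __name__ == "__main__":
    for finding in audit_text(SAMPLE_OUTPUT) or ["no findings"]:
        print(finding)
```

Run against the page's example it reports only that the backup server is not connected, which matches the `NotConn` status in the table; the other checks pass because both servers share port 49, a masked key, a 10 second timeout and no fixed source address.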
Variable Definitions
The following table defines parameters for the tacacs server host and the tacacs server secondary-host commands.
| Variable | Value |
|---|---|
| {A.B.C.D} | Specifies the IP address of the TACACS+ server you want to add. Only IPv4 addresses are valid. |
| key WORD <0-128> | Configures the authentication and encryption key for all TACACS+ communications between the device and the TACACS+ server. A key length of zero means no encryption is used. You must configure the same encryption key on the TACACS+ server and the switch. |
| port <1-65535> | Configures the TCP port on which the client establishes the connection to the server. A value of 0 means the system-specified default is used. The default is 49. You must configure the same TCP port on the TACACS+ server and the switch. |
| single-connection | Specifies whether the TCP connection between the device and the TACACS+ server is a single connection. If you specify single-connection, the connection between the switch and the TACACS+ daemon remains open, which is more efficient because it allows the daemon to handle a higher number of TACACS+ operations. The single connection is torn down if TACACS+ is disabled due to inactivity. If you do not configure this parameter, the switch uses the default connection type, multi-connection, in which the connection opens and closes each time the switch and the TACACS+ daemon communicate. Note: You must configure the same connection mode on the TACACS+ server and the switch. To enable single-connection, the TACACS+ daemon must also support this mode. |
| source {A.B.C.D} Note: Exception: only supported on VSP 8600 Series. | Designates a fixed source IP address for all outgoing TACACS+ packets, which is useful if the router has many interfaces and you want all TACACS+ packets from a particular router to carry the same source IP address. If you do not configure an address, the system uses 0.0.0.0 as the default. Only IPv4 addresses are valid. Note: If you configure a valid source IP address other than 0.0.0.0 without enabling source-ip-interface, the source IP address reverts to 0.0.0.0. |
| source-ip-interface enable Note: Exception: only supported on VSP 8600 Series. | Enables the source address. You must enable this parameter if you configure a valid source IP address. The default is disabled. |
| timeout <10-30> | Configures the maximum time, in seconds, to wait for this TACACS+ server to reply before it times out. The default is 10 seconds. |
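The `key` and `single-connection` parameters in the table above map directly onto fields of the TACACS+ packet defined in RFC 8907. The following is an added example, not part of the switch documentation or the switch software: it builds the 12-byte header and applies the body obfuscation the RFC specifies, where the body is XORed with an MD5-derived pseudo-pad keyed by the shared secret, so the key is the only thing keeping credentials in the body from being readable on the wire. With a zero-length key the body is sent in clear and `TAC_PLUS_UNENCRYPTED_FLAG` is set; single-connection mode is signalled with `TAC_PLUS_SINGLE_CONNECT_FLAG` in the same flags byte. The session id and body bytes in the demo are constructed values.

```python
"""TACACS+ header and body obfuscation per RFC 8907 sections 4.1 and 4.5.

Added example, not the switch's own code. Constant names and values are
those of the RFC; sample session id and body are constructed.
"""
import hashlib
import struct

TAC_PLUS_MAJOR_VER = 0xC
TAC_PLUS_MINOR_VER_DEFAULT = 0x0
TAC_PLUS_AUTHEN = 0x01               # packet type: authentication
TAC_PLUS_UNENCRYPTED_FLAG = 0x01     # body sent in clear (zero-length key)
TAC_PLUS_SINGLE_CONNECT_FLAG = 0x04  # client asks to keep the TCP session open
HEADER = struct.Struct("!BBBBII")    # version, type, seq_no, flags, session_id, length


def pseudo_pad(session_id, key, version, seq_no, length):
    """MD5_1 = MD5(session_id, key, version, seq_no); MD5_n appends MD5_{n-1}.

    The pad is the concatenation of those digests, truncated to the body length.
    """
    prefix = struct.pack("!I", session_id) + key + bytes([version, seq_no])
    pad, prev = b"", b""
    while len(pad) < length:
        prev = hashlib.md5(prefix + prev).digest()
        pad += prev
    return pad[:length]


def obfuscate(body, session_id, key, version, seq_no):
    """XOR the body with the pseudo-pad; applying it twice restores the body."""
    pad = pseudo_pad(session_id, key, version, seq_no, len(body))
    return bytes(b ^ p for b, p in zip(body, pad))


def build_packet(body, key, session_id, seq_no=1, single_connect=False,
                 pkt_type=TAC_PLUS_AUTHEN):
    """Return header + body as the client would send it for the given key."""
    version = (TAC_PLUS_MAJOR_VER << 4) | TAC_PLUS_MINOR_VER_DEFAULT
    flags = TAC_PLUS_SINGLE_CONNECT_FLAG if single_connect else 0
    if key:
        wire_body = obfuscate(body, session_id, key, version, seq_no)
    else:
        flags |= TAC_PLUS_UNENCRYPTED_FLAG  # no key configured: body in clear
        wire_body = body
    return HEADER.pack(version, pkt_type, seq_no, flags, session_id, len(body)) + wire_body


def parse_packet(packet, key):
    """Return (flags, body) after undoing the obfuscation with the given key."""
    version, pkt_type, seq_no, flags, session_id, length = HEADER.unpack_from(packet)
    wire_body = packet[HEADER.size:HEADER.size + length]
    if flags & TAC_PLUS_UNENCRYPTED_FLAG:
        return flags, wire_body
    return flags, obfuscate(wire_body, session_id, key, version, seq_no)


if __name__ == "__main__":
    key = b"1dt4ly"                      # the key used in the page's example
    body = b"constructed authen body"    # constructed, not a real START packet
    pkt = build_packet(body, key, session_id=0x1234ABCD, single_connect=True)
    print("flags=0x%02x body on wire: %s" % (pkt[3], pkt[12:].hex()))
    print("recovered with key:", parse_packet(pkt, key)[1])
    print("recovered with wrong key:", parse_packet(pkt, b"other")[1])
    clear = build_packet(body, b"", session_id=0x1234ABCD)
    print("zero-length key: flags=0x%02x body=%r" % (clear[3], clear[12:]))
```

Because the pad depends only on the session id, key, version and sequence number, the same function both obfuscates and recovers the body, and anyone who knows the key can recover it from a capture; that is why the table insists the key be configured identically on both ends and why a zero-length key leaves the body readable.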
Job Aid
The following table describes the fields in the output for the show tacacs command.
| Name | Description |
|---|---|
| Global Status | |
| global enable | Displays whether the TACACS+ feature is enabled globally. |
| authentication enabled for | Displays which application is authenticated by TACACS+: CLI, web, or all. |
| accounting enabled for | Displays whether accounting is enabled. You can enable accounting only for CLI. By default, accounting is not enabled. |
| authorization | Displays whether authorization is enabled. |
| User privilege levels set for command authorization | Displays the privilege levels set for command authorization. When you configure command authorization for a particular level, all commands that you execute are sent to the TACACS+ server for authorization. The device can execute only the commands the TACACS+ server authorizes. The user privilege levels are: |
| Server | |
| Prio | Displays the priority of the TACACS+ server. The switch attempts to use the primary server first and the secondary server second. |
| Status | Displays the connection status between the server and the switch: connected or not connected. |
| Key | Displays ****** instead of the actual key. The key is secret and is not visible. |
| Port | Displays the TCP port used to establish the connection to the server. The default port is 49. |
| IP address | Displays the IP address of the primary and secondary TACACS+ servers. |
| Timeout | Displays the period of time, in seconds, the switch waits for a response from the TACACS+ daemon before it times out and declares an error. The default is 10 seconds. |
| Single | Displays whether a single open connection is maintained between the switch and the TACACS+ daemon, or whether the switch opens and closes the TCP connection to the TACACS+ daemon each time they communicate. The default is false, which means the device does not maintain a single open connection. |
| Source Note: Exception: only supported on VSP 8600 Series. | Displays the fixed source IP address, if you configure one, for all outgoing TACACS+ packets. |
| SourceEnabled Note: Exception: only supported on VSP 8600 Series. | Displays whether the fixed source IP address is enabled for all outgoing TACACS+ packets. |