TACACS+ configuration on the switch

The following section shows the steps required to configure TACACS+ on the switch.

The example shows how to:
  • Configure a key to be shared by the TACACS+ server and the switch. In the example, the key is configured as the word secret.

  • Configure an IP address for the TACACS+ server. In the example, the IP address of the primary server is 192.0.2.8, which is reachable through the Management Router VRF.

  • Configure the TACACS+ server to authenticate CLI sessions.

  • Enable TACACS+.

Switch

TACACS CONFIGURATION

tacacs server host 192.0.2.8 key ******
tacacs protocol enable
tacacs accounting enable cli
tacacs authorization enable
tacacs authorization level 6

Verify your configuration

The show tacacs output must show global enable : true to confirm that TACACS+ is enabled.

The output of the show tacacs command must display the IP addresses of the TACACS+ Identity Engines Ignition Server. The IP addresses must be reachable from the Management Router VRF on the switch.

If you want to use the TACACS+ server to authenticate CLI sessions, the output must display authentication enabled for : cli. If you want to authenticate EDM sessions, the output must display authentication enabled for : web.

Ensure the other parameters match what you have configured.

Global Status:

   global enable : true

   authentication enabled for : cli

   accounting enabled for : cli

   authorization : enabled

   User privilege levels set for command authorization : rwa

Server:
                      create :

Prio     Status  Key     Port  IP address  Timeout  Single  Source   SourceEnabled
Primary  Conn    ******  49    192.0.2.8   10       false   0.0.0.0  false
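As an added example, not part of this document or of the switch software, the following Python check parses captured show tacacs output (the sample below is constructed from the verification output in this section) and reports any deviation from the expected state described above. It assumes that a server status other than Conn means the server is not connected.

```python
# Added example, not from the original document: parse captured "show tacacs" output
# and report deviations from the expected state. SAMPLE_SHOW_TACACS is constructed.
SAMPLE_SHOW_TACACS = """\
Global Status:
   global enable : true
   authentication enabled for : cli
   accounting enabled for : cli
   authorization : enabled
   User privilege levels set for command authorization : rwa
Server:
                      create :
Prio     Status  Key     Port  IP address  Timeout  Single  Source   SourceEnabled
Primary  Conn    ******  49    192.0.2.8   10       false   0.0.0.0  false
"""

def parse_show_tacacs(text):
    """Return (global settings dict, list of server dicts) from show tacacs output."""
    settings, servers, in_server = {}, [], False
    for s in map(str.strip, text.splitlines()):
        if s == "Server:":
            in_server = True
        elif not in_server and ":" in s:
            key, value = s.split(":", 1)           # e.g. "global enable : true"
            settings[key.strip().lower()] = value.strip()
        elif in_server and not s.startswith(("Prio", "create")):
            p = s.split()  # data rows have one token per column, 9 columns
            if len(p) >= 9:
                servers.append({"prio": p[0], "status": p[1], "port": int(p[3]), "ip": p[4],
                                "timeout": int(p[5]), "source": p[7], "source_enabled": p[8]})
    return settings, servers

def verify_tacacs(text, expected_ips, want_cli=True, want_web=False):
    """Return a list of findings; an empty list means the output matches expectations."""
    settings, servers = parse_show_tacacs(text)
    findings = []
    if settings.get("global enable") != "true":
        findings.append("TACACS+ is not globally enabled")
    auth = {a.strip() for a in settings.get("authentication enabled for", "").split(",")}
    if want_cli and "cli" not in auth:
        findings.append("CLI sessions are not authenticated by TACACS+")
    if want_web and "web" not in auth:
        findings.append("EDM (web) sessions are not authenticated by TACACS+")
    configured = {srv["ip"] for srv in servers}
    for ip in expected_ips:
        if ip not in configured:
            findings.append(f"expected server {ip} is not configured")
    for srv in servers:   # assumption: a status other than Conn means not connected
        if srv["status"] != "Conn":
            findings.append(f"{srv['prio']} server {srv['ip']} status is {srv['status']}, not Conn")
    return findings
```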