Add a TACACS+ Server

Add a primary and secondary TACACS+ server and specify the authentication process.

If you have a backup server configured, the AAA request goes to the backup server if the primary server is not available.

As a best practice, use the Identity Engines Ignition server as your TACACS+ server.

About this task

The TACACS+ server and the switch must have the same:
  • Encryption key

  • Connection mode (single connection or per-session connection; per-session connection is the same as multi-connection mode)

  • TCP port number

Procedure

  1. Enter Global Configuration mode:

    enable

    configure terminal

  2. Add a primary TACACS+ server with an encryption key:

    tacacs server host {A.B.C.D} key WORD<0–128>

  3. Optional: Configure the parameters for the primary TACACS+ server as required.
    1. Optional: Specify a single connection to maintain a constant connection between the switch and the TACACS+ daemon:

      tacacs server host {A.B.C.D} single-connection

      Note

      The TACACS+ daemon must also support this mode. If you do not configure this, the switch uses the default connection type, which is the per-session connection. Per-session is the same as multi-connection mode.

    2. Optional: Specify the TCP port to use when the switch connects to the TACACS+ daemon:

      tacacs server host {A.B.C.D} port <1–65535>

      The default port is 49.

    3. Optional: Specify the period of time (in seconds) the switch waits for a response from the TACACS+ daemon before it times out and shows an error:

      tacacs server host {A.B.C.D} timeout <10–30>

    4. Optional: Designate a fixed source IP address for all outgoing TACACS+ packets and enable this option:

      tacacs server host {A.B.C.D} source {A.B.C.D} source-ip-interface enable

      Note

      This step applies to VSP 8600 Series only.

  4. Specify the IP address of the secondary TACACS+ server and specify an encryption key:

    tacacs server secondary-host {A.B.C.D} key WORD<0–128>

  5. Optional: Configure the optional parameters on the secondary TACACS+ server as required.
    1. Optional: Specify a single connection for the secondary TACACS+ server to maintain a constant connection between the switch and the TACACS+ daemon:

      tacacs server secondary-host {A.B.C.D} single-connection

      Note

      The TACACS+ daemon must also support this mode. If you do not configure this, the switch uses the default connection type, which is the per-session connection. Per-session is the same as multi-connection mode.

    2. Optional: Specify the TCP port to use when the switch connects to the TACACS+ daemon:

      tacacs server secondary-host {A.B.C.D} port <1–65535>

    3. Optional: Specify the period of time (in seconds) the switch waits for a response from the TACACS+ daemon before it times out and shows an error:

      tacacs server secondary-host {A.B.C.D} timeout <10–30>

    4. Optional: Designate a fixed source IP address for all outgoing TACACS+ packets and enable this option:

      tacacs server secondary-host {A.B.C.D} source {A.B.C.D} source-ip-interface enable

      Note

      This step applies to VSP 8600 Series only.

  6. Display the status of the TACACS+ configuration:

    show tacacs

  7. Optional: Delete a primary TACACS+ server:

    no tacacs server host {A.B.C.D} [single-connection] [source source-ip-interface enable]

  8. Optional: Delete a backup TACACS+ server:

    no tacacs server secondary-host {A.B.C.D} [single-connection] [source source-ip-interface enable]

  9. Optional: Configure a primary TACACS+ server or secondary TACACS+ server to the default settings:

    default tacacs server {A.B.C.D} [port] [single-connection] [source source-ip-interface enable] [timeout]

Example

Configure the primary server with the IP address 192.0.2.1 and the encryption key 1dt4ly. Configure the secondary server with the IP address 198.51.100.2 and the same encryption key 1dt4ly. Display the configuration to verify it, then remove both servers.

Switch:1>enable
Switch:1#configure terminal
Switch:1(config)#tacacs server host 192.0.2.1 key 1dt4ly
Switch:1(config)#tacacs server secondary-host 198.51.100.2 key 1dt4ly
Switch:1(config)#show tacacs

Global Status:

   global enable : true

   authentication enabled for : cli 

   accounting enabled for : none 

   authorization : disabled

   User privilege levels set for command authorization : None

Server:
	              create :

Prio      Status  Key         Port  IP address      Timeout Single Source          SourceEnabled 
Primary   Conn    ******     49    192.0.2.1       10      false  0.0.0.0         false         
Backup    NotConn ******     49    198.51.100.2    10      false  0.0.0.0         false         


Switch:1(config)#no tacacs server host 192.0.2.1
Switch:1(config)#no tacacs server secondary-host 198.51.100.2
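
The requirements listed under "About this task" (same key, connection mode and TCP port as the daemon) and the "show tacacs" check in step 6 can be verified from the switch output rather than by eye. The following script is an added example, not part of the original document or of the switch software: it parses the Server table of "show tacacs" output and reports rows whose status, port, connection mode or timeout do not match what the TACACS+ daemon is known to use. The sample output is constructed from the example session above; the expected daemon port and mode are assumptions passed in by the caller.

```python
"""Check the Server table of VOSS 'show tacacs' output against the daemon settings.

Added example; SAMPLE_OUTPUT is constructed from the page's example session.
"""

# Constructed sample: the Server table as shown by 'show tacacs' above.
SAMPLE_OUTPUT = """\
Prio      Status  Key         Port  IP address      Timeout Single Source          SourceEnabled
Primary   Conn    ******     49    192.0.2.1       10      false  0.0.0.0         false
Backup    NotConn ******     49    198.51.100.2    10      false  0.0.0.0         false
"""

# Column order of a data row; the 'IP address' header is two words, data cells are one.
COLUMNS = ("prio", "status", "key", "port", "ip", "timeout",
           "single", "source", "source_enabled")


def parse_servers(text):
    """Return one dict per Primary/Backup row found in the output."""
    servers = []
    for line in text.splitlines():
        fields = line.split()
        if len(fields) != len(COLUMNS) or fields[0] not in ("Primary", "Backup"):
            continue  # header, blank line or unrelated output
        row = dict(zip(COLUMNS, fields))
        row["port"] = int(row["port"])
        row["timeout"] = int(row["timeout"])
        row["single"] = row["single"] == "true"
        row["source_enabled"] = row["source_enabled"] == "true"
        servers.append(row)
    return servers


def check_servers(servers, daemon_port=49, daemon_single_connection=False):
    """Flag rows that disagree with the daemon, plus a missing backup server."""
    findings = []
    for s in servers:
        name = s["prio"]
        if s["status"] != "Conn":
            findings.append(f"{name}: not connected ({s['status']})")
        if s["port"] != daemon_port:
            findings.append(f"{name}: port {s['port']} differs from daemon port {daemon_port}")
        if s["single"] != daemon_single_connection:
            findings.append(f"{name}: connection mode differs from daemon")
        if not 10 <= s["timeout"] <= 30:
            findings.append(f"{name}: timeout {s['timeout']} outside the 10-30 second range")
    if not any(s["prio"] == "Backup" for s in servers):
        findings.append("no backup server configured: AAA requests have no failover target")
    return findings
```

Run against the sample output, the only finding is the backup server's NotConn status; a daemon configured for single-connection mode or a non-default port would additionally be reported for each row.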

Variable Definitions

The following list defines the parameters of the tacacs server host and tacacs server secondary-host commands. Each variable is followed by its value.

{A.B.C.D}

    Specifies the IP address of the TACACS+ server you want to add. Only IPv4 addresses are valid.

key WORD<0–128>

    Configures the authentication and encryption key for all TACACS+ communications between the device and the TACACS+ server. A key length of zero indicates that no encryption is used.

    You must configure the same encryption key for the TACACS+ server and the switch.

port <1–65535>

    Configures the TCP port on which the client establishes a connection to the server. A value of 0 indicates that the system-specified default value is used. The default is 49.

    You must configure the same TCP port for the TACACS+ server and the switch.

single-connection

    Specifies whether the TCP connection between the device and the TACACS+ server is a single connection. If you specify the single-connection parameter, the connection between the switch and the TACACS+ daemon remains open, which is more efficient because it allows the daemon to handle a higher number of TACACS+ operations. The single connection is torn down if TACACS+ is disabled due to inactivity.

    If you do not configure this, the switch uses the default connection type, which is multi-connection. With multi-connection, the connection opens and closes each time the switch and the TACACS+ daemon communicate.

    Note: You must configure the same connection mode for the TACACS+ server and the switch. To enable single-connection, the TACACS+ daemon must support this mode as well.

source {A.B.C.D}

    Note: Exception: supported on VSP 8600 Series only.

    Designates a fixed source IP address for all outgoing TACACS+ packets, which is useful if the router has many interfaces and you want to make sure that all TACACS+ packets from a certain router have the same IP address.

    If you do not configure an address, the system uses 0.0.0.0 as the default. Only IPv4 addresses are valid.

    Note: If you configure a valid source IP address that is not 0.0.0.0 without enabling source-ip-interface, the source IP address returns to 0.0.0.0.

source-ip-interface enable

    Note: Exception: supported on VSP 8600 Series only.

    Enables the source address. You must enable this parameter if you configure a valid source IP address. The default is disabled.

timeout <10–30>

    Configures the maximum time, in seconds, to wait for this TACACS+ server to reply before the request times out. The default value is 10 seconds.