Add a TACACS+ Server
Add a primary and secondary TACACS+ server and specify the authentication process.
If you have a backup server configured, the AAA request goes to the backup server if the primary server is not available.
As a best practice, use the Identity Engines Ignition server as your TACACS+ server.
About this task
When you add a server, you can also specify the following:
- Encryption key
- Connection mode (single connection or per-session connection; per-session connection is the same as multi-connection mode)
- TCP port number
Procedure
Example
The following session adds a primary and a secondary server with the same key, verifies the result with show tacacs, and then removes both entries:

Switch:1>enable
Switch:1#configure terminal
Switch:1(config)#tacacs server host 192.0.2.1 key 1dt4ly
Switch:1(config)#tacacs server secondary-host 198.51.100.2 key 1dt4ly
Switch:1(config)#show tacacs

Global Status:
    global enable : true
    authentication enabled for : cli
    accounting enabled for : none
    authorization : disabled
    User privilege levels set for command authorization : None

Server:
    create :
    Prio     Status   Key     Port  IP address     Timeout  Single  Source   SourceEnabled
                                                            Conn
    Primary  Conn     ******  49    192.0.2.1      10       false   0.0.0.0  false
    Backup   NotConn  ******  49    198.51.100.2   10       false   0.0.0.0  false

Switch:1(config)#no tacacs server host 192.0.2.1
Switch:1(config)#no tacacs server secondary-host 198.51.100.2
Variable Definitions
The following table defines parameters for the tacacs server host and the tacacs server secondary-host commands.

Variable | Value
---|---
{A.B.C.D} | Specifies the IP address of the TACACS+ server you want to add. Only IPv4 addresses are valid.
key WORD <0-128> | Configures the authentication and encryption key for all TACACS+ communications between the device and the TACACS+ server. A key length of zero indicates that no encryption is used, so packet bodies (including user names and passwords) cross the network in cleartext. You must configure the same key on the TACACS+ server and the switch.
port <1-65535> | Configures the TCP port on which the client establishes a connection to the server. A value of 0 indicates that the system default is used. The default is 49. You must configure the same TCP port on the TACACS+ server and the switch.
single-connection | Specifies whether the TCP connection between the device and the TACACS+ server is a single connection. If you specify single-connection, the connection between the switch and the TACACS+ daemon remains open, which is more efficient because it allows the daemon to handle a higher number of TACACS+ operations. The single connection is torn down if TACACS+ is disabled due to inactivity. If you do not configure this parameter, the switch uses the default connection type, multi-connection, in which the connection opens and closes each time the switch and the TACACS+ daemon communicate. Note: You must configure the same connection mode on the TACACS+ server and the switch. To enable single-connection, the TACACS+ daemon must support this mode as well.
source {A.B.C.D} | Exception: supported only on VSP 8600 Series. Designates a fixed source IP address for all outgoing TACACS+ packets, which is useful if the router has many interfaces and you want all TACACS+ packets from a given router to carry the same source address. If you do not configure an address, the system uses 0.0.0.0 as the default. Only IPv4 addresses are valid. Note: If you configure a valid source IP address (other than 0.0.0.0) without enabling source-ip-interface, the source IP address reverts to 0.0.0.0.
source-ip-interface enable | Exception: supported only on VSP 8600 Series. Enables the configured source address. You must enable this parameter if you configure a valid source IP address. The default is disabled.
timeout <10-30> | Configures the maximum time, in seconds, to wait for this TACACS+ server to reply before the request times out. The default is 10 seconds.
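To make concrete what the key, single-connection and port parameters above mean on the wire, the following is an added Python example (not Extreme Networks code, and not a complete TACACS+ client). It builds an authentication START packet the way a switch does, obfuscates the body with the shared key, and decodes it the way the daemon does. The packet layout and the chained-MD5 pad are those of RFC 8907; the session id, user name, TTY and addresses are constructed for the demo. It shows three things the table states: with matching keys the daemon recovers the user name; with a mismatched key it recovers garbage (the failure mode when the key differs on the two sides); and with a zero-length key the unencrypted flag is set and the login name is readable in the packet. The single-connection option is only a flag bit in the header, which is why the daemon must also support it.

```python
"""Build and decode a TACACS+ authentication START packet.
Added example, not Extreme/VOSS code. Layout and MD5 pseudo-pad follow
RFC 8907; session id, user and addresses below are constructed test data."""
import hashlib
import struct

TAC_PLUS_VERSION = 0xC0              # major 0xC, minor 0 (RFC 8907 section 4.1)
TAC_PLUS_AUTHEN = 0x01               # packet type: authentication
TAC_PLUS_UNENCRYPTED_FLAG = 0x01     # body is cleartext; what a zero-length key produces
TAC_PLUS_SINGLE_CONNECT_FLAG = 0x04  # client asks the daemon to keep the TCP session open
TAC_PLUS_PORT = 49                   # default TCP port, the 'Port' column in show tacacs

HEADER = struct.Struct("!BBBBII")    # version, type, seq_no, flags, session_id, body length
SESSION_ID = 0x1A2B3C4D              # constructed; a real client picks this at random


def pseudo_pad(session_id, key, version, seq_no, length):
    """Chained MD5 keystream (RFC 8907 section 4.5). Both ends derive the same
    pad only if they hold the same key, which is why the key must match."""
    seed = struct.pack("!I", session_id) + key + bytes([version, seq_no])
    pad, prev = b"", b""
    while len(pad) < length:
        prev = hashlib.md5(seed + prev).digest()
        pad += prev
    return pad[:length]


def obfuscate(body, session_id, key, version, seq_no):
    """XOR the body with the pad; symmetric, so the same call decodes."""
    if not key:  # zero-length key: no encryption, body goes out as-is
        return body
    pad = pseudo_pad(session_id, key, version, seq_no, len(body))
    return bytes(b ^ p for b, p in zip(body, pad))


def authen_start_body(user, port, rem_addr, priv_lvl=1):
    """START body: action=LOGIN(1), authen_type=ASCII(1), service=LOGIN(1), no data."""
    u, p, r = user.encode(), port.encode(), rem_addr.encode()
    return bytes([1, priv_lvl, 1, 1, len(u), len(p), len(r), 0]) + u + p + r


def parse_authen_start(body):
    """Inverse of authen_start_body; after a wrong-key decode the fields are garbage."""
    action, priv_lvl, authen_type, service, ul, pl, rl, _dl = body[:8]
    off = 8
    user, off = body[off:off + ul], off + ul
    port, off = body[off:off + pl], off + pl
    rem_addr = body[off:off + rl]
    return {"action": action, "priv_lvl": priv_lvl, "authen_type": authen_type,
            "service": service, "user": user.decode(errors="replace"),
            "port": port.decode(errors="replace"),
            "rem_addr": rem_addr.decode(errors="replace")}


def build_packet(body, session_id, key, seq_no=1, single_connect=False):
    """Client (switch) side: header plus obfuscated body. The flags byte records
    both the cleartext case and the single-connection request."""
    flags = 0
    if not key:
        flags |= TAC_PLUS_UNENCRYPTED_FLAG
    if single_connect:
        flags |= TAC_PLUS_SINGLE_CONNECT_FLAG
    wire_body = obfuscate(body, session_id, key, TAC_PLUS_VERSION, seq_no)
    return HEADER.pack(TAC_PLUS_VERSION, TAC_PLUS_AUTHEN, seq_no, flags,
                       session_id, len(wire_body)) + wire_body


def parse_packet(packet, key):
    """Server (daemon) side: split the header, undo obfuscation with the daemon's key."""
    version, ptype, seq_no, flags, session_id, length = HEADER.unpack(packet[:HEADER.size])
    wire_body = packet[HEADER.size:HEADER.size + length]
    if len(wire_body) != length:
        raise ValueError("truncated TACACS+ packet")
    if flags & TAC_PLUS_UNENCRYPTED_FLAG:
        body = wire_body
    else:
        body = obfuscate(wire_body, session_id, key, version, seq_no)
    return {"version": version, "type": ptype, "seq_no": seq_no,
            "flags": flags, "session_id": session_id, "body": body}


def exchange(client_key, server_key, single_connect=False):
    """One switch->daemon START for user 'admin' (constructed). Returns the wire
    packet and what the daemon recovers using *its* copy of the key."""
    body = authen_start_body("admin", "tty0", "192.0.2.10")
    packet = build_packet(body, SESSION_ID, client_key, seq_no=1, single_connect=single_connect)
    return packet, parse_packet(packet, server_key)


if __name__ == "__main__":
    key = b"1dt4ly"  # key from the CLI example above; short, prefer a long random one
    _, ok = exchange(key, key)
    print("matching key   ->", parse_authen_start(ok["body"])["user"])
    _, bad = exchange(key, b"different-key")
    print("mismatched key ->", parse_authen_start(bad["body"])["user"])
    pkt, _ = exchange(b"", b"")
    print("empty key, user name visible on the wire:", b"admin" in pkt)
```

RFC 8907 calls the MD5 pad obfuscation rather than encryption, so the key is necessary but not sufficient: use a long random key rather than a short one like the 1dt4ly in the CLI example, and keep TACACS+ traffic on a restricted management network.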