Add a TACACS+ Server

Add a TACACS+ server, configure the TACACS+ server, and specify the authentication process.

If you have a secondary server configured, the AAA request goes to the backup server if the primary server is not available.

As a best practice, use the Identity Engines Ignition Server as your TACACS+ server.

Before you begin

You must have access to, and must configure, a TACACS+ server before the TACACS+ features on your switch are available.

About this task

The TACACS+ server and the switch must have the same:
  • Encryption key

  • Connection mode (single connection or per-session connection; per-session is the same as multi-connection mode)

  • TCP port number

Procedure

  1. In the navigation pane, expand Configuration > Security > Control Path.
  2. Select TACACS+.
  3. Select the TACACS+ Servers tab.
  4. Select Insert.
  5. In the AddressType box, select ipv4.
  6. In the Address field, type the IP address of the TACACS+ server.
  7. Optional: In the PortNumber field, type the TCP port on which the client establishes a connection to the TACACS+ server.
  8. Optional: In the ConnectionType box, select either singleConnection or perSessionConnection to specify the TCP connection type between the switch and TACACS+ server.
  9. Optional: In the Timeout field, type the period of time (in seconds) the switch waits for a response from the TACACS+ server.
  10. In the Key field, enter the key that the switch and the TACACS+ server share.
  11. Optional: Select SourceIpInterfaceEnabled, if you want to enable the switch to designate a fixed source IP address for all outgoing TACACS+ packets.
    Note: This step applies to VSP 8600 Series only.

  12. In the SourceIpInterfaceType box, select ipv4.
    Note: This step applies to VSP 8600 Series only.

  13. Optional: In the SourceIpInterface field, type a fixed source IP address if you want to designate a fixed source IP address for all outgoing TACACS+ packets.
    Note: This step applies to VSP 8600 Series only.

  14. In the Priority box, select either primary or backup to determine the order in which the switch uses the TACACS+ servers.
  15. Select Insert.

TACACS+ Servers field descriptions

Use the data in the following table to configure the fields on the TACACS+ Servers tab.

Name

Description

AddressType

Specifies the type of IP address to use on the TACACS+ server. You must set the value to IPv4.

Address

Specifies the IP address of the TACACS+ server.

PortNumber

Configures the TCP port on which the client establishes a connection to the server. The default is 49. A value of 0 indicates that the system-specified default value is used.

You must configure the same TCP port for the TACACS+ server and the switch.

ConnectionType

Specifies if the TCP connection between the device and the TACACS+ server is a single connection. If you specify the single connection parameter, the connection between the switch and the TACACS+ daemon remains open, which is more efficient because it allows the daemon to handle a higher number of TACACS+ operations. The single-connection session is torn down if TACACS+ is disabled due to inactivity.

If you do not configure this parameter, the switch uses the default connection type, which is multi-connection. In multi-connection mode, the connection opens and closes each time the switch and the TACACS+ daemon communicate.

Note:

You must configure the same connection mode for the TACACS+ server and the switch.

To enable single-connection, the TACACS+ daemon has to support this mode as well.

ConnectionStatus

Specifies if the TCP connection between the device and TACACS+ server is connected or not connected.

Timeout

Configures the maximum time, in seconds, to wait for this TACACS+ server to reply before it times out. The default value is 10 seconds.

Key

Configures the authentication and encryption key for all TACACS+ communications between the device and the TACACS+ server. A zero-length key means that no encryption is used.

You must configure the same encryption key for the TACACS+ server and the switch.

SourceIpInterfaceEnabled

Note: Only supported on VSP 8600 Series.

Enables the source address specification. If SourceIpInterfaceEnabled is true (the check box is selected), and you change SourceIpInterfaceEnabled to false (the check box is cleared), the SourceIpInterface is reset to 0.0.0.0. The default is disabled.

You must enable this parameter if you configure a valid source IP address.

SourceIpInterfaceType

Note: Only supported on VSP 8600 Series.

Specifies the type of IP address to use on the interface that connects to the TACACS+ server.

Note:

You must set the value to IPv4.

SourceIpInterface

Note: Only supported on VSP 8600 Series.

Designates a fixed source IP address for all outgoing TACACS+ packets, which is useful if the router has many interfaces and you want to make sure all TACACS+ packets from a certain router have the same IP address.

If you do not configure an address, the system uses 0.0.0.0 as the default.

Only IPv4 addresses are valid.

Note:

If you configure a valid source IP address that is not 0.0.0.0 without enabling source-ip-interface, the source IP address returns to 0.0.0.0.

Priority

Determines the order in which the switch uses the TACACS+ servers, where 1 is the highest priority. The priority values are primary and backup.

If more than one server shares the same priority, the device uses the servers in the order they exist in the table.
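The rules in the procedure and in the field descriptions above (port 0 meaning the default of 49, a zero-length key meaning unencrypted traffic, a source IP that only takes effect when SourceIpInterfaceEnabled is set, and primary-before-backup ordering with table order as the tie-breaker) can be checked before an entry is committed. The following is an added example, not Extreme Networks code; the TacacsServer class, the audit function and the daemon-side values it compares against are constructed for illustration.

```python
"""Pre-commit checks for a switch's TACACS+ server entry (constructed example)."""
from __future__ import annotations
from dataclasses import dataclass

DEFAULT_PORT = 49       # PortNumber 0 means the system default, which is 49
DEFAULT_TIMEOUT = 10    # default Timeout in seconds


@dataclass
class TacacsServer:
    """Mirrors the fields on the TACACS+ Servers tab (hypothetical model)."""
    address: str
    key: str
    port: int = 0
    connection_type: str = "perSessionConnection"   # or "singleConnection"
    timeout: int = DEFAULT_TIMEOUT
    priority: str = "backup"                        # "primary" or "backup"
    source_ip_enabled: bool = False
    source_ip: str = "0.0.0.0"

    def effective_port(self) -> int:
        return DEFAULT_PORT if self.port == 0 else self.port

    def effective_source_ip(self) -> str:
        # A source address configured without SourceIpInterfaceEnabled returns to 0.0.0.0.
        return self.source_ip if self.source_ip_enabled else "0.0.0.0"


def audit(server: TacacsServer, daemon_port: int, daemon_single_connection: bool) -> list[str]:
    """Return findings for one switch entry compared with the daemon it points at.

    daemon_port and daemon_single_connection are the server-side settings; the
    page requires key, connection mode and TCP port to match on both ends.
    """
    findings = []
    if len(server.key) == 0:
        findings.append("zero-length key: TACACS+ traffic will be sent unencrypted")
    if server.effective_port() != daemon_port:
        findings.append("TCP port differs from the TACACS+ server's port")
    if (server.connection_type == "singleConnection") != daemon_single_connection:
        findings.append("connection mode differs from the TACACS+ server's mode")
    if server.source_ip != "0.0.0.0" and not server.source_ip_enabled:
        findings.append("source IP set without SourceIpInterfaceEnabled; 0.0.0.0 will be used")
    return findings


def failover_order(servers: list[TacacsServer]) -> list[str]:
    """Primary servers first, then backups; equal priority keeps table order (stable sort)."""
    rank = {"primary": 0, "backup": 1}
    return [s.address for s in sorted(servers, key=lambda s: rank[s.priority])]
```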