Add a TACACS+ Server
Add a TACACS+ server, configure the TACACS+ server, and specify the authentication process.
If you configure a secondary server, AAA requests go to the backup server when the primary server is not available.
As a best practice, use the Identity Engines Ignition Server as your TACACS+ server.
Before you begin
You must have access to a TACACS+ server, and you must configure it, before the TACACS+ features on your switch are available.
About this task
The following settings must match on the switch and the TACACS+ server:

- Encryption key
- Connection mode (single connection or per-session connection; per-session is the same as multi-connection mode)
- TCP port number
Procedure
TACACS+ Servers field descriptions
Use the data in the following table to use the TACACS+ Servers tab.
| Name | Description |
|---|---|
| AddressType | Specifies the type of IP address to use on the TACACS+ server. You must set the value to IPv4. |
| Address | Specifies the IP address of the TACACS+ server. |
| PortNumber | Configures the TCP port on which the client establishes a connection to the server. The default is 49. A value of 0 indicates that the system-specified default value is used. You must configure the same TCP port on the TACACS+ server and the switch. |
| ConnectionType | Specifies whether the TCP connection between the device and the TACACS+ server is a single connection. If you specify single connection, the connection between the switch and the TACACS+ daemon remains open, which is more efficient because it allows the daemon to handle a higher number of TACACS+ operations. The single-connection session is torn down if TACACS+ is disabled due to inactivity. If you do not configure this parameter, the switch uses the default connection type, multi-connection, in which the connection opens and closes each time the switch and the TACACS+ daemon communicate. Note: You must configure the same connection mode on the TACACS+ server and the switch. To enable single connection, the TACACS+ daemon must also support this mode. |
| ConnectionStatus | Specifies whether the TCP connection between the device and the TACACS+ server is connected or not connected. |
| Timeout | Configures the maximum time, in seconds, to wait for this TACACS+ server to reply before it times out. The default value is 10 seconds. |
| Key | Configures the authentication and encryption key for all TACACS+ communications between the device and the TACACS+ server. A key length of zero indicates that no encryption is used. You must configure the same encryption key on the TACACS+ server and the switch. |
| SourceIpInterfaceEnabled (Note: only supported on VSP 8600 Series) | Enables the source address specification. If SourceIpInterfaceEnabled is true (the check box is selected) and you change it to false (the check box is cleared), SourceIpInterface is reset to 0.0.0.0. The default is disabled. You must enable this parameter if you configure a valid source IP address. |
| SourceIpInterfaceType (Note: only supported on VSP 8600 Series) | Specifies the type of IP address to use on the interface that connects to the TACACS+ server. Note: You must set the value to IPv4. |
| SourceIpInterface (Note: only supported on VSP 8600 Series) | Designates a fixed source IP address for all outgoing TACACS+ packets, which is useful if the router has many interfaces and you want all TACACS+ packets from a given router to carry the same source IP address. If you do not configure an address, the system uses 0.0.0.0 as the default. Only IPv4 addresses are valid. Note: If you configure a valid source IP address (one that is not 0.0.0.0) without enabling source-ip-interface, the source IP address reverts to 0.0.0.0. |
| Priority | Determines the order in which the switch uses the TACACS+ servers, where 1 is the highest priority. The priority values are primary and backup. If more than one server shares the same priority, the device uses the servers in the order in which they appear in the table. |