Client configuration for TACACS+ support

You must configure each client device individually to use TACACS+ servers. To configure the server IP address, authentication protocol, and other parameters, use the tacacs-server command. A device supports a maximum of five TACACS+ servers for AAA service.

The parameters in the following table are associated with a TACACS+ server that is configured on the device.

Table 1. TACACS+ server parameters

host
    IP address (IPv4 or IPv6), domain name, or host name of the TACACS+ server. Using a host name requires prior DNS configuration. The maximum supported length for the host name is 40 characters.

port
    The TCP port used to connect to the TACACS+ server for authentication. The port range is 1 through 65535; the default port is 49.

protocol
    The authentication protocol to be used. Options are CHAP and PAP. The default protocol is CHAP.

key
    Specifies the text string used as the shared secret between the device and the TACACS+ server, which secures the message exchange. The key must be between 1 and 40 characters in length. The default key is sharedsecret. Valid characters are alphanumeric characters (a-z and 0-9), underscores, and the exclamation mark (!); no other special characters are allowed. The exclamation mark is supported for both RADIUS and TACACS+ servers; to enter it, either enclose the key in double quotes or precede it with the escape character (\), for example "secret!key" or secret\!key.

retries
    The number of attempts permitted to connect to a TACACS+ server. The range is 0 through 100, and the default value is 5.

timeout
    The maximum amount of time to wait for a server to respond. The range is 1 through 60 seconds, and the default value is 5 seconds.

encryption-level
    Whether the encryption key is stored in clear-text or in encrypted format. Possible values are 0 or 7, where 0 stores the key in clear-text format and 7 stores it in encrypted format. The default is 7 (encrypted format).

use-vrf
    Specifies a VRF through which to communicate with the TACACS+ server.

Note

If you do not configure the key attribute, the authentication session will not be encrypted. The value of key must match the value configured in the TACACS+ server's configuration file; otherwise, communication between the server and the device fails.
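The following script is an added example, not part of the vendor documentation or the device software. It lints a proposed set of TACACS+ server entries against the limits in Table 1 (host name length, port, protocol, key length and character set, retries, timeout, encryption-level, and the five-server maximum) and flags the security-relevant weak settings the note warns about: a missing key, the default key sharedsecret still in use, and clear-text key storage. The `render_cli` helper assumes a `tacacs-server host ... key ... port ...` keyword syntax built from the parameter names in the table; treat that rendering as illustrative, and check the actual command syntax on your platform. The server entries are constructed sample data.

```python
"""Pre-deployment lint for TACACS+ client entries (added example, not vendor code).

Limits come from Table 1 of the documentation; the CLI rendering assumes a
'tacacs-server host <host> port <n> protocol <chap|pap> key <key> ...' keyword
syntax and is illustrative only.
"""
import ipaddress
import re
from dataclasses import dataclass
from typing import Optional

MAX_SERVERS = 5                # at most five TACACS+ servers per device
DEFAULT_KEY = "sharedsecret"   # documented default; should never remain in production
MAX_HOSTNAME_LEN = 40
# key: 1-40 characters; alphanumerics, underscore and '!' are the only allowed characters
KEY_RE = re.compile(r"^[A-Za-z0-9_!]{1,40}$")


@dataclass
class TacacsServer:
    host: str
    port: int = 49
    protocol: str = "chap"
    key: Optional[str] = None      # None means the key attribute was not configured
    retries: int = 5
    timeout: int = 5
    encryption_level: int = 7      # 7 = stored encrypted, 0 = stored in clear text
    use_vrf: Optional[str] = None


def _is_ip(host: str) -> bool:
    """True for an IPv4/IPv6 literal; anything else is treated as a host/domain name."""
    try:
        ipaddress.ip_address(host)
        return True
    except ValueError:
        return False


def check_server(s: TacacsServer) -> list:
    """Return the list of problems for one server entry (empty list = clean)."""
    problems = []
    if not _is_ip(s.host) and len(s.host) > MAX_HOSTNAME_LEN:
        problems.append(f"host: name longer than {MAX_HOSTNAME_LEN} characters")
    if not 1 <= s.port <= 65535:
        problems.append("port: must be 1-65535")
    if s.protocol.lower() not in ("chap", "pap"):
        problems.append("protocol: must be chap or pap")
    if s.key is None:
        problems.append("key: not configured; the session to this server will not be encrypted")
    elif not KEY_RE.match(s.key):
        problems.append("key: must be 1-40 characters from A-Z, a-z, 0-9, '_' and '!'")
    elif s.key == DEFAULT_KEY:
        problems.append("key: default value 'sharedsecret' in use; choose a unique shared secret")
    if not 0 <= s.retries <= 100:
        problems.append("retries: must be 0-100")
    if not 1 <= s.timeout <= 60:
        problems.append("timeout: must be 1-60 seconds")
    if s.encryption_level not in (0, 7):
        problems.append("encryption-level: must be 0 or 7")
    elif s.encryption_level == 0:
        problems.append("encryption-level: 0 stores the key in clear text in the configuration")
    return problems


def check_config(servers: list) -> dict:
    """Lint a whole server list. Keys are hosts; '_global' holds device-wide issues."""
    findings = {}
    if len(servers) > MAX_SERVERS:
        findings["_global"] = [f"more than {MAX_SERVERS} TACACS+ servers configured"]
    for s in servers:
        problems = check_server(s)
        if problems:
            findings[s.host] = problems
    return findings


def render_cli(s: TacacsServer) -> str:
    """Render one entry as a tacacs-server line (assumed keyword syntax, see lead-in).

    A key containing '!' is wrapped in double quotes, one of the two forms the
    documentation gives for entering that character.
    """
    parts = [f"tacacs-server host {s.host}", f"port {s.port}", f"protocol {s.protocol}"]
    if s.key is not None:
        key = f'"{s.key}"' if "!" in s.key else s.key
        parts.append(f"key {key}")
    parts += [f"retries {s.retries}", f"timeout {s.timeout}",
              f"encryption-level {s.encryption_level}"]
    if s.use_vrf:
        parts.append(f"use-vrf {s.use_vrf}")
    return " ".join(parts)


# Constructed sample entries (not real infrastructure).
SAMPLE = [
    TacacsServer("10.0.0.5", key="Tac_Key_2024!", use_vrf="mgmt-vrf"),   # clean
    TacacsServer("tacacs-backup.example.test"),                          # key never set
    TacacsServer("2001:db8::10", key=DEFAULT_KEY, encryption_level=0),   # two weak settings
]

if __name__ == "__main__":
    for host, problems in check_config(SAMPLE).items():
        for p in problems:
            print(f"{host}: {p}")
    print(render_cli(SAMPLE[0]))
```

Run it before pushing a configuration: the clean entry prints nothing, the backup server is reported for the missing key, and the IPv6 server is reported twice (default key, clear-text storage). Because the key must match what the TACACS+ server has configured, a lint like this catches only the client-side mistakes; a mismatched secret still shows up as failed communication with the server.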