TACACS+
Fixed Switch Configuration Guide 26-13
Configuring the Source Address
You can configure the source IP address used by the TACACS+ application on the switch when
generating packets for management purposes. Any of the management interfaces, including
VLAN routing interfaces, can be configured as the source IP address used in packets generated by
the TACACS+ client.
An interface must have an IP address assigned to it before it can be set as the TACACS+ source.
If no interface is specified, then the IP address of the Host interface will be used.
If a non-loopback interface is configured as the source, application packet egress is restricted to
that interface if the server can be reached from that interface. Otherwise, the packets are
transmitted over the first available route. Packets from the application server are received on the
configured interface.
If a loopback interface is configured, and there are multiple paths to the application server, the
outgoing interface (gateway) is determined based on the best route lookup. Packets from the
application server are then received on the sending interface. Therefore, if route redundancy is
required, configure a loopback interface as the source.
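The following added example (not from the guide) models the two selection rules above so the source address and egress interface can be predicted when planning server-side client entries and ACLs. The interface names, addresses, routes, and the reading of "best route" as longest prefix then lowest metric are assumptions made for illustration.

```python
import ipaddress

# Constructed sample data (not from the guide): interface names, addresses and routes.
INTERFACES = {"loopback 1": "10.255.0.1", "vlan 10": "10.10.0.2", "vlan 20": "10.20.0.2"}
SERVER = "192.0.2.50"
ROUTES = [
    {"prefix": "192.0.2.0/24", "ifname": "vlan 10", "metric": 10, "up": True},
    {"prefix": "0.0.0.0/0", "ifname": "vlan 20", "metric": 1, "up": True},
]

def link_down(routes, ifname):
    """Copy of the route table with every route through ifname marked down."""
    return [dict(r, up=r["up"] and r["ifname"] != ifname) for r in routes]

def usable_routes(routes, server):
    """Up routes whose prefix contains the server, in table order."""
    addr = ipaddress.ip_address(server)
    return [r for r in routes if r["up"] and addr in ipaddress.ip_network(r["prefix"])]

def best_route(candidates):
    # Assumption: "best route lookup" = longest prefix first, then lowest metric.
    return min(candidates,
               key=lambda r: (-ipaddress.ip_network(r["prefix"]).prefixlen, r["metric"]))

def tacacs_path(source, interfaces, routes, server):
    """Return (source_ip, egress_if, reply_if), or None if no route reaches the server."""
    candidates = usable_routes(routes, server)
    if not candidates:
        return None
    src_ip = interfaces[source]  # KeyError: the interface has no IP address assigned
    if source.startswith("loopback"):
        egress = best_route(candidates)["ifname"]
        return src_ip, egress, egress  # replies arrive on the sending interface
    # Non-loopback: stay on the source interface when it reaches the server,
    # otherwise fall back to the first available route.
    via_source = [r for r in candidates if r["ifname"] == source]
    egress = (via_source or candidates)[0]["ifname"]
    return src_ip, egress, source  # replies are expected on the configured interface

if __name__ == "__main__":
    for src in ("loopback 1", "vlan 10"):
        for label, table in (("all links up", ROUTES), ("vlan 10 down", link_down(ROUTES, "vlan 10"))):
            print(f"{src:10} {label:13} -> {tacacs_path(src, INTERFACES, table, SERVER)}")
```

With vlan 10 down, the non-loopback source sends over vlan 20 but still expects replies on vlan 10, while the loopback source sends and receives on vlan 20 with an unchanged source address.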
Default Settings
Table 26-7 lists the TACACS+ parameters (as displayed through the show tacacs command) and
their default values.
Table 26-7 TACACS+ Parameters
| Parameter | Description | Default Value |
|---|---|---|
| TACACS+ state | Whether the TACACS+ client is enabled or disabled. | Disabled |
| TACACS+ service | The name of the service that is requested by the TACACS+ client for session authorization. | exec |
| TACACS+ session authorization A-V pairs | The attribute-value pairs that are mapped to the read-only, read-write, and super-user access privilege levels for the service requested for session authorization. | read-only: “priv-lvl”, 0; read-write: “priv-lvl”, 1; super-user: “priv-lvl”, 15 |
| TACACS+ session accounting state | The TACACS+ client sends session accounting information, such as start and stop times, to a TACACS+ server for logging. | Disabled |
| TACACS+ command authorization state | The TACACS+ client checks with a TACACS+ server whether each command is permitted for that authorized session. | Disabled |
| TACACS+ command accounting state | The TACACS+ client sends command accounting information, such as the command string and IP address of the remote user, to a TACACS+ server for logging. | Disabled |
| TACACS+ singleconnect state | The TACACS+ client sends multiple requests to a TACACS+ server over a single TCP connection. | Disabled |
| TACACS+ Server Timeout | The period of time (in seconds) the device waits for a response from the TACACS+ server before it times out and declares an error. | 10 seconds |