
Extreme Networks ExtremeWare XOS Guide - Configuring the Tacacs+ Servers; Default Chapter; Configuring the Shared Secret Password for TACACS+ Servers; Configuring the TACACS+ Timeout Value

Authenticating Users Using RADIUS or TACACS+
ExtremeWare XOS 11.3 Concepts Guide
This section describes the following topics:
Configuring the TACACS+ Servers
Configuring the TACACS+ Timeout Value
Configuring the Shared Secret Password for TACACS+ Servers
Enabling and Disabling TACACS+
TACACS+ Configuration Example
Configuring TACACS+ Accounting
Configuring the TACACS+ Accounting Timeout Value
Configuring the Shared Secret Password for TACACS+ Accounting Servers
Enabling and Disabling TACACS+ Accounting
TACACS+ Accounting Configuration Example
Configuring the TACACS+ Servers
To configure the TACACS+ servers, use the following command:
configure tacacs [primary | secondary] server [<ipaddress> | <hostname>] {<tcp_port>} client-ip <ipaddress> {vr <vr_name>}
To configure the primary TACACS+ server, specify primary. To configure the secondary TACACS+
server, specify secondary.
Configuring the TACACS+ Timeout Value
To configure the timeout if a server fails to respond, use the following command:
configure tacacs timeout <seconds>
To detect and recover from a TACACS+ server failure when the timeout has expired, the switch makes
one authentication attempt before trying the next designated TACACS+ server or reverting to the local
database for authentication. If the switch still has IP connectivity to the TACACS+ server but a TCP
session cannot be established (for example, because the TACACS+ daemon on the server has failed),
failover happens immediately, regardless of the configured timeout value.
For example, if the timeout value is set to 3 seconds (the default value), it takes 3 seconds to fail
over from the primary TACACS+ server to the secondary TACACS+ server. If both the primary and the
secondary servers fail or are unavailable, it takes approximately 6 seconds to revert to the local database
for authentication.
Configuring the Shared Secret Password for TACACS+ Servers
In addition to specifying the TACACS+ server IP information, TACACS+ also contains a means to verify
communication between network devices and the server. The shared secret is a password configured on
the network device and TACACS+ server, used by each to verify communication.
To configure the shared secret for TACACS+ servers, use the following command:
configure tacacs [primary | secondary] shared-secret {encrypted} <string>
To configure the primary TACACS+ server, specify primary. To configure the secondary TACACS+
server, specify secondary.
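An added example (not from the ExtremeWare XOS guide): a Python check that reads configuration lines written in the command syntax above and reports a missing secondary server, a server with no shared secret, and the worst-case delay before local authentication, taken as one timeout per configured server as in the failover example. The sample addresses, port, VR name and secret are constructed, and it is an assumption that a saved configuration contains these commands in this form.

```python
import re

# Constructed sample in the command syntax shown above; the addresses, port 49,
# VR name and secret are illustrative values, not taken from the guide.
SAMPLE_CONFIG = """\
configure tacacs primary server 192.0.2.10 49 client-ip 192.0.2.1 vr VR-Mgmt
configure tacacs secondary server 192.0.2.11 49 client-ip 192.0.2.1 vr VR-Mgmt
configure tacacs timeout 5
configure tacacs primary shared-secret encrypted "constructed-value"
"""

DEFAULT_TIMEOUT = 3  # seconds; the default stated in the timeout section

SERVER_RE = re.compile(
    r"^configure tacacs (primary|secondary) server (\S+)(?: \d+)?"
    r" client-ip \S+(?: vr \S+)?$")
SECRET_RE = re.compile(
    r"^configure tacacs (primary|secondary) shared-secret (?:encrypted )?\S+")
TIMEOUT_RE = re.compile(r"^configure tacacs timeout (\d+)$")


def audit_tacacs(config_text):
    """Report TACACS+ servers, the timeout in effect, and configuration gaps."""
    servers, secrets, timeout = {}, set(), DEFAULT_TIMEOUT
    for line in config_text.splitlines():
        line = " ".join(line.split())  # normalise whitespace
        if m := SERVER_RE.match(line):
            servers[m.group(1)] = m.group(2)
        elif m := SECRET_RE.match(line):
            secrets.add(m.group(1))
        elif m := TIMEOUT_RE.match(line):
            timeout = int(m.group(1))
    findings = []
    for role in ("primary", "secondary"):
        if role not in servers:
            findings.append(f"no {role} TACACS+ server configured")
        elif role not in secrets:
            findings.append(f"{role} server {servers[role]} has no shared secret")
    for role in sorted(secrets - set(servers)):
        findings.append(f"shared secret set for {role} but no server defined")
    return {
        "servers": servers,
        "timeout": timeout,
        # One timeout per unresponsive server before the local database is used
        # (3 s default, two servers: about 6 s, as in the example above).
        "worst_case_local_fallback_seconds": timeout * len(servers),
        "findings": findings,
    }
```

The worst-case figure is an upper bound: when a TCP session cannot be established, failover is immediate and the delay is shorter.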
