5-20
TACACS+ Authentication
Configuring TACACS+ on the Switch
Figure 5-6. Example of Configuring a Host-Specific Key
Use the show running-config command to display the key information.
• If there are two or more vacant slots in the TACACS+ server priority list and you enter a new IP address, the new
address will take the vacant slot with the highest priority. Thus, if A, B, and C are configured as above and you (1)
remove A and B, and (2) enter X and Y (in that order), then the new TACACS+ server priority list would be X, Y, and C.
• The easiest way to change the order of the TACACS+ servers in the priority list is to remove all server addresses in
the list and then re-enter them in order, with the new first-choice server address first, and so on.
To add a new address to the list when there are already three addresses present, you must first remove one of the currently
listed addresses.
See also “General Authentication Process Using a TACACS+ Server” on page 5-24.
key <key-string> none (null) n/a
Specifies the optional, global “encryption key” that is also assigned in the TACACS+ server(s) that the switch will access
for authentication. This option is subordinate to any “per-server” encryption keys you assign, and applies only to
accessing TACACS+ servers for which you have not given the switch a “per-server” key. (See the host <ip-addr> [key
<key-string> entry at the beginning of this table.)
You can configure a TACACS+ encryption key that includes a tilde (~) as part of the key, for example, “hp~network”. It is
not backward compatible; the “~” character is lost if you use a software version that does not support the “~” character
For more on the encryption key, see “Using the Encryption Key” on page 5-26 and the documentation provided with your
TACACS+ server application.
timeout <1 - 255> 5 sec 1 - 255 sec
Specifies how long the switch waits for a TACACS+ server to respond to an authentication request. If the switch does
not detect a response within the timeout period, it initiates a new request to the next TACACS+ server in the list. If all
TACACS+ servers in the list fail to respond within the timeout period, the switch uses either local authentication (if
configured) or denies access (if none configured for local authentication).
Name Default Range
HP Switch(config)# tacacs-server host 10.10.10.2 key hp~network
To Next Page
Loading...
Need help?
General
