TACACS+ Authentication 
Configuring TACACS+ on the Switch 
Name  Default  Range 
key <key-string>  none (null)  n/a 
Specifies the optional, global “encryption key” that is also assigned in the TACACS+ server(s) that the switch will access 
for authentication. This option is subordinate to any “per-server” encryption keys you assign, and applies only to 
accessing TACACS+ servers for which you have not given the switch a “per-server” key. (See the host <ip-addr> [key
<key-string>] entry at the beginning of this table.)
For more on the encryption key, see “Using the Encryption Key” on page 5-23 and the documentation provided with your 
TACACS+ server application. 
timeout <1 - 255>  5 sec  1 - 255 sec 
Specifies how long the switch waits for a TACACS+ server to respond to an authentication request. If the switch does 
not detect a response within the timeout period, it initiates a new request to the next TACACS+ server in the list. If all 
TACACS+ servers in the list fail to respond within the timeout period, the switch either uses local authentication (if
configured) or denies access (if local authentication is not configured).
Adding, Removing, or Changing the Priority of a TACACS+ Server. 
Suppose that the switch was already configured to use TACACS+ servers at 
10.28.227.10 and 10.28.227.15. In this case, 10.28.227.15 was entered first, and 
so is listed as the first-choice server: 
Figure 5-4. Example of the Switch with Two TACACS+ Server Addresses Configured (figure callout: First-Choice TACACS+ Server)
To move the “first-choice” status from the “15” server to the “10” server, use the
no tacacs-server host <ip-addr> command to delete both servers, then use
tacacs-server host <ip-addr> to re-enter the “10” server first, then the “15” server.
The servers would then be listed with the new “first-choice” server, that is: 
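An added example, not taken from the manual: a Python model of the rules described above (entry order sets server priority, a per-server key overrides the global key, and each server is given one timeout period before the switch moves on). It assumes the command forms tacacs-server key <key-string> and tacacs-server timeout <1 - 255> for the table's key and timeout entries; the key strings and function names are constructed for illustration.

```python
DEFAULT_TIMEOUT = 5  # seconds, the Default column of the table above

# Constructed command sequences using the addresses from the example above.
BEFORE = """
tacacs-server host 10.28.227.15
tacacs-server host 10.28.227.10 key example-key-10
"""
REORDER = """
no tacacs-server host 10.28.227.15
no tacacs-server host 10.28.227.10
tacacs-server host 10.28.227.10 key example-key-10
tacacs-server host 10.28.227.15
tacacs-server key example-global-key
tacacs-server timeout 10
"""

def apply_commands(commands):
    """Replay tacacs-server commands; return (servers, global_key, timeout)."""
    servers, global_key, timeout = [], None, DEFAULT_TIMEOUT
    for line in commands.strip().splitlines():
        words = line.split()
        negate = words[:1] == ["no"]
        words = words[1:] if negate else words
        if len(words) < 3 or words[0] != "tacacs-server":
            continue
        if words[1] == "host":
            ip, known = words[2], [s[0] for s in servers]
            key = words[4] if len(words) > 4 and words[3] == "key" else None
            if negate:
                servers = [s for s in servers if s[0] != ip]
            elif ip in known:  # assumption: re-entering keeps the position
                servers[known.index(ip)] = (ip, key)
            else:
                servers.append((ip, key))  # entry order is the priority
        elif words[1] == "key" and not negate:
            global_key = words[2]
        elif words[1] == "timeout" and not negate:
            timeout = int(words[2])
            if not 1 <= timeout <= 255:
                raise ValueError("timeout must be 1 - 255 seconds")
    return servers, global_key, timeout

def audit(commands):
    """Return (per-server report, longest wait before local auth or denial)."""
    servers, global_key, timeout = apply_commands(commands)
    report = []
    for rank, (ip, server_key) in enumerate(servers, start=1):
        source = "per-server" if server_key else "global" if global_key else "none"
        report.append({"rank": rank, "ip": ip, "key_source": source})
    return report, timeout * len(servers)
```

A key_source of "none" marks a server to which neither a per-server nor a global encryption key applies.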