EX2500 Ethernet Switch Configuration Guide
16 Securing Access to the Switch
Command Authorization and Logging
When TACACS+ Command Authorization is enabled, EX2500 configuration
commands are sent to the TACACS+ server for authorization. Use the following
command to enable TACACS+ Command Authorization:
ex2500(config)# tacacs-server command-authorization
When TACACS+ Command Logging is enabled, EX2500 configuration commands
are logged on the TACACS+ server. Use the following command to enable
TACACS+ Command Logging:
ex2500(config)# tacacs-server command-logging
The following examples illustrate the format of EX2500 commands sent to the
TACACS+ server:
authorization request, cmd=shell, cmd-arg=interface ip
accounting request, cmd=shell, cmd-arg=interface ip
authorization request, cmd=shell, cmd-arg=enable
accounting request, cmd=shell, cmd-arg=enable
Configuring TACACS+ Authentication on the Switch
1. Configure the Primary and Secondary TACACS+ servers, and enable TACACS
authentication.
ex2500(config)# tacacs-server primary-host 10.10.1.1
ex2500(config)# tacacs-server secondary-host 10.10.1.2
ex2500(config)# tacacs-server enable
2. Configure the TACACS+ secret and second secret.
ex2500(config)# tacacs-server primary-host 10.10.1.1 key <1-32 character
secret>
ex2500(config)# tacacs-server secondary-host 10.10.1.2 key <1-32 character
secret>
3. If desired, you may change the default TCP port number used to listen to
TACACS+. The well-known port for TACACS+ is 49.
ex2500(config)# tacacs-server port <TCP port number>
4. Configure the number of retry attempts and the timeout period.
ex2500(config)# tacacs-server retransmit 3
ex2500(config)# tacacs-server timeout 5
NOTE: When you are using the EX2500 Web Device Manager, the TACACS+
Accounting Stop records are sent only if the Logout button on the browser is
clicked.
To Next Page
Loading...
Need help?
General
