Commands for TACACS+

9.6 Commands for TACACS+

9.6.1 tacacs-server authentication host

Command: tacacs-server authentication host <ip-address> [port <port-number>] [timeout <seconds>] [key {0 | 7} <string>] [primary]
no tacacs-server authentication host <ip-address>
Function: Configure the IP address, listening port number, timeout timer value, and the key string of the TACACS+ server. The no command deletes the TACACS+ authentication server.
Parameter:

  • <ip-address>: IP address of the server.
  • <port-number>: listening port number of the server. The valid range is 0 to 65535. A value of 0 means the host is not used as an authentication server.
  • <seconds>: value of the TACACS+ authentication timeout timer, in seconds. The valid range is 1 to 60.
  • <string>: key string. If the key option is 0, the key is entered in plain text; if the key option is 7, the key is entered in encrypted form. In either case the key must not exceed 64 characters.
  • primary: mark this server as the primary server.

Command mode: Global Mode
Default: No TACACS+ authentication configured on the system.
Usage guide: This command specifies the IP address, port number, timeout timer value, and key string of a TACACS+ server used by the switch for authentication. The port parameter defines the authentication port number and must match the port on which the specified TACACS+ server listens (by default 49). The key and timeout parameters configure a key and timeout specific to this server. If timeout <seconds> and key <string> are not configured here, the global values set with tacacs-server timeout <seconds> and tacacs-server key <string> are used. Several TACACS+ servers can be configured to communicate with the switch; they are used in the order in which they were configured. If primary is configured on one TACACS+ server, that server becomes the primary (first-choice) server.
Example: Configure the TACACS+ authentication server address to 192.168.1.2, and use the global configured key.

active500EM(config)#tacacs-server authentication host 192.168.1.2


9.6.2 tacacs-server key

Command: tacacs-server key {0 | 7} <string>
no tacacs-server key
Function: Configure the TACACS+ authentication server key. The no command deletes the TACACS+ server key.
Parameter:

  • <string>: key string of the TACACS+ server. If the key option is 0, the key is entered in plain text; if the key option is 7, the key is entered in encrypted form. In either case the key must not exceed 64 characters.

Command mode: Global Mode
Default: None.
Usage guide: The key is used to encrypt the packets exchanged between the switch and the TACACS+ server. The configured key must match the key on the TACACS+ server; otherwise TACACS+ authentication cannot succeed. Configure the authentication server key to protect the exchanged data.
Example: Configure “test” as the TACACS+ server authentication key.

active500EM(config)#tacacs-server key 0 test
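The role of the key in TACACS+ packet protection, as an added example that is not from this manual or the switch firmware: the RFC 8907 body obfuscation that both peers derive from the shared key, showing that a receiver holding a different key cannot recover the body. The session id, key and body bytes below are constructed.

```python
# Added example: RFC 8907 TACACS+ body obfuscation. Not part of the switch
# manual or firmware; session id, key and body are constructed sample values.
import hashlib
import struct

TAC_PLUS_MAJOR_VER = 0xC
TAC_PLUS_MINOR_VER_DEFAULT = 0x0
TAC_PLUS_AUTHEN = 0x01            # header type: authentication packet
TAC_PLUS_UNENCRYPTED_FLAG = 0x01  # header flag: body is sent in the clear
HEADER = "!BBBBII"                # version, type, seq_no, flags, session_id, length

SAMPLE_SESSION_ID = 0x1A2B3C4D                   # constructed
SAMPLE_KEY = b"test"                             # the key from the example above
SAMPLE_BODY = b"constructed authen START body"   # constructed, not a real body


def pseudo_pad(session_id: int, key: bytes, version: int, seq_no: int, length: int) -> bytes:
    """Chained MD5 pad: MD5_1 = MD5(session_id|key|version|seq_no),
    MD5_n = MD5(session_id|key|version|seq_no|MD5_n-1), truncated to the body length."""
    prefix = struct.pack("!I", session_id) + key + bytes([version, seq_no])
    pad, prev = b"", b""
    while len(pad) < length:
        prev = hashlib.md5(prefix + prev).digest()
        pad += prev
    return pad[:length]


def xor_body(body: bytes, session_id: int, key: bytes, seq_no: int) -> bytes:
    """XOR the body with the pad; the same operation obfuscates and de-obfuscates."""
    version = (TAC_PLUS_MAJOR_VER << 4) | TAC_PLUS_MINOR_VER_DEFAULT
    pad = pseudo_pad(session_id, key, version, seq_no, len(body))
    return bytes(b ^ p for b, p in zip(body, pad))


def build_packet(body: bytes, session_id: int, key: bytes, seq_no: int) -> bytes:
    """Header plus body. With an empty key the body is sent in the clear and the
    UNENCRYPTED flag is set, which is easy to spot in a capture."""
    version = (TAC_PLUS_MAJOR_VER << 4) | TAC_PLUS_MINOR_VER_DEFAULT
    flags = 0 if key else TAC_PLUS_UNENCRYPTED_FLAG
    payload = xor_body(body, session_id, key, seq_no) if key else body
    return struct.pack(HEADER, version, TAC_PLUS_AUTHEN, seq_no, flags, session_id, len(payload)) + payload


def parse_body(packet: bytes, key: bytes) -> bytes:
    """Recover the body with the receiver's key. A wrong key yields unusable bytes,
    which is why the switch key and the server key must match."""
    _version, _ptype, seq_no, flags, session_id, length = struct.unpack(HEADER, packet[:12])
    body = packet[12:12 + length]
    if flags & TAC_PLUS_UNENCRYPTED_FLAG:
        return body  # cleartext body: worth alerting on in monitoring
    return xor_body(body, session_id, key, seq_no)
```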


9.6.3 tacacs-server nas-ipv4

Command: tacacs-server nas-ipv4 <ip-address>
no tacacs-server nas-ipv4
Function: Configure the TACACS+ packet source IP address sent by the switch. The no command deletes the configuration.
Parameter:

  • <ip-address>: source IP address of TACACS+ packets, in dotted decimal notation. It must be a valid unicast IP address.

Command mode: Global Mode
Default: No specific source IP address is configured for TACACS+ packets; the IP address of the interface from which the TACACS+ packets are sent is used as the source address.
Usage guide: The source IP address must belong to one of the IP interfaces on the switch; otherwise an IP address binding failure message is displayed when the switch sends TACACS+ packets. Use a loopback interface IP address as the source address so that replies from the TACACS+ server are not dropped when a physical interface link is down.
Example: Configure the TACACS+ packet source IP address to 192.168.2.254.

active500EM(config)#tacacs-server nas-ipv4 192.168.2.254


9.6.4 tacacs-server timeout

Command: tacacs-server timeout <seconds>
no tacacs-server timeout
Function: Configure the TACACS+ server authentication timeout timer. The no command restores the default configuration.
Parameter:

  • <seconds>: value of the TACACS+ authentication timeout timer, in seconds. The valid range is 1 to 60.

Command mode: Global Mode
Default: 3 seconds.
Usage guide: This command specifies how long the switch waits for an authentication response from the TACACS+ server. After the authentication query packet is sent to the TACACS+ server, the switch waits for the response; if no response is received within the specified period, the authentication fails.
Example: Configure the timeout timer of the TACACS+ server to 30 seconds.

active500EM(config)#tacacs-server timeout 30


9.6.5 debug tacacs-server

Command: debug tacacs-server
no debug tacacs-server
Function: Enable TACACS+ debugging messages. The no command disables TACACS+ debugging messages.
Parameter: None.
Command mode: Admin Mode
Default: None.
Usage guide: Enable TACACS+ debug messages to inspect the negotiation process of the TACACS+ protocol. This helps when troubleshooting authentication failures.
Example: Enable TACACS+ protocol debug messages.

active500EM#debug tacacs-server
