Support User Manuals

Brocade Communications Systems 6650 Switch User Manual

Open as PDF

of 332

Brocade ICX 6650 Security Configuration Guide 33

53-1002601-01

TACACS and TACACS+ security

Setting the TACACS+ key

The key parameter in the tacacs-server command is used to encrypt TACACS+ packets before they

are sent over the network. The value for the key parameter on the Brocade device should match the

one configured on the TACACS+ server. The key can be from 1 – 32 characters in length and cannot

include any space characters.

NOTE

The tacacs-server key command applies only to TACACS+ servers, not to TACACS servers. If you are

configuring TACACS, do not configure a key on the TACACS server and do not enter a key on the

Brocade device.

To specify a TACACS+ server key, enter a command such as following.

Brocade(config)# tacacs-server key rkwong

Syntax: tacacs-server key [0 | 1] string

When you display the configuration of the Brocade device, the TACACS+ keys are encrypted. For

example.

Brocade(config)# tacacs-server key 1 abc

Brocade(config)# write terminal

...

tacacs-server host 10.2.3.5 auth-port 49

tacacs key 1 $!2d

NOTE

Encryption of the TACACS+ keys is done by default. The 0 parameter disables encryption. The 1

parameter is not required; it is provided for backwards compatibility.

Setting the retransmission limit

The retransmit parameter specifies how many times the Brocade device will resend an

authentication request when the TACACS/TACACS+ server does not respond. The retransmit limit

can be from 1 – 5 times. The default is 3 times.

To set the TACACS and TACACS+ retransmit limit, enter a command such as the following.

Brocade(config)# tacacs-server retransmit 5

Syntax: tacacs-server retransmit number

Setting the timeout parameter

The timeout parameter specifies how many seconds the Brocade device waits for a response from

the TACACS/TACACS+ server before either retrying the authentication request, or determining that

the TACACS/TACACS+ server is unavailable and moving on to the next authentication method in the

authentication-method list. The timeout can be from 1 – 15 seconds. The default is 3 seconds.

Brocade(config)# tacacs-server timeout 5

Syntax: tacacs-server timeout number

previous next