Cisco Systems OL-5650-02 Switch User Manual


 
Chapter 4 Configuring the CSS as a Client of a TACACS+ Server
Configuring Global TACACS+ Attributes
Cisco Content Services Switch Security Configuration Guide
OL-5650-02
Note: The timeout, encryption key, or keepalive frequency that you define when you
configure a TACACS+ server overrides the global attribute (see the “Defining a
TACACS+ Server” section).
Setting the Global CSS TACACS+ Timeout Period
The CSS allows you to define a global TACACS+ timeout period for use with all
configured TACACS+ servers. To determine the availability of the TACACS+
servers, the CSS sends periodic TCP keepalive probes to them. If the server does
not respond to the probe within the timeout period, the CSS considers the server
unavailable.
If the CSS attempts to contact the server and does not receive a response within
the defined timeout value, it uses another server. The next configured server is
contacted and the process is repeated. If a second (or third) TACACS+ server has
been identified, the CSS selects that server as the active server.
If the CSS cannot reach any of the three TACACS+ servers, users are not authenticated
and cannot log in to the CSS unless TACACS+ is used in combination with a
RADIUS or local server, as defined through the virtual command or the console
command. See Chapter 1, Controlling CSS Access, for details about the two
commands.
To change the timeout period, use the tacacs-server timeout command. Enter a
number from 1 to 255. The default is 5 seconds. The CSS dynamically applies the
modified global timeout period and the new value automatically takes effect on
the next TACACS+ connection.
For example, to set the timeout period to 60 seconds, enter:
(config)# tacacs-server timeout 60
To reset the timeout period to the default of 5 seconds, enter:
(config)# no tacacs-server timeout
Note: The timeout period that you configure when you specify a TACACS+ server
overrides the global timeout period (see the “Defining a TACACS+ Server”
section).
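
The probe-and-failover behavior described in this section can be modeled off-box to check server reachability and to see how the timeout value affects login delay before the CSS falls through to RADIUS or local authentication. This is an added example, not Cisco code or part of the original guide; the function names, the use of TCP port 49, the sample addresses, and the sequential worst-case model are assumptions.

```python
import socket
import time

TACACS_PORT = 49  # standard TACACS+ TCP port (assumed; not stated in this section)


def probe(host, port=TACACS_PORT, timeout=5.0):
    """Return True if a TCP connection to host:port completes within timeout seconds."""
    try:
        with socket.create_connection((host, port), timeout=timeout):
            return True
    except OSError:  # refused, unreachable, or timed out
        return False


def select_active_server(servers, timeout=5.0):
    """Try servers in configured order; return (active, attempts).

    servers  -- list of (host, port) tuples in configuration order
    active   -- first server that answered, or None if none did
    attempts -- list of (host, port, reachable, seconds_spent)
    """
    attempts = []
    for host, port in servers:
        start = time.monotonic()
        ok = probe(host, port, timeout)
        attempts.append((host, port, ok, time.monotonic() - start))
        if ok:
            return (host, port), attempts
    return None, attempts


def worst_case_delay(server_count, timeout):
    """Seconds spent if every server times out in turn (sequential model)."""
    return server_count * timeout


if __name__ == "__main__":
    # Constructed addresses from the RFC 5737 documentation range.
    configured = [("192.0.2.10", TACACS_PORT), ("192.0.2.11", TACACS_PORT)]
    active, log = select_active_server(configured, timeout=5.0)
    for host, port, ok, spent in log:
        print(f"{host}:{port} reachable={ok} after {spent:.1f}s")
    print("active:", active or "none (RADIUS/local fallback, if configured)")
    print("worst case, 3 servers at 60 s:", worst_case_delay(3, 60), "s")
```

Under this model, raising the global timeout to 60 seconds with three unreachable servers means up to 180 seconds pass before any fallback method is tried, which is worth weighing when choosing the value.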