NEC N8406-022A Switch User Manual


 
Command Line Interface 66
TACACS+ server configuration
Command: /cfg/sys/tacacs+
[TACACS+ Server Menu]
prisrv - Set IP address of primary TACACS+ server
secsrv - Set IP address of secondary TACACS+ server
secret - Set secret for primary TACACS+ server
secret2 - Set secret for secondary TACACS+ server
port - Set TACACS+ port number
retries - Set number of TACACS+ server retries
timeout - Set timeout value of TACACS+ server retries
bckdoor - Enable/disable TACACS+ backdoor for telnet/ssh/http/https
secbd - Enable/disable TACACS+ secure backdoor
cmap - Enable/disable TACACS+ new privilege level mapping
usermap - Set user privilege mappings
on - Enable TACACS+ authentication
off - Disable TACACS+ authentication
cur - Display current TACACS+ settings
TACACS+ (Terminal Access Controller Access Control System) is an authentication protocol that allows a remote
access server to forward a user's logon password to an authentication server, which decides whether access to a
given system is allowed. Both TACACS+ and Remote Authentication Dial-In User Service (RADIUS) are more
secure than the original TACACS protocol. TACACS+ is described in RFC 1492.
The TACACS+ protocol is more reliable than RADIUS, because TACACS+ uses the Transmission Control Protocol (TCP)
whereas RADIUS uses the User Datagram Protocol (UDP). Also, RADIUS combines authentication and
authorization in a user profile, whereas TACACS+ separates the two operations.
TACACS+ offers the following advantages over RADIUS as an authentication method:
TACACS+ is TCP-based, so it facilitates connection-oriented traffic.
It supports full-packet encryption, as opposed to password-only in authentication requests.
It supports decoupled authentication, authorization, and accounting.
The following table describes the TACACS+ Server Configuration Menu options.
Table 62 TACACS+ Server Configuration Menu options
Command Description
prisrv <IP address> Defines the primary TACACS+ server address.
secsrv <IP address> Defines the secondary TACACS+ server address.
secret <1-32 characters> This is the shared secret between the switch and the TACACS+ server(s).
secret2 <1-32 characters> This is the secondary shared secret between the switch and the TACACS+ server(s).
port <TCP port number> Enter the number of the TCP port to be configured, between 1 and 65000. The default is 49.
retries <1-3> Sets the number of failed authentication requests before switching to a different TACACS+ server. The range is 1-3 requests. The default is 3 requests.
timeout <4-15> Sets the amount of time, in seconds, before a TACACS+ server authentication attempt is considered to have failed. The range is 4-15 seconds. The default is 5 seconds.
bckdoor enable|disable Enables or disables the TACACS+ back door for telnet. The telnet setting also applies to SSH/SCP connections and the Browser-based Interface (BBI). The default value is disabled. This command does not apply when secure backdoor (secbd) is enabled.
secbd enable|disable Enables or disables the TACACS+ back door using a secure password for telnet/SSH/HTTP/HTTPS. The default value is disabled. This command does not apply when backdoor (bckdoor) is enabled.
cmap enable|disable Enables or disables TACACS+ authorization-level mapping. The default value is disabled.
usermap <0-15> user|oper|admin|none Maps a TACACS+ authorization level to a switch user level. Enter a TACACS+ authorization level (0-15), followed by the corresponding switch user level.
on Enables the TACACS+ server.
off Disables the TACACS+ server. This is the default.
cur Displays current TACACS+ configuration parameters.
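As an added example (not part of the NEC manual or the switch firmware), the following Python audit checks a transcribed TACACS+ configuration against the ranges in Table 62 and flags the back-door and usermap settings a reviewer would look at first. The dump format (one "option value" per line) and the use of option names as dictionary keys are assumptions; the sample values are constructed.

```python
# Constructed sample (hypothetical dump format, one "option value" per line,
# usermap as "usermap <level> <role>"); not output of the real "cur" command.
SAMPLE_DUMP = """\
prisrv 192.0.2.10
secsrv 192.0.2.11
secret example-shared-secret
port 49
timeout 20
bckdoor enabled
secbd enabled
usermap 15 admin
usermap 16 oper
"""
SWITCH_LEVELS = {"user", "oper", "admin", "none"}

def parse_tacacs_dump(dump: str) -> dict[str, str]:
    """Parse 'key value' lines; usermap rows become 'usermap.<level>' keys."""
    cfg: dict[str, str] = {}
    for parts in (line.split() for line in dump.splitlines()):
        if len(parts) == 3 and parts[0] == "usermap":
            cfg[f"usermap.{parts[1]}"] = parts[2]
        elif len(parts) == 2:
            cfg[parts[0]] = parts[1]
    return cfg

def audit_tacacs_cfg(cfg: dict[str, str]) -> list[str]:
    """Return findings: Table 62 range violations plus settings worth review."""
    findings: list[str] = []
    for key, lo, hi in (("port", 1, 65000), ("retries", 1, 3), ("timeout", 4, 15)):
        v = cfg.get(key)
        if v is not None and not (v.isdigit() and lo <= int(v) <= hi):
            findings.append(f"{key}={v} outside {lo}-{hi}")
    for srv, key in (("prisrv", "secret"), ("secsrv", "secret2")):
        if srv in cfg and key not in cfg:
            findings.append(f"{srv} set but {key} not configured")
        elif key in cfg and not 1 <= len(cfg[key]) <= 32:
            findings.append(f"{key} length not 1-32 characters")
    if cfg.get("bckdoor") == "enabled" and cfg.get("secbd") == "enabled":
        findings.append("bckdoor and secbd both enabled: each is ignored while the other is on")
    elif cfg.get("bckdoor") == "enabled":
        findings.append("bckdoor enabled: TACACS+ back door open for telnet/SSH/BBI")
    for key, role in cfg.items():
        if key.startswith("usermap."):
            lvl = key[len("usermap."):]
            if not (lvl.isdigit() and int(lvl) <= 15):
                findings.append(f"usermap level {lvl} outside 0-15")
            if role not in SWITCH_LEVELS:
                findings.append(f"usermap {lvl}: unknown switch level {role}")
    return findings
```

Run `audit_tacacs_cfg(parse_tacacs_dump(SAMPLE_DUMP))` to see the four findings the constructed sample produces; an empty list means every option is within the documented ranges and no back door is enabled.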