4-19
TACACS+ Authentication
Configuring TACACS+ on the Switch
Note on
Encryption Keys
Encryption keys configured in the switch must exactly match the encryption
keys configured in TACACS+ servers the switch will attempt to use for
authentication.
If you configure a global encryption key, the switch uses it only with servers
for which you have not also configured a server-specific key. Thus, a global
key is more useful where the TACACS+ servers you are using all have an
identical key, and server-specific keys are necessary where different
TACACS+ servers have different keys.
If TACACS+ server “X” does not have an encryption key assigned for the
switch, then configuring either a global encryption key or a server-specific key
in the switch for server “X” will block authentication support from server “X”.
Syntax: tacacs-server host < ip-addr > [oobm] [key < key-string >]
Adds a TACACS+ server and optionally assigns a server-specific
encryption key. The oobm parameter specifies that the operation
will go out from the out-of-band management interface. If this
parameter is not specified, the operation goes out from the data
interface. Refer to Appendix G, “Network Out-of-Band Manage-
ment” in the Management and Configuration Guide for more
information on out-of-band management.
[no] tacacs-server host < ip-addr >
Removes a TACACS+ server assignment (including its server-
specific encryption key, if any)
.
tacacs-server key <key-string>
Enters the optional global encryption key.
[no] tacacs-server key
Removes the optional global encryption key. (Does not affect any
server-specific encryption key assignments.)
tacacs-server timeout < 1-255 >
Changes the wait period for a TACACS server response. (Default:
5 seconds.)
Name Default Range
host <ip-addr> [key <key-string> [oobm] none n/a
