Security – TACACS+

tacacs-server host

To specify a TACACS+ host, use the tacacs-server host Global Configuration mode command. To delete the specified TACACS+ host, use the no form of this command.

Syntax

tacacs-server host {ip-address | hostname} [single-connection] [port port-number] [timeout timeout] [key key-string] [priority priority]

no tacacs-server host {ip-address | hostname}

Parameters

  • host ip-address—Specifies the TACACS+ server host IP address. The IP address can be an IPv4, IPv6 or IPv6z address.
  • host hostname—Specifies the TACACS+ server host name. (Length: 1-158 characters. Maximum label length of each part of the host name: 63 characters)
  • single-connection—(Optional) Specifies that a single open connection is maintained between the device and the daemon, instead of the device opening and closing a TCP connection to the daemon each time it communicates.
  • port port-number—(Optional) Specifies the TACACS+ server TCP port number. If the port number is 0, the host is not used for authentication. (Range: 0-65535)
  • timeout timeout—(Optional) Specifies the timeout value in seconds. (Range: 1-30)
  • key key-string—(Optional) Specifies the authentication and encryption key for all TACACS+ communications between the device and this TACACS+ server. The key must match the key configured on the TACACS+ daemon. To specify an empty string, enter “”. (Length: 0-128 characters). If this parameter is omitted, the globally defined key (set in the tacacs-server key command) is used.
  • priority priority—(Optional) Specifies the order in which the TACACS+ servers are used, where 0 is the highest priority. (Range: 0-65535)

Default Configuration

No TACACS+ host is specified.

The default port-number is 49, the IANA-assigned TACACS+ TCP port (shown in the Port column of show tacacs).

If timeout is not specified, the global value (set in the tacacs-server timeout command) is used.

If key-string is not specified, the global value (set in the tacacs-server key command) is used.

Command Mode

Global Configuration mode

User Guidelines

Multiple tacacs-server host commands can be used to specify multiple hosts.

Example

The following example specifies a TACACS+ host.

switchxxxxxx(config)# tacacs-server host 172.16.1.1

tacacs-server host source-interface

To specify the source interface whose IPv4 address will be used as the source IPv4 address for communication with IPv4 TACACS+ servers, use the tacacs-server host source-interface Global Configuration mode command. To restore the default configuration, use the no form of this command.

Syntax

tacacs-server host source-interface interface-id

no tacacs-server host source-interface

Parameters

  • interface-id—Specifies the source interface.

Default Configuration

The source IPv4 address is the IPv4 address defined on the outgoing interface and belonging to the next-hop IPv4 subnet.

Command Mode

Global Configuration mode

User Guidelines

If the source interface is the outgoing interface, the interface IPv4 address belonging to the next-hop IPv4 subnet is applied.

If the source interface is not the outgoing interface, the lowest IPv4 address defined on the source interface is applied.

If there is no available IPv4 source address, a SYSLOG message is issued when attempting to communicate with an IPv4 TACACS+ server.

OOB cannot be defined as a source interface.

Example

The following example configures VLAN 100 as the source interface for IPv4 TACACS+ traffic.

switchxxxxxx(config)# tacacs-server host source-interface vlan 100

tacacs-server host source-interface-ipv6

To specify the source interface whose IPv6 address will be used as the Source IPv6 address for communication with IPv6 TACACS+ servers, use the tacacs-server host source-interface-ipv6 Global Configuration mode command. To restore the default configuration, use the no form of this command.

Syntax

tacacs-server host source-interface-ipv6 interface-id

no tacacs-server host source-interface-ipv6

Parameters

  • interface-id—Specifies the source interface.

Default Configuration

The IPv6 source address is the IPv6 address defined on the outgoing interface and selected in accordance with RFC6724.

Command Mode

Global Configuration mode

User Guidelines

If the source interface is the outgoing interface, the source IPv6 address is an IPv6 address defined on that interface and selected in accordance with RFC 6724.

If the source interface is not the outgoing interface, the source IPv6 address is the lowest IPv6 address defined on the source interface whose scope matches the scope of the destination IPv6 address.

If there is no available source IPv6 address, a SYSLOG message is issued when attempting to communicate with an IPv6 TACACS+ server.

Example

The following example configures VLAN 100 as the source interface for IPv6 TACACS+ traffic.

switchxxxxxx(config)# tacacs-server host source-interface-ipv6 vlan 100

tacacs-server key

To set the authentication and encryption key used for all TACACS+ communications between the device and the TACACS+ daemon, use the tacacs-server key Global Configuration mode command. To disable the key, use the no form of this command.

Syntax

tacacs-server key key-string

no tacacs-server key

Parameters

  • key-string—Specifies the authentication and encryption key for all TACACS+ communications between the device and the TACACS+ server. This key must match the key configured on the TACACS+ daemon. (Length: 0–128 characters)

Default Configuration

The default key is an empty string. With an empty key the TACACS+ packet body, including the user credentials carried in authentication requests, is effectively sent in cleartext, because the protocol's body obfuscation is keyed only by this shared secret (RFC 8907 describes it as obfuscation, not encryption). Always configure a non-empty key, either globally with this command or per host with the key parameter of tacacs-server host.

Command Mode

Global Configuration mode

Example

The following example sets enterprise as the authentication key for all TACACS+ servers.

switchxxxxxx(config)# tacacs-server key enterprise

tacacs-server timeout

To set the interval during which the device waits for a TACACS+ server to reply, use the tacacs-server timeout Global Configuration mode command. To restore the default configuration, use the no form of this command.

Syntax

tacacs-server timeout timeout no tacacs-server timeout

Parameters

  • timeout—Specifies the timeout value in seconds. (Range: 1-30).

Default Configuration

The default timeout value is 5 seconds.

Command Mode

Global Configuration mode

Example

The following example sets the timeout value to 30 seconds for all TACACS+ servers.

switchxxxxxx(config)# tacacs-server timeout 30
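The following is an added example that is not part of the original page; it combines the tacacs-server host, source-interface, key and timeout commands above into one configuration and contrasts the weak default (no key) with a keyed setup that uses a second server as fallback. The server addresses, VLAN number, TCP port and key strings are placeholders chosen for illustration, not values from the page.

```cisco
! Added example, not from the original page. Addresses, VLAN, port and
! keys are placeholders.
!
! Weak: a host defined with no per-host key while the global key is still the
! default empty string. Every TACACS+ packet body, including the password in the
! authentication request, leaves the switch effectively unprotected.
switchxxxxxx(config)# tacacs-server host 172.16.1.1
!
! Corrected: remove the unkeyed host, set a global key and timeout first,
! pin the source interface, then define the hosts.
switchxxxxxx(config)# no tacacs-server host 172.16.1.1
switchxxxxxx(config)# tacacs-server key S3cr3t-Sh4red-Key
switchxxxxxx(config)# tacacs-server timeout 10
switchxxxxxx(config)# tacacs-server host source-interface vlan 120
!
! Primary server: default port 49, persistent TCP session, priority 0 (highest),
! inherits the global key and timeout.
switchxxxxxx(config)# tacacs-server host 172.16.1.1 single-connection priority 0
!
! Secondary server: non-default port, shorter per-host timeout so failover is
! quick, its own key (overrides the global key for this host only), priority 1.
switchxxxxxx(config)# tacacs-server host 172.16.1.2 port 4949 timeout 3 key Other-Key-For-Host2 priority 1
switchxxxxxx(config)# exit
!
! Verify: every server should show a non-empty key, the expected port and
! priority, and the intended source interface.
switchxxxxxx# show tacacs
switchxxxxxx# show tacacs key
```

Parameters are given in the order the syntax lists them (single-connection, port, timeout, key, priority). The per-host key on the secondary server is only needed when that daemon is configured with a different secret; otherwise omit it and let the global key apply to both.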

show tacacs

Created by Sinan Kizar. Last updated 25 Apr 2019.

To display configuration and statistical information for a TACACS+ server, use the show tacacs Privileged EXEC mode command.

Syntax

show tacacs [ip-address]

Parameters

  • ip-address—Specifies the TACACS+ server name, IPv4 or IPv6 address.

Default Configuration

If ip-address is not specified, information for all TACACS+ servers is displayed.

Command Mode

Privileged EXEC mode

Example

The following example displays configuration and statistical information for all TACACS+ servers.

switchxxxxxx# show tacacs
IP address   Status     Port  Single      Time    Priority
                              Connection  Out
----------   ---------  ----  ----------  ------  --------
172.16.1.1   Connected  49    No          Global  1

Global values
-------------
Time Out: 3
Source IPv4 interface: vlan 120
Source IPv6 interface: vlan 10

show tacacs key

To display the configured key of the TACACS+ server, use the show tacacs key Privileged EXEC mode command. The keys are displayed in cleartext, so treat the output (and any saved copy of it) as sensitive.

Syntax

show tacacs key [ip-address]

Parameters

  • ip-address—Specifies the TACACS+ server name or IP address.

Default Configuration

If ip-address is not specified, information for all TACACS+ servers is displayed.

Command Mode

Privileged EXEC mode

Example

The following example displays the per-server and global keys for all TACACS+ servers.

switchxxxxxx# show tacacs key
IP address   Key
----------   ---------
172.16.1.1   Sharon123
172.16.1.2   Bruce123

Global key
----------
Alice456
