Configuring TACACS+
• Maintains simultaneous connections to multiple servers
• Adapts to growing, as well as congested networks
Enabling TACACS+
By default, the TACACS+ feature is disabled on all switches in the Cisco MDS 9000 Family. You must
explicitly enable the TACACS+ feature before the configuration and verification commands for fabric
authentication become available. If you later disable the feature, all related configuration is
automatically discarded, so disable it only when you intend to drop that configuration.
Setting the TACACS+ Server Address
If no secret key is configured for a server you have added, a warning message is issued and the global
secret key is used for that server instead.
Setting the Secret Key
From Fabric Manager, choose Switches > Security > TACACS+ > Defaults to configure global values
for the key for all TACACS+ servers.
Secret keys configured for individual servers override the globally configured values.
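The following Python is an added example and is not part of the Cisco guide or the switch software. It models the key resolution described in the two sections above (a per-server key overrides the global key; a server without its own key falls back to the global key with a warning) and shows what the resolved key is used for on the wire: obfuscating the TACACS+ packet body as specified in RFC 8907 section 4.5. The server addresses, keys and sample body are constructed for illustration.

```python
"""Added example, not from the Cisco guide: per-server versus global secret
key resolution for a TACACS+ client, and the RFC 8907 section 4.5 body
obfuscation that the resolved key drives. Addresses, keys and the sample
body are constructed."""
import hashlib
import logging
import struct

# Constructed configuration: one global key and two servers, only the first
# of which has its own key (the per-server override).
GLOBAL_KEY = b"global-secret"
SERVERS = {
    "10.0.0.1": {"key": b"per-server-secret"},
    "10.0.0.2": {"key": None},  # no per-server key: the global key applies
}

def effective_key(server, servers=SERVERS, global_key=GLOBAL_KEY):
    """Return the key the client must use for `server`.

    A per-server key wins; otherwise the global key is used and a warning
    is logged, mirroring the switch behaviour. With no key at all the body
    would have to be sent in clear text (TAC_PLUS_UNENCRYPTED_FLAG), so
    that case is refused here rather than silently allowed.
    """
    key = servers[server]["key"]
    if key:
        return key
    if not global_key:
        raise ValueError(f"no secret key configured for {server}")
    logging.warning("no key configured for %s; using the global key", server)
    return global_key

def pseudo_pad(session_id, key, version, seq_no, length):
    """Build the RFC 8907 section 4.5 pseudo-pad.

    MD5_1 = MD5(session_id | key | version | seq_no)
    MD5_n = MD5(session_id | key | version | seq_no | MD5_{n-1})
    Digests are concatenated until at least `length` bytes are available.
    """
    prefix = struct.pack("!I", session_id) + key + struct.pack("!BB", version, seq_no)
    pad, prev = b"", b""
    while len(pad) < length:
        prev = hashlib.md5(prefix + prev).digest()
        pad += prev
    return pad[:length]

def obfuscate(body, session_id, key, version=0xC0, seq_no=1):
    """XOR the body with the pseudo-pad. XOR is its own inverse, so the same
    call with the same key recovers the body; a different key does not."""
    pad = pseudo_pad(session_id, key, version, seq_no, len(body))
    return bytes(b ^ p for b, p in zip(body, pad))

def demo(server, body=b"\x01\x00\x02\x01\x00\x00\x00\x00admin"):
    """Resolve the key for `server` and show what it does to constructed
    sample bytes (not a well-formed packet, just something recognisable)."""
    key = effective_key(server)
    session_id = 0x11223344  # constructed; real clients pick this randomly per session
    wire = obfuscate(body, session_id, key)
    return {
        "key": key,
        "hidden_on_wire": wire != body,
        "roundtrip_ok": obfuscate(wire, session_id, key) == body,
        "wrong_key_fails": obfuscate(wire, session_id, b"wrong-key") != body,
    }

if __name__ == "__main__":
    for srv in SERVERS:
        print(srv, demo(srv))
```

Note that the pad is derived from MD5 and the shared secret only; it is an obfuscation, not authenticated encryption, which is why the key on both sides must be kept secret and why the warning about a missing per-server key deserves attention rather than being ignored.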
Setting the Timeout Value
From Fabric Manager, choose Switches > Security > TACACS+ > Defaults to configure global timeout
values for all TACACS+ servers.
Timeout values configured for individual servers override the globally configured values.
Defining Custom Attributes for Roles
MDS uses the TACACS+ custom attribute for the shell service to determine the roles to which a user belongs.
TACACS+ attributes are specified in name=value format. The name of this custom attribute is
cisco-av-pair. The following example shows how to specify roles with this attribute:
cisco-av-pair=shell:roles="network-admin vsan-admin"
TACACS+ custom attributes can be defined on an ACS server for various services (for example, shell).
MDS requires that the custom attribute for the shell service be used to define roles.
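The following Python is an added example and is not part of the Cisco guide or the switch software. It parses the attribute-value pairs a TACACS+ authorization reply would carry and extracts the role list from the cisco-av-pair shell:roles attribute described above, tolerating both the mandatory (=) and optional (*) separators that TACACS+ allows. The sample reply is constructed; only the shell:roles syntax comes from the guide.

```python
"""Added example, not from the Cisco guide: parsing TACACS+ AV pairs and
extracting MDS roles from cisco-av-pair shell:roles. The sample reply is
constructed."""
import re

# An AV pair is name=value (mandatory) or name*value (optional),
# RFC 8907 section 6.1; the name ends at the first "=" or "*".
_AVPAIR = re.compile(r"^(?P<name>[^=*]+)(?P<sep>[=*])(?P<value>.*)$", re.S)

def parse_avpair(av):
    """Split one AV pair into (name, mandatory, value)."""
    m = _AVPAIR.match(av)
    if not m:
        raise ValueError(f"malformed AV pair: {av!r}")
    return m["name"], m["sep"] == "=", m["value"]

def roles_from_avpairs(avpairs):
    """Return the roles named by every cisco-av-pair of the form
    shell:roles="role1 role2 ...", in order and without duplicates.
    Other attributes (for example priv-lvl) are ignored, as is a
    cisco-av-pair that carries something other than shell:roles."""
    roles = []
    for av in avpairs:
        name, _mandatory, value = parse_avpair(av)
        if name != "cisco-av-pair":
            continue
        inner = value.strip()
        if not inner.startswith("shell:roles"):
            continue
        rest = inner[len("shell:roles"):]
        # the inner separator may likewise be "=" or "*"
        if not rest or rest[0] not in "=*":
            raise ValueError(f"malformed shell:roles attribute: {av!r}")
        rest = rest[1:].strip()
        if len(rest) >= 2 and rest[0] == rest[-1] == '"':
            rest = rest[1:-1]
        for role in rest.split():
            if role not in roles:
                roles.append(role)
    return roles

# Constructed reply: the guide's own example plus unrelated attributes and
# an optional-form pair, to show that both separators are handled.
SAMPLE_REPLY = [
    "priv-lvl=15",
    'cisco-av-pair=shell:roles="network-admin vsan-admin"',
    'cisco-av-pair*shell:roles*"network-operator"',
]

if __name__ == "__main__":
    print(roles_from_avpairs(SAMPLE_REPLY))
```

The parser deliberately does not decide which roles exist on the switch; a practitioner checking an ACS profile would compare the returned list against the roles actually defined on the MDS, since a role name the switch does not know cannot grant anything.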