TACACS+ Password Change

Enterprise NOS supports TACACS+ password change. When enabled, users can
change their passwords after successful TACACS+ authorization. Use the
following command to enable or disable this feature:

RS 8264CS(config)# [no] tacacs-server password-change

Use the following commands to change the password for the primary and
secondary TACACS+ servers:

RS 8264CS(config)# tacacs-server chpassp    (Change primary TACACS+ password)
RS 8264CS(config)# tacacs-server chpasss    (Change secondary TACACS+ password)

Configuring TACACS+ Authentication on the Switch

1. Configure the IPv4 addresses of the Primary and Secondary TACACS+ servers, and
   enable TACACS authentication. Specify the interface port (optional).

   RS 8264CS(config)# tacacs-server primary-host 10.10.1.1
   RS 8264CS(config)# tacacs-server primary-host mgt-port
   RS 8264CS(config)# tacacs-server secondary-host 10.10.1.2
   RS 8264CS(config)# tacacs-server secondary-host data-port
   RS 8264CS(config)# tacacs-server enable

   Note: You can use a configured loopback address as the source address so the
   TACACS+ server accepts requests only from the expected loopback address block.
   Use the following command to specify the loopback interface:

   RS 8264CS(config)# ip tacacs source-interface loopback <1-5>

2. Configure the TACACS+ secret and second secret.

   RS 8264CS(config)# tacacs-server primary-host 10.10.1.1 key <1-32 character secret>
   RS 8264CS(config)# tacacs-server secondary-host 10.10.1.2 key <1-32 character secret>

3. If desired, you may change the default TCP port number used to listen to
   TACACS+. The well-known port for TACACS+ is 49.

   RS 8264CS(config)# tacacs-server port <TCP port number>

4. Configure the number of retry attempts, and the timeout period.

   RS 8264CS(config)# tacacs-server retransmit 3
   RS 8264CS(config)# tacacs-server timeout 5

© Copyright Lenovo 2017
Chapter 5: Authentication & Authorization Protocols
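The following is an added example, not part of the Lenovo documentation: a small audit that checks a saved configuration against the steps and the Note above. It assumes the configuration is available as text with one command per line and no CLI prompt; the function name audit_tacacs, the sample configuration and the key values are constructed for illustration.

```python
import re

# Constructed sample input. Assumed format: the commands from this page,
# one per line, without the CLI prompt. The key value is a placeholder.
SAMPLE_CONFIG = """\
tacacs-server primary-host 10.10.1.1 key ExampleSecret01
tacacs-server primary-host mgt-port
tacacs-server secondary-host 10.10.1.2
tacacs-server secondary-host data-port
ip tacacs source-interface loopback 7
tacacs-server retransmit 3
tacacs-server timeout 5
"""

HOST_RE = re.compile(r"tacacs-server (primary|secondary)-host (\d+(?:\.\d+){3})(?: key (\S+))?$")
LOOPBACK_RE = re.compile(r"ip tacacs source-interface loopback (\d+)$")


def audit_tacacs(config_text):
    """Check a config dump against the steps and the Note on this page."""
    hosts, keys, loopback, enabled = {}, {}, None, False
    for line in map(str.strip, config_text.splitlines()):
        if m := HOST_RE.match(line):
            role, addr, key = m.groups()
            # A host line without "key" must not erase a key seen earlier.
            hosts[role], keys[role] = addr, key or keys.get(role)
        elif m := LOOPBACK_RE.match(line):
            loopback = int(m.group(1))
        elif line == "tacacs-server enable":
            enabled = True

    findings = []
    if not enabled:
        findings.append("FAIL: 'tacacs-server enable' is missing")
    for role in ("primary", "secondary"):
        if role not in hosts:
            findings.append(f"FAIL: no {role} TACACS+ server configured")
        elif not keys[role]:
            findings.append(f"FAIL: {role} server {hosts[role]} has no secret")
        elif len(keys[role]) > 32:
            findings.append(f"FAIL: {role} secret exceeds 32 characters")
    if loopback is None:
        findings.append("INFO: no loopback source interface set (optional)")
    elif not 1 <= loopback <= 5:
        findings.append(f"FAIL: loopback {loopback} is outside the range 1-5")
    return findings


if __name__ == "__main__":
    print("\n".join(audit_tacacs(SAMPLE_CONFIG)))
```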