Specifying Different Servers for Individual AAA Functions; Setting Optional TACACS/TACACS+ Parameters - Dell PowerConnect B-RX Configuration Manual

BigIron RX Series Configuration Guide v02.7.02

Configuring TACACS/TACACS+ security
NOTE
If you erase a tacacs-server command (by entering "no" followed by the command), make sure you
also erase the aaa commands that specify TACACS/TACACS+ as an authentication method. (Refer
to "Configuring authentication-method lists for TACACS/TACACS+" on page 88.) Otherwise, when you
exit from the CONFIG mode or from a Telnet session, the system continues to believe it is
TACACS/TACACS+ enabled and you will not be able to access the system.
The auth-port parameter specifies the UDP (for TACACS) or TCP (for TACACS+) port number of the
authentication port on the server. The default port number is 49.

Specifying different servers for individual AAA functions

In a TACACS+ configuration, you can designate a server to handle a specific AAA task. For example,
you can designate one TACACS+ server to handle authorization and another TACACS+ server to
handle accounting. You can set the TACACS+ key for each server.
To specify different TACACS+ servers for authentication, authorization, and accounting, enter commands such as the following:
BigIron RX(config)# tacacs-server host 1.2.3.4 auth-port 49 authentication-only key abc
BigIron RX(config)# tacacs-server host 1.2.3.5 auth-port 49 authorization-only key def
BigIron RX(config)# tacacs-server host 1.2.3.6 auth-port 49 accounting-only key ghi
Syntax: tacacs-server host <ip-addr> | <server-name> [auth-port <number> [authentication-only | authorization-only | accounting-only | default] [key <string>]]
The default parameter causes the server to be used for all AAA functions.
After authentication takes place, the server that performed the authentication is used for
authorization or accounting. If the authenticating server cannot perform the requested function,
then the next server in the configured list of servers is tried; this process repeats until a server that
can perform the requested function is found, or every server in the configured list has been tried.

Setting optional TACACS/TACACS+ parameters

You can set the following optional parameters in a TACACS/TACACS+ configuration:
TACACS+ key – This parameter specifies the value that the Brocade device sends to the
TACACS+ server when trying to authenticate user access.
Retransmit interval – This parameter specifies how many times the Brocade device will resend
an authentication request when the TACACS/TACACS+ server does not respond. The retransmit
value can be from 1 – 5 times. The default is 3 times.
Dead time – This parameter specifies how long the Brocade device waits for the primary
authentication server to reply before deciding the server is dead and trying to authenticate
using the next server. The dead-time value can be from 1 – 5 seconds. The default is 3
seconds.
Timeout – This parameter specifies how many seconds the Brocade device waits for a
response from a TACACS/TACACS+ server before either retrying the authentication request, or
determining that the TACACS/TACACS+ servers are unavailable and moving on to the next
authentication method in the authentication-method list. The timeout can be from 1 – 15
seconds. The default is 3 seconds.
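
The server-selection rule described under "Specifying different servers for individual AAA functions" can be checked offline against a saved configuration. The Python below is an added example, not part of the Brocade manual: its function names are hypothetical, and it assumes the authenticating server is asked first and the remaining servers are then tried in configured order.

```python
import re

FUNCTIONS = ("authentication", "authorization", "accounting")
# Follows the Syntax line on this page: host, optional auth-port, role keyword, key.
HOST_RE = re.compile(
    r"tacacs-server host (?P<host>\S+)"
    r"(?: auth-port (?P<port>\d+))?"
    r"(?: (?P<role>authentication-only|authorization-only|accounting-only|default))?"
    r"(?: key (?P<key>\S+))?\s*$"
)

# The three example commands from this page, as they would appear in a saved config.
PAGE_CONFIG = """\
tacacs-server host 1.2.3.4 auth-port 49 authentication-only key abc
tacacs-server host 1.2.3.5 auth-port 49 authorization-only key def
tacacs-server host 1.2.3.6 auth-port 49 accounting-only key ghi
"""

def parse_hosts(config):
    """Return [(host, set of AAA functions it may serve)] in configured order."""
    hosts = []
    for line in config.splitlines():
        m = HOST_RE.search(line)
        if not m:
            continue
        role = m.group("role") or "default"
        # "default" (or no role keyword) means the server is used for all functions.
        funcs = set(FUNCTIONS) if role == "default" else {role[:-len("-only")]}
        hosts.append((m.group("host"), funcs))
    return hosts

def select_server(hosts, auth_server, function):
    """Server that handles `function` once `auth_server` has authenticated the user.
    Assumed order: authenticating server first, then the others as configured.
    None means every server in the list was tried without success."""
    ordered = sorted(hosts, key=lambda h: h[0] != auth_server)  # stable sort
    for host, funcs in ordered:
        if function in funcs:
            return host
    return None

def unserved(config):
    """AAA functions that no configured server is able to perform."""
    hosts = parse_hosts(config)
    return [f for f in FUNCTIONS if not any(f in funcs for _, funcs in hosts)]

if __name__ == "__main__":
    for f in FUNCTIONS:
        print(f, "->", select_server(parse_hosts(PAGE_CONFIG), "1.2.3.4", f))
```

An empty list from `unserved()` means each AAA function has at least one capable server; a non-empty list names the functions for which the search would exhaust the server list.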
BigIron RX Series Configuration Guide
53-1001810-01
