Foundry Switch and Router Installation and Configuration Guide
User Action: User enters other commands
TACACS/TACACS+ Configuration Considerations
• You must deploy at least one TACACS/TACACS+ server in your network.
• Foundry devices support authentication using up to eight TACACS/TACACS+ servers. The device tries to use the servers in the order you add them to the device's configuration.
• You can select only one primary authentication method for each type of access to a device (CLI through Telnet, CLI Privileged EXEC and CONFIG levels). For example, you can select TACACS+ as the primary authentication method for Telnet CLI access, but you cannot also select RADIUS authentication as a primary method for the same type of access. However, you can configure backup authentication methods for each access type.
• You can configure the Foundry device to authenticate using a TACACS or TACACS+ server, not both.
TACACS Configuration Procedure
For TACACS configurations, use the following procedure:
1. Identify TACACS servers. See "Identifying the TACACS/TACACS+ Servers" on page 3-22.
2. Set optional parameters. See "Setting Optional TACACS/TACACS+ Parameters" on page 3-23.
3. Configure authentication-method lists. See "Configuring Authentication-Method Lists for TACACS/TACACS+" on page 3-24.
TACACS+ Configuration Procedure
For TACACS+ configurations, use the following procedure:
1. Identify TACACS+ servers. See "Identifying the TACACS/TACACS+ Servers" on page 3-22.
2. Set optional parameters. See "Setting Optional TACACS/TACACS+ Parameters" on page 3-23.
3. Configure authentication-method lists. See "Configuring Authentication-Method Lists for TACACS/TACACS+" on page 3-24.
4. Optionally configure TACACS+ authorization. See "Configuring TACACS+ Authorization" on page 3-25.
5. Optionally configure TACACS+ accounting. See "Configuring TACACS+ Accounting" on page 3-27.
Identifying the TACACS/TACACS+ Servers
To use TACACS/TACACS+ servers to authenticate access to a Foundry device, you must identify the servers to the Foundry device.
For example, to identify three TACACS/TACACS+ servers, enter commands such as the following:
BigIron(config)# tacacs-server host 207.94.6.161
BigIron(config)# tacacs-server host 207.94.6.191
BigIron(config)# tacacs-server host 207.94.6.122
Syntax: tacacs-server <ip-addr>|<hostname> [auth-port <number>]
The <ip-addr>|<hostname> parameter specifies the IP address or host name of the server. You can enter up to eight tacacs-server host commands to specify up to eight different servers.
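The following script is an added example, not part of the guide or of Foundry's software. It audits the server list in a saved configuration against the rules stated in the considerations above: it parses the tacacs-server host lines exactly as the examples show them, preserves the order in which the servers were added (the order the device will try them), and flags a configuration with no server or with more than eight. The default auth-port of 49 (the IANA-assigned TACACS+ port) and the sample configuration text are assumptions of the example, not values from the guide.

```python
"""
Audit the TACACS/TACACS+ server list in a Foundry-style configuration.

Added example (not from the guide): parses 'tacacs-server host' lines,
keeps them in configuration order (the order the device tries them), and
checks the documented limits: at least one server, at most eight.
"""
import ipaddress
import re
from dataclasses import dataclass
from typing import List

MAX_TACACS_SERVERS = 8   # limit stated in the guide
DEFAULT_AUTH_PORT = 49   # assumption: IANA TACACS+ port, used when auth-port is omitted

# Matches: tacacs-server host <ip-addr>|<hostname> [auth-port <number>]
_HOST_RE = re.compile(
    r"^\s*tacacs-server\s+host\s+(?P<host>\S+)(?:\s+auth-port\s+(?P<port>\d+))?\s*$"
)

# Constructed sample configuration; the hostname and ports are made up.
CONSTRUCTED_CONFIG = """hostname BigIron
tacacs-server host 207.94.6.161
tacacs-server host 207.94.6.191 auth-port 4949
tacacs-server host tacacs.example.net
"""


@dataclass
class TacacsServer:
    host: str       # IP address or host name as written in the config
    auth_port: int  # explicit auth-port, or DEFAULT_AUTH_PORT
    is_ip: bool     # True when host parses as an IPv4/IPv6 address


def parse_tacacs_servers(config_text: str) -> List[TacacsServer]:
    """Return the configured servers in the order they appear in the config."""
    servers: List[TacacsServer] = []
    for line in config_text.splitlines():
        m = _HOST_RE.match(line)
        if not m:
            continue
        host = m.group("host")
        port = int(m.group("port")) if m.group("port") else DEFAULT_AUTH_PORT
        try:
            ipaddress.ip_address(host)
            is_ip = True
        except ValueError:
            is_ip = False
        servers.append(TacacsServer(host, port, is_ip))
    return servers


def failover_order(config_text: str) -> List[str]:
    """Hosts in the order the device will try them (first configured first)."""
    return [s.host for s in parse_tacacs_servers(config_text)]


def audit_tacacs_servers(config_text: str) -> List[str]:
    """Return findings as strings; an empty list means the server list passes."""
    findings: List[str] = []
    servers = parse_tacacs_servers(config_text)
    if not servers:
        findings.append("no tacacs-server host configured; at least one "
                        "TACACS/TACACS+ server is required")
    if len(servers) > MAX_TACACS_SERVERS:
        findings.append(f"{len(servers)} servers configured; the device "
                        f"supports at most {MAX_TACACS_SERVERS}")
    for s in servers:
        # Generic TCP port sanity check, not a limit stated in the guide.
        if not 1 <= s.auth_port <= 65535:
            findings.append(f"{s.host}: auth-port {s.auth_port} is outside 1-65535")
    return findings


if __name__ == "__main__":
    print("try order:", failover_order(CONSTRUCTED_CONFIG))
    print("findings:", audit_tacacs_servers(CONSTRUCTED_CONFIG) or "none")
```

Run it against the output of the device's running-config to confirm the server order is the intended one before relying on the fallback behaviour; only lines in the documented `tacacs-server host` form are counted, so any other line is ignored.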
3 - 22
Applicable AAA Operations:
Command authorization (TACACS+): aaa authorization commands <privilege-level> default <method-list>
Command accounting (TACACS+): aaa accounting commands <privilege-level> default start-stop <method-list>
December 2000