Foundry Networks Switch and Router Installation And Configuration Manual page 87

NOTE: To specify the server's host name instead of its IP address, you must first identify a DNS server using the
ip dns server-address <ip-addr> command at the global CONFIG level.
If you add multiple TACACS/TACACS+ authentication servers to the Foundry device, the device tries to reach
them in the order you add them. For example, if you add three servers in the following order, the software tries the
servers in the same order:
1. 207.94.6.161
2. 207.94.6.191
3. 207.94.6.122
You can remove a TACACS/TACACS+ server by entering no followed by the tacacs-server command. For
example, to remove 207.94.6.161, enter the following command:
BigIron(config)# no tacacs-server host 207.94.6.161
NOTE: If you erase a tacacs-server command (by entering "no" followed by the command), make sure you also
erase the aaa commands that specify TACACS/TACACS+ as an authentication method. (See "Configuring
Authentication-Method Lists for TACACS/TACACS+" on page 3-24.) Otherwise, when you exit from the CONFIG
mode or from a Telnet session, the system continues to believe it is TACACS/TACACS+ enabled and you will not
be able to access the system.
The auth-port parameter specifies the UDP (for TACACS) or TCP (for TACACS+) port number of the
authentication port on the server. The default port number is 49.
Setting Optional TACACS/TACACS+ Parameters
You can set the following optional parameters in a TACACS/TACACS+ configuration:
• TACACS+ key – This parameter specifies the value that the Foundry device sends to the TACACS+ server
when trying to authenticate user access.
• Retransmit interval – This parameter specifies how many times the Foundry device will resend an
authentication request when the TACACS/TACACS+ server does not respond. The retransmit value can be
from 1 – 5 times. The default is 3 times.
• Dead time – This parameter specifies how long the Foundry device waits for the primary authentication server
to reply before deciding the server is dead and trying to authenticate using the next server. The dead-time
value can be from 1 – 5 seconds. The default is 3 seconds.
• Timeout – This parameter specifies how many seconds the Foundry device waits for a response from a
TACACS/TACACS+ server before either retrying the authentication request, or determining that the TACACS/
TACACS+ servers are unavailable and moving on to the next authentication method in the authentication-
method list. The timeout can be from 1 – 15 seconds. The default is 3 seconds.
Setting the TACACS+ Key
The key parameter in the tacacs-server command is used to encrypt TACACS+ packets before they are sent over
the network. The value for the key parameter on the Foundry device should match the one configured on the
TACACS+ server. The key can be from 1 – 32 characters in length.
NOTE: The tacacs-server key command applies only to TACACS+ servers, not to TACACS servers. If you are
configuring TACACS, do not configure a key on the TACACS server and do not enter a key on the Foundry device.
To specify a TACACS+ server key:
BigIron(config)# tacacs-server key rkwong
Syntax: tacacs-server key <key-string>
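The lockout hazard in the NOTE above (a tacacs-server entry erased while the aaa method lists still name TACACS/TACACS+) and the key rules in this section can be checked before a change is committed. The following Python is an added example, not Foundry code: it lints constructed running-config excerpts, and the exact form of the "aaa authentication <type> default <methods>" line is an assumption.

```python
import re

TACACS_METHODS = {"tacacs", "tacacs+"}

# Constructed running-config excerpts (not from the manual). The
# "aaa authentication <type> default <method...>" line format is assumed.
CONFIG_OK = """\
tacacs-server host 207.94.6.161
tacacs-server host 207.94.6.191
tacacs-server key rkwong
aaa authentication login default tacacs+ local
"""

# Same device after "no tacacs-server host ..." removed both servers but the
# aaa line was left behind: the lockout scenario the manual's NOTE warns about.
CONFIG_SERVERS_REMOVED = """\
tacacs-server key rkwong
aaa authentication login default tacacs+ local
"""

def parse_config(text):
    """Collect TACACS/TACACS+ servers (in try order), the key, and aaa method lists."""
    cfg = {"servers": [], "key": None, "methods": {}}
    for line in text.splitlines():
        line = line.strip()
        if m := re.match(r"tacacs-server host (\S+)", line):
            cfg["servers"].append(m.group(1))   # config order = order tried
        elif m := re.match(r"tacacs-server key (\S+)", line):
            cfg["key"] = m.group(1)
        elif m := re.match(r"aaa authentication (\S+) default (.+)", line):
            cfg["methods"][m.group(1)] = m.group(2).split()
    return cfg

def lockout_risks(text):
    """Return findings that could leave the device's management plane unreachable."""
    cfg = parse_config(text)
    findings = []
    tacacs_lists = {name: meths for name, meths in cfg["methods"].items()
                    if TACACS_METHODS & set(meths)}
    if tacacs_lists and not cfg["servers"]:
        findings.append("aaa method lists use TACACS/TACACS+ but no "
                        "tacacs-server host is configured")
    for name, meths in tacacs_lists.items():
        if meths[-1] in TACACS_METHODS:
            findings.append(f"{name}: no local fallback after TACACS/TACACS+")
        if "tacacs+" in meths and cfg["key"] is None:
            findings.append(f"{name}: tacacs+ in use without a tacacs-server key")
        if "tacacs" in meths and cfg["key"] is not None:
            findings.append(f"{name}: key configured but plain TACACS does not use one")
    if cfg["key"] is not None and not 1 <= len(cfg["key"]) <= 32:
        findings.append("tacacs-server key must be 1 - 32 characters")
    return findings
```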
December 2000
Securing Access to Management Functions
3 - 23