TACACS+ encryption key authentication

You can use TACACS+ servers to authenticate users who request access to a switch through Telnet (remote) or console (local) sessions. TACACS+ uses an authentication hierarchy consisting of:

  • Remote passwords assigned in a TACACS+ server

  • Local manager and operator passwords configured on the switch.

When you configure TACACS+, the switch first tries to contact a designated TACACS+ server for authentication services. If the switch fails to connect to any TACACS+ server, it defaults to its own locally assigned passwords for authentication control if it has been configured to do so.

For improved security, you can configure a global or server-specific encryption key that encrypts data in TACACS+ packets transmitted between a switch and a RADIUS server during authentication sessions. The key configured on the switch must match the encryption key configured in each TACACS+ server application. (The encryption key is sometimes referred to as “shared secret” or “secret” key.)

TACACS+ shared secret (encryption) keys can be saved in a configuration file by entering this command:

switch(config)# tacacs-server key <keystring>

The option <keystring> is the encryption key (in clear text) used for secure communication with all or a specific TACACS+ server.