Configuring the switch TACACS+ server access

The tacacs-server command configures these parameters:
  • The host IP addresses

    for up to three TACACS+ servers; one first-choice and up to two backups. Designating backup servers provides for a continuation of authentication services in case the switch is unable to contact the first-choice server.

  • An optional encryption key

    . This key helps to improve security, and must match the encryption key used in your TACACS+ server application. In some applications, the term "secret key" or "secret" may be used instead of "encryption key". If you need only one encryption key for the switch to use in all attempts to authenticate through a TACACS+ server, configure a global key. However, if the switch is configured to access multiple TACACS+ servers having different encryption keys, you can configure the switch to use different encryption keys for different TACACS+ servers.

  • The timeoutvalue

    in seconds for attempts to contact a TACACS+ server. If the switch sends an authentication request, but does not receive a response within the period specified by the timeout value, the switch resends the request to the next server in its Server IP Addr list, if any. If the switch still fails to receive a response from any TACACS+ server, it reverts to whatever secondary authentication method was configured using the aaa authentication command (local or none), see Selecting the access method for configuration.

Syntax

tacacs-server host <IP-ADDR> [key <KEY-STR>] | [oobm]
    

Adds a TACACS+ server and optionally assigns a server-specific encryption key. If the switch is configured to access multiple TACACS+ servers having different encryption keys, you can configure the switch to use different encryption keys for different TACACS+ servers.


[no]tacacs-server host<IP-ADDR>

Removes a TACACS+ server assignment (including its server-specific encryption key, if any).


tacacs-server key <KEY-STR>

Configures an optional global encryption key. Keys configured in the switch must exactly match the encryption keys configured in the TACACS+ servers that the switch attempts to use for authentication.


[no]tacacs-server key

Removes the optional global encryption key. This does not affect any server-specific encryption key assignments.


tacacs-server timeout <1-255>

Changes the wait period for a TACACS server response.

Default: 5 seconds.

NOTE:
  • Hewlett Packard Enterprise recommends that you configure, test, and troubleshoot authentication using telnet access before configuring authentication from a console port access. This prevents accidentally locking yourself out of the switch.

  • Encryption keys configured in the switch must exactly match the encryption keys configured in the TACACS+ servers it is attempting to use for authentication.A switch uses a global encryption key only with servers with no server-specific key. A global key is more useful where the TACACS+ servers in use all have an identical key, and server-specific keys are necessary where different TACACS+ servers have different keys.If TACACS+ server "X" has no encryption key assigned, then configuring either a global encryption key or a server-specific key in the switch for server "X" blocks authentication support from server "X".