TACACS authentication

Authenticating users through TACACS also provides a centralized way to manage access to the switch. TACACS authentication works along the same lines as RADIUS authentication, allowing the administrator to manage users from a central server. TACACS authentication is also supported by Aruba ClearPass Policy Manager.

Similar to the RADIUS example above, the following command designates a TACACS server at 10.100.0.252, with the authentication key "terces", as an authentication server:

switch(config)# tacacs-server host 10.100.0.252 key terces

To enable TACACS authentication as the primary method and local authentication as the secondary method for console or SSH management access, use the following configuration commands:

switch(config)# aaa authentication console login tacacs local 
switch(config)# aaa authentication console enable tacacs local 
switch(config)# aaa authentication ssh login tacacs local 
switch(config)# aaa authentication ssh enable tacacs local

TACACS authentication is not supported for web management UI access.

NOTE:

Note on RADIUS and TACACS keys: by default, RADIUS and TACACS server authentication keys are not included when configuration files are copied from the switch (for example, through the copy saved-configuration sftp command). If a configuration file without these keys is used to restore a switch configuration from backup, authentication requests made to configured RADIUS and/or TACACS servers may fail. These keys may be included in configuration backups when include-credentials and encrypt-credentials are enabled (to configure, refer to Local password authentication).
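
An added example, not part of the original guide: a Python check that a saved configuration file still carries a key for each TACACS server and lists tacacs then local for console and SSH access, which is useful before restoring from a backup. It assumes the file uses the same line syntax as the commands above; the function name, the key-matching rule and the sample backup are constructed for illustration.

```python
import re

# Access methods configured above: TACACS primary, local secondary.
REQUIRED_AAA = [("console", "login"), ("console", "enable"),
                ("ssh", "login"), ("ssh", "enable")]

HOST_RE = re.compile(r"^\s*tacacs-server\s+host\s+(\S+)(.*)$")
# Assumption: any keyword ending in "key" followed by a value counts as a key.
KEY_RE = re.compile(r"\b\S*key\s+\S+")
AAA_RE = re.compile(
    r"^\s*aaa\s+authentication\s+(console|ssh)\s+(login|enable)\s+(.+?)\s*$")

# Constructed sample: a backup copied without credentials, with SSH drifted.
SAMPLE_BACKUP = """\
tacacs-server host 10.100.0.252
aaa authentication console login tacacs local
aaa authentication console enable tacacs local
aaa authentication ssh login local
"""


def audit_tacacs(config_text):
    """Return findings for a saved configuration (hypothetical helper)."""
    findings, hosts, aaa = [], [], {}
    for line in config_text.splitlines():
        m = HOST_RE.match(line)
        if m:
            hosts.append((m.group(1), bool(KEY_RE.search(m.group(2)))))
            continue
        m = AAA_RE.match(line)
        if m:
            aaa[(m.group(1), m.group(2))] = m.group(3).split()
    if not hosts:
        findings.append("no tacacs-server host configured")
    for ip, has_key in hosts:
        if not has_key:
            findings.append(f"tacacs-server host {ip}: no key in file")
    for access, level in REQUIRED_AAA:
        methods = aaa.get((access, level))
        if methods is None:
            findings.append(f"{access} {level}: no aaa authentication line")
        elif methods[:2] != ["tacacs", "local"]:
            findings.append(f"{access} {level}: methods are {' '.join(methods)}")
    return findings


if __name__ == "__main__":
    for finding in audit_tacacs(SAMPLE_BACKUP):
        print(finding)
```

An empty result means the file matches the configuration shown in this section; each finding names the line to fix before the backup is used for a restore.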

For more details, refer to the chapter titled “TACACS+ Authentication and Accounting” in the ArubaOS-Switch Access Security Guide.