Configuring the switch TACACS+ server access

The tacacs-server command configures these parameters:
  • The host IP address(es)

    for up to three TACACS+ servers; one first-choice and up to two backups. Designating backup servers provides for a continuation of authentication services in case the switch is unable to contact the first-choice server.

  • An optional encryption key.

    This key helps to improve security, and must match the encryption key used in your TACACS+ server application. In some applications, the term "secret key" or "secret" may be used instead of "encryption key". If you need only one encryption key for the switch to use in all attempts to authenticate through a TACACS+ server, configure a global key. However, if the switch is configured to access multiple TACACS+ servers having different encryption keys, you can configure the switch to use different encryption keys for different TACACS+ servers.

  • The timeout value

    in seconds for attempts to contact a TACACS+ server. If the switch sends an authentication request, but does not receive a response within the period specified by the timeout value, the switch resends the request to the next server in its Server IP Addr list, if any. If the switch still fails to receive a response from any TACACS+ server, it reverts to whatever secondary authentication method was configured using the aaa authentication command (local or none), see Configuring the switch authentication methods.


As described in General authentication setup procedure, Hewlett Packard Enterprise recommends that youconfigure, test, and troubleshoot authentication via Telnet access before you configure authentication via console port access. This helps to prevent accidentally locking yourself out of switch access due to errors or problems in setting up authentication in either the switch or your TACACS+ server.


tacacs-server host <ip-addr> [key <key-string>]

Adds a TACACS+ server and optionally assigns a server-specific encryption key.

[no] tacacs-server host <ip-addr>

Removes a TACACS+ server assignment (including its server-specific encryption key, if any).

Configures an optional global encryption key. Keys configured in the switch must exactly match the encryption keys configured in the TACACS+ servers that the switch will attempt to use for authentication.

[no] tacacs-server key

Removes the optional global encryption key. This does not affect any server-specific encryption key assignments.

tacacs-server timeout <1-255>

Changes the wait period for a TACACS server response.

Default: 5 seconds.


Encryption keys configured in the switch must exactly match the encryption keys configured in the TACACS+ servers it is attempting to use for authentication.

A switch uses a global encryption key only with servers with no server-specific key. A global key is more useful where the TACACS+ servers in use all have an identical key, and server-specific keys are necessary where different TACACS+ servers have different keys.

If TACACS+ server "X" has no encryption key assigned, then configuring either a global encryption key or a server-specific key in the switch for server "X" will block authentication support from server "X".