Configuring a server-specific encryption key

Syntax

tacacs-server host <ip-addr | ipv6 addr> [key <key-string> | encrypted-key <key-string>] [oobm]
    
Adds a TACACS+ server and optionally assigns a server-specific encryption key. If the switch is configured to access multiple TACACS+ servers having different encryption keys, you can configure the switch to use different encryption keys for different TACACS+ servers.
NOTE:

When the switch is in enhanced secure mode, commands that take a secret key as a parameter echo the typed secret as asterisks, and the switch prompts interactively for <key-string>.

tacacs-server host <ip-addr | ipv6 addr>
no tacacs-server host <ip-addr | ipv6 addr>
    

Removes a TACACS+ server assignment (including its server-specific encryption key, if any).

tacacs-server [key <key-string> | encrypted-key <key-string>]
    

Configures an optional global encryption key. Keys configured in the switch must exactly match the encryption keys configured in the TACACS+ servers that the switch attempts to use for authentication. The encrypted-key parameter configures a global encryption key, specified as a base64-encoded, AES-256 encrypted string.

tacacs-server key
no tacacs-server key

Removes the optional global encryption key. It does not affect any server-specific encryption key assignments.

tacacs-server encrypted-key <key-string>
    

Encryption key to use with a TACACS+ server, specified as a base64-encoded, AES-256 encrypted string.

tacacs-server timeout <1-255>
    

Changes the wait period for a TACACS+ server response. (Default: 5 seconds.)

NOTE:

Encryption keys configured in the switch must exactly match the encryption keys configured in TACACS+ servers the switch attempts to use for authentication.

If you configure a global encryption key, the switch uses it only with servers for which you have not configured a server-specific key. Thus, a global key is more useful where the TACACS+ servers you are using all have an identical key, and server-specific keys are necessary where different TACACS+ servers have different keys.

If TACACS+ server “X” does not have an encryption key assigned for the switch, then configuring either a global encryption key or a server-specific key in the switch for server “X” blocks authentication support from server “X”.
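The key-selection rule in the note above can be checked offline against a saved command sequence. The following Python sketch is an added example, not part of the vendor documentation: it replays `tacacs-server` commands and reports, per server, whether a server-specific key, the global key, or no key applies. The command lines, addresses and key strings are constructed, and the handling of a repeated keyless `host` line is an assumption.

```python
import shlex

# Constructed command sequence (documentation addresses, made-up keys).
SAMPLE = [
    "tacacs-server key GlobalExample1",
    "tacacs-server host 192.0.2.10 key PerServerExample1",
    "tacacs-server host 192.0.2.11",
    "tacacs-server host 2001:db8::12 encrypted-key Q09OU1RSVUNURUQ= oobm",
    "tacacs-server timeout 10",
    "no tacacs-server host 192.0.2.11",
    "tacacs-server host 192.0.2.13",
    "no tacacs-server key",
]

def _key_of(args):
    """Return (form, value) for a key/encrypted-key argument, else None."""
    for i, word in enumerate(args[:-1]):
        if word in ("key", "encrypted-key"):
            return (word, args[i + 1])
    return None

def effective_keys(commands):
    """Replay the commands in order; return {host: (key source, key form)}."""
    hosts, global_key = {}, None
    for line in commands:
        tok = shlex.split(line)
        negate = tok[:1] == ["no"]
        args = tok[2:] if negate else tok[1:]
        if (tok[1:2] if negate else tok[:1]) != ["tacacs-server"]:
            continue
        if args[:1] == ["host"] and len(args) >= 2:
            if negate:                       # removes host and its key
                hosts.pop(args[1], None)
            else:                            # assumption: keyless re-add keeps an earlier key
                hosts[args[1]] = _key_of(args[2:]) or hosts.get(args[1])
        elif negate and args == ["key"]:     # removes only the global key
            global_key = None
        elif not negate:
            global_key = _key_of(args) or global_key
    result = {}
    for host, own in hosts.items():
        chosen, source = (own, "server-specific") if own else (global_key, "global")
        result[host] = (source, chosen[0]) if chosen else ("none", None)
    return result

if __name__ == "__main__":
    for host, (source, form) in effective_keys(SAMPLE).items():
        print(f"{host}: {source} ({form})")
```

The report contains only the key source and form, never the key string, so its output can be attached to a change ticket.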