Configuring the switch TACACS+ server access

The tacacs-server command configures the following parameters:
  • The host IP addresses for up to three TACACS+ servers; one first-choice and up to two backups. Designating backup servers provides for a continuation of authentication services in case the switch is unable to contact the first-choice server.
  • An optional encryption key that helps to improve security, and must match the encryption key used in your TACACS+ server application. In some applications, the term "secret key" or "secret" may be used instead of "encryption key". If you need only one encryption key for the switch to use in all attempts to authenticate through a TACACS+ server, configure a global key. However, if the switch is configured to access multiple TACACS+ servers having different encryption keys, you can configure the switch to use different encryption keys for different TACACS+ servers.
  • The time out value in seconds for attempts to contact a TACACS+ server. If the switch sends an authentication request, but does not receive a response within the period specified by the timeout value, the switch resends the request to the next server in its Server IP Addr list, if any. If the switch still fails to receive a response from any TACACS+ server, it reverts to whatever secondary authentication method was configured using the aaa authentication command (local or none). See Selecting the access method for configuration.

Syntax

tacacs-server host <IP-ADDR | IPV6-ADDR> [key <KEY-STR>] | [oobm]
    

Adds a TACACS+ server and optionally assigns a server-specific encryption key. If the switch is configured to access multiple TACACS+ servers having different encryption keys, you can configure the switch to use different encryption keys for different TACACS+ servers.

switch(config)# tacacs-server dead-time help
Usage:  no tacacs-server dead-time <Minutes>

Description

Configure the dead time for unavailable TACACS+ servers. When a server stops responding, the switch ignores it for this amount of time and proceeds immediately to the next backup. This improves response time because the switch does not wait for connections to time out before contacting the next backup server. The default value of zero disables skipping unavailable servers.


no tacacs-server host <IP-ADDR | IPV6-ADDR>

Removes a TACACS+ server assignment (including its server-specific encryption key, if any).


tacacs-server key <KEY-STR>

Configures an optional global encryption key. Keys configured in the switch must match the encryption keys configured in the TACACS+ servers that the switch attempts to use for authentication.


no tacacs-server key

Removes the optional global encryption key. This does not affect any server-specific encryption key assignments.


tacacs-server timeout <1-255>

Changes the wait period for a TACACS server response.

Default: 5 seconds.

NOTE:
  • It is recommended that you configure, test, and troubleshoot authentication using telnet access before configuring authentication from a console port access. This prevents accidentally locking yourself out of the switch.

  • Encryption keys configured in the switch must match the encryption keys configured in the TACACS+ servers it is attempting to use for authentication. A switch uses a global encryption key only with servers with no server-specific key. A global key is more useful where the TACACS+ servers in use all have an identical key, and server-specific keys are necessary where different TACACS+ servers have different keys. If TACACS+ server "X" has no encryption key assigned, then configuring either a global encryption key or a server-specific key in the switch for server "X" blocks authentication support from server "X".