Remote AAA TACACS+ server configuration requirements

The user-supplied TACACS+ server must:
  • Have an IPv4/IPv6 address or fully qualified domain name (FQDN) that is visible to the switch.

  • Have a passkey (shared secret) that matches what is configured on the switch.

  • Provide username and password definitions for every switch user. Remote users do not require definition on the switch.

  • Use the priv-lvl TACACS+ attribute with the following values:

    • 1: for users requiring the Operators role.

    • 15: for users requiring the Administrators role.

    • Any other priv-lvl value results in the user being denied access.

  • Have any needed command authorization configured to control which commands (per user or user role) can be executed on the switch.
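The priv-lvl rule above (1 maps to Operators, 15 to Administrators, anything else is denied) as an added, self-contained example; this is not switch or vendor code. It assumes the attribute-value pair syntax of RFC 8907, where "attr=value" is a mandatory argument and "attr*value" an optional one, and the sample replies are constructed.

```python
# Added example (not switch or vendor code): models the priv-lvl -> role check a
# switch applies to the attribute-value (AV) pairs returned in a TACACS+
# authorization reply. AV syntax per RFC 8907: "attr=value" is mandatory,
# "attr*value" is optional; the first '=' or '*' is the separator.

ROLE_BY_PRIV_LVL = {1: "Operators", 15: "Administrators"}


def parse_av_pair(pair):
    """Split one AV pair into (attribute, value, mandatory)."""
    idx = min((i for i in (pair.find("="), pair.find("*")) if i != -1),
              default=-1)
    if idx <= 0:  # no separator, or empty attribute name
        raise ValueError("malformed AV pair: %r" % pair)
    return pair[:idx], pair[idx + 1:], pair[idx] == "="


def role_for(av_pairs):
    """Return the switch role for a reply's AV pairs, or None (access denied).

    Denied cases: priv-lvl missing, not an integer, or not 1/15.
    """
    attrs = {}
    for pair in av_pairs:
        attr, value, _mandatory = parse_av_pair(pair)
        attrs[attr] = value
    raw = attrs.get("priv-lvl")
    if raw is None or not raw.isdigit():
        return None
    return ROLE_BY_PRIV_LVL.get(int(raw))


# Constructed sample authorization replies (user -> AV pairs from the server).
SAMPLE_REPLIES = {
    "netadmin": ["service=shell", "priv-lvl=15"],
    "helpdesk": ["service=shell", "priv-lvl=1"],
    "contractor": ["service=shell", "priv-lvl=7"],   # denied: unsupported level
    "legacy": ["service=shell"],                     # denied: no priv-lvl
}

if __name__ == "__main__":
    for user, pairs in SAMPLE_REPLIES.items():
        role = role_for(pairs)
        print("%-10s -> %s" % (user, role or "ACCESS DENIED"))
```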

NOTE:

Consult your TACACS+ server documentation for installation and general configuration details.

NOTE:

If SSH public key authentication is used, the key information is stored locally on the switch, making username and password definition on the TACACS+ server unnecessary.