Remote AAA TACACS+ server configuration requirements

The user-supplied TACACS+ server must:
  • Have an IPv4/IPv6 address or fully qualified domain name (FQDN) that is visible to the switch.

  • Have a passkey (shared secret) that matches what is configured on the switch.

  • Provide username and password definitions for every switch user. Remote users do not require definition on the switch.

  • Use the priv-lvl TACACS+ attribute with the following values:

    • 1: for users requiring the Operators role.

    • 15: for users requiring the Administrators role.

    • Any other priv-lvl value results in the user being denied access.

  • Have any required command authorization configured to control which commands (per user or user role) can be executed on the switch.


Consult your TACACS+ server documentation for installation and general configuration details.
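
A pre-deployment check for the priv-lvl requirement above, as an added example that is not part of the original documentation. It parses user blocks from a server configuration and reports the switch role each user would receive; the tac_plus-style file syntax, the user names and the sample values are assumptions constructed for illustration, so adapt the parsing to your server's format.

```python
import re

# Role mapping stated on this page; any other priv-lvl value is denied.
ROLE_BY_PRIV_LVL = {1: "Operators", 15: "Administrators"}

# Constructed sample; tac_plus-style syntax is an assumption, users are hypothetical.
SAMPLE_CONFIG = '''
user = alice {
    login = cleartext "constructed"
    service = exec { priv-lvl = 15 }
}
user = bob {
    login = cleartext "constructed"
    service = exec { priv-lvl = 1 }
}
user = carol {
    login = cleartext "constructed"
    service = exec { priv-lvl = 7 }
}
user = dave {
    login = cleartext "constructed"
}
'''

def user_blocks(text):
    """Yield (username, body) for each 'user = NAME { ... }' block."""
    for m in re.finditer(r'^\s*user\s*=\s*(\S+)\s*\{', text, re.M):
        depth, i = 1, m.end()
        while i < len(text) and depth:  # walk to the matching close brace
            depth += {"{": 1, "}": -1}.get(text[i], 0)
            i += 1
        yield m.group(1), text[m.end():i - 1]

def audit(text):
    """Return {user: (priv_lvl or None, role or None)} for every user block."""
    findings = {}
    for name, body in user_blocks(text):
        m = re.search(r'\bpriv-lvl\s*=\s*(\d+)', body)
        lvl = int(m.group(1)) if m else None
        findings[name] = (lvl, ROLE_BY_PRIV_LVL.get(lvl))
    return findings

if __name__ == "__main__":
    for name, (lvl, role) in audit(SAMPLE_CONFIG).items():
        # A missing priv-lvl is flagged for review; the page does not say how it is handled.
        status = role or ("review: no priv-lvl" if lvl is None else "denied")
        print(f"{name}: priv-lvl={lvl} -> {status}")
```

Users reported as denied or flagged for review should be corrected on the server before the switch is pointed at it.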


If SSH public key authentication is used, the key information is stored locally on the switch, making username and password definition on the TACACS+ server unnecessary.