tacacs-server host

Syntax

tacacs-server host {<FQDN> | <IPV4> | <IPV6>} [key {plaintext <PASSKEY> |
   ciphertext <PASSKEY>}] [timeout <TIMEOUT-SECONDS>] [port <PORT-NUMBER>]
   [auth-type {pap | chap}] [tracking {enable | disable}] [vrf <VRF-NAME>]

no tacacs-server host {<FQDN> | <IPV4> | <IPV6>} [port <PORT-NUMBER>] [vrf <VRF-NAME>]

Description

Adds a TACACS+ server. By default, the TACACS+ server is associated with the server group named tacacs.

The no form of this command removes a previously added TACACS+ server.

Command context

config

Parameters

{<FQDN> | <IPV4> | <IPV6>}

Specifies the TACACS+ server as:
  • <FQDN>: a fully qualified domain name.
  • <IPV4>: an IPv4 address.
  • <IPV6>: an IPv6 address.

key {plaintext <PASSKEY> | ciphertext <PASSKEY>}

Specifies either a plaintext or an encrypted (ciphertext) local shared-secret passkey for the server. As per RFC 2865, the shared secret can be a mix of alphanumeric and special characters. A shared secret given in plaintext format must be fewer than 32 characters.

timeout <TIMEOUT-SECONDS>

Specifies the timeout. The range is 1 to 60 seconds. The default timeout is 5 seconds.

port <PORT-NUMBER>

Specifies the TCP authentication port number. Range: 1 to 65535. Default: 49.

auth-type {pap | chap}

Selects the authentication type: PAP (the default) or CHAP. If this parameter is not specified, the TACACS+ global default is used.

tracking {enable | disable}

Enables or disables server tracking for this server. Tracked servers are probed at the start of each server tracking interval to check whether they are reachable. Unreachable servers are skipped in favor of servers that have been proven reachable. Use the tacacs-server tracking command to configure TACACS+ server tracking.

vrf <VRF-NAME>

Specifies the VRF name to be used for communicating with the server. If no VRF name is provided, the default VRF named default is used.

Authority

Administrators or local user group members with execution rights for this command.

Usage

If no local passkey is provided in the command, the server will use the global passkey. This command requires either the global or local passkey to be set; otherwise, the server will not be contacted. To set the global passkey, see tacacs-server key.

If a fully qualified domain name is provided for the TACACS+ server, a DNS server must be configured and reachable through the same VRF that is configured for the TACACS+ server, so that the TACACS+ server hostname can be resolved to its IP address. If no DNS server is available in that VRF, the TACACS+ servers reachable through it must be configured by IP address only.
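Added example, not part of this command reference: a small Python validator that parses one tacacs-server host line against the limits described above (timeout 1 to 60, port 1 to 65535, plaintext passkey fewer than 32 characters, pap/chap, enable/disable, IP or FQDN host) and reports the passkey condition from the Usage section. The function name parse_tacacs_host and its global_key_set flag are assumptions made for this illustration; a plaintext key is flagged as a warning so it can be caught before the line is committed to a stored configuration.

```python
import ipaddress, re, shlex

# Limits as stated in the tacacs-server host reference above.
RANGES = {"timeout": (1, 60), "port": (1, 65535)}   # defaults: 5 s, TCP 49
CHOICES = {"auth-type": ("pap", "chap"), "tracking": ("enable", "disable")}
MAX_PLAINTEXT_KEY = 31   # plaintext shared secret: fewer than 32 characters
FQDN_RE = re.compile(r"^(?=.{1,253}$)([a-z0-9-]{1,63}\.)+[a-z0-9-]{1,63}$", re.I)

def parse_tacacs_host(line, global_key_set=False):
    # Returns (config, warnings); raises ValueError on syntax or range errors.
    tokens = shlex.split(line)
    if len(tokens) < 3 or tokens[:2] != ["tacacs-server", "host"]:
        raise ValueError("expected: tacacs-server host {<FQDN>|<IPV4>|<IPV6>} [options]")
    host = tokens[2]
    try:
        ipaddress.ip_address(host)            # IPv4 or IPv6 literal
    except ValueError:
        if not FQDN_RE.match(host):           # otherwise it must look like an FQDN
            raise ValueError(f"{host!r} is neither an IP address nor an FQDN")
    cfg = {"host": host, "key": None, "timeout": 5, "port": 49,
           "auth_type": None, "tracking": None, "vrf": "default"}
    warnings, i = [], 3
    try:
        while i < len(tokens):
            opt = tokens[i]
            if opt == "key":
                form, secret = tokens[i + 1], tokens[i + 2]
                if form not in ("plaintext", "ciphertext"):
                    raise ValueError("key must be 'plaintext' or 'ciphertext'")
                if form == "plaintext":
                    if len(secret) > MAX_PLAINTEXT_KEY:
                        raise ValueError("plaintext passkey must be fewer than 32 characters")
                    warnings.append("plaintext passkey in config; store it as ciphertext")
                cfg["key"], i = form, i + 3
            elif opt in RANGES:
                value = int(tokens[i + 1])
                if not RANGES[opt][0] <= value <= RANGES[opt][1]:
                    raise ValueError(f"{opt} {value} is outside range {RANGES[opt]}")
                cfg[opt], i = value, i + 2
            elif opt in CHOICES or opt == "vrf":
                value = tokens[i + 1]
                if opt in CHOICES and value not in CHOICES[opt]:
                    raise ValueError(f"{opt} must be one of {CHOICES[opt]}")
                cfg[opt.replace("-", "_")], i = value, i + 2
            else:
                raise ValueError(f"unknown option {opt!r}")
    except IndexError:
        raise ValueError(f"option {tokens[i]!r} is missing a value") from None
    if cfg["key"] is None and not global_key_set:   # rule from the Usage section
        warnings.append("no local or global passkey; the server will not be contacted")
    return cfg, warnings
```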

Examples

Adding a TACACS+ server with an IPv4 address and a named VRF:

switch(config)# tacacs-server host 1.1.1.1 vrf mgmt

Adding a TACACS+ server with an IPv4 address, a port, and a named VRF:

switch(config)# tacacs-server host 1.1.1.2 port 32 vrf mgmt

Adding a TACACS+ server with an FQDN, a timeout, port number, and a named VRF:

switch(config)# tacacs-server host abc.com timeout 15 port 32 vrf vrf_blue

Adding a TACACS+ server with an IPv6 address:

switch(config)# tacacs-server host 2001:0db8:85a3:0000:0000:8a2e:0370:7334

Adding a TACACS+ server with an IPv4 address, plaintext passkey, timeout, port, authentication type, and VRF name:

switch(config)# tacacs-server host 1.1.1.3 key plaintext test-123 timeout 15 port 32 auth-type chap vrf vrf_red

Deleting a TACACS+ server with an IPv4 address and specified VRF:

switch(config)# no tacacs-server host 1.1.1.1 vrf mgmt

Deleting a TACACS+ server with an FQDN, port, and specified VRF:

switch(config)# no tacacs-server host abc.com port 32 vrf vrf_blue