tacacs-server
Required Command-Line Mode = Configure
Required User Level = Admin
Use the tacacs-server command to specify the TACACS+ servers to be used for authentication. You can specify multiple TACACS+ servers. Servers are used as fallbacks in the same order they are specified—if the first server is unreachable, the second is tried, and so on, until all named servers have been used. If a server is reachable and authentication fails, the authentication process terminates.
Refer to Add a TACACS+ Server for examples of adding and configuring a TACACS+ server.
The tacacs-server command has the following syntax:
tacacs-server
    extra-user-params roles enable
    host <IPv4/IPv6 address or hostname>
        [auth-port <port number>
        auth-type <ascii | pap>
        enable
        shared-secret <string>
        prompt-secret
        retransmit <retries>
        timeout <seconds>]
    shared-secret <string>
    retransmit <retries>
    service <gigamon | shell>
    timeout <seconds>
The following table describes the arguments for the tacacs-server command. The shared-secret (key), retransmit, and timeout values can be specified both globally and on a per-host basis; a value specified on a host overrides the corresponding global value for that host.
Argument | Description
extra-user-params roles enable | Enables the GigaVUE H Series node to accept user roles assigned in the TACACS+ server. Note that the role name must match a role configured on the local node/cluster. Refer to aaa for details. The default is disabled (no roles). For example: (config) # tacacs-server extra-user-params roles enable
host <IPv4/IPv6 address or hostname> | Specifies the IP address (IPv4 or IPv6) or the hostname of the TACACS+ server. The same IP address can be used for more than one TACACS+ server so long as they use different auth-port values. Examples: (config) # tacacs-server host 192.168.0.93 ; (config) # tacacs-server host 2001:db8:a0b:12f0::11 key gigamon enable ; (config) # tacacs-server host www.MyCo.com
auth-port <port-number> | Specifies the UDP port number on which the TACACS+ server is running. If included, the auth-port must be specified immediately after the host IP address. If not specified, the port is set to the default TACACS+ port number of 49. For example: (config) # tacacs-server host 192.168.0.93 auth-port 50
auth-type <ascii | pap> | Specifies whether this TACACS+ server uses ASCII or PAP authentication. The default is PAP. For example: (config) # tacacs-server host 192.168.0.93 auth-type ascii
enable | Administratively enables the TACACS+ server. For example: (config) # tacacs-server host 192.168.0.93 enable
shared-secret <string> (per host) | Specifies the shared secret text string to be used for encryption of authentication packets sent between the GigaVUE H Series node and this specific TACACS+ server. The key specified here overrides the global value specified in the tacacs-server shared-secret command. For example: (config) # tacacs-server host 192.168.0.93 shared-secret mykey2
prompt-secret | Requires the user to enter the shared secret text string during login. This option is mutually exclusive with the shared-secret option. For example: (config) # tacacs-server host 192.168.0.93 prompt-secret
retransmit <retries> (per host) | Specifies the number of times the GigaVUE H Series node will attempt to authenticate with this specific TACACS+ server. The retransmit value specified here overrides the global value specified in the tacacs-server retransmit command. The default is 1. The range is from 0 to 5. Use 0 to disable retransmissions. For example: (config) # tacacs-server host 192.168.0.93 retransmit 3
timeout <seconds> (per host) | Specifies how long the GigaVUE H Series node should wait for a response from this specific TACACS+ server to an authentication request before declaring a timeout failure. The timeout value specified here overrides the global value specified in the tacacs-server timeout command. The default is 3 seconds. The range is from 0 to 60 seconds. For example: (config) # tacacs-server host 192.168.0.93 timeout 45
shared-secret <string> (global) | Specifies a global shared secret text string to be used for encryption of authentication packets sent between the GigaVUE H Series node and all TACACS+ servers. This key can be overridden with the key specified in the tacacs-server host command. For example: (config) # tacacs-server shared-secret mykey
retransmit <retries> (global) | Specifies a global value for the number of times the GigaVUE H Series node will attempt to authenticate with a TACACS+ server. This retransmit value can be overridden with the retransmit value specified in the tacacs-server host command. The default is 1. The range is from 0 to 5. Zero (0) disables retransmissions. For example: (config) # tacacs-server retransmit 5
service <gigamon | shell> | Specifies the authorization service that will be used for TACACS. By default, this is set to shell, which works for Cisco ACS 3.x. You must set it to gigamon for successful integration with Cisco ACS 5.3 or later. The gigamon setting also works for ACS 3.x. This is a global command. For example: (config) # tacacs-server service gigamon
timeout <seconds> (global) | Specifies a global value for how long the GigaVUE H Series node should wait for a response from the TACACS+ server to an authentication request before declaring a timeout failure. This timeout value can be overridden with the timeout value specified in the tacacs-server host command. The default is 3 seconds. The range is from 0 to 60 seconds. For example: (config) # tacacs-server timeout 30
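The fallback order described at the top of this page and the global-versus-per-host override rules in the table above are easy to get wrong when auditing a node's configuration. The following added example (written for this page, not Gigamon code) parses a constructed sample of tacacs-server lines, resolves the effective per-host settings using the documented defaults and ranges, rejects the mutually exclusive shared-secret/prompt-secret combination, and models the server walk: unreachable servers fall through, the first reachable answer ends the process. The prompt-stripping and the probe callback are assumptions of the model.

```python
import shlex
# Constructed sample (not taken from a real node), built from the page's examples
SAMPLE = """(config) # tacacs-server shared-secret mykey
(config) # tacacs-server retransmit 5
(config) # tacacs-server host 192.168.0.93 auth-port 50 shared-secret mykey2 timeout 45 enable
(config) # tacacs-server host 2001:db8:a0b:12f0::11 prompt-secret enable
(config) # tacacs-server host www.MyCo.com""".splitlines()
DEFAULTS = {"auth-port": "49", "auth-type": "pap", "retransmit": "1", "timeout": "3"}
RANGES = {"retransmit": (0, 5), "timeout": (0, 60)}   # documented ranges
HOST_OPTS = ("auth-port", "auth-type", "shared-secret", "retransmit", "timeout")
GLOBAL_OPTS = ("shared-secret", "retransmit", "timeout", "service")

def parse_config(lines):
    """Turn tacacs-server lines into (global settings, [per-host settings])."""
    glob, hosts = {}, []
    for line in lines:
        toks = shlex.split(line.split("# ", 1)[-1])  # drop the "(config) # " prompt
        if toks[:2] == ["tacacs-server", "host"]:
            h, i = {"host": toks[2], "enable": False, "prompt-secret": False}, 3
            while i < len(toks):
                if toks[i] in ("enable", "prompt-secret"):
                    h[toks[i]], i = True, i + 1
                elif toks[i] in HOST_OPTS:
                    h[toks[i]], i = toks[i + 1], i + 2
                else:
                    raise ValueError("unknown host option: " + toks[i])
            if h["prompt-secret"] and "shared-secret" in h:
                raise ValueError("shared-secret and prompt-secret are mutually exclusive")
            hosts.append(h)
        elif len(toks) == 3 and toks[0] == "tacacs-server" and toks[1] in GLOBAL_OPTS:
            glob[toks[1]] = toks[2]
    return glob, hosts

def effective(glob, host):
    """Host value overrides the global value, which overrides the default."""
    out = dict(host)
    for k in HOST_OPTS:
        out[k] = host.get(k, glob.get(k, DEFAULTS.get(k)))
        if k in RANGES and not RANGES[k][0] <= int(out[k]) <= RANGES[k][1]:
            raise ValueError("%s out of range: %s" % (k, out[k]))
    return out

def authenticate(hosts, probe):
    """Walk enabled servers in order; probe(host) -> 'unreachable' (fall through), 'ok' or 'fail' (both final)."""
    for h in hosts:
        if h["enable"]:
            result = probe(h["host"])
            if result != "unreachable":
                return h["host"], result == "ok"
    return None, False
```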
Related Commands
The following table summarizes other commands related to the tacacs-server command:
Task | Command
Displays TACACS+ servers and settings. | # show tacacs
Disables handling of extra user parameters sent from the TACACS+ server. | (config) # no tacacs-server extra-user-params roles enable
Deletes a TACACS+ host with the specified IPv4 or IPv6 address, or hostname. | (config) # no tacacs-server host 1.1.1.1 ; (config) # no tacacs-server host www.MyCo.com
Deletes a TACACS+ host on a specified port. | (config) # no tacacs-server host 1.1.1.1 auth-port 234
Administratively disables the TACACS+ host. | (config) # no tacacs-server host 1.1.1.1 auth-port 234 enable
Administratively disables the TACACS+ host on the default port. | (config) # no tacacs-server host 1.1.1.1 enable
Deletes the global TACACS+ server shared secret. | (config) # no tacacs-server shared-secret
Resets the global TACACS+ server retransmit count to the default. | (config) # no tacacs-server retransmit
Resets the global TACACS+ server timeout setting to the default. | (config) # no tacacs-server timeout