tacacs-server

Required Command-Line Mode = Configure

Required User Level = Admin

Use the tacacs-server command to specify the TACACS+ servers to be used for authentication. You can specify multiple TACACS+ servers. Servers are used as fallbacks in the same order they are specified: if the first server is unreachable, the second is tried, and so on, until all named servers have been used. If a server is reachable and authentication fails, the authentication process terminates.

Refer to Add a TACACS+ Server for examples of adding and configuring a TACACS+ server.

The tacacs-server command has the following syntax:

tacacs-server
   extra-user-params roles enable
   host <IPv4/IPv6 address or hostname>
      [auth-port <port number>
      auth-type <ascii | pap>
      enable
      shared-secret <string>
      prompt-secret
      retransmit <retries>
      timeout <seconds>]
   shared-secret <string>
   retransmit <retries>
   service <gigamon | shell>
   timeout <seconds>

The following table describes the arguments for the tacacs-server command. The shared-secret (key), retransmit, and timeout values can be specified both globally and on a per-host basis. The values specified on the host override the global values.
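The fallback order described in the introduction (servers tried in the configured order, an unreachable server falls through to the next one, a reachable server that rejects the login ends the attempt) and the override rule just stated (per-host shared-secret, retransmit and timeout win over the global values) are modelled below. This is an added Python example, not Gigamon code; the TacacsHost/TacacsConfig names, the attempt() callback standing in for a real TACACS+ exchange, and the reading of retransmit as "one initial try plus that many retries" are assumptions. The addresses reuse the examples on this page; the simulated server behaviour is constructed.

```python
"""Model of the tacacs-server selection rules (constructed example, not Gigamon code)."""
from dataclasses import dataclass, field
from typing import Callable, List, Optional, Tuple


@dataclass
class TacacsHost:
    """One tacacs-server host entry; None means 'inherit the global value'."""
    host: str
    auth_port: int = 49                     # default TACACS+ port named on the page
    enabled: bool = True
    shared_secret: Optional[str] = None
    retransmit: Optional[int] = None
    timeout: Optional[int] = None


@dataclass
class TacacsConfig:
    """Global tacacs-server settings plus the ordered host list."""
    shared_secret: str = ""
    retransmit: int = 1                     # documented default
    timeout: int = 3                        # documented default, seconds
    hosts: List[TacacsHost] = field(default_factory=list)

    def add_host(self, h: TacacsHost) -> None:
        # A server is identified by (address, auth-port), so the same address
        # may be listed more than once as long as the ports differ.
        if any((x.host, x.auth_port) == (h.host, h.auth_port) for x in self.hosts):
            raise ValueError(f"duplicate server {h.host}:{h.auth_port}")
        for name, val, lo, hi in (("retransmit", h.retransmit, 0, 5),
                                  ("timeout", h.timeout, 0, 60)):
            if val is not None and not lo <= val <= hi:
                raise ValueError(f"{name} {val} outside documented range {lo}..{hi}")
        self.hosts.append(h)

    def effective(self, h: TacacsHost) -> dict:
        """Per-host values override the globals when they are set."""
        return {
            "shared_secret": self.shared_secret if h.shared_secret is None else h.shared_secret,
            "retransmit": self.retransmit if h.retransmit is None else h.retransmit,
            "timeout": self.timeout if h.timeout is None else h.timeout,
        }


# attempt(host, port, secret, timeout) -> "ok" | "reject" | "unreachable"
Attempt = Callable[[str, int, str, int], str]


def authenticate(cfg: TacacsConfig, attempt: Attempt) -> Tuple[bool, list]:
    """Walk the enabled servers in configured order.

    A timeout is treated the same as a connection failure ("unreachable"),
    an assumption. The returned trace records every attempt made, which is
    what an audit log of a login should be able to reconstruct.
    """
    trace = []
    for h in cfg.hosts:
        if not h.enabled:
            continue
        eff = cfg.effective(h)
        result = "unreachable"
        # Assumption: one initial try plus `retransmit` retries; 0 disables retries.
        for n in range(1 + eff["retransmit"]):
            result = attempt(h.host, h.auth_port, eff["shared_secret"], eff["timeout"])
            trace.append((h.host, h.auth_port, n, result))
            if result != "unreachable":
                break
        if result == "ok":
            return True, trace
        if result == "reject":
            return False, trace          # a reachable server answered: stop here
        # still unreachable after all retries: fall through to the next server
    return False, trace


def demo() -> Tuple[bool, list]:
    """Constructed scenario using the addresses from the examples on this page."""
    cfg = TacacsConfig(shared_secret="mykey", retransmit=1, timeout=3)
    cfg.add_host(TacacsHost("192.168.0.93", shared_secret="mykey2", retransmit=3))
    cfg.add_host(TacacsHost("192.168.0.93", auth_port=50))        # same IP, other port
    cfg.add_host(TacacsHost("2001:db8:a0b:12f0::11", timeout=45))
    # Simulated behaviour: the first entry is down, the second one answers.
    behaviour = {("192.168.0.93", 49): "unreachable",
                 ("192.168.0.93", 50): "ok",
                 ("2001:db8:a0b:12f0::11", 49): "ok"}
    return authenticate(cfg, lambda host, port, secret, timeout: behaviour[(host, port)])


if __name__ == "__main__":
    ok, trace = demo()
    for step in trace:
        print(step)
    print("authenticated" if ok else "denied")
```

Running demo() shows four attempts against 192.168.0.93:49 (the per-host retransmit 3 overriding the global 1) before the node moves on to 192.168.0.93:50, which accepts; a "reject" from any reachable server stops the walk without consulting the remaining servers, so a lockout or bad credential never "fails open" onto a later entry.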

Argument

Description

extra-user-params roles enable

Enables the GigaVUE H Series node to accept user roles assigned in the TACACS+ server. Note that the role name must match a role configured on the local node/cluster. Refer to aaa for details. The default is disabled (no roles).

For example:

(config) # tacacs-server extra-user-params roles enable

host <IPv4/IPv6 address or hostname>

Specifies the IP address (IPv4 or IPv6) or the hostname of the TACACS+ server.

The same IP address can be used for more than one TACACS+ server so long as they use different auth-port values.

Examples:

(config) # tacacs-server host 192.168.0.93

(config) # tacacs-server host 2001:db8:a0b:12f0::11 key gigamon enable

(config) # tacacs-server host www.MyCo.com

auth-port <port-number>

Specifies the UDP port number on which the TACACS+ server is running. If included, the auth-port must be specified immediately after the host IP address. If not specified, the port is set to the default TACACS+ port number of 49.

For example:

(config) # tacacs-server host 192.168.0.93 auth-port 50

auth-type <ascii | pap>

Specifies whether this TACACS+ server uses ASCII or PAP authentication. The default is PAP.

For example:

(config) # tacacs-server host 192.168.0.93 auth-type ascii

enable

Administratively enables the TACACS+ server.

For example:

(config) # tacacs-server host 192.168.0.93 enable

shared-secret <string>

Specifies the shared secret text string used for encryption of authentication packets sent between the GigaVUE H Series node and this specific TACACS+ server. The secret specified here overrides the global value specified in the tacacs-server shared-secret command.

For example:

(config) # tacacs-server host 192.168.0.93 shared-secret mykey2

prompt-secret

Requires the user to enter the shared secret text string during login. This option is mutually exclusive with the shared-secret option.

For example:

(config) # tacacs-server host 192.168.0.93 prompt-secret

retransmit <retries>

Specifies the number of times the GigaVUE H Series node will attempt to authenticate with this specific TACACS+ server. The retransmit value specified here overrides the global value specified in the tacacs-server retransmit command.

The default is 1. The range is from 0 to 5. Use 0 to disable retransmissions.

For example:

(config) # tacacs-server host 192.168.0.93 retransmit 3

timeout <seconds>

Specifies how long the GigaVUE H Series node should wait for a response from this specific TACACS+ server to an authentication request before declaring a timeout failure. The timeout value specified here overrides the global value specified in the tacacs-server timeout command.

The default is 3 seconds. The range is from 0 to 60 seconds.

For example:

(config) # tacacs-server host 192.168.0.93 timeout 45

shared-secret <string>

Specifies a global shared secret text string to be used for encryption of authentication packets sent between the GigaVUE H Series node and all TACACS+ servers. This key can be overridden with the key specified in the tacacs-server host command.

For example:

(config) # tacacs-server shared-secret mykey
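Both the per-host and the global shared-secret entries say the secret is used to encrypt the authentication packets. What that means on the wire is the TACACS+ body obfuscation of RFC 8907, section 4.5: every packet body is XORed with a pseudo-pad of chained MD5 digests computed over the session id, the shared secret, the version byte and the sequence number. The following is an added Python example of that mechanism, not Gigamon code and not the node's implementation; the function names are mine, and the secret, session id and body bytes are constructed for the demonstration.

```python
"""TACACS+ body obfuscation with the shared secret (RFC 8907 section 4.5).
Constructed example, not Gigamon code."""
import hashlib
import struct

TAC_PLUS_AUTHEN = 0x01                    # packet type: authentication
TAC_PLUS_UNENCRYPTED_FLAG = 0x01          # header flag: body sent in cleartext
# 12-byte header: version, type, seq_no, flags, session_id, body length
HEADER = struct.Struct("!BBBBII")


def pseudo_pad(secret: bytes, session_id: int, version: int, seq_no: int, length: int) -> bytes:
    """MD5_1 = MD5(session_id, secret, version, seq_no);
    MD5_n = MD5(session_id, secret, version, seq_no, MD5_n-1); concatenate
    until the pad covers `length` bytes and truncate."""
    seed = struct.pack("!I", session_id) + secret + bytes([version, seq_no])
    pad, prev = b"", b""
    while len(pad) < length:
        prev = hashlib.md5(seed + prev).digest()
        pad += prev
    return pad[:length]


def obfuscate(secret: bytes, session_id: int, version: int, seq_no: int, body: bytes) -> bytes:
    """XOR the body with the pad; the same call reverses it."""
    pad = pseudo_pad(secret, session_id, version, seq_no, len(body))
    return bytes(a ^ b for a, b in zip(body, pad))


def build_packet(secret: bytes, version: int, ptype: int, seq_no: int,
                 session_id: int, body: bytes) -> bytes:
    """Serialize one packet; an empty secret produces a cleartext packet
    with TAC_PLUS_UNENCRYPTED_FLAG set."""
    if secret:
        flags, payload = 0, obfuscate(secret, session_id, version, seq_no, body)
    else:
        flags, payload = TAC_PLUS_UNENCRYPTED_FLAG, body
    return HEADER.pack(version, ptype, seq_no, flags, session_id, len(payload)) + payload


def parse_packet(secret: bytes, raw: bytes) -> dict:
    """Parse the header and recover the body with the given secret."""
    if len(raw) < HEADER.size:
        raise ValueError("short header")
    version, ptype, seq_no, flags, session_id, length = HEADER.unpack_from(raw)
    payload = raw[HEADER.size:HEADER.size + length]
    if len(payload) != length:
        raise ValueError("truncated body")
    if flags & TAC_PLUS_UNENCRYPTED_FLAG:
        body = payload                    # cleartext on the wire: worth an alert
    else:
        body = obfuscate(secret, session_id, version, seq_no, payload)
    return {"version": version, "type": ptype, "seq_no": seq_no,
            "flags": flags, "session_id": session_id, "body": body}


def demo() -> dict:
    """Constructed round trip: build with one secret, parse with the right and a wrong one."""
    body = b"\x01" * 8 + b"gigamon"       # constructed body bytes, not a real START packet
    pkt = build_packet(b"mykey", 0xC0, TAC_PLUS_AUTHEN, 1, 0x12345678, body)
    return {
        "wire_differs": pkt[HEADER.size:] != body,
        "right_secret": parse_packet(b"mykey", pkt)["body"] == body,
        "wrong_secret": parse_packet(b"wrongkey", pkt)["body"] == body,
    }


if __name__ == "__main__":
    print(demo())
```

Two points this makes visible to a defender. The pad is derived only from the secret and from header fields that travel in the clear, so the shared secret is the entire protection of the body and there is no integrity check; a secret reused across a fleet of devices therefore exposes every device at once, which is the case for setting distinct per-host values with tacacs-server host ... shared-secret (or prompt-secret, which keeps the value out of the stored configuration) rather than relying on a single global one. And a packet carrying the unencrypted flag has its body in cleartext, a condition a network monitor can detect from the header alone.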

retransmit <retries>

Specifies a global value for the number of times the GigaVUE H Series node will attempt to authenticate with a TACACS+ server. This retransmit value can be overridden with the retransmit value specified in the tacacs-server host command.

The default is 1. The range is from 0 to 5. Zero (0) disables retransmissions.

For example:

(config) # tacacs-server retransmit 5

service <gigamon | shell>

Specifies the authorization service used for TACACS+. By default, this is set to shell, which works for Cisco ACS 3.x. You must set it to gigamon for successful integration with Cisco ACS 5.3 or later; the gigamon setting also works for ACS 3.x. This is a global command.

For example:

(config) # tacacs-server service gigamon

timeout <seconds>

Specifies a global value for how long the GigaVUE H Series node should wait for a response from the TACACS+ server to an authentication request before declaring a timeout failure. This timeout value can be overridden with the timeout value specified in the tacacs-server host command.

The default is 3 seconds. The range is from 0 to 60 seconds.

For example:

(config) # tacacs-server timeout 30

Related Commands

The following table summarizes other commands related to the tacacs-server command:

Task

Command

Displays TACACS+ servers and settings.

# show tacacs

Disables handling of extra user parameters sent from the TACACS+ server.

(config) # no tacacs-server extra-user-params roles enable

Deletes a TACACS+ host with the specified IPv4 or IPv6 address, or hostname.

(config) # no tacacs-server host 1.1.1.1

(config) # no tacacs-server host www.MyCo.com

Deletes a TACACS+ host on a specified port.

(config) # no tacacs-server host 1.1.1.1 auth-port 234

Administratively disables the TACACS+ host.

(config) # no tacacs-server host 1.1.1.1 auth-port 234 enable

Administratively disables the TACACS+ host on the default port.

(config) # no tacacs-server host 1.1.1.1 enable

Deletes the global TACACS+ server shared secret.

(config) # no tacacs-server shared-secret

Resets the global TACACS+ server retransmit count to the default.

(config) # no tacacs-server retransmit

Resets the global TACACS+ server timeout settings to the default.

(config) # no tacacs-server timeout