Setting optional tacacs/tacacs+ parameters, Setting the tacacs+ key – Brocade TurboIron 24X Series Configuration Guide User Manual


Brocade TurboIron 24X Series Configuration Guide

91

53-1003053-01

Configuring TACACS/TACACS+ security

Syntax: tacacs-server host <ip-addr> | <ipv6-addr> | <server-name> [auth-port <num>] [authentication-only | authorization-only | accounting-only | default] [key 0 | 1 <string>]

The default parameter causes the server to be used for all AAA functions.

After authentication takes place, the server that performed the authentication is used for
authorization and accounting. If the authenticating server cannot perform the requested function,
then the next server in the configured list of servers is tried; this process repeats until a server that
can perform the requested function is found, or every server in the configured list has been tried.

Setting optional TACACS/TACACS+ parameters

You can set the following optional parameters in a TACACS/TACACS+ configuration:

TACACS+ key – This parameter specifies the value that the device sends to the TACACS+ server
when trying to authenticate user access.

Retransmit interval – This parameter specifies how many times the device will resend an
authentication request when the TACACS/TACACS+ server does not respond. The retransmit
value can be from 1 – 5 times. The default is 3 times.

Dead time – This parameter specifies how long the device waits for the primary authentication
server to reply before deciding the server is dead and trying to authenticate using the next
server. The dead-time value can be from 1 – 5 seconds. The default is 3 seconds.

Timeout – This parameter specifies how many seconds the device waits for a response from a
TACACS/TACACS+ server before either retrying the authentication request, or determining that
the TACACS/TACACS+ servers are unavailable and moving on to the next authentication
method in the authentication-method list. The timeout can be from 1 – 15 seconds. The
default is 3 seconds.

TACACS/TACACS+ over IPv6 – This parameter enables the device to send TACACS/TACACS+
packets over IPv6.

Setting the TACACS+ key

The key parameter in the tacacs-server command is used to encrypt TACACS+ packets before they
are sent over the network. The value for the key parameter on the device should match the one
configured on the TACACS+ server. The key can be from 1 – 32 characters in length and cannot
include any space characters.

NOTE

The tacacs-server key command applies only to TACACS+ servers, not to TACACS servers. If you are
configuring TACACS, do not configure a key on the TACACS server and do not enter a key on the
device.

To specify a TACACS+ server key, enter a command such as the following.

TurboIron(config)#tacacs-server key rkwong

Syntax: tacacs-server key [0 | 1] <string>

TurboIron(config)#tacacs-server host 10.2.3.4 auth-port 49 authentication-only key abc
TurboIron(config)#tacacs-server host 10.2.3.5 auth-port 49 authorization-only key def
TurboIron(config)#tacacs-server host 10.2.3.6 auth-port 49 accounting-only key ghi
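As an added illustration that is not part of the Brocade guide, the following Python models how a TACACS+ shared key is applied on the wire per RFC 8907: the packet body is XORed with an MD5-derived pad built from the header's session_id, the key, the version and the seq_no, so a key mismatch between device and server produces an unreadable body, and an empty key leaves the body in clear. It also checks the key rule stated above (1 to 32 characters, no spaces); the session id, version, sequence number and body bytes are constructed values, not real captures.

```python
import hashlib

def validate_key(key: str) -> bool:
    """Key rule from this page: 1-32 characters, no space characters."""
    return 1 <= len(key) <= 32 and " " not in key

def pseudo_pad(session_id: bytes, key: bytes, version: int, seq_no: int, length: int) -> bytes:
    """RFC 8907 section 4.5 pad: MD5_1 = MD5(session_id, key, version, seq_no),
    MD5_n = MD5(session_id, key, version, seq_no, MD5_{n-1}), concatenated and
    truncated to the body length."""
    pad = b""
    prev = b""
    while len(pad) < length:
        prev = hashlib.md5(session_id + key + bytes([version, seq_no]) + prev).digest()
        pad += prev
    return pad[:length]

def obfuscate(body: bytes, session_id: bytes, key: bytes, version: int, seq_no: int) -> bytes:
    """XOR the body with the pad. The operation is symmetric, so the same call
    recovers the body on the other side. An empty key means no pad is applied
    and the body travels in clear (the protocol's 'unencrypted' flag case)."""
    if not key:
        return body
    pad = pseudo_pad(session_id, key, version, seq_no, len(body))
    return bytes(b ^ p for b, p in zip(body, pad))

# Constructed demo values (assumptions, not from the manual): a 4-byte session_id
# as carried in the header, version 0xC0 (major 0xC, minor 0), first packet seq_no 1,
# and a readable stand-in for an authentication START body.
SESSION_ID = bytes.fromhex("0a0b0c0d")
VERSION = 0xC0
SEQ_NO = 1
BODY = b"authen START user=admin port=console rem_addr=10.0.0.9"

def roundtrip(body: bytes, device_key: bytes, server_key: bytes) -> bytes:
    """Device obfuscates with its key, server de-obfuscates with its own key.
    Only matching keys (the requirement stated on this page) recover the body."""
    wire = obfuscate(body, SESSION_ID, device_key, VERSION, SEQ_NO)
    return obfuscate(wire, SESSION_ID, server_key, VERSION, SEQ_NO)

if __name__ == "__main__":
    print(roundtrip(BODY, b"rkwong", b"rkwong") == BODY)   # matching keys
    print(roundtrip(BODY, b"rkwong", b"abc") == BODY)      # mismatched keys
```

RFC 8907 describes this MD5/XOR step as obfuscation rather than encryption, which is why the path between the device and the TACACS+ server should itself be a trusted or protected network.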
