Configuring authentication-method lists for, Tacacs/tacacs, Setting the retransmission limit – Brocade TurboIron 24X Series Configuration Guide User Manual

Page 126: Setting the timeout parameter


Brocade TurboIron 24X Series Configuration Guide

53-1003053-01

Configuring TACACS/TACACS+ security

When you display the configuration of the device, the TACACS+ keys are encrypted. For example:

TurboIron(config)#tacacs-server key 1 abc

TurboIron(config)#write terminal

...

tacacs-server host 10.2.3.5 auth-port 49

tacacs key 1 $!2d

NOTE

Encryption of the TACACS+ keys is done by default. The 0 parameter disables encryption. The 1
parameter is not required; it is provided for backwards compatibility.

Setting the retransmission limit

The retransmit parameter specifies how many times the device will resend an authentication
request when the TACACS/TACACS+ server does not respond. The retransmit limit can be from 1 –
5 times. The default is 3 times.

To set the TACACS/TACACS+ retransmit limit, enter a command such as the following.

TurboIron(config)#tacacs-server retransmit 5

Syntax: tacacs-server retransmit <number>

Setting the timeout parameter

The timeout parameter specifies how many seconds the device waits for a response from the
TACACS/TACACS+ server before either retrying the authentication request, or determining that the
TACACS/TACACS+ server is unavailable and moving on to the next authentication method in the
authentication-method list. The timeout can be from 1 – 15 seconds. The default is 3 seconds.

TurboIron(config)#tacacs-server timeout 5

Syntax: tacacs-server timeout <number>

Configuring authentication-method lists for TACACS/TACACS+

You can use TACACS/TACACS+ to authenticate Telnet/SSH access and access to Privileged EXEC
level and CONFIG levels of the CLI. When configuring TACACS/TACACS+ authentication, you create
authentication-method lists specifically for these access methods, specifying TACACS/TACACS+ as
the primary authentication method.

Within the authentication-method list, TACACS/TACACS+ is specified as the primary authentication
method and up to six backup authentication methods are specified as alternates. If
TACACS/TACACS+ authentication fails due to an error, the device tries the backup authentication
methods in the order they appear in the list.

When you configure authentication-method lists for TACACS/TACACS+ authentication, you must
create a separate authentication-method list for Telnet/SSH CLI access, and for access to the
Privileged EXEC level and CONFIG levels of the CLI.

To create an authentication-method list that specifies TACACS/TACACS+ as the primary
authentication method for securing Telnet/SSH access to the CLI, enter commands such as the following.

TurboIron(config)#enable telnet authentication

TurboIron(config)#aaa authentication login default tacacs local
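
The key, retransmit, timeout and method-list settings described above can be checked together against a saved configuration. The following Python example is added here and is not part of the Brocade guide: the sample configuration is constructed, the way a key set with the 0 parameter is displayed is an assumption, and the worst-case wait assumes one initial request plus the configured number of resends, each waiting the full timeout.

```python
import re

# Constructed sample of "write terminal" output. Assumption: a key entered with
# the 0 parameter is displayed as "key 0 <cleartext>".
SAMPLE_CONFIG = """\
tacacs-server host 10.2.3.5 auth-port 49
tacacs-server key 0 abc
tacacs-server retransmit 5
tacacs-server timeout 5
aaa authentication login default tacacs
"""

DEFAULTS = {"retransmit": 3, "timeout": 3}            # defaults stated in the guide
LIMITS = {"retransmit": (1, 5), "timeout": (1, 15)}   # ranges stated in the guide


def audit(config):
    """Return (findings, worst_case_seconds_before_fallback) for a config text."""
    values, findings, methods = dict(DEFAULTS), [], None
    for line in config.splitlines():
        line = line.strip()
        m = re.fullmatch(r"tacacs-server (retransmit|timeout) (\d+)", line)
        if m:
            name, n = m.group(1), int(m.group(2))
            lo, hi = LIMITS[name]
            if lo <= n <= hi:
                values[name] = n
            else:
                findings.append(f"{name} {n} outside {lo}-{hi}")
        elif re.match(r"tacacs(-server)? key 0 ", line):
            findings.append("TACACS+ key stored unencrypted (key 0)")
        elif line.startswith("aaa authentication login default "):
            methods = line.split()[4:]
    if methods is None:
        findings.append("no login authentication-method list")
    else:
        if not methods[0].startswith("tacacs"):
            findings.append("TACACS/TACACS+ is not the primary login method")
        if len(methods) == 1:
            findings.append("no backup login method if the server is unavailable")
        elif len(methods) > 7:
            findings.append("more than six backup methods")
    # Assumption: 1 initial request + `retransmit` resends, each waiting `timeout` s.
    return findings, values["timeout"] * (1 + values["retransmit"])


if __name__ == "__main__":
    print(audit(SAMPLE_CONFIG))
```
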
