Setting optional tacacs and tacacs+ parameters – Brocade BigIron RX Series Configuration Guide User Manual


BigIron RX Series Configuration Guide (53-1002484-04), page 81

Chapter 3: Configuring TACACS and TACACS+ security

If you add multiple TACACS and TACACS+ authentication servers to the device, the device tries to
reach them in the order you add them. For example, if you add three servers in the following order,
the software tries the servers in the same order.

1. 207.94.6.161
2. 207.94.6.191
3. 207.94.6.122

You can remove a TACACS and TACACS+ server by entering no followed by the tacacs-server
command. For example, to remove 207.94.6.161, enter the following command.

BigIron RX(config)# no tacacs-server host 207.94.6.161

NOTE

If you erase a tacacs-server command (by entering “no” followed by the command), make sure you
also erase the aaa commands that specify TACACS and TACACS+ as an authentication method.
(Refer to “Configuring authentication-method lists for TACACS and TACACS+” on page 83.)

Otherwise, when you exit from the CONFIG mode or from a Telnet session, the system continues to
believe it is TACACS and TACACS+ enabled and you will not be able to access the system.

The auth-port parameter specifies the UDP (for TACACS) or TCP (for TACACS+) port number of the
authentication port on the server. The default port number is 49.

Specifying different servers for individual AAA functions

In a TACACS+ configuration, you can designate a server to handle a specific AAA task. For example,
you can designate one TACACS+ server to handle authorization and another TACACS+ server to
handle accounting. You can set the TACACS+ key for each server.

To specify different TACACS+ servers for authentication, authorization, and accounting, use the
following syntax.

Syntax: tacacs-server host <ip-addr> | ipv6 <ipv6-addr> | <server-name> [auth-port <number>]
[authentication-only | authorization-only | accounting-only | default] [key <string>]

The default parameter causes the server to be used for all AAA functions.

After authentication takes place, the server that performed the authentication is used for
authorization or accounting. If the authenticating server cannot perform the requested function,
then the next server in the configured list of servers is tried; this process repeats until a server that
can perform the requested function is found, or every server in the configured list has been tried.
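The server-selection rule described in the paragraph above, together with the lockout hazard in the NOTE, modelled as an added Python example; this is not Brocade's code. It parses `tacacs-server host` lines in the syntax shown, keeps configuration order, honours `no tacacs-server host`, and assumes that method lists appear as `aaa ... tacacs+` lines and that, after the authenticating server, fallback proceeds through the remaining servers in configured order.

```python
import re

# AAA functions each role keyword on this page enables.
ROLES = {"authentication-only": {"authentication"}, "authorization-only": {"authorization"},
         "accounting-only": {"accounting"}, "default": {"authentication", "authorization", "accounting"}}

# tacacs-server host <ip-addr> | ipv6 <ipv6-addr> | <server-name> [auth-port <n>] [role] [key <s>]
LINE_RE = re.compile(r"^tacacs-server host (?:ipv6 )?(\S+)(?: auth-port (\d+))?"
                     r"(?: (authentication-only|authorization-only|accounting-only|default))?"
                     r"(?: key (\S+))?$")

def parse_servers(config):
    """Servers as dicts in configuration order; 'no tacacs-server host X' removes X."""
    servers = []
    for raw in config.splitlines():
        tokens = raw.split()
        if tokens[:3] == ["no", "tacacs-server", "host"] and len(tokens) > 3:
            servers = [s for s in servers if s["host"] != tokens[-1]]
            continue
        m = LINE_RE.match(raw.strip())
        if m:
            host, port, role, key = m.groups()
            servers.append({"host": host, "port": int(port or 49),   # 49 is the manual's default
                            "functions": ROLES[role or "default"], "key": key})
    return servers

def pick_server(servers, function, authenticated_by=None):
    """Fallback rule from the text: the server that authenticated the user is tried first
    for authorization/accounting; if it cannot perform `function`, the remaining servers
    are tried in configured order (an assumption about the order); None if none can."""
    order = list(servers)
    auth = next((s for s in servers if s["host"] == authenticated_by), None)
    if auth is not None:
        order = [auth] + [s for s in servers if s is not auth]
    return next((s["host"] for s in order if function in s["functions"]), None)

def lockout_risk(config):
    """The NOTE's hazard: a method list still names tacacs+ (assumed 'aaa ... tacacs+' form)
    while no tacacs-server host entry remains."""
    uses_tacacs = any(l.split()[:1] == ["aaa"] and "tacacs+" in l for l in config.splitlines())
    return uses_tacacs and not parse_servers(config)

# Constructed sample: the three servers shown on this page plus an assumed aaa line.
SAMPLE_CONFIG = """\
tacacs-server host 1.2.3.4 auth-port 49 authentication-only key abc
tacacs-server host 1.2.3.5 auth-port 49 authorization-only key def
tacacs-server host 1.2.3.6 auth-port 49 accounting-only key ghi
aaa authentication login default tacacs+ local
"""
```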

Setting optional TACACS and TACACS+ parameters

You can set the following optional parameters in a TACACS and TACACS+ configuration:

TACACS+ key – This parameter specifies the value that the Brocade device sends to the
TACACS+ server when trying to authenticate user access. For example:

BigIron RX(config)# tacacs-server host 1.2.3.4 auth-port 49 authentication-only key abc
BigIron RX(config)# tacacs-server host 1.2.3.5 auth-port 49 authorization-only key def
BigIron RX(config)# tacacs-server host 1.2.3.6 auth-port 49 accounting-only key ghi
