Enabling tacacs, Identifying the tacacs/tacacs+ servers – Brocade Communications Systems Brocade ICX 6650 6650 User Manual

Page 51

Advertising
background image

Brocade ICX 6650 Security Configuration Guide

31

53-1002601-01

TACACS and TACACS+ security

Enabling TACACS

TACACS is disabled by default. To configure TACACS/TACACS+ authentication parameters, you must
enable TACACS by entering the following command.

Brocade(config)# enable snmp config-tacacs

Syntax: [no] enable snmp config-radius | config-tacacs

The config-radius parameter specifies the RADIUS configuration mode. RADIUS is disabled by
default.

The config-tacacs parameter specifies the TACACS configuration mode. TACACS is disabled by
default.

Identifying the TACACS/TACACS+ servers

To use TACACS/TACACS+ servers to authenticate access to a Brocade device, you must identify the
servers to the Brocade device.

For example, to identify three TACACS/TACACS+ servers, enter commands such as the following.

Brocade(config)# tacacs-server host 10.94.6.161
Brocade(config)# tacacs-server host 10.94.6.191
Brocade(config)# tacacs-server host 10.94.6.122

Syntax: tacacs-server host ip-addr | ipv6-addr | hostname [auth-port umber]

The ip-addr|ipv6-addr|hostname parameter specifies the IP address or host name of the server.
You can enter up to eight tacacs-server host commands to specify up to eight different servers.

NOTE

To specify the server's host name instead of its IP address, you must first identify a DNS server using
the ip dns server-address ip-addr command at the global CONFIG level.

If you add multiple TACACS/TACACS+ authentication servers to the Brocade device, the device tries
to reach them in the order you add them. For example, if you add three servers in the following
order, the software tries the servers in the same order.

1. 10.94.6.161

2. 10.94.6.191

3. 10.94.6.122

You can remove a TACACS/TACACS+ server by entering no followed by the tacacs-server command.
For example, to remove 10.94.6.161, enter the following command.

Brocade(config)# no tacacs-server host 10.94.6.161

NOTE

If you erase a tacacs-server command (by entering “no” followed by the command), make sure you
also erase the aaa commands that specify TACACS/TACACS+ as an authentication method. (Refer
to

“Configuring authentication-method lists for TACACS and TACACS+”

on page 34.) Otherwise, when

you exit from the CONFIG mode or from a Telnet session, the system continues to believe it is
TACACS/TACACS+ enabled and you will not be able to access the system.

Advertising
Popular Brands
Popular manuals