Reference Guide

ManualsBrandsDell ManualsComputer equipmentNetworking Z9500

671

672

673

674

675

676

677

678

679

680

Monitoring TACACS+

To view information on TACACS+ transactions, use the following command.

● View TACACS+ transactions to troubleshoot problems.

EXEC Privilege mode

debug tacacs+

TACACS+ Remote Authentication and Authorization

The system takes the access class from the TACACS+ server. Access class is the class of service that restricts Telnet access

and packet sizes.

If you have configured remote authorization, the system ignores the access class you have configured for the VTY line and gets

this access class information from the TACACS+ server. The system must know the username and password of the incoming

user before it can fetch the access class from the server. A user, therefore, at least sees the login prompt. If the access class

denies the connection, the system closes the Telnet session immediately.

The following example demonstrates how to configure the access-class from a TACACS+ server. This configuration ignores the

configured access-class on the VTY line. If you have configured a deny10 ACL on the TACACS+ server, the system downloads it

and applies it. If the user is found to be coming from the 10.0.0.0 subnet, the system also immediately closes the Telnet

connection. Note, that no matter where the user is coming from, they see the login prompt.

When configuring a TACACS+ server host, you can set different communication parameters, such as the key password.

Example of Specifying a TACACS+ Server Host

Dell#

Dell(conf)#

Dell(conf)#ip access-list standard deny10

Dell(conf-std-nacl)#permit 10.0.0.0/8

Dell(conf-std-nacl)#deny any

Dell(conf)#

Dell(conf)#aaa authentication login tacacsmethod tacacs+

Dell(conf)#aaa authentication exec tacacsauthorization tacacs+

Dell(conf)#tacacs-server host 25.1.1.2 key Force10

Dell(conf)#

Dell(conf)#line vty 0 9

Dell(config-line-vty)#login authentication tacacsmethod

Dell(config-line-vty)#authorization exec tacauthor

Dell(config-line-vty)#

Dell(config-line-vty)#access-class deny10

Dell(config-line-vty)#end

Specifying a TACACS+ Server Host

To specify a TACACS+ server host and configure its communication parameters, use the following command.

● Enter the host name or IP address of the TACACS+ server host.

CONFIGURATION mode

tacacs-server host {hostname | ip-address} [port port-number] [timeout seconds] [key key]

Configure the optional communication parameters for the specific host:

○ port port-number: the range is from 0 to 65335. Enter a TCP port number. The default is 49.

○ timeout seconds: the range is from 0 to 1000. Default is 10 seconds.

○ key key: enter a string for the key. The key can be up to 42 characters long. This key must match a key configured on

the TACACS+ server host. This parameter must be the last parameter you configure.

If you do not configure these optional parameters, the default global values are applied.

To specify multiple TACACS+ server hosts, configure the tacacs-server host command multiple times. If you configure

multiple TACACS+ server hosts, the system attempts to connect with them in the order in which they were configured.

To view the TACACS+ configuration, use the show running-config tacacs+ command in EXEC Privilege mode.

Security

675