Quick Reference Guide
PowerConnect B-Series TI24X Configuration Guide 883
53-1002269-02
Configuring TACACS/TACACS+ security
26
Specifying different servers for individual AAA functions
In a TACACS+ configuration, you can designate a server to handle a specific AAA task. For example,
you can designate one TACACS+ server to handle authorization and another TACACS+ server to
handle accounting. You can set the TACACS+ key for each server.
To specify different TACACS+ servers for authentication, authorization, and accounting, enter the
command such as following.
Syntax: tacacs-server host <ip-addr> | <ipv6-addr> | <server-name> [auth-port <num>]
[authentication-only | authorization-only | accounting-only | default] [key 0 | 1 <string>]
The default parameter causes the server to be used for all AAA functions.
After authentication takes place, the server that performed the authentication is used for
authorization and accounting. If the authenticating server cannot perform the requested function,
then the next server in the configured list of servers is tried; this process repeats until a server that
can perform the requested function is found, or every server in the configured list has been tried.
Setting optional TACACS/TACACS+ parameters
You can set the following optional parameters in a TACACS/TACACS+ configuration:
• TACACS+ key – This parameter specifies the value that the device sends to the TACACS+ server
when trying to authenticate user access.
• Retransmit interval – This parameter specifies how many times the device will resend an
authentication request when the TACACS/TACACS+ server does not respond. The retransmit
value can be from 1 – 5 times. The default is 3 times.
• Dead time – This parameter specifies how long the device waits for the primary authentication
server to reply before deciding the server is dead and trying to authenticate using the next
server. The dead-time value can be from 1 – 5 seconds. The default is 3 seconds.
• Timeout – This parameter specifies how many seconds the device waits for a response from a
TACACS/TACACS+ server before either retrying the authentication request, or determining that
the TACACS/TACACS+ servers are unavailable and moving on to the next authentication
method in the authentication-method list. The timeout can be from 1 – 15 seconds. The
default is 3 seconds.
• TACACS/TACACS+ over IPv6 – This parameter enables the device to send TACACS/TACACS+
packets over IPv6.
Setting the TACACS+ key
The key parameter in the tacacs-server command is used to encrypt TACACS+ packets before they
are sent over the network. The value for the key parameter on the device should match the one
configured on the TACACS+ server. The key can be from 1 – 32 characters in length and cannot
include any space characters.
PowerConnect(config)# tacacs-server host 1.2.3.4 auth-port 49
authentication-only key abc
PowerConnect(config)# tacacs-server host 1.2.3.5 auth-port 49 authorization-only
key def
PowerConnect(config)# tacacs-server host 1.2.3.6 auth-port 49 accounting-only
key ghi