Access Security Guide K/KA/KB.15.15

NOTE: Encryption keys configured in the switch must exactly match the encryption keys configured
in TACACS+ servers the switch will attempt to use for authentication.
If you configure a global encryption key, the switch uses it only with servers for which you have
not also configured a server-specific key. Thus, a global key is more useful where the TACACS+
servers you are using all have an identical key, and server-specific keys are necessary where
different TACACS+ servers have different keys.
If TACACS+ server “X” does not have an encryption key assigned for the switch, then configuring
either a global encryption key or a server-specific key in the switch for server “X” will block
authentication support from server “X”.
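The key-selection rule in the NOTE above can be checked offline before a change is pushed. The following Python sketch is an added example, not part of the original guide: it resolves the key the switch would use for each server and compares it with the key each server holds. The configuration line syntax (tacacs-server key, tacacs-server host ... key), the addresses, and the server-side inventory are assumptions constructed for illustration.

```python
import re

# Constructed switch configuration. Assumed syntax: "tacacs-server key <k>" sets
# the global key, "tacacs-server host <ip> [key <k>]" adds a server.
SWITCH_CONFIG = """\
tacacs-server key paris-1
tacacs-server host 10.0.0.11
tacacs-server host 10.0.0.12 key lyon-2
tacacs-server host 10.0.0.13
"""

# Constructed inventory: key each TACACS+ server holds for this switch (None = no key).
SERVER_KEYS = {"10.0.0.11": "paris-1", "10.0.0.12": "lyon-7", "10.0.0.13": None}


def effective_keys(config):
    """Return {server_ip: key the switch will use}, applying the NOTE's precedence."""
    global_key, hosts = None, {}
    for line in config.splitlines():
        line = line.strip()
        m = re.fullmatch(r"tacacs-server key (\S+)", line)
        if m:
            global_key = m.group(1)
            continue
        m = re.fullmatch(r"tacacs-server host (\S+)(?: key (\S+))?", line)
        if m:
            hosts[m.group(1)] = m.group(2)  # None when no server-specific key
    # The global key applies only where no server-specific key is configured.
    return {ip: key if key is not None else global_key for ip, key in hosts.items()}


def audit(config, server_keys):
    """Return {server_ip: finding} for servers whose key differs from the switch's."""
    findings = {}
    for ip, switch_key in effective_keys(config).items():
        server_key = server_keys.get(ip)
        if switch_key == server_key:
            continue  # exact match (or no key on either side)
        if server_key is None:
            findings[ip] = "server has no key but switch uses one: authentication blocked"
        else:
            findings[ip] = "key mismatch"
    return findings


if __name__ == "__main__":
    # Findings never include the key values themselves.
    for ip, finding in audit(SWITCH_CONFIG, SERVER_KEYS).items():
        print(ip, "->", finding)
```

The third server shows the case from the last paragraph of the NOTE: it has no key of its own, so the global key is applied to it and authentication through that server is blocked.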
Viewing
Viewing the current authentication configuration
This command lists the number of login attempts the switch allows in a single login session, and
the primary/secondary access methods configured for each type of access.
Syntax:
show authentication
This example shows the default authentication configuration.
Figure 100 Example listing of the switch authentication configuration
Viewing the current TACACS+ server contact configuration
Syntax:
show tacacs
This command lists the timeout period, encryption key, and the IP addresses of the
first-choice and backup TACACS+ servers the switch can contact.
For the 3800, 5400zl, and 8200zl switches, when the switch is in enhanced secure
mode, you are prompted about displaying sensitive information before the command
is executed. See Secure Mode (3800, 5400zl, and 8200zl Switches).
Example
If the switch is configured for a first-choice and two backup TACACS+ server
addresses, the default timeout period, and paris-1 for a (global) encryption key,
show tacacs produces a listing similar to the following: