Technical data

ServerIron ADX Administration Guide, 53-1002434-01, page 111
Chapter 2: Configuring TACACS or TACACS+ security
1. Identify TACACS+ servers. Refer to “Identifying the TACACS or TACACS+ servers” on page 111.
2. Set optional parameters. Refer to “Setting optional TACACS or TACACS+ parameters” on page 112.
3. Configure authentication-method lists. Refer to “Configuring authentication-method lists for TACACS or TACACS+” on page 114.
4. Optionally configure TACACS+ authorization. Refer to “Configuring TACACS+ authorization” on page 116.
5. Optionally configure TACACS+ accounting. Refer to “Configuring TACACS+ accounting” on page 119.
Identifying the TACACS or TACACS+ servers
To use TACACS or TACACS+ servers to authenticate access to a ServerIron, you must identify the
servers to the ServerIron device.
Example: To identify three TACACS or TACACS+ servers
ServerIronADX(config)# tacacs-server host 207.94.6.161
ServerIronADX(config)# tacacs-server host 207.94.6.191
ServerIronADX(config)# tacacs-server host 207.94.6.122
Syntax: tacacs-server <ip-addr>|<hostname> [auth-port <number>]
The <ip-addr>|<hostname> parameter specifies the IP address or host name of the server. You
can enter up to eight tacacs-server host commands to specify up to eight different servers.
NOTE
To specify the server's host name instead of its IP address, you must first identify a DNS server using
the ip dns server-address <ip-addr> command at the global CONFIG level.
If you add multiple TACACS or TACACS+ authentication servers to the ServerIron, it tries to reach
them in the order you add them. For example, if you add three servers in the following order, the
software tries the servers in the same order.
1. 207.94.6.161
2. 207.94.6.191
3. 207.94.6.122
You can remove a TACACS or TACACS+ server by entering no followed by the tacacs-server
command. For example, to remove 207.94.6.161, enter the following command.
ServerIronADX(config)# no tacacs-server host 207.94.6.161
NOTE
If you erase a tacacs-server command (by entering “no” followed by the command), make sure you
also erase the aaa commands that specify TACACS or TACACS+ as an authentication method. (Refer
to “Configuring authentication-method lists for TACACS or TACACS+” on page 114.) Otherwise, when
you exit from the CONFIG mode or from a Telnet session, the system continues to believe it is TACACS
or TACACS+ enabled and you will not be able to access the system.
The auth-port parameter specifies the UDP (for TACACS) or TCP (for TACACS+) port number of the
authentication port on the server. The default port number is 49.
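The rules on this page (servers are tried in the order added, at most eight, a host name needs a DNS server, the default port is 49, and removing the last tacacs-server while an aaa method list still names TACACS leaves you locked out) can be checked offline before a change is pushed. The following script is an added example and is not part of the guide or of Brocade's software. It replays tacacs-server host / no tacacs-server host lines from a config or change transcript, then reports inconsistencies. The aaa line format (aaa authentication login default tacacs+ local), the DNS server address and the host name tacacs.example.net are constructed assumptions; the 207.94.6.x addresses are the ones used on this page.

```python
from __future__ import annotations

import ipaddress
import re
from dataclasses import dataclass

MAX_TACACS_SERVERS = 8   # the guide allows up to eight tacacs-server host commands
DEFAULT_AUTH_PORT = 49   # default TACACS (UDP) / TACACS+ (TCP) port per the guide

# 'tacacs-server host <ip-addr>|<hostname> [auth-port <number>]', optionally negated with 'no'
SERVER_RE = re.compile(
    r"^\s*(no\s+)?tacacs-server\s+host\s+(\S+)(?:\s+auth-port\s+(\d+))?\s*$")
# 'ip dns server-address <ip-addr>' at the global CONFIG level
DNS_RE = re.compile(r"^\s*ip\s+dns\s+server-address\s+\S+")
# Assumed shape of the aaa lines: any 'aaa ...' command naming tacacs or tacacs+
# as a method. The guide refers to these commands but does not show their syntax.
AAA_TACACS_RE = re.compile(r"^\s*aaa\s+.*\btacacs\+?(\s|$)", re.IGNORECASE)


@dataclass
class TacacsServer:
    host: str
    auth_port: int


def apply_tacacs_commands(config: str) -> list[TacacsServer]:
    """Replay tacacs-server host / no tacacs-server host lines in order.

    The returned list is in the order the device will try the servers.
    """
    servers: list[TacacsServer] = []
    for line in config.splitlines():
        m = SERVER_RE.match(line)
        if not m:
            continue
        negate, host, port = m.group(1), m.group(2), m.group(3)
        if negate:
            servers = [s for s in servers if s.host != host]
        elif not any(s.host == host for s in servers):
            # re-entering an existing host does not create a second entry
            servers.append(TacacsServer(host, int(port) if port else DEFAULT_AUTH_PORT))
    return servers


def _is_ip(text: str) -> bool:
    try:
        ipaddress.ip_address(text)
        return True
    except ValueError:
        return False


def lint_tacacs(config: str) -> list[str]:
    """Return human-readable findings; an empty list means the config is consistent."""
    findings: list[str] = []
    servers = apply_tacacs_commands(config)
    lines = config.splitlines()
    has_dns = any(DNS_RE.match(l) for l in lines)
    aaa_uses_tacacs = any(AAA_TACACS_RE.match(l) for l in lines)

    if len(servers) > MAX_TACACS_SERVERS:
        findings.append(f"{len(servers)} TACACS servers configured; "
                        f"the device accepts at most {MAX_TACACS_SERVERS}")
    for s in servers:
        if not _is_ip(s.host) and not has_dns:
            findings.append(f"server '{s.host}' is a host name but no "
                            "'ip dns server-address' is configured")
    if aaa_uses_tacacs and not servers:
        findings.append("an aaa method list names TACACS/TACACS+ but no tacacs-server "
                        "host remains: remove the aaa entry too or you may be locked out")
    return findings


# Constructed sample configs (not from a real device)
CONFIG_OK = """\
ip dns server-address 10.0.0.53
tacacs-server host 207.94.6.161
tacacs-server host 207.94.6.191 auth-port 4949
tacacs-server host tacacs.example.net
aaa authentication login default tacacs+ local
"""

CONFIG_LOCKOUT = """\
tacacs-server host 207.94.6.161
aaa authentication login default tacacs+ local
no tacacs-server host 207.94.6.161
"""

if __name__ == "__main__":
    for name, cfg in (("ok", CONFIG_OK), ("lockout", CONFIG_LOCKOUT)):
        print(name, "->", lint_tacacs(cfg) or "no findings")
```

Run it against a saved running config or against the exact lines of a planned change; the lockout check is the one to watch when a change removes the last tacacs-server host, because the NOTE above describes exactly that failure.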