Technical data
112 ServerIron ADX Administration Guide
53-1002434-01
Configuring TACACS or TACACS+ security
2
Specifying different servers for individual AAA functions
In a TACACS+ configuration, you can designate a server to handle a specific AAA task. For example,
you can designate one TACACS+ server to handle authorization and another TACACS+ server to
handle accounting. You can set the TACACS+ key for each server.
To specify different TACACS+ servers for authentication, authorization, and accounting, enter
commands such as the following.
ServerIronADX(config)# tacacs-server host 1.2.3.4 auth-port 49 authentication-only key abc
ServerIronADX(config)# tacacs-server host 1.2.3.5 auth-port 49 authorization-only key def
ServerIronADX(config)# tacacs-server host 1.2.3.6 auth-port 49 accounting-only key ghi
Syntax: tacacs-server host <ip-addr> | <server-name> [authentication-only | authorization-only | accounting-only | default] [key <string>]
The default parameter causes the server to be used for all AAA functions.
After authentication takes place, the server that performed the authentication is used for
authorization or accounting. If the authenticating server cannot perform the requested function,
then the next server in the configured list of servers is tried; this process repeats until a server that
can perform the requested function is found, or every server in the configured list has been tried.
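The server-selection order described above, modelled as an added example (hypothetical helper code, not the ServerIron's own implementation): it parses the guide's tacacs-server host commands and then picks the server for each AAA function, trying the authenticating server first and falling back through the configured list. The auth-port keyword is taken from the example commands, and continuing from the authenticating server's position in the list is an assumption.

```python
import re
from dataclasses import dataclass
# Syntax from the guide; "auth-port" is taken from its example commands (it is not
# in the Syntax line). Hypothetical helper code, not Brocade's.
SYNTAX = re.compile(
    r"^tacacs-server host (?P<host>\S+)(?: auth-port (?P<port>\d+))?"
    r"(?: (?P<role>authentication-only|authorization-only|accounting-only|default))?"
    r"(?: key (?P<key>\S+))?$"
)

@dataclass
class TacacsServer:
    host: str
    port: int = 49
    role: str = "default"  # "default" serves all three AAA functions
    key: str = None        # TACACS+ key; leave unset for plain TACACS

    def can_perform(self, function):
        return self.role in ("default", function + "-only")

def parse_tacacs_config(lines):
    """Parse 'tacacs-server host ...' commands, with or without the CLI prompt."""
    servers = []
    for raw in lines:
        cmd = raw.split("# ", 1)[-1].strip()  # drop "ServerIronADX(config)# "
        m = SYNTAX.match(cmd)
        if not m:
            raise ValueError("not a tacacs-server host command: " + raw)
        servers.append(TacacsServer(m["host"], int(m["port"] or 49),
                                    m["role"] or "default", m["key"]))
    return servers

def select_server(servers, function, authenticated_by=None):
    """Host used for `function`: the authenticating server first, then the rest of
    the configured list (assumed to continue from its position and wrap around)."""
    order = list(servers)
    if authenticated_by is not None:
        i = next(k for k, s in enumerate(servers) if s.host == authenticated_by)
        order = servers[i:] + servers[:i]
    for s in order:
        if s.can_perform(function):
            return s.host
    return None  # every configured server was tried; none can perform it

# Constructed input: the three commands shown in the guide.
CONFIG = [
    "ServerIronADX(config)# tacacs-server host 1.2.3.4 auth-port 49 authentication-only key abc",
    "ServerIronADX(config)# tacacs-server host 1.2.3.5 auth-port 49 authorization-only key def",
    "ServerIronADX(config)# tacacs-server host 1.2.3.6 auth-port 49 accounting-only key ghi",
]
```

A None result means no configured server can perform the function, which is the point at which the ServerIron moves on to the next method in its authentication-method list.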
Setting optional TACACS or TACACS+ parameters
You can set the following optional parameters in a TACACS or TACACS+ configuration:
• TACACS+ key – This parameter specifies the value that the ServerIron sends to the TACACS+
server when trying to authenticate user access.
• Retransmit interval – This parameter specifies how many times the ServerIron will resend an
authentication request when the TACACS or TACACS+ server does not respond. The retransmit
value can be from 1 – 5 times. The default is 3 times.
• Dead time – This parameter specifies how long the ServerIron waits for the primary
authentication server to reply before deciding the server is dead and trying to authenticate
using the next server. The dead-time value can be from 1 – 5 seconds. The default is 3
seconds.
• Timeout – This parameter specifies how many seconds the ServerIron waits for a response
from a TACACS or TACACS+ server before either retrying the authentication request, or
determining that the TACACS or TACACS+ servers are unavailable and moving on to the next
authentication method in the authentication-method list. The timeout can be from 1 – 15
seconds. The default is 3 seconds.
Setting the TACACS+ key
NOTE
The tacacs-server key command applies only to TACACS+ servers, not to TACACS servers. If you are
configuring TACACS, do not configure a key on the TACACS server and do not enter a key on the
ServerIron.
To specify a TACACS+ server key, enter a command such as the following.