Configuration Guide User guide

ManualsBrandsBrocade ManualsComputer AccessoriesFastIron

201

202

203

204

205

206

207

208

209

210

146 FastIron Configuration Guide

53-1002494-02

TACACS and TACACS+ security

Enabling TACACS

TACACS is disabled by default. To configure TACACS/TACACS+ authentication parameters, you must

enable TACACS by entering the following command.

Brocade(config)#enable snmp config-tacacs

Syntax: [no] enable snmp <config-radius | config-tacacs>

The <config-radius> parameter specifies the RADIUS configuration mode. RADIUS is disabled by

default.

The <config-tacacs> parameter specifies the TACACS configuration mode. TACACS is disabled by

default.

Identifying the TACACS/TACACS+ servers

To use TACACS/TACACS+ servers to authenticate access to a Brocade device, you must identify the

servers to the Brocade device.

For example, to identify three TACACS/TACACS+ servers, enter commands such as the following.

Brocade(config)#tacacs-server host 207.94.6.161

Brocade(config)#tacacs-server host 207.94.6.191

Brocade(config)#tacacs-server host 207.94.6.122

Syntax: tacacs-server host <ip-addr> | <ipv6-addr> | <hostname> [auth-port <number>]

The <ip-addr>|<ipv6-addr>|<hostname> parameter specifies the IP address or host name of the

server. You can enter up to eight tacacs-server host commands to specify up to eight different

servers.

NOTE

To specify the server's host name instead of its IP address, you must first identify a DNS server using

the ip dns server-address <ip-addr> command at the global CONFIG level.

If you add multiple TACACS/TACACS+ authentication servers to the Brocade device, the device tries

to reach them in the order you add them. For example, if you add three servers in the following

order, the software tries the servers in the same order.

1. 207.94.6.161

2. 207.94.6.191

3. 207.94.6.122

You can remove a TACACS/TACACS+ server by entering no followed by the tacacs-server command.

For example, to remove 207.94.6.161, enter the following command.

Brocade(config)#no tacacs-server host 207.94.6.161

NOTE

If you erase a tacacs-server command (by entering “no” followed by the command), make sure you

also erase the aaa commands that specify TACACS/TACACS+ as an authentication method. (Refer

to “Configuring authentication-method lists for TACACS and TACACS+” on page 149.) Otherwise,

when you exit from the CONFIG mode or from a Telnet session, the system continues to believe it is

TACACS/TACACS+ enabled and you will not be able to access the system.