Reference Guide
TACACS+ provides greater data security by encrypting the entire protocol portion in a packet sent from the switch to an authentication
server. RADIUS encrypts only passwords.
• Configure a TACACS+ authentication server in CONFIGURATION mode. By default, a TACACS+ server uses TCP port 49 for authentication.
tacacs-server host {hostname | ip-address} key authentication-key [auth-port port-number]
Re-enter the tacacs-server host command multiple times to configure more than one TACACS+ server. If you configure multiple TACACS+ servers, OS10 attempts to connect in the order you configured them. An OS10 switch connects with the configured TACACS+ servers one at a time, until one of them responds with an accept or reject response.
Configure the global timeout used on all TACACS+ servers by using the tacacs-server timeout command. By default, OS10 times out an authentication attempt on a TACACS+ server after five seconds.
• Enter the timeout value used to wait for an authentication response from TACACS+ servers in CONFIGURATION mode (1 to 1000 seconds; default 5).
tacacs-server timeout seconds
Configure TACACS+ server
OS10(config)# tacacs-server host 1.2.4.5 key mysecret
View TACACS+ server configuration
OS10# show running-configuration
...
tacacs-server host 1.2.4.5 key mysecret
...
Delete TACACS+ server
OS10# no tacacs-server host 1.2.4.5
SSH Server
The secure shell (SSH) server allows an SSH client to access an OS10 switch through a secure, encrypted connection.
Configure SSH server
• The SSH server is enabled by default. You can disable the SSH server using no ip ssh server enable.
• Challenge response authentication is disabled by default. To enable, use the ip ssh server challenge-response-authentication command.
• Host-based authentication is disabled by default. To enable, use the ip ssh server hostbased-authentication command.
• Password authentication is enabled by default. To disable, use the no ip ssh server password-authentication command.
• Public key authentication is enabled by default. To disable, use the no ip ssh server pubkey-authentication command.
• Configure the list of cipher algorithms using ip ssh server cipher cipher-list.
• Configure Key Exchange algorithms using ip ssh server kex key-exchange-algorithm.
• Configure hash message authentication code (HMAC) algorithms using ip ssh server mac hmac-algorithm.
• Configure the SSH server listening port using ip ssh server port port-number.
• Configure the SSH server to be reachable on the management VRF using ip ssh server vrf.
• Configure the SSH login timeout using the ip ssh server login-grace-time seconds command (0 to 300; default 60). To reset the default SSH prompt timer, enter no ip ssh server login-grace-time.
• Configure the maximum number of authentication attempts using the ip ssh server max-auth-tries number command (0 to 10; default 6). To reset the default, enter no ip ssh server max-auth-tries.
The max-auth-tries value includes all authentication attempts, including public-key and password. If both public-key based authentication and password authentication are enabled, the public-key authentication is the default and is tried first. If it fails, the
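As an added example (not from the OS10 guide or from Dell), the following Python parses a constructed show running-configuration excerpt built only from the tacacs-server and ip ssh server commands documented above, fills in the defaults this page states for anything left unset, and flags settings a reviewer would want to tighten before the switch goes into service. The key-length, max-auth-tries and login-grace-time thresholds are assumed policy values for the example, not OS10 limits.

```python
import re

# Constructed sample of OS10 "show running-configuration" output, built only
# from commands documented on this page; it was not captured from a switch.
SAMPLE_CONFIG = """\
!
tacacs-server host 1.2.4.5 key mysecret
tacacs-server host 10.0.0.7 key Xk7#pL2qR9vT4wZ8 auth-port 4949
tacacs-server timeout 5
ip ssh server max-auth-tries 6
ip ssh server login-grace-time 120
!
"""

TACACS_HOST = re.compile(r"^tacacs-server host (\S+) key (\S+)(?: auth-port (\d+))?$")
TACACS_TIMEOUT = re.compile(r"^tacacs-server timeout (\d+)$")
SSH_NUMERIC = re.compile(r"^ip ssh server (max-auth-tries|login-grace-time) (\d+)$")

def parse_config(text):
    # Unset values start at the OS10 defaults stated on this page.
    cfg = {"tacacs": [], "timeout": 5, "password_auth": True,
           "max_auth_tries": 6, "login_grace_time": 60}
    for line in (raw.strip() for raw in text.splitlines()):
        if m := TACACS_HOST.match(line):
            cfg["tacacs"].append({"host": m[1], "key": m[2],
                                  "port": int(m[3]) if m[3] else 49})
        elif m := TACACS_TIMEOUT.match(line):
            cfg["timeout"] = int(m[1])
        elif line == "no ip ssh server password-authentication":
            cfg["password_auth"] = False
        elif m := SSH_NUMERIC.match(line):
            cfg[m[1].replace("-", "_")] = int(m[2])
    return cfg

def audit(cfg, min_key_len=16, max_tries=3, max_grace=30):
    # Thresholds are assumed policy values for this example, not OS10 limits.
    findings = []
    if len(cfg["tacacs"]) < 2:
        findings.append(("tacacs-count", f"{len(cfg['tacacs'])} TACACS+ server(s); no failover"))
    for srv in cfg["tacacs"]:
        if len(srv["key"]) < min_key_len:
            findings.append(("short-key", f"{srv['host']}: key shorter than {min_key_len}"))
    if cfg["password_auth"]:
        findings.append(("password-auth", "SSH password authentication is enabled (default)"))
    if cfg["max_auth_tries"] > max_tries:
        findings.append(("auth-tries", f"max-auth-tries {cfg['max_auth_tries']} > {max_tries}"))
    if cfg["login_grace_time"] > max_grace:
        findings.append(("grace-time", f"login-grace-time {cfg['login_grace_time']}s > {max_grace}s"))
    return findings
```

Running audit(parse_config(SAMPLE_CONFIG)) reports the short shared key on 1.2.4.5, password authentication left at its default, and the max-auth-tries and login-grace-time values above the assumed thresholds.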