Command Reference Guide
TACACS+ server configuration
TACACS+ (Terminal Access Controller Access-Control System Plus) is an authentication protocol that allows a
remote access server to forward a user's logon credentials to an authentication server, which decides
whether access to a given system is allowed. TACACS+ and Remote Authentication Dial-In User Service
(RADIUS) are both more secure than the original TACACS protocol, which carries credentials in cleartext.
TACACS+ is described in RFC 8907; RFC 1492 describes the original TACACS protocol, not TACACS+.
TACACS+ is more reliable than RADIUS because TACACS+ uses the Transmission Control Protocol (TCP),
whereas RADIUS uses the User Datagram Protocol (UDP). RADIUS also combines authentication and
authorization in a single user profile, whereas TACACS+ separates the two operations.
TACACS+ offers the following advantages over RADIUS as the authentication protocol:
TACACS+ is TCP-based, so delivery and ordering of its connection-oriented traffic are handled by the transport.
It obfuscates the entire packet body with the shared secret, whereas RADIUS hides only the password in authentication requests. This body obfuscation is an MD5-based keystream rather than a modern cipher; RFC 8907 calls it obfuscation, not encryption, and expects TACACS+ to run on a protected management network.
It supports decoupled authentication, authorization, and accounting.
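The full-body obfuscation above is easiest to understand on the wire. The following is an added example, not code from this guide or from the switch vendor: it builds TACACS+ packets by hand as specified in RFC 8907 (the header of section 4.1, the MD5 keystream of section 4.5, an authentication START for a PAP login and the server's REPLY) and runs one exchange in-process. The session id, user, password, port and remote address are constructed values; a real client picks a fresh random session id per session.

```python
"""Hand-built TACACS+ (RFC 8907) packets: header, body obfuscation and a
PAP login START/REPLY exchange between a client and a server (added example)."""
import hashlib
import struct

# Header (RFC 8907 section 4.1): version, type, seq_no, flags, session_id, length
HEADER = struct.Struct("!BBBBII")
TAC_PLUS_MAJOR_VER = 0xC
TAC_PLUS_AUTHEN = 0x01
TAC_PLUS_UNENCRYPTED_FLAG = 0x01
# Authentication START (section 5.1) and REPLY (section 5.2) constants
TAC_PLUS_AUTHEN_LOGIN = 0x01
TAC_PLUS_AUTHEN_TYPE_PAP = 0x02
TAC_PLUS_AUTHEN_SVC_LOGIN = 0x01
TAC_PLUS_AUTHEN_STATUS_PASS = 0x01
TAC_PLUS_AUTHEN_STATUS_FAIL = 0x02


def pseudo_pad(session_id, key, version, seq_no, length):
    """Keystream of section 4.5: MD5_1 = MD5(session_id|key|version|seq_no),
    MD5_n = MD5(session_id|key|version|seq_no|MD5_n-1), concatenated and truncated."""
    seed = struct.pack("!I", session_id) + key + bytes([version, seq_no])
    pad, prev = b"", b""
    while len(pad) < length:
        prev = hashlib.md5(seed + prev).digest()
        pad += prev
    return pad[:length]


def obfuscate(body, session_id, key, version, seq_no):
    """XOR the body with the pseudo-pad; applying it twice restores the body."""
    pad = pseudo_pad(session_id, key, version, seq_no, len(body))
    return bytes(b ^ p for b, p in zip(body, pad))


def build_packet(ptype, seq_no, session_id, body, key, minor=0):
    """Prepend a header; obfuscate the body unless no key is configured
    (an unkeyed deployment sets TAC_PLUS_UNENCRYPTED_FLAG and sends cleartext)."""
    version = (TAC_PLUS_MAJOR_VER << 4) | minor
    flags = 0 if key else TAC_PLUS_UNENCRYPTED_FLAG
    wire = obfuscate(body, session_id, key, version, seq_no) if key else body
    return HEADER.pack(version, ptype, seq_no, flags, session_id, len(body)) + wire


def parse_packet(packet, key):
    """Split header and body, de-obfuscating with the receiver's key.
    A mismatched key is not detected here: it simply yields a garbage body."""
    version, ptype, seq_no, flags, session_id, length = HEADER.unpack(packet[:HEADER.size])
    body = packet[HEADER.size:HEADER.size + length]
    if len(body) != length:
        raise ValueError("truncated TACACS+ body")
    if not flags & TAC_PLUS_UNENCRYPTED_FLAG:
        body = obfuscate(body, session_id, key, version, seq_no)
    return {"version": version, "type": ptype, "seq_no": seq_no,
            "session_id": session_id, "body": body}


def authen_start_body(user, password, port=b"tty0", rem_addr=b"192.0.2.10", priv_lvl=1):
    """START body for a PAP login; the password travels in the data field."""
    fixed = bytes([TAC_PLUS_AUTHEN_LOGIN, priv_lvl, TAC_PLUS_AUTHEN_TYPE_PAP,
                   TAC_PLUS_AUTHEN_SVC_LOGIN, len(user), len(port), len(rem_addr), len(password)])
    return fixed + user + port + rem_addr + password


def parse_authen_start(body):
    action, priv_lvl, authen_type, service, ul, pl, rl, dl = body[:8]
    fields = body[8:]
    user, fields = fields[:ul], fields[ul:]
    port, fields = fields[:pl], fields[pl:]
    rem_addr, data = fields[:rl], fields[rl:rl + dl]
    return {"action": action, "priv_lvl": priv_lvl, "authen_type": authen_type,
            "service": service, "user": user, "port": port, "rem_addr": rem_addr, "data": data}


def authen_reply_body(status, server_msg=b""):
    return struct.pack("!BBHH", status, 0, len(server_msg), 0) + server_msg


def parse_authen_reply(body):
    status, _flags, ml, dl = struct.unpack("!BBHH", body[:6])
    return {"status": status, "server_msg": body[6:6 + ml], "data": body[6 + ml:6 + ml + dl]}


def pap_login(client_key, server_key, user, password, server_db, session_id=0x1A2B3C4D):
    """One round trip: client START (seq 1), server REPLY (seq 2). Returns the
    status the client sees and the raw START packet, i.e. what an observer on
    the wire would capture. session_id is a constructed value here."""
    start = build_packet(TAC_PLUS_AUTHEN, 1, session_id,
                         authen_start_body(user, password), client_key, minor=1)
    # Server side: de-obfuscate with its own copy of the shared secret, then check.
    req = parse_authen_start(parse_packet(start, server_key)["body"])
    ok = server_db.get(req["user"]) == req["data"]
    status = TAC_PLUS_AUTHEN_STATUS_PASS if ok else TAC_PLUS_AUTHEN_STATUS_FAIL
    reply = build_packet(TAC_PLUS_AUTHEN, 2, session_id,
                         authen_reply_body(status, b"ok" if ok else b"denied"), server_key, minor=1)
    # Client side: de-obfuscate the reply with the client's key.
    return parse_authen_reply(parse_packet(reply, client_key)["body"])["status"], start


if __name__ == "__main__":
    db = {b"netops": b"hunter2"}  # constructed server-side credential store
    status, wire = pap_login(b"s3cret", b"s3cret", b"netops", b"hunter2", db)
    print("status:", status, "password visible on wire:", b"hunter2" in wire)
```

Two things to notice when running it: with a shared secret configured, neither the username nor the password is visible in the captured START packet, but a receiver using the wrong secret gets a garbage body with no integrity error, which is why a key mismatch between switch and server shows up as a login failure rather than a protocol error; with an empty key the flag byte is set and the password crosses the network in cleartext.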
The following table describes the TACACS+ Server Configuration commands.
Table 81 TACACS+ Server Configuration commands
Command: [no] tacacs-server primary-host <IP address> {data-port|mgt-port} key <1-32 characters>
    Defines the primary TACACS+ server address, the switch interface used to reach it (data port or
    management port), and the shared secret (1-32 characters) between the switch and that server.
    Command mode: Global configuration

Command: [no] tacacs-server secondary-host <IP address> {data-port|mgt-port} key <1-32 characters>
    Defines the secondary TACACS+ server address, the interface used to reach it, and the shared secret
    (1-32 characters) between the switch and that server. The switch falls over to this server after the
    retransmit count against the primary is exhausted.
    Command mode: Global configuration

Command: tacacs-server port <TACACS+ port number>
    Sets the TCP port on which the switch contacts the TACACS+ server, between 1 and 65000.
    The default is 49.
    Command mode: Global configuration

Command: tacacs-server retransmit <1-3>
    Sets the number of failed authentication requests before switching to a different TACACS+ server.
    The range is 1-3 requests. The default is 3 requests.
    Command mode: Global configuration

Command: tacacs-server timeout <4-15>
    Sets the amount of time, in seconds, before a TACACS+ server authentication attempt is considered
    to have failed. The range is 4-15 seconds. The default is 5 seconds.
    Command mode: Global configuration

Command: [no] tacacs-server telnet-backdoor
    Enables or disables the TACACS+ back door for telnet. Despite the name, this command also applies to
    SSH/SCP connections and the Browser-Based Interface (BBI), so enabling it opens a path around the
    TACACS+ server on every management interface, not only telnet. The default is disabled. This command
    does not apply when secure backdoor (secbd) is enabled.
    Command mode: Global configuration

Command: [no] tacacs-server secure-backdoor
    Enables or disables the TACACS+ back door using the secure password for telnet/SSH/HTTP/HTTPS.
    The default is disabled. This command does not apply when the telnet backdoor is enabled.
    Command mode: Global configuration

Command: [no] tacacs-server privilege-mapping
    Enables or disables TACACS+ privilege-level mapping. The default is disabled.
    Command mode: Global configuration

Command: [no] tacacs-server user-mapping <0-15> {user|oper|admin}
    Maps a TACACS+ authorization level to a switch user level. Enter a TACACS+ privilege level (0-15),
    followed by the corresponding switch user level (user, oper, admin).
    Command mode: Global configuration

Command: tacacs-server enable
    Enables the TACACS+ server.
    Command mode: Global configuration

Command: no tacacs-server enable
    Disables the TACACS+ server. This is the default.
    Command mode: Global configuration

Command: show tacacs-server
    Displays the current TACACS+ configuration parameters.
    Command mode: All except User EXEC
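As an added example, not part of the original guide, the following linter reads the tacacs-server lines of a switch running-config and checks them against the ranges, defaults and caveats in the table above: shared-secret length, the port, timeout and retransmit ranges, user-mapping levels and roles, a missing secondary server or missing enable, user-mapping entries with privilege-mapping left off, and either back door. The sample configuration is constructed; that the switch echoes its configuration in exactly the command syntax of the table is an assumption, as are the severities and the 16-character secret threshold, which are this linter's choices rather than switch limits.

```python
"""Lint the tacacs-server lines of a running-config against the command table
(added example). Severities and the 16-character key threshold are our own."""
import shlex

# Constructed sample in the table's command syntax; the echo format is an assumption.
SAMPLE_CONFIG = """\
tacacs-server primary-host 192.0.2.20 mgt-port key Sw1tch-T4c-shared
tacacs-server port 49
tacacs-server timeout 3
tacacs-server retransmit 3
tacacs-server user-mapping 15 admin
tacacs-server user-mapping 7 oper
tacacs-server telnet-backdoor
tacacs-server secure-backdoor
tacacs-server enable
"""

RANGES = {"port": (1, 65000), "timeout": (4, 15), "retransmit": (1, 3)}  # from the table
USER_LEVELS = {"user", "oper", "admin"}


def parse_tacacs_config(text):
    """Collect tacacs-server settings: hosts, numeric settings (last one wins),
    user-mapping entries, and the keyword commands as flags. Other lines are ignored."""
    cfg = {"hosts": {}, "user-mapping": {}, "flags": set()}
    for raw in text.splitlines():
        tokens = shlex.split(raw.strip())
        if len(tokens) < 2 or tokens[0] != "tacacs-server":
            continue
        cmd, args = tokens[1], tokens[2:]
        if cmd in ("primary-host", "secondary-host"):
            # <IP address> {data-port|mgt-port} key <1-32 characters>
            cfg["hosts"][cmd] = {
                "ip": args[0],
                "iface": args[1] if len(args) > 1 else None,
                "key": args[3] if len(args) > 3 and args[2] == "key" else None,
            }
        elif cmd in RANGES:
            cfg[cmd] = int(args[0])
        elif cmd == "user-mapping":
            cfg["user-mapping"][int(args[0])] = args[1]
        else:  # enable, privilege-mapping, telnet-backdoor, secure-backdoor
            cfg["flags"].add(cmd)
    return cfg


def lint_tacacs(cfg):
    """Return findings as (severity, message) with severity HIGH, MEDIUM or INFO."""
    findings = []
    hosts, flags = cfg["hosts"], cfg["flags"]
    if "primary-host" not in hosts:
        findings.append(("HIGH", "no primary TACACS+ server configured"))
    if "secondary-host" not in hosts:
        findings.append(("MEDIUM", "no secondary server: retransmit has no server to fail over to"))
    for name, h in hosts.items():
        if not h["key"] or not 1 <= len(h["key"]) <= 32:
            findings.append(("HIGH", f"{name}: shared secret missing or not 1-32 characters"))
        elif len(h["key"]) < 16:
            findings.append(("MEDIUM", f"{name}: shared secret shorter than 16 characters"))
        if h["iface"] not in ("data-port", "mgt-port"):
            findings.append(("HIGH", f"{name}: interface must be data-port or mgt-port"))
        elif h["iface"] == "data-port":
            findings.append(("INFO", f"{name}: reached over data-port; mgt-port keeps AAA traffic off the data network"))
    for setting, (lo, hi) in RANGES.items():
        if setting in cfg and not lo <= cfg[setting] <= hi:
            findings.append(("HIGH", f"{setting} {cfg[setting]} outside {lo}-{hi}"))
    for level, role in cfg["user-mapping"].items():
        if not 0 <= level <= 15 or role not in USER_LEVELS:
            findings.append(("HIGH", f"user-mapping {level} {role}: level must be 0-15 and role user|oper|admin"))
    if cfg["user-mapping"] and "privilege-mapping" not in flags:
        findings.append(("MEDIUM", "user-mapping entries present but privilege-mapping is not enabled"))
    if "telnet-backdoor" in flags:
        findings.append(("HIGH", "telnet-backdoor enabled: bypass path for telnet, SSH/SCP and BBI logins"))
        if "secure-backdoor" in flags:
            findings.append(("INFO", "secure-backdoor does not apply while telnet-backdoor is enabled"))
    elif "secure-backdoor" in flags:
        findings.append(("MEDIUM", "secure-backdoor enabled: secure-password bypass of TACACS+ for telnet/SSH/HTTP/HTTPS"))
    if "enable" not in flags:
        findings.append(("HIGH", "tacacs-server enable missing: TACACS+ is disabled by default"))
    return findings


def lint_text(text):
    return lint_tacacs(parse_tacacs_config(text))


if __name__ == "__main__":
    for severity, message in lint_text(SAMPLE_CONFIG):
        print(f"{severity:6} {message}")
```

On the sample the linter reports the out-of-range timeout, the enabled telnet back door (with a note that secure-backdoor is inert alongside it), the missing secondary server and the user-mapping entries that have no effect without privilege-mapping; adding a secondary host and privilege-mapping, fixing the timeout and removing both back doors brings it to zero findings.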