TACACS+ Configuration Command Directory

debug tacacs

ip tacacs source-interface

tacacs server

tacacs key

tacacs timeout

This chapter describes the commands for configuring the TACACS+ security protocol. TACACS+ can be used to authenticate the identity of a user, to authorize the services the user is permitted to use, and to account for the user's use of those services.

debug tacacs

The command “debug tacacs” traces TACACS+ protocol events or displays the TACACS+ packets sent and received. The “no” form of the command cancels the trace.

debug tacacs {event | packet}

no debug tacacs {event | packet}

parameter:

event: Trace TACACS+ events.

packet: Trace TACACS+ packets.

default:

Debug output is disabled.

command mode:

supervisor

explanation:

Use this command only when debugging the network to find the cause of an AAA service failure.

Example:

The following example enables TACACS+ event tracing:

debug tacacs event

relevant commands:

none

ip tacacs source-interface

The global configuration command “ip tacacs source-interface” makes all TACACS+ packets use the IP address of the designated interface as their source address. The “no” form of the command cancels the use of that IP address.

ip tacacs source-interface subinterface-name

no ip tacacs source-interface

parameter:

subinterface-name: Name of the interface whose IP address is used as the source IP address of all TACACS+ packets.

default:

none

command mode:

global configuration mode

explanation:

This command sets the source IP address of all TACACS+ packets by designating a source interface. As long as that interface is in the “up” state, every TACACS+ packet uses the IP address of the interface as its source address, so all TACACS+ packets from the router carry the same source IP address. The TACACS+ server therefore does not need to maintain a list of all the router's interface addresses. In other words, the command is useful on a router with many interfaces, where it guarantees that all TACACS+ packets from that router have the same source IP address.

The designated interface must have an IP address assigned to it. If the designated interface has no IP address or is in the “down” state, the default behaviour is restored, namely the source IP address is determined dynamically at send time. To avoid this, assign an IP address to the interface and make sure the interface stays in the “up” state.


Example:

The following example uses the IP address of interface s1/0 as the source IP address of all TACACS+ packets:

ip tacacs source-interface s1/0

relevant commands:

ip radius source-interface


tacacs server

The global configuration command “tacacs server” designates a TACACS+ server. The “no” form of the command deletes the designated server.

tacacs server ip-address [single-connection|multi-connection] [port integer1] [timeout integer2] [key string]

no tacacs server ip-address

parameter:

ip-address: IP address of the server.

single-connection: (Optional) The router maintains a single open TCP connection for all exchanges with the AAA/TACACS+ server.

multi-connection: (Optional) The router opens a separate TCP connection for each exchange with the AAA/TACACS+ server.

port: (Optional) Designates the server's port number. This option overrides the default port number 49.

integer1: (Optional) The port number of the server. The valid range is 1 to 65536.

timeout: (Optional) Designates how long to wait for a response from the server. This value overrides the global timeout set for the server with the command “tacacs timeout”.

integer2: (Optional) The timeout value, in seconds.

key string: (Optional) The encryption key used with this server. It overrides the global key set with the command “tacacs key”.

default:

No TACACS+ server is designated.

command mode:

global configuration mode

explanation:

Use multiple “tacacs server” commands to designate multiple hosts; the hosts are searched in the order in which they were designated. Because some parameters of the “tacacs server” command override the global settings made with the “tacacs timeout” and “tacacs key” commands, this command can configure the communication attributes of each TACACS+ server individually, which improves network security.

Example:

The example below designates the TACACS+ server at IP address 1.1.1.1 for AAA authentication between the router and the server, using a single TCP connection, TCP service port 51, a timeout of 3 seconds and the encryption key a_secret:

tacacs server 1.1.1.1 single-connection port 51 timeout 3 key a_secret

relevant commands:

tacacs key

tacacs timeout

tacacs key

The global configuration command “tacacs key” sets the encryption key used for all communication between the router and the TACACS+ server. The “no” form of the command removes the encryption key.

tacacs key key

no tacacs key

parameter:

key: The secret key used for encryption. The key must match the one configured in the TACACS+ server software.

command mode:

global configuration mode

explanation:

The command “tacacs key” sets the encryption key and must be run before the TACACS+ protocol is used. The key entered must match the one used by the TACACS+ server program. Leading blanks are ignored, and the key itself may not contain blanks.


Example:

The example below sets the encryption key to testkey:

tacacs key testkey

relevant commands:

tacacs server
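The following Python example is added here and is not part of the manual or the router's software. It shows what the key configured with “tacacs key” is actually used for: in the TACACS+ specification (RFC 8907, section 4.5) the packet body is XORed with a pseudo-random pad built from MD5 over the session id, the shared key, the protocol version byte and the sequence number. The page does not describe this algorithm; it is taken from the RFC. The example also applies the page's rule that leading blanks in the key are ignored and that the key may not contain blanks, and it shows why a key mismatch between router and server produces unreadable packets rather than an explicit error. All session ids, keys and body bytes below are constructed sample values, not a real capture. The caveat a practitioner should take from it: this is obfuscation with a shared secret, not authenticated encryption, so the key must be kept secret and the router-to-server path should itself be a protected management network.

```python
import hashlib

# TACACS+ version byte as carried in the packet header: major 0xC, minor 0 (RFC 8907).
TAC_PLUS_VERSION = 0xC0


def normalize_key(key: str) -> str:
    """Rule from the "tacacs key" explanation: leading blanks are ignored,
    and the key itself may not contain blanks."""
    key = key.lstrip()
    if not key:
        raise ValueError("empty key")
    if any(ch.isspace() for ch in key):
        raise ValueError("key may not contain blanks")
    return key


def is_valid_key(key: str) -> bool:
    try:
        normalize_key(key)
        return True
    except ValueError:
        return False


def pseudo_pad(session_id: int, key: bytes, version: int, seq_no: int, length: int) -> bytes:
    """RFC 8907 pad: MD5_1 = MD5(session_id, key, version, seq_no);
    MD5_n = MD5(session_id, key, version, seq_no, MD5_n-1);
    concatenated and truncated to the body length."""
    prefix = session_id.to_bytes(4, "big") + key + bytes([version, seq_no])
    pad, prev = b"", b""
    while len(pad) < length:
        prev = hashlib.md5(prefix + prev).digest()
        pad += prev
    return pad[:length]


def obfuscate(body: bytes, session_id: int, key: str, seq_no: int,
              version: int = TAC_PLUS_VERSION) -> bytes:
    """XOR the body with the pad. XOR is its own inverse, so the same call
    de-obfuscates a received body when the key matches."""
    pad = pseudo_pad(session_id, normalize_key(key).encode(), version, seq_no, len(body))
    return bytes(b ^ p for b, p in zip(body, pad))


# Constructed demo values (not a real packet or session).
DEMO_SESSION_ID = 0x1A2B3C4D
DEMO_BODY = b"constructed-sample-body:user=admin"


def demo(router_key: str, server_key: str) -> bytes:
    """Router obfuscates with router_key; server de-obfuscates with server_key.
    Returns what the server sees; equals DEMO_BODY only if the keys match."""
    wire = obfuscate(DEMO_BODY, DEMO_SESSION_ID, router_key, seq_no=1)
    return obfuscate(wire, DEMO_SESSION_ID, server_key, seq_no=1)


if __name__ == "__main__":
    print("keys match   :", demo("a_secret", "a_secret") == DEMO_BODY)   # True
    print("keys differ  :", demo("a_secret", "other_key") == DEMO_BODY)  # False
    print("leading blank:", normalize_key("  testkey"))                  # testkey
```

Because the pad depends on the sequence number, each packet in a session gets a different pad even with the same key; a server that has the wrong key simply decodes garbage, which on the router side shows up as a failed or rejected AAA exchange rather than a key error.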

tacacs timeout

The command “tacacs timeout” sets how long TACACS+ waits for a response from a server. The “no” form of the command restores the default value.

tacacs timeout seconds

no tacacs timeout

parameter:

seconds: The timeout value in seconds (1 to 600). The default value is 5 seconds.

default:

5 seconds

command mode:

global configuration mode

explanation:

If a server has its own timeout set through the timeout parameter of the “tacacs server” command, that value overrides the global timeout set by this command.

Example:

The example below sets the timeout timer to 10 seconds:

tacacs timeout 10

relevant commands:

tacacs server
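The following Python example is added here as an illustration of the “tacacs server”, “tacacs key” and “tacacs timeout” sections together; it is not code from the manual or from the router. It parses those three command forms (including their “no” forms) from a configuration text and resolves the effective port, timeout and key for each server using the override order the explanations describe: a per-server value wins, otherwise the global value, otherwise the built-in default. It also runs the check a reviewer would want, namely that every server in the search order ends up with an encryption key. The class and function names are the author's own, the sample configuration is constructed from the page's own examples, and the port check uses 65535 as the upper bound because TCP port numbers are 16-bit values.

```python
from dataclasses import dataclass, field
from typing import List, Optional, Tuple

DEFAULT_PORT = 49       # page: "the default port number 49"
DEFAULT_TIMEOUT = 5     # page: "The default value is 5 seconds"
MAX_TCP_PORT = 65535    # TCP port numbers are 16-bit, so this is the real upper bound


@dataclass
class TacacsServer:
    ip: str
    single_connection: bool = False
    port: Optional[int] = None      # None: use DEFAULT_PORT
    timeout: Optional[int] = None   # None: use the global "tacacs timeout"
    key: Optional[str] = None       # None: use the global "tacacs key"


@dataclass
class TacacsConfig:
    servers: List[TacacsServer] = field(default_factory=list)  # search order = config order
    global_key: Optional[str] = None
    global_timeout: int = DEFAULT_TIMEOUT


def _int_in_range(value: str, lo: int, hi: int, what: str) -> int:
    n = int(value)
    if not lo <= n <= hi:
        raise ValueError(f"{what} {n} out of range {lo}-{hi}")
    return n


def _parse_server(tokens: List[str]) -> TacacsServer:
    """tokens = everything after 'tacacs server'."""
    srv = TacacsServer(ip=tokens[0])
    i = 1
    while i < len(tokens):
        opt = tokens[i]
        if opt == "single-connection":
            srv.single_connection, i = True, i + 1
        elif opt == "multi-connection":
            srv.single_connection, i = False, i + 1
        elif opt == "port":
            srv.port, i = _int_in_range(tokens[i + 1], 1, MAX_TCP_PORT, "port"), i + 2
        elif opt == "timeout":
            srv.timeout, i = _int_in_range(tokens[i + 1], 1, 600, "timeout"), i + 2
        elif opt == "key":
            srv.key, i = tokens[i + 1], i + 2   # keys contain no blanks, so one token
        else:
            raise ValueError(f"unknown tacacs server option {opt!r}")
    return srv


def parse_config(text: str) -> TacacsConfig:
    """Parse tacacs server / tacacs key / tacacs timeout lines and their 'no' forms."""
    cfg = TacacsConfig()
    for raw in text.splitlines():
        tokens = raw.split()
        if not tokens or tokens[0].startswith("!"):
            continue
        negate = tokens[0] == "no"
        if negate:
            tokens = tokens[1:]
        if tokens[:2] == ["tacacs", "server"]:
            if negate:
                cfg.servers = [s for s in cfg.servers if s.ip != tokens[2]]
            else:
                cfg.servers.append(_parse_server(tokens[2:]))
        elif tokens[:2] == ["tacacs", "key"]:
            cfg.global_key = None if negate else tokens[2]
        elif tokens[:2] == ["tacacs", "timeout"]:
            cfg.global_timeout = DEFAULT_TIMEOUT if negate else _int_in_range(tokens[2], 1, 600, "timeout")
        # other lines (e.g. "ip tacacs source-interface") are not modelled here
    return cfg


def is_valid_line(line: str) -> bool:
    try:
        parse_config(line)
        return True
    except ValueError:
        return False


def effective(srv: TacacsServer, cfg: TacacsConfig) -> Tuple[int, int, Optional[str]]:
    """Per-server port/timeout/key override the default and the global settings."""
    port = srv.port if srv.port is not None else DEFAULT_PORT
    timeout = srv.timeout if srv.timeout is not None else cfg.global_timeout
    key = srv.key if srv.key is not None else cfg.global_key
    return port, timeout, key


def audit(cfg: TacacsConfig) -> List[str]:
    """Defender's checks: at least one server, and every server ends up with a key."""
    findings = []
    if not cfg.servers:
        findings.append("no TACACS+ server designated")
    for pos, srv in enumerate(cfg.servers):
        if effective(srv, cfg)[2] is None:
            findings.append(f"server {srv.ip} (search position {pos}) has no encryption key")
    return findings


# Constructed sample configuration assembled from the page's own examples.
SAMPLE_CONFIG = """\
tacacs key testkey
tacacs timeout 10
tacacs server 1.1.1.1 single-connection port 51 timeout 3 key a_secret
tacacs server 2.2.2.2
"""

if __name__ == "__main__":
    cfg = parse_config(SAMPLE_CONFIG)
    for srv in cfg.servers:
        print(srv.ip, effective(srv, cfg))   # 1.1.1.1 (51, 3, 'a_secret'); 2.2.2.2 (49, 10, 'testkey')
    print(audit(cfg))                        # []
```

Running the sample shows the override rule in action: 1.1.1.1 keeps its own port, timeout and key, while 2.2.2.2 falls back to port 49, the global timeout of 10 seconds and the global key testkey. A configuration that designates a server but never sets a key, globally or per server, is reported by audit(), which is the condition to look for when TACACS+ traffic turns out to be readable on the wire.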