TACACS+ Configuration Command Directory
debug tacacs

The command “debug tacacs” traces TACACS+ protocol events or shows the TACACS+ packets received and sent. The “no” form of the command cancels the trace.

Syntax:
debug tacacs {event | packet}
no debug tacacs {event | packet}

Parameters:
event: Trace TACACS+ events.
packet: Trace TACACS+ packets.

Default: Debug output is turned off.
Command mode: supervisor

Usage: The command is only used when debugging the network to find the cause of an AAA service failure.

Example: The following example turns on TACACS+ event tracing:
debug tacacs event

Related commands: none
ip tacacs source-interface

The global configuration command “ip tacacs source-interface” applies the IP address of the designated interface to all TACACS+ packets. The “no” form of the command cancels the use of that IP address.

Syntax:
ip tacacs source-interface subinterface-name
no ip tacacs source-interface

Parameters:
subinterface-name: Name of the interface whose IP address is used as the source IP address of all TACACS+ packets.

Default: none
Command mode: global configuration mode

Usage: The command sets the source IP address of all TACACS+ packets by designating a source interface. As long as the interface is in the “up” state, all TACACS+ packets use the IP address of that interface as their source address, so every TACACS+ packet sent by a given router carries the same source IP address and the TACACS+ server does not need to maintain a list of that router's interface addresses. In other words, the command is useful when the router has many interfaces and all TACACS+ packets from it must share one source IP address.
The designated interface must have an IP address assigned to it. If the designated interface has no IP address or is in the “down” state, the default behaviour is restored, namely the source IP address is chosen from the interface the packet actually leaves through. To avoid this, assign an IP address to the interface and make sure the interface stays in the “up” state.

Example: The following example uses the IP address of interface s1/0 as the source IP address of all TACACS+ packets:
ip tacacs source-interface s1/0
tacacs server

The global configuration command “tacacs server” designates a TACACS+ server. The “no” form of the command deletes the designated server.

Syntax:
tacacs server ip-address [single-connection | multi-connection] [port integer1] [timeout integer2] [key string]
no tacacs server ip-address

Parameters:
ip-address: IP address of the server.
single-connection: (Optional) Directs the router to maintain a single open TCP connection for all confirmations from the AAA/TACACS+ server.
multi-connection: (Optional) Directs the router to maintain a separate TCP connection for each confirmation from the AAA/TACACS+ server.
port: (Optional) Designates the port number of the server. This option overrides the default port number 49.
integer1: (Optional) The port number of the server. The range of valid port numbers is 1 to 65536.
timeout: (Optional) Designates the timeout for waiting for a server response. It overrides the global timeout set for the server with the command “tacacs timeout”.
integer2: (Optional) Value of the timeout timer, in seconds.
key string: (Optional) Encryption key used with this server. It overrides the global key set with the command “tacacs key”.

Default: No TACACS+ server is designated.
Command mode: global configuration mode

Usage: Use multiple “tacacs server” commands to designate multiple hosts; the hosts are searched in the order in which they were designated. Because some parameters of “tacacs server” override the global settings made with the commands “tacacs timeout” and “tacacs key”, the command can be used to configure the communication attributes of each TACACS+ server individually, which improves the security of the network.

Example: The example below designates the TACACS+ server with IP address 1.1.1.1 for AAA authentication with the router, using TCP service port 51, a timeout of 3 seconds and the encryption key “a_secret”:
tacacs server 1.1.1.1 single-connection port 51 timeout 3 key a_secret
tacacs key

The global configuration command “tacacs key” sets the encryption key used for all communication between the router and the TACACS+ server. The “no” form of the command removes the encryption key.

Syntax:
tacacs key key
no tacacs key

Parameters:
key: The secret key used for encryption. It must match the key configured in the TACACS+ server program.

Command mode: global configuration mode

Usage: Set the encryption key with “tacacs key” before the TACACS+ protocol is running. The key entered must match the one used by the TACACS+ service program. Leading blanks are ignored, and the key itself must not contain blanks.

Example: The example below sets the encryption key to “testkey”:
tacacs key testkey
tacacs timeout

The command “tacacs timeout” sets how long TACACS+ waits for a response from a server. The “no” form of the command restores the default value.

Syntax:
tacacs timeout seconds
no tacacs timeout

Parameters:
seconds: Timeout value in seconds (1 to 600). The default value is 5 seconds.

Default: 5 seconds
Command mode: global configuration mode

Usage: If a server has its own timeout set through the timeout parameter of the “tacacs server” command, that value overrides the global timeout set by this command.

Example: The example below changes the timeout timer to 10 seconds:
tacacs timeout 10
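As an added example that is not part of this manual: a small Python checker, written here, that parses the “tacacs server”, “tacacs key” and “tacacs timeout” lines of a config fragment and resolves the effective per-server settings using the precedence rules described above (a per-server timeout or key overrides the global one, and the port defaults to 49), flagging a server that ends up with no key at all or with an out-of-range port. The config fragment is constructed sample input, and the function and constant names are this example's own.

```python
import re
DEFAULT_TIMEOUT, DEFAULT_PORT = 5, 49  # "tacacs timeout" default (s), TACACS+ TCP port
# Syntax: tacacs server ip-address [single-connection|multi-connection] [port n] [timeout n] [key string]
SERVER_RE = re.compile(
    r"^tacacs server (?P<ip>\S+)"
    r"(?: (?P<conn>single-connection|multi-connection))?"
    r"(?: port (?P<port>\d+))?"
    r"(?: timeout (?P<timeout>\d+))?"
    r"(?: key (?P<key>\S+))?$")

def parse_config(text):
    """Collect the global key, global timeout and raw 'tacacs server' entries."""
    global_timeout, global_key, servers, problems = DEFAULT_TIMEOUT, None, [], []
    for line in (l.strip() for l in text.splitlines() if l.strip()):
        if m := re.match(r"^tacacs timeout (\d+)$", line):
            global_timeout = int(m.group(1))
            if not 1 <= global_timeout <= 600:
                problems.append(f"global timeout {global_timeout} outside 1-600")
        elif m := re.match(r"^tacacs key (\S+)$", line):
            global_key = m.group(1)
        elif m := SERVER_RE.match(line):
            servers.append(m.groupdict())
    return global_timeout, global_key, servers, problems

def effective_settings(text):
    """Resolve each server's port, timeout and key; a per-server value
    overrides the global 'tacacs timeout' / 'tacacs key' setting."""
    global_timeout, global_key, servers, problems = parse_config(text)
    resolved = []
    for s in servers:
        port = int(s["port"]) if s["port"] else DEFAULT_PORT
        if not 1 <= port <= 65535:  # manual says 1-65536; TCP ports end at 65535
            problems.append(f"{s['ip']}: port {port} out of range")
        key = s["key"] or global_key
        if key is None:
            problems.append(f"{s['ip']}: no key configured (per-server or global)")
        resolved.append({"ip": s["ip"], "connection": s["conn"], "port": port,
                         "timeout": int(s["timeout"]) if s["timeout"] else global_timeout,
                         "key": key})
    return resolved, problems

# Constructed sample config (not from the manual); 192.0.2.0/24 is documentation space.
SAMPLE_CONFIG = """
tacacs key testkey
tacacs timeout 10
tacacs server 1.1.1.1 single-connection port 51 timeout 3 key a_secret
tacacs server 192.0.2.10
tacacs server 192.0.2.11 port 70000
"""
```

Running `effective_settings(SAMPLE_CONFIG)` shows the second server inheriting port 49, the global timeout of 10 seconds and the global key, while the third is reported for its out-of-range port.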