Command Reference vA5(1.0) and earlier, Cisco ACE Application Control Engine
TACACS+ Configuration Mode Commands

TACACS+ configuration mode commands allow you to configure multiple Terminal Access Controller Access Control System Plus (TACACS+) servers as a named AAA server group. You can specify the IP address of one or more previously configured TACACS+ servers that you want added to or removed from a AAA server group, with a dead-time interval for the TACACS+ server group.

For details about creating a TACACS+ server group, see the Security Guide, Cisco ACE Application Control Engine.

To create a TACACS+ server group and access TACACS+ server configuration mode, enter the aaa group server tacacs+ command in configuration mode. The CLI prompt changes to (config-tacacs+). Use the no form of this command to remove a TACACS+ server group.

aaa group server tacacs+ group_name

no aaa group server tacacs+ group_name

Syntax Description

group_name

Name assigned to the group of TACACS+ servers. Enter an unquoted text string with no spaces and a maximum of 64 alphanumeric characters.


Command Modes

Configuration mode

Admin and user contexts

Command History

ACE Module Release      Modification
3.0(0)A1(2)             This command was introduced.

ACE Appliance Release   Modification
A1(7)                   This command was introduced.


Usage Guidelines

The commands in this mode require the AAA feature in your user role. For details about role-based access control (RBAC) and user roles, see the Virtualization Guide, Cisco ACE Application Control Engine.

A server group is a list of server hosts. The ACE allows you to configure multiple AAA servers as a named server group. You group the different AAA server hosts into distinct lists. The ACE searches for the server hosts in the order in which you specify them within a group. You can configure a maximum of 10 server groups for each context in the ACE.

You can configure server groups at any time, but you must enter the aaa authentication login or the aaa accounting default commands to apply the groups to the AAA service.

Examples

To create a TACACS+ server group, enter:

host1/Admin(config)# aaa group server tacacs+ TACACS+_Server_Group1
host1/Admin(config-tacacs+)# server 172.16.56.76
host1/Admin(config-tacacs+)# server 172.16.56.79
host1/Admin(config-tacacs+)# server 172.16.56.82

Related Commands

(config) aaa accounting default

(config) aaa authentication login

(config-tacacs+) deadtime

To specify a dead-time interval for the TACACS+ server group, use the deadtime command. Use the no form of this command to reset the TACACS+ server group dead-time request to the default of 0.

deadtime minutes

no deadtime minutes

Syntax Description

minutes

Length of time that the ACE skips a nonresponsive TACACS+ server for transaction requests. Valid entries are from 0 to 1440 (24 hours). The default is 0.


Command Modes

TACACS+ configuration mode

Admin and user contexts

Command History

ACE Module Release      Modification
3.0(0)A1(2)             This command was introduced.

ACE Appliance Release   Modification
A1(7)                   This command was introduced.


Usage Guidelines

During the dead-time interval, the ACE sends probe access-request packets to verify that the TACACS+ server is available and can receive authentication requests. The dead-time interval starts when the server does not respond to an authentication request transmission. When the server responds to a probe access-request packet, the ACE retransmits the authentication request to the server.

Use of the deadtime command causes the ACE to mark as dead any TACACS+ servers that fail to respond to authentication requests. Marking a server as dead avoids waiting for each request to time out before the ACE tries the next configured server. For the duration of minutes, additional requests skip any TACACS+ server that is marked as dead.

Examples

To globally configure a 15-minute dead-time for TACACS+ servers that fail to respond to authentication requests, enter:

host1/Admin(config-tacacs+)# deadtime 15

To reset the TACACS+ server dead-time request to the default of 0, enter:

host1/Admin(config-tacacs+)# no deadtime 15

Related Commands

(config) aaa group server

(config-tacacs+) server

To specify the IP address of one or more previously configured TACACS+ servers that you want added to or removed from a AAA server group, use the server command. Use the no form of this command to remove the TACACS+ server from the AAA server group.

server ip_address

no server ip_address

Syntax Description

ip_address

IP address of the TACACS+ server. Enter the address in dotted-decimal IP notation (for example, 192.168.11.1).


Command Modes

TACACS+ configuration mode

Admin and user contexts

Command History

ACE Module Release      Modification
3.0(0)A1(2)             This command was introduced.

ACE Appliance Release   Modification
A1(7)                   This command was introduced.


Usage Guidelines

You can add multiple TACACS+ servers to the AAA server group by entering multiple server commands in this mode. The same server can belong to multiple server groups.

Examples

To add servers to a TACACS+ server group, enter:

host1/Admin(config-tacacs+)# server 172.16.56.76
host1/Admin(config-tacacs+)# server 172.16.56.79
host1/Admin(config-tacacs+)# server 172.16.56.82

To remove a server from a TACACS+ server group, enter:

host1/Admin(config-tacacs+)# no server 172.16.56.76

Related Commands

(config) aaa group server
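
The following Python pre-check is an added example, not part of the Cisco documentation. It audits a configuration snippet against the limits stated on this page (10 server groups per context, deadtime from 0 to 1440, dotted-decimal server addresses) and against the requirement to apply each group with aaa authentication login or aaa accounting default. The indented layout of the sample, the "group <name>" argument form on the applying command, and the name Backup_Group are assumptions; the sample text is constructed.

```python
import ipaddress

MAX_GROUPS, MAX_DEADTIME = 10, 1440  # limits stated on this page
HEADER = "aaa group server tacacs+ "
APPLY_CMDS = ("aaa authentication login", "aaa accounting default")

def audit_tacacs_groups(config_text):
    """Parse one context's configuration text and return (groups, findings)."""
    groups, findings, current = {}, [], None
    for raw in filter(str.strip, config_text.splitlines()):
        words, nested = raw.split(), raw[:1].isspace()
        if not nested:  # a top-level command opens or closes a group block
            current = raw[len(HEADER):].strip() if raw.startswith(HEADER) else None
            if current:
                groups.setdefault(current, {"servers": [], "deadtime": 0})  # default 0
        elif current and words[0] == "server":
            try:  # dotted-decimal IPv4 only
                groups[current]["servers"].append(str(ipaddress.IPv4Address(words[-1])))
            except ValueError:
                findings.append(f"{current}: bad server address {words[-1]}")
        elif current and words[0] == "deadtime":
            if words[-1].isdecimal() and int(words[-1]) <= MAX_DEADTIME:
                groups[current]["deadtime"] = int(words[-1])
            else:
                findings.append(f"{current}: deadtime {words[-1]} outside 0-{MAX_DEADTIME}")
    if len(groups) > MAX_GROUPS:
        findings.append(f"{len(groups)} groups exceed the limit of {MAX_GROUPS} per context")
    # Assumption: the applying command refers to the group as "group <name>".
    applied = [l.split() for l in config_text.splitlines() if l.startswith(APPLY_CMDS)]
    for name, grp in groups.items():
        if grp["deadtime"] == 0 and len(grp["servers"]) > 1:
            findings.append(f"{name}: deadtime is 0, a nonresponsive server is not skipped")
        if not any(("group", name) in zip(t, t[1:]) for t in applied):
            findings.append(f"{name}: not applied to login or accounting")
    return groups, findings

SAMPLE = """\
aaa group server tacacs+ TACACS+_Server_Group1
  server 172.16.56.76
  server 172.16.56.79
  deadtime 15
aaa group server tacacs+ Backup_Group
  server 172.16.56.300
  deadtime 2000
aaa authentication login default group TACACS+_Server_Group1 local
"""  # constructed sample, not taken from a real device

if __name__ == "__main__":
    print("\n".join(audit_tacacs_groups(SAMPLE)[1]))
```

A group defined but never referenced by an applying command is reported because, as the Usage Guidelines state, it has no effect on the AAA service until it is applied.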