TACACS+ Configuration Mode Commands
TACACS+ configuration mode commands allow you to configure multiple Terminal Access Controller Access Control System Plus (TACACS+) servers as a named AAA server group. You can specify the IP address of one or more previously configured TACACS+ servers that you want added to or removed from an AAA server group, and a dead-time interval for the TACACS+ server group.
For details about creating a TACACS+ server group, see the Security Guide, Cisco ACE Application Control Engine.
To create a TACACS+ server group and access TACACS+ server configuration mode, enter the aaa group server tacacs+ command in configuration mode. The CLI prompt changes to (config-tacacs+). Use the no form of this command to remove a TACACS+ server group.
aaa group server tacacs+ group_name
no aaa group server tacacs+ group_name
Syntax Description
group_name | Name assigned to the group of TACACS+ servers. Enter an unquoted text string with no spaces and a maximum of 64 alphanumeric characters.
Command Modes
Configuration mode
Admin and user contexts
Command History
3.0(0)A1(2) | This command was introduced.
A1(7) | This command was introduced.
Usage Guidelines
The commands in this mode require the AAA feature in your user role. For details about role-based access control (RBAC) and user roles, see the Virtualization Guide, Cisco ACE Application Control Engine.
A server group is a list of server hosts. The ACE allows you to configure multiple AAA servers as a named server group. You group the different AAA server hosts into distinct lists. The ACE searches for the server hosts in the order in which you specify them within a group. You can configure a maximum of 10 server groups for each context in the ACE.
You can configure server groups at any time, but you must enter the aaa authentication login or the aaa accounting default commands to apply the groups to the AAA service.
Examples
To create a TACACS+ server group, enter:
host1/Admin(config)# aaa group server tacacs+ TACACS+_Server_Group1
host1/Admin(config-tacacs+)# server 172.16.56.76
host1/Admin(config-tacacs+)# server 172.16.56.79
host1/Admin(config-tacacs+)# server 172.16.56.82
Related Commands
(config) aaa accounting default
(config) aaa authentication login
(config-tacacs+) deadtime
To specify a dead-time interval for the TACACS+ server group, use the deadtime command. Use the no form of this command to reset the TACACS+ server group dead-time interval to the default of 0.
deadtime minutes
no deadtime minutes
Syntax Description
minutes | Length of time that the ACE skips a nonresponsive TACACS+ server for transaction requests. Valid entries are from 0 to 1440 (24 hours). The default is 0.
Command Modes
TACACS+ configuration mode
Admin and user contexts
Command History
3.0(0)A1(2) | This command was introduced.
A1(7) | This command was introduced.
Usage Guidelines
During the dead-time interval, the ACE sends probe access-request packets to verify that the TACACS+ server is available and can receive authentication requests. The dead-time interval starts when the server does not respond to an authentication request transmission. When the server responds to a probe access-request packet, the ACE retransmits the authentication request to the server.
Use of the deadtime command causes the ACE to mark as dead any TACACS+ server that fails to respond to authentication requests. This prevents each subsequent request from waiting for its own timeout before the ACE tries the next configured server: for the duration of minutes, additional requests skip a TACACS+ server that is marked as dead.
Examples
To globally configure a 15-minute dead-time for TACACS+ servers that fail to respond to authentication requests, enter:
host1/Admin(config-tacacs+)# deadtime 15
To reset the TACACS+ server group dead-time interval to the default of 0, enter:
host1/Admin(config-tacacs+)# no deadtime 15
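The following model, added here as an illustration and not Cisco code, shows why the dead-time interval matters for login latency: with the default of 0 every request waits out the timeout on a nonresponsive server, whereas with deadtime 15 the server is marked dead after the first failure and skipped for 15 minutes, while probes can bring it back early. The per-server timeout of 5 seconds, the callable standing in for the real TACACS+ exchange, and the group membership are constructed assumptions.

```python
"""Model of ACE TACACS+ server-group selection with a dead-time interval.

Added illustration, not the ACE implementation: members are tried in the
order of the `server` commands; a member that fails to answer is marked dead
for `deadtime` minutes and skipped by later requests instead of each request
waiting out the timeout again. A probe that the dead server answers clears it.
"""
from dataclasses import dataclass, field


@dataclass
class TacacsGroup:
    servers: list                 # ordered like successive `server` commands
    deadtime: int = 0             # minutes; 0 = never mark a server dead (default)
    dead_until: dict = field(default_factory=dict)  # ip -> minute it is eligible again

    def authenticate(self, now, responsive, timeout=5):
        """Try servers in order at minute `now`; `responsive(ip)` stands in for the exchange.
        Returns (server that answered or None, seconds spent waiting on timeouts)."""
        waited = 0
        for ip in self.servers:
            if now < self.dead_until.get(ip, 0):
                continue                      # skipped for the rest of the dead-time interval
            if responsive(ip):
                return ip, waited
            waited += timeout                 # assumed 5 s timeout per nonresponsive server
            if self.deadtime:
                self.dead_until[ip] = now + self.deadtime
        return None, waited

    def probe(self, now, responsive):
        """Dead-time probing: a dead server that answers a probe becomes eligible again."""
        for ip, until in list(self.dead_until.items()):
            if now < until and responsive(ip):
                del self.dead_until[ip]


# Constructed example: the first configured server is down.
GROUP_SERVERS = ["172.16.56.76", "172.16.56.79", "172.16.56.82"]
DOWN = {"172.16.56.76"}


def compare(requests=3):
    """Total seconds spent on timeouts over `requests` logins, keyed by deadtime value."""
    results = {}
    for dt in (0, 15):
        group = TacacsGroup(list(GROUP_SERVERS), deadtime=dt)
        total = 0
        for minute in range(requests):
            _, waited = group.authenticate(minute, lambda ip: ip not in DOWN)
            total += waited
        results[dt] = total
    return results
```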
Related Commands
(config) aaa group server
(config-tacacs+) server
To specify the IP address of one or more previously configured TACACS+ servers that you want added to or removed from an AAA server group, use the server command. Use the no form of this command to remove the TACACS+ server from the AAA server group.
server ip_address
no server ip_address
Syntax Description
ip_address | IP address of the TACACS+ server. Enter the address in dotted-decimal IP notation (for example, 192.168.11.1).
Command Modes
TACACS+ configuration mode
Admin and user contexts
Command History
3.0(0)A1(2) | This command was introduced.
A1(7) | This command was introduced.
Usage Guidelines
You can add multiple TACACS+ servers to the AAA server group by entering multiple server commands in this mode. The same server can belong to multiple server groups.
Examples
To add servers to a TACACS+ server group, enter:
host1/Admin(config-tacacs+)# server 172.16.56.76
host1/Admin(config-tacacs+)# server 172.16.56.79
host1/Admin(config-tacacs+)# server 172.16.56.82
To remove a server from a TACACS+ server group, enter:
host1/Admin(config-tacacs+)# no server 172.16.56.76
Related Commands
(config) aaa group server