TACACS+ Client

An organization can establish a Terminal Access Controller Access Control System (TACACS+) server to provide centralized security for all of its devices. In this way, authentication and authorization can be handled on a single server for all devices in the organization.

The TACACS+ Client page enables configuring TACACS+ servers. The device can act as a TACACS+ client that uses the TACACS+ server for the following services:

  • Authentication—Provides authentication of users logging onto the device by using usernames and user-defined passwords.

  • Authorization—Performed at login. After the authentication session is completed, an authorization session starts using the authenticated username. The TACACS+ server then checks user privileges.

  • Accounting—Enables accounting of login sessions using the TACACS+ server. This enables a system administrator to generate accounting reports from the TACACS+ server.

TACACS+ is supported only with IPv4.

To configure TACACS+ server parameters, follow these steps:

Procedure

Step 1

Click Security > TACACS+ Client.

Step 2

Enable TACACS+ Accounting if required.

Step 3

Enter the following default parameters:

Key String

Enter the default Key String used for communicating with all TACACS+ servers in Encrypted or Plaintext mode.

If you enter both a key string here and a key string for an individual TACACS+ server, the key string configured for the individual TACACS+ server takes precedence.

Timeout for Reply

Enter the amount of time that passes before the connection between the device and the TACACS+ server times out. If a value isn’t entered in the Add TACACS+ Server page for a specific server, the value is taken from this field.

Source IPv4 Interface

Select the device IPv4 source interface to be used in messages sent for communication with the TACACS+ server.

Source IPv6 Interface

Select the device IPv6 source interface to be used in messages sent for communication with the TACACS+ server.

Note

If the Auto option is selected, the system takes the source IP address from the IP address defined on the outgoing interface.

Step 4

Click Apply. The TACACS+ default settings are added to the Running Configuration file. These are used if the equivalent parameters are not defined in the Add page.

The information for each TACACS+ server is displayed in the TACACS+ Server Table. The fields in this table are entered in the Add page, except for the Status field, which indicates whether or not the server is connected to the device.

Step 5

To add a TACACS+ server, click Add. To edit the TACACS+ Server, select the TACACS+ server and click Edit.

Step 6

Next, configure the parameters.

Server Definition

Select one of the following ways to identify the TACACS+ server:

  • By IP address: If this is selected, enter the IP address of the server in the Server IP Address/Name field.

  • By name: If this is selected, enter the name of the server in the Server IP Address/Name field.

IP Version

Select the supported IP version of the source address: IPv6 or IPv4.

IPv6 Address Type

Select the IPv6 address type (if IPv6 is used). The options are:

  • Link Local: The IPv6 address uniquely identifies hosts on a single network link. A link local address has a prefix of FE80, isn’t routable, and can be used for communication only on the local network. Only one link local address is supported. If a link local address exists on the interface, this entry replaces the address in the configuration.

  • Global: The IPv6 address is a global unicast IPv6 address that is visible and reachable from other networks.

Link Local Interface

Select the link local interface (if IPv6 Address Type Link Local is selected) from the list.

Server IP Address/Name

Enter the IP address or name of the TACACS+ server.

Priority

Enter the order in which this TACACS+ server is used. Zero is the highest priority, and the server with priority zero is contacted first. If the device can’t establish a session with the higher-priority server, it tries the server with the next highest priority.

Key String

Enter the key string used for authenticating and encrypting traffic between the device and the TACACS+ server. This key must match the key configured on the TACACS+ server.

The key string is used to encrypt communications by using MD5. You can use the default key configured on the device, or enter a key for this server in Encrypted or Plaintext form. If you don’t have an encrypted key string (from another device), enter the key string in Plaintext mode and click Apply. The encrypted key string is then generated and displayed.
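As an added illustration (not part of this guide or the device firmware), the following Python implements the MD5-based body obfuscation that the shared key string drives, as specified in RFC 8907 section 4.5, and shows why the key on the device and on the server must match: a packet encoded with one key and decoded with a different key yields unusable bytes. The session ID, username and the `relay_to_server` helper are constructed for the example.

```python
import hashlib
import struct

# RFC 8907 4.5: the pseudo-pad is a chain of MD5 digests, each seeded with
# session_id, the shared key, the version byte and the sequence number, plus
# the previous digest. The body is XORed with this pad; the key never travels.
def tacacs_pseudo_pad(session_id: int, key: bytes, version: int,
                      seq_no: int, length: int) -> bytes:
    seed = struct.pack("!I", session_id) + key + bytes([version, seq_no])
    pad, prev = b"", b""
    while len(pad) < length:
        prev = hashlib.md5(seed + prev).digest()
        pad += prev
    return pad[:length]

def obfuscate(body: bytes, session_id: int, key: bytes,
              version: int = 0xC0, seq_no: int = 1) -> bytes:
    """XOR body with the pad. Symmetric: the same call de-obfuscates."""
    pad = tacacs_pseudo_pad(session_id, key, version, seq_no, len(body))
    return bytes(b ^ p for b, p in zip(body, pad))

def build_authen_start(user: bytes, port: bytes, rem_addr: bytes) -> bytes:
    """Constructed Authentication START body (RFC 8907 5.1), ASCII login."""
    action, priv_lvl, authen_type, service = 0x01, 0x01, 0x01, 0x01
    data = b""
    header = bytes([action, priv_lvl, authen_type, service,
                    len(user), len(port), len(rem_addr), len(data)])
    return header + user + port + rem_addr + data

# Hypothetical helper: the device encodes with its key, the server decodes
# with its own. Only a matching key recovers the original body.
def relay_to_server(body: bytes, session_id: int,
                    device_key: bytes, server_key: bytes) -> bytes:
    on_the_wire = obfuscate(body, session_id, device_key)
    return obfuscate(on_the_wire, session_id, server_key)

# Constructed sample values for a stand-alone run.
SESSION_ID = 0x1A2B3C4D
START_BODY = build_authen_start(b"netadmin", b"tty0", b"192.0.2.10")

if __name__ == "__main__":
    ok = relay_to_server(START_BODY, SESSION_ID, b"shared-secret", b"shared-secret")
    bad = relay_to_server(START_BODY, SESSION_ID, b"shared-secret", b"other-key")
    print("matching keys recover body:", ok == START_BODY)
    print("mismatched keys recover body:", bad == START_BODY)
```

Because the pad depends only on header fields and the key, the confidentiality of every TACACS+ exchange rests on the key string being strong and kept secret on both ends.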

Timeout for Reply

Select User Defined and enter the amount of time that passes before the connection between the device and the TACACS+ server times out. Select Use Default to use the default value displayed on the page.

Authentication IP Port

Enter the port number through which the TACACS+ session occurs.

Single Connection

Select to enable receiving all information in a single connection. If the TACACS+ server doesn’t support this, the device reverts to multiple connections.

Step 7

Click Apply. The TACACS+ server is added to the Running Configuration file of the device.

Step 8

To display sensitive data in plaintext form on this page, click Display Sensitive Data As Plaintext.