TACACS+

An organization can establish a Terminal Access Controller Access Control System (TACACS+) server to provide centralized security for all of its devices. In this way, authentication and authorization can be handled on a single server for all devices in the organization.

The switch can act as a TACACS+ client that uses the TACACS+ server for the following services:

  • Authentication—Provides authentication of administrators logging onto the switch by using usernames and user-defined passwords.

  • Authorization—Performed at login. After the authentication session is completed, an authorization session starts using the authenticated username. The TACACS+ server then checks user privileges.

The TACACS+ protocol protects the exchange between the device and the TACACS+ server by encrypting the protocol messages with the shared key.

Some TACACS+ servers support a single connection, which enables the device to receive all information over one connection. If the TACACS+ server does not support this, the device reverts to multiple connections.

Use the TACACS+ page to configure the TACACS+ servers and define the default parameters that are used for communicating with all TACACS+ servers. A user must be configured on the TACACS+ server with privilege level 15 to be granted permission to administer the switch.

To define default TACACS+ parameters and add a TACACS+ server:

Procedure
Step 1

Click Security > TACACS+.

Step 2

Enter the default TACACS+ parameters if required. Values entered in the Default Parameters are applied to all servers. If a value is not entered for a specific server (in the Add TACACS+ Server page) the device uses the values in these fields.

  • Timeout for Reply—Enter the amount of time in seconds that passes before the connection between the switch and the TACACS+ server times out. If a value is not entered for an individual server, the value is taken from this field.

  • Key String—Enter the default key string in encrypted or plaintext form used for communicating with all TACACS+ servers. If you do not enter the default key string here, the key entered on the Add page must match the encryption key used by the TACACS+ server. If you enter the default key string here and a key string for an individual TACACS+ server, the key string configured for the individual TACACS+ server takes precedence.

Step 3

Click Apply. The TACACS+ default settings for the device are updated in the Running Configuration file.

Step 4

Enter the values in the fields for each TACACS+ server. To use the default values entered in the RADIUS page, select Use Default.

  • Server Definition—Select whether to specify the TACACS+ server by IP address or name.

  • IP Version—Select the version of the IP address of the TACACS+ server.

  • Server IP Address/Name—Enter the TACACS+ server by IP address or name.

  • Priority—Enter the priority of the server. The priority determines the order in which the device attempts to contact the servers to authenticate a user. The device starts with the highest priority TACACS+ server first. Zero is the highest priority.

  • Key String—Enter the default key string in encrypted or plaintext form used for communicating with all TACACS+ servers. If you do not enter the default key string here, the key entered on the Add page must match the encryption key used by the TACACS+ server. If you enter the default key string here and a key string for an individual TACACS+ server, the key string configured for the individual TACACS+ server takes precedence.

Step 5

Click Apply. The RADIUS server definition is added to the Running Configuration file of the device.

Step 6

To display sensitive data in plaintext form on the page, click Display Sensitive Data As Plaintext.
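The following is an added illustration, not code from the switch or from this guide: a small Python model of the rules stated in Step 2 and Step 4 (per-server Key String and Timeout for Reply take precedence, otherwise the default applies; servers are contacted in priority order with zero first) together with the privilege level 15 check from the authorization step. The class names, the `None` meaning "Use Default", and the assumption that the server returns the privilege level as a `priv-lvl` attribute are all this example's own choices, not anything the page specifies.

```python
from dataclasses import dataclass
from typing import Optional


@dataclass
class Defaults:
    """Default Parameters from the TACACS+ page (apply to every server)."""
    timeout: int          # Timeout for Reply, in seconds
    key: str = ""         # default Key String; "" means none configured


@dataclass
class Server:
    """One Add TACACS+ Server entry; None means 'Use Default' for that field."""
    address: str          # Server IP Address/Name
    priority: int         # 0 is the highest priority
    timeout: Optional[int] = None
    key: Optional[str] = None


def resolve(defaults: Defaults, servers: list) -> list:
    """Return (address, effective timeout, effective key) in contact order.

    A per-server value overrides the default; a missing per-server value
    falls back to the default. A server that ends up with no key at all is
    a misconfiguration (the exchange could not be protected), so it is
    rejected rather than silently accepted.
    """
    resolved = []
    for s in sorted(servers, key=lambda srv: srv.priority):   # zero first
        key = s.key if s.key is not None else defaults.key
        timeout = s.timeout if s.timeout is not None else defaults.timeout
        if not key:
            raise ValueError(f"{s.address}: no key string (server or default)")
        resolved.append((s.address, timeout, key))
    return resolved


def may_administer(av_pairs: dict) -> bool:
    """Authorization step: only privilege level 15 may administer the switch.
    Assumes the server reports the level as the 'priv-lvl' attribute."""
    return av_pairs.get("priv-lvl") == "15"


if __name__ == "__main__":
    # Constructed sample configuration, not taken from a real device.
    defaults = Defaults(timeout=5, key="example-shared-key")
    servers = [Server("10.0.0.2", priority=1, key="per-server-key"),
               Server("tacacs.example.net", priority=0, timeout=3)]
    for entry in resolve(defaults, servers):
        print(entry)
    print(may_administer({"priv-lvl": "15"}))
```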