Configuring TACACS+


To configure or create TACACS+ access on a switch, use the command:


CLI (network-admin@switch-1) > aaa-tacacs-create name name-string scope local|fabric server server-string [port port-number] [secret secret-string] [timeout timeout-number] [priority priority-number] [authen|no-authen] [authen-local|no-authen-local] [authen-method pap|chap|ms-chap] [sess-acct|no-sess-acct] [cmd-acct|no-cmd-acct] [acct-local|no-acct-local] [sess-author|no-sess-author] [cmd-author|no-cmd-author] [author-local|no-author-local] [service service-string] [service-shell service-shell-string] [service-vtysh service-vtysh-string]


name name-string

Specify the name for the TACACS+ configuration

scope local|fabric

Specify the scope of TACACS+

server server-string

Specify the TACACS+ server string

Specify one or more of the following options

[port port-number]

Specify the TACACS+ communication port

[secret secret-string]

Specify the shared secret for TACACS+

[timeout timeout-number]

Specify the number of seconds before communication times out

[priority priority-number]

Specify the priority for TACACS+

[authen|no-authen]

Specify whether to use authentication or no authentication

[authen-local|no-authen-local]

Specify whether TACACS+ authentication overrides local users

[authen-method pap|chap|ms-chap]

Specify the authentication method: PAP, CHAP (default), or MS-CHAP

[sess-acct|no-sess-acct]

Specify the session accounting

[cmd-acct|no-cmd-acct]

Specify the command accounting

[acct-local|no-acct-local]

Specify the accounting for local users

[sess-author|no-sess-author]

Specify the authorization sessions

[cmd-author|no-cmd-author]

Specify the command authorization

[author-local|no-author-local]

Specify the authorization for local users

[service service-string]

Specify the service name used for TACACS+ requests sent from Netvisor ONE to the TACACS+ server for commands run at the Netvisor CLI and REST APIs. The default value is shell.

[service-shell service-shell-string]

Specify the TACACS+ service name string for shell commands

[service-vtysh service-vtysh-string]

Specify the TACACS+ service name string for vtysh commands


For example, to create a TACACS+ configuration named tac with scope local and no local authentication privilege (authen-local), use the command:


CLI (network-admin@switch) > aaa-tacacs-create name tac scope local authen-local


To modify the authentication access, use the command:


CLI (network-admin@switch) > aaa-tacacs-modify name tac no-authen-local


For a local account to authenticate, all the active aaa-tacacs instances must be configured with the no-authen-local parameter.


Use the parameters author-local and acct-local to indicate whether authorization and accounting messages for locally authenticated accounts should be sent to the TACACS+ server. For example,


CLI (network-admin@switch) > aaa-tacacs-modify name tac [author-local|no-author-local]


CLI (network-admin@switch) > aaa-tacacs-modify name tac [acct-local|no-acct-local]


To specify the service in authorization and accounting messages for shell and vtysh commands, use:


CLI (network-admin@switch) > aaa-tacacs-modify name tac service-shell unix-shell


CLI (network-admin@switch) > aaa-tacacs-modify name tac service-vtysh vtysh-shell


If service-shell or service-vtysh is not specified, the value of the service option is used for that command type.
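The two rules stated in this section, that local accounts can only authenticate when every active aaa-tacacs instance carries no-authen-local, and that service-shell and service-vtysh fall back to the service option (default shell), can be checked against a planned set of commands before they are applied. The following Python script is an added example and not Netvisor ONE code; it parses the aaa-tacacs-create/modify/delete syntax documented above into a small model and evaluates both rules. It assumes that an instance on which authen-local was never set does not satisfy the local-authentication rule, and that with no active instance nothing overrides local login; the page states neither.

```python
import shlex

# Option names as documented for aaa-tacacs-create; a flag is cleared by its no- form.
FLAGS = {"authen", "authen-local", "sess-acct", "cmd-acct", "acct-local",
         "sess-author", "cmd-author", "author-local"}
VALUED = {"name", "scope", "server", "port", "secret", "timeout", "priority",
          "authen-method", "service", "service-shell", "service-vtysh"}

def parse_args(tokens, cfg):
    """Apply the option tokens that follow the command word onto cfg."""
    i = 0
    while i < len(tokens):
        tok = tokens[i]
        if tok in VALUED:
            cfg[tok] = tokens[i + 1]
            i += 2
        elif tok in FLAGS:
            cfg[tok] = True
            i += 1
        elif tok.startswith("no-") and tok[3:] in FLAGS:
            cfg[tok[3:]] = False
            i += 1
        else:
            raise ValueError(f"unknown option {tok!r}")
    return cfg

def apply_commands(lines):
    """Replay create/modify/delete lines (with or without the CLI prompt) into {name: cfg}."""
    instances = {}
    for line in lines:
        tokens = shlex.split(line.split(">", 1)[-1])  # drop a leading "CLI (...) >" prompt
        cmd, rest = tokens[0], tokens[1:]
        name = rest[rest.index("name") + 1]
        if cmd == "aaa-tacacs-create":
            instances[name] = parse_args(rest, {"service": "shell"})  # page: default is shell
        elif cmd == "aaa-tacacs-modify":
            parse_args(rest, instances[name])
        elif cmd == "aaa-tacacs-delete":
            del instances[name]
    return instances

def local_accounts_can_authenticate(instances):
    """Page rule: every active instance must carry no-authen-local.
    Assumption: an instance with authen-local never set does not satisfy the rule."""
    return all(cfg.get("authen-local") is False for cfg in instances.values())

def effective_services(cfg):
    """service-shell and service-vtysh fall back to the service option when unset."""
    return {"shell": cfg.get("service-shell", cfg["service"]),
            "vtysh": cfg.get("service-vtysh", cfg["service"])}
```

Feed it the command lines from this section (server name and secret in the test are constructed values) to see that tac blocks local login until no-authen-local is applied, and that vtysh requests still use the service value shell after only service-shell is set.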


To delete a specified (for example, tac) TACACS+ configuration, use the aaa-tacacs-delete command:


CLI (network-admin@switch) > aaa-tacacs-delete name tac


To display the status of the TACACS+ server configuration, use the aaa-tacacs-show command:


CLI (network-admin@switch) > aaa-tacacs-show name tac