Configuring TACACS+
To configure or create TACACS+ access on a switch, use the command:
CLI (network-admin@switch-1) > aaa-tacacs-create name name-string scope local|fabric server server-string [port port-number] [secret secret-string] [timeout timeout-number] [priority priority-number] [authen|no-authen] [authen-local|no-authen-local] [authen-method pap|chap|ms-chap] [sess-acct|no-sess-acct] [cmd-acct|no-cmd-acct] [acct-local|no-acct-local] [sess-author|no-sess-author] [cmd-author|no-cmd-author] [author-local|no-author-local] [author-local|no-author-local] [service service-string] [service-shell service-shell-string] [service-vtysh service-vtysh-string]
|
name name-string |
Specify the name for TACACS+ config |
|
scope local|fabric |
Specify the scope of TACACS+ |
|
server server-string |
Specify the TACACS+ server string |
|
Specify one of more of the following options |
|
|
[port port-number] |
Specify the TACACS+ communication port |
|
[secret secret-string] |
Specify the shared secret for TACACS+ |
|
[timeout timeout-number] |
Specify the number of seconds before communication times out |
|
[priority priority-number] |
Specify the priority for TACACs+ |
|
[authen|no-authen] |
Specify whether to use authentication or no authentication |
|
[authen-local|no-authen-local] |
Specify if the authentication overrides local users |
|
[authen-method pap|chap|ms-chap] |
Specify the authentication methods: PAP, CHAP (default), MS-CHAP |
|
[sess-acct|no-sess-acct] |
Specify the session accounting |
|
[cmd-acct|no-cmd-acct] |
Specify the command accounting |
|
[acct-local|no-acct-local] |
Specify the accounting for local users |
|
[sess-author|no-sess-author] |
Specify the authorization sessions |
|
[cmd-author|no-cmd-author] |
Specify the command authorization |
|
[author-local|no-author-local] |
Specify the authorization for local users |
|
[service service-string] |
Specify the service name used for TACACS+ requests sent from Netvisor ONE to the TACACS+ server for commands run at the Netvisor CLI and REST APIs. The default value is shell. |
|
[service-shell service-shell-string] |
Specify the TACACS+ service name string for shell commands |
|
[service-vtysh service-vtysh-string] |
Specify the TACACS+ service name string for vtysh commands |
For example, to create TACACS+ account, tac having scope local with no local authentication privilege, use the command:
CLI (network-admin@switch) > aaa-tacacs-create name tac scope local server pluribusnetworks.com authen-local
To create a secret key, use the command:
CLI (network-admin@switch) > aaa-tacacs-modify secret name tac
shared secret:
confirm shared secret:
CLI (network-admin@switch) >
To modify the authentication access, use the command:
CLI (network-admin@switch) > aaa-tacacs-modify name tac no-authen-local
For a local account to authenticate, all the active aaa-tacacs instances must be configured with no-authen-local parameter.
Use the parameters author-local and acct-local to indicate if authorization and accounting messages for locally
authenticated accounts should be sent to the TACACS+ server. For example,
CLI (network-admin@switch) > aaa-tacacs-modify name tac [author-local|no-author-local]
CLI (network-admin@switch) > aaa-tacacs-modify name tac [acct-local|no-acct-local]
To specify the service in authorization and accounting messages for shell and vtysh commands, use:
CLI (network-admin@switch) > aaa-tacacs-modify name tac \
service-shell unix-shell
CLI (network-admin@switch) > aaa-tacacs-modify name tac \
service-vtysh vtysh-shell
If service-shell or service-vtysh is not specified, then the value of the service option is used.
To delete a specified (for example, tac) TACACS+ configuration, use the aaa-tacacs-delete command:
CLI (network-admin@switch) > aaa-tacacs-delete name tac
To display the status of the TACACS server, use the aaa-tacacs-status command:
CLI (network-admin@switch) > aaa-tacacs-show name tac