Configuring TACACS+

To create a TACACS+ configuration on a switch, use the command:

CLI (network-admin@switch-1) > aaa-tacacs-create name name-string scope local|fabric server server-string [port port-number] [secret secret-string] [timeout timeout-number] [priority priority-number] [authen|no-authen] [authen-local|no-authen-local] [authen-method pap|chap|ms-chap] [sess-acct|no-sess-acct] [cmd-acct|no-cmd-acct] [acct-local|no-acct-local] [sess-author|no-sess-author] [cmd-author|no-cmd-author] [author-local|no-author-local] [service service-string] [service-shell service-shell-string] [service-vtysh service-vtysh-string]

name name-string

Specify the name for the TACACS+ configuration

scope local|fabric

Specify the scope of the TACACS+ configuration: this switch only (local) or the whole fabric

server server-string

Specify the TACACS+ server address

Specify one or more of the following options:

[port port-number]

Specify the TACACS+ communication port

[secret secret-string]

Specify the shared secret for TACACS+

[timeout timeout-number]

Specify the number of seconds before communication times out

[priority priority-number]

Specify the priority of this TACACS+ configuration

[authen|no-authen]

Specify whether to use this TACACS+ server for authentication

[authen-local|no-authen-local]

Specify whether TACACS+ authentication also applies to (overrides) local user accounts

[authen-method pap|chap|ms-chap]

Specify the authentication method: PAP, CHAP (default), or MS-CHAP

[sess-acct|no-sess-acct]

Specify whether to send session accounting to the TACACS+ server

[cmd-acct|no-cmd-acct]

Specify whether to send command accounting to the TACACS+ server

[acct-local|no-acct-local]

Specify whether to send accounting for locally authenticated users

[sess-author|no-sess-author]

Specify whether to request session authorization from the TACACS+ server

[cmd-author|no-cmd-author]

Specify whether to request command authorization from the TACACS+ server

[author-local|no-author-local]

Specify whether to request authorization for locally authenticated users

[service service-string]

Specify the service name used in TACACS+ requests sent from Netvisor ONE to the TACACS+ server for commands run from the Netvisor CLI and REST APIs. The default value is shell.

[service-shell service-shell-string] 

Specify the TACACS+ service name string for shell commands

[service-vtysh service-vtysh-string]

Specify the TACACS+ service name string for vtysh commands

For example, to create a TACACS+ configuration named tac with local scope, in which local accounts are also authenticated through the TACACS+ server (authen-local), use the command (server-string is the address of your TACACS+ server):

CLI (network-admin@switch) > aaa-tacacs-create name tac scope local server server-string authen-local

To set the shared secret, use the command below. The secret is entered at a prompt, so it is not typed in clear text on the command line:

CLI (network-admin@switch) > aaa-tacacs-modify secret name tac

shared secret:

confirm shared secret:

CLI (network-admin@switch) >
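The shared secret set above is what keeps login credentials in TACACS+ packets from crossing the network in clear: every packet body is XORed with an MD5-derived key stream seeded by the secret, the session ID, and the header's version and sequence number (RFC 8907, section 4.5). The following Python is an added example, not code from this page or from Netvisor ONE. It builds a PAP authentication START packet the way any TACACS+ client would, obfuscates the body, and shows what a receiver recovers with the correct key, a wrong key, and no key at all. The user name, port, address, session ID and secrets are constructed for the example.

```python
"""Added example: TACACS+ body obfuscation (RFC 8907, section 4.5).

Builds an authentication START packet carrying a PAP password, obfuscates the
body with the shared secret the way a TACACS+ client (such as the switch) does,
and shows what a receiver with the right, wrong or no key recovers.
All names, addresses, session IDs and secrets below are constructed for the example.
"""
import hashlib
import struct

TAC_PLUS_MAJOR_VER = 0xC
TAC_PLUS_MINOR_VER_ONE = 0x1      # minor version 1 is used for PAP/CHAP/MS-CHAP
TAC_PLUS_AUTHEN = 0x01            # packet type: authentication
TAC_PLUS_AUTHEN_LOGIN = 0x01      # START action
TAC_PLUS_AUTHEN_TYPE_PAP = 0x02
TAC_PLUS_AUTHEN_SVC_LOGIN = 0x01
TAC_PLUS_UNENCRYPTED_FLAG = 0x01  # header flag: body is sent in clear
HEADER_FMT = "!BBBBII"            # version, type, seq_no, flags, session_id, length
HEADER_LEN = struct.calcsize(HEADER_FMT)


def pseudo_pad(session_id: int, key: bytes, version: int, seq_no: int, length: int) -> bytes:
    """Key stream from RFC 8907 s4.5: MD5_1 = MD5(session_id, key, version, seq_no),
    MD5_n = MD5(session_id, key, version, seq_no, MD5_n-1); concatenate and truncate."""
    seed = struct.pack("!I", session_id) + key + bytes([version, seq_no])
    pad, prev = b"", b""
    while len(pad) < length:
        prev = hashlib.md5(seed + prev).digest()
        pad += prev
    return pad[:length]


def obfuscate(body: bytes, session_id: int, key: bytes, version: int, seq_no: int) -> bytes:
    """XOR the body with the pseudo-pad. XOR is its own inverse, so the same call
    de-obfuscates. There is no integrity check: this is obfuscation, not
    authenticated encryption, which is why RFC 8907 requires a protected transport."""
    pad = pseudo_pad(session_id, key, version, seq_no, len(body))
    return bytes(b ^ p for b, p in zip(body, pad))


def authen_start_body(user: str, port: str, rem_addr: str, password: str) -> bytes:
    """Authentication START body for a PAP login (RFC 8907 s5.1): fixed fields,
    then user, port, rem_addr and data (for PAP, data is the password itself)."""
    u, p, r, d = (s.encode() for s in (user, port, rem_addr, password))
    fixed = struct.pack("!BBBBBBBB",
                        TAC_PLUS_AUTHEN_LOGIN, 15,   # action, priv_lvl (15 = highest)
                        TAC_PLUS_AUTHEN_TYPE_PAP, TAC_PLUS_AUTHEN_SVC_LOGIN,
                        len(u), len(p), len(r), len(d))
    return fixed + u + p + r + d


def build_packet(session_id: int, seq_no: int, body: bytes, key: bytes) -> bytes:
    """Prepend the 12-byte header. An empty key models 'no shared secret configured':
    the client sets the unencrypted flag and the body (password included) goes in clear."""
    version = (TAC_PLUS_MAJOR_VER << 4) | TAC_PLUS_MINOR_VER_ONE
    if key:
        flags, payload = 0, obfuscate(body, session_id, key, version, seq_no)
    else:
        flags, payload = TAC_PLUS_UNENCRYPTED_FLAG, body
    header = struct.pack(HEADER_FMT, version, TAC_PLUS_AUTHEN, seq_no, flags, session_id, len(payload))
    return header + payload


def parse_body(packet: bytes, key: bytes) -> bytes:
    """Receiver side: recover the body from the header fields and the shared secret.
    A wrong key yields garbage with no error, because nothing authenticates the body."""
    version, _ptype, seq_no, flags, session_id, length = struct.unpack(HEADER_FMT, packet[:HEADER_LEN])
    payload = packet[HEADER_LEN:HEADER_LEN + length]
    if flags & TAC_PLUS_UNENCRYPTED_FLAG:
        return payload
    return obfuscate(payload, session_id, key, version, seq_no)


if __name__ == "__main__":
    body = authen_start_body("alice", "tty0", "192.0.2.10", "Pa55w0rd!")
    good = build_packet(0x1A2B3C4D, 1, body, b"correct-shared-secret")
    print("right key recovers body:", parse_body(good, b"correct-shared-secret") == body)
    print("wrong key recovers body:", parse_body(good, b"wrong-secret") == body)
    bare = build_packet(0x1A2B3C4D, 1, body, b"")
    print("password visible with no secret:", b"Pa55w0rd!" in bare)
```

Two practical points follow from the code. The obfuscation is a keyed XOR stream with no integrity protection, so the secret protects confidentiality only against passive observers, and a wrong key is not detected by the protocol itself; RFC 8907 therefore requires TACACS+ to run over a protected network or an IPsec tunnel. And a configuration without a secret is not merely weaker: the client sets the unencrypted flag and the PAP password travels in clear, so set the secret before turning on authentication.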

To modify the authentication access, use the command:

CLI (network-admin@switch) > aaa-tacacs-modify name tac no-authen-local

For a local account to authenticate, all the active aaa-tacacs instances must be configured with no-authen-local parameter.

Use the parameters author-local and acct-local to indicate whether authorization and accounting messages for locally authenticated accounts should be sent to the TACACS+ server. For example,

CLI (network-admin@switch) > aaa-tacacs-modify name tac [author-local|no-author-local]

CLI (network-admin@switch) > aaa-tacacs-modify name tac [acct-local|no-acct-local]

To specify the service in authorization and accounting messages for shell and vtysh commands, use:

CLI (network-admin@switch) > aaa-tacacs-modify name tac service-shell unix-shell

CLI (network-admin@switch) > aaa-tacacs-modify name tac service-vtysh vtysh-shell

If service-shell or service-vtysh is not specified, the value of the service option is used.

To delete a specified (for example, tac) TACACS+ configuration, use the aaa-tacacs-delete command:

CLI (network-admin@switch) > aaa-tacacs-delete name tac

To display the configuration and status of a TACACS+ server entry (for example, tac), use the aaa-tacacs-show command:

CLI (network-admin@switch) > aaa-tacacs-show name tac