TACACS Commands

TACACS provides access control for networked devices via one or more centralized servers. Similar to RADIUS, this protocol simplifies authentication by making use of a single database that can be shared by many clients on a large network. TACACS is based on the TACACS protocol (described in RFC1492) but additionally provides for separate authentication, authorization, and accounting services. The original protocol was UDP based with messages passed in clear text over the network; TACACS uses TCP to ensure reliable delivery and a shared key configured on the client and daemon server to encrypt all messages.

tacacs-server host

Use the tacacs-server host command in Global Configuration mode to configure a TACACS server. This command enters into the TACACS configuration mode. The <ip-address|hostname> parameter is the IP address or hostname of the TACACS server. To specify multiple hosts, multiple tacacs-server host commands can be used.

• Format: tacacs-server host <ip-address|hostname>
• Mode: Global Config

no tacacs-server host

Use the tacacs-server host command to delete the specified hostname or IP address. The <ip-address|hostname> parameter is the IP address of the TACACS server.

• Format: no tacacs-server host <ip-address|hostname>
• Mode: Global Config

tacacs-server key

Use the tacacs-server key command to set the authentication and encryption key for all TACACS communications between the switch and the TACACS daemon. The <key-string> parameter has a range of 0 - 128 characters and specifies the authentication and encryption key for all TACACS communications between the switch and the TACACS server. This key must match the key used on the TACACS daemon.

Text-based configuration supports TACACS server's secrets in encrypted and non-encrypted format. When you save the configuration, these secret keys are stored in encrypted format only. If you want to enter the key in encrypted format, enter the key along with the encrypted keyword. In the show running config command's display, these secret keys are displayed in encrypted format. You cannot show these keys in plain text format.

• Format: tacacs-server key [<key-string> | encrypted <key-string>]
• Mode: Global Config

no tacacs-server key

Use the no tacacs-server key command to disable the authentication and encryption key for all TACACS communications between the switch and the TACACS daemon. The <key-string> parameter has a range of 0 - 128 characters This key must match the key used on the TACACS daemon

• Format: no tacacs-server key <key-string>
• Mode: Global Config

tacacs-server keystring

Use the tacacs-server key-string command to set the global authentication encryption key used for all TACACS communications between the TACACS server and the client.

• Format: tacacs-server keystring
• Mode: Global Config

tacacs-server timeout

Use the tacacs-server timeout command to set the timeout value for communication with the TACACS servers. The <timeout> parameter has a range of 1-30 and is the timeout value in seconds.

• Default: 5
• Format: tacacs-server timeout <timeout>
• Mode: Global Config

no tacacs-server timeout

Use the tacacs-server timeout command to restore the default timeout value for all TACACS servers.

• Format: no tacacs-server timeout
• Mode: Global Config

show tacacs

Use the show tacacs command to display the configuration and statistics of a TACACS server.

• Format: show tacacs [ip-address|hostname]
• Mode: Privileged EXEC

The display parameters for above command are:

• Host address: The IP address or hostname of the configured TACACS server.
• Port: The configured TACACS server port number.
• TimeOut: The timeout in seconds for establishing a TCP connection.
• Priority: The preference order in which TACACS servers are contacted. If a server connection fails, the next highest priority server is contacted.

show tacacs statistics

Use the show tacacs statistics to display information about the server statistics.

• Format: show tacacs statistics <ip-address|hostname>
• Mode: Privileged EXEC

The display parameters for above command are:

• Server Host Address: The IP address of the host.
• Requests Sent: The number of TACACS Authentication Request packets sent to this server.
• Malformed Requests Sent: The number of TACACS Malformed Authentication Request packets sent to this server.
• Requests Received: The number of TACACS Authentication Request received from this server.
• Malformed Requests Received: The number of TACACS Malformed Authentication Request packets received from this server.
• Reply's Received: The number of TACACS Authentication Reply packets received by this server.
• Malformed Reply's Received: The number of TACACS Malformed Authentication Reply packets received by this server.
• Timeouts: The number of authentication timeouts to this server.
• Tacacs Server Status: Status of the server whether DEAD/ALIVE.