TACACS+ client commands

Parent topic: Configuration commands

tacplus

Syntax

[no] tacplus

Context

config>system>security

Platforms

Supported on all 7210 SAS platforms as described in this document

Description

Commands in this context configure TACACS+ authentication on the router.

Configure multiple server addresses for each router for redundancy.

The no form of this command removes the TACACS+ configuration.

accounting

Syntax

accounting [record-type {start-stop | stop-only}]

no accounting

Context

config>system>security>tacplus

Platforms

Supported on all 7210 SAS platforms as described in this document

Description

This command configures the type of accounting record packet that is to be sent to the TACACS+ server. The record-type parameter indicates whether TACACS+ accounting start and stop packets be sent or just stop packets be sent.

Default

record-type stop-only

Parameters

record-type start-stop

Specifies that a TACACS+ start packet is sent whenever the user executes a command.

record-type stop-only

Specifies that a stop packet is sent whenever the command execution is complete.

authorization

Syntax

[no] authorization

Context

config>system>security>tacplus

Platforms

Supported on all 7210 SAS platforms as described in this document

Description

This command configures TACACS+ authorization parameters for the system.

Default

no authorization

server

Syntax

server index address ip-address secret key [hash | hash2]

no server index

Context

config>system>security>tacplus

Platforms

Supported on all 7210 SAS platforms as described in this document

Description

This command adds a TACACS+ server and configures the TACACS+ server IP address, index, and key values.

Up to five TACACS+ servers can be configured at any one time. TACACS+ servers are accessed in order from lowest index to the highest index for authentication requests.

The 7210 SAS-K 2F1C2T does not support IPv6 addresses for TACACS+ servers.

The no form of the command removes the server from the configuration.

Parameters

index

Specifies the index for the TACACS+ server. The index determines the sequence in which the servers are queried for authentication requests. Servers are queried in order from the lowest index to the highest index.

Values

1 to 5

address ip-address

Specifies the IP address of the TACACS+ server. Two TACACS+ servers cannot have the same IP address. An error message is generated if the server address is a duplicate.

Values

ipv4-address — a.b.c.d (host bits must be 0)

ipv6-address — x:x:x:x:x:x:x:x (eight 16-bit pieces)

x:x:x:x:x:x:d.d.d.d

x — [0..FFFF]H

d — [0..255]D

secret key

Specifies the secret key, up to 128 characters, to access the RADIUS server. This secret key must match the password on the RADIUS server.

hash

Specifies the key is entered in an encrypted form. If the hash parameter is not used, the key is assumed to be in a non-encrypted, clear text form. For security, all keys are stored in encrypted form in the configuration file with the hash parameter specified.

hash2

Specifies the key is entered in a more complex encrypted form. If the hash2 parameter is not used, the less encrypted hash form is assumed.

shutdown

Syntax

[no] shutdown

Context

config>system>security>tacplus

Platforms

Supported on all 7210 SAS platforms as described in this document

Description

This command administratively disables the TACACS+ protocol operation. Shutting down the protocol does not remove or change the configuration other than the administrative state.

The operational state of the entity is disabled as well as the operational state of any entities contained within. Many objects must be shut down before they may be deleted.

The no form of this command administratively enables the protocol.

Default

no shutdown

timeout

Syntax

timeout seconds

no timeout

Context

config>system>security>tacplus

Platforms

Supported on all 7210 SAS platforms as described in this document

Description

This command configures the number of seconds the router waits for a response from a TACACS+ server.

The no form of the command reverts to the default value.

Default

timeout 3

Parameters

seconds

Specifies the number of seconds the router waits for a response from a TACACS+ server, expressed as a decimal integer.

Values

1 to 90

shutdown

Syntax

[no] shutdown

Context

config>system>security>tacplus

Platforms

Supported on all 7210 SAS platforms as described in this document

Description

This command administratively disables the TACACS+ protocol operation. Shutting down the protocol does not remove or change the configuration other than the administrative state.

The operational state of the entity is disabled as well as the operational state of any entities contained within. Many objects must be shut down before they may be deleted.

The no form of this command administratively enables the protocol which is the default state.

Default

no shutdown

use-default-template

Syntax

[no] use-default-template

Context

config>system>security>tacplus

Platforms

Supported on all 7210 SAS platforms as described in this document

Description

This command specifies whether the user template defined by this entry is to be actively applied to the TACACS+ user.