TACACS+ Client Commands

tacplus

Syntax

[no] tacplus

Context

config>system>security

Description

This command enables the context to configure TACACS+ authentication on the 7705 SAR.

For redundancy, multiple server addresses can be configured for each 7705 SAR.

The no form of the command removes the TACACS+ configuration.

accounting

Syntax

accounting [record-type {start-stop | stop-only}]

no accounting

Context

config>system>security>tacplus

Description

This command enables TACACS+ accounting and configures the type of accounting record packet that is to be sent to the TACACS+ server. The record-type parameter indicates whether TACACS+ accounting start and stop packets will be sent or just stop packets will be sent.

Default

record-type stop-only

Parameters

record-type start-stop

specifies that a TACACS+ start packet is sent whenever the user executes a command and a stop packet is sent when the command is complete

record-type stop-only

specifies that a stop packet is sent when the command execution is complete

authorization

Syntax

[no] authorization

Context

config>system>security>tacplus

Description

This command enables TACACS+ authorization for the system. When authorization is enabled, commands entered by a TACACS+-authenticated user are checked against the TACACS+ server before they are executed. The no form of the command disables TACACS+ authorization.

Default

no authorization

server

Syntax

server index address ip-address secret key [hash | hash2] [port port]

no server index

Context

config>system>security>tacplus

Description

This command adds a TACACS+ server and configures the TACACS+ server IP address, index, and key values.

Up to five TACACS+ servers can be configured at any one time. TACACS+ servers are accessed in order from the lowest index to the highest index for authentication requests.

The no form of the command removes the server from the configuration.

Default

no TACACS+ servers are configured

Parameters

index

the index for the TACACS+ server. The index determines the sequence in which the servers are queried for authentication requests. Servers are queried in order from the lowest index to the highest index.

Values

1 to 5

ip-address

the IP address of the TACACS+ server. Two TACACS+ servers cannot have the same IP address. An error message is generated if the server address is a duplicate.

Values

ipv4-address:    a.b.c.d

ipv6-address:    x:x:x:x:x:x:x:x (eight 16-bit pieces)

                 x:x:x:x:x:x:d.d.d.d

                 x:   [0 to FFFF]H

                 d:   [0 to 255]D

key

the secret key used to authenticate the 7705 SAR to the TACACS+ server. This key must match the key configured for this client on the TACACS+ server.

Values

up to 128 characters in length

hash

specifies that the key is entered in an encrypted form. If neither hash nor hash2 is specified, the key is assumed to be in unencrypted, clear text form. For security, all keys are stored in encrypted form in the configuration file, with the hash parameter specified, regardless of how they were entered.

hash2

specifies that the key is entered in a more complex encrypted form than hash. If the hash2 parameter is not used, the weaker hash form is assumed.

port

the TCP port on which the TACACS+ server listens. The standard TACACS+ port is TCP 49.

Values

0 to 65535

timeout

Syntax

timeout seconds

no timeout

Context

config>system>security>tacplus

Description

This command configures the number of seconds the router waits for a response from a TACACS+ server.

The no form of the command reverts to the default value.

Default

3

Parameters

seconds

the number of seconds the router waits for a response from a TACACS+ server, expressed as a decimal integer

Values

1 to 90

use-default-template

Syntax

[no] use-default-template

Context

config>system>security>tacplus

Description

This command specifies whether the default TACACS+ user template is actively applied to users authenticated through TACACS+. The no form of the command stops the template from being applied.
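The following script is an added example and is not part of the 7705 SAR documentation or software. It parses a tacplus configuration fragment written in the CLI style of the commands above and checks it against the limits stated on this page: server index 1 to 5, at most five servers, unique server addresses, key up to 128 characters, port 0 to 65535, timeout 1 to 90, and accounting record-type defaulting to stop-only. It also flags the secret-handling points a reviewer would raise (keys left in clear text or in the weaker hash form, a single server with no redundancy, accounting disabled) and reports the order in which the node will query the servers. The sample configuration is constructed for the example; the default port of 49 is the IANA-assigned TACACS+ port and is not stated on the page.

```python
"""Added example (not 7705 SAR code): parse and lint a tacplus configuration
fragment against the constraints stated on the command reference page."""
import re
from dataclasses import dataclass, field
from typing import Dict, List, Optional

# Constructed sample in 7705 SAR CLI style, not captured from a real node.
# Server 3 deliberately repeats server 1's address and uses a clear-text key.
SAMPLE_CONFIG = """\
    tacplus
        accounting record-type start-stop
        authorization
        server 1 address 192.0.2.10 secret "Kx9QpL2mVt7bWz4" hash2 port 49
        server 2 address 2001:db8::49 secret "Rq3NfH8sYd6cJu1" hash2
        server 3 address 192.0.2.10 secret cleartext-shared-key
        timeout 5
        use-default-template
    exit
"""

TACACS_PORT = 49  # IANA-assigned TACACS+ port; the page itself states no default

# server index address ip-address secret key [hash | hash2] [port port]
SERVER_RE = re.compile(
    r"^server\s+(?P<index>\d+)\s+address\s+(?P<addr>\S+)\s+secret\s+"
    r'(?P<key>"[^"]*"|\S+)(?:\s+(?P<enc>hash2|hash))?(?:\s+port\s+(?P<port>\d+))?$'
)


@dataclass
class Server:
    index: int
    address: str
    key: str
    encoding: Optional[str]  # None = clear text in the config, else "hash" or "hash2"
    port: int


@dataclass
class TacplusConfig:
    servers: Dict[int, Server] = field(default_factory=dict)
    timeout: int = 3                  # page default
    accounting: Optional[str] = None  # None = accounting not enabled
    authorization: bool = False
    use_default_template: bool = False
    findings: List[str] = field(default_factory=list)


def parse_tacplus(text: str) -> TacplusConfig:
    """Read the tacplus context lines; unrelated lines (tacplus, exit) are ignored."""
    cfg = TacplusConfig()
    for raw in text.splitlines():
        line = raw.strip()
        if m := SERVER_RE.match(line):
            idx = int(m.group("index"))
            if idx in cfg.servers:
                cfg.findings.append(f"error: server index {idx} configured twice")
            port = int(m.group("port")) if m.group("port") else TACACS_PORT
            cfg.servers[idx] = Server(idx, m.group("addr"), m.group("key").strip('"'),
                                      m.group("enc"), port)
        elif m := re.match(r"^timeout\s+(\d+)$", line):
            cfg.timeout = int(m.group(1))
        elif m := re.match(r"^accounting(?:\s+record-type\s+(start-stop|stop-only))?$", line):
            cfg.accounting = m.group(1) or "stop-only"  # default when record-type is omitted
        elif line == "authorization":
            cfg.authorization = True
        elif line == "use-default-template":
            cfg.use_default_template = True
    return cfg


def lint(cfg: TacplusConfig) -> List[str]:
    """Check the page's stated limits plus the secret-handling points a reviewer would raise."""
    findings = list(cfg.findings)
    if len(cfg.servers) > 5:
        findings.append(f"error: {len(cfg.servers)} servers configured, maximum is 5")
    if len(cfg.servers) < 2:
        findings.append("warning: fewer than two servers configured, no redundancy")
    seen: Dict[str, int] = {}
    for idx in sorted(cfg.servers):  # same order in which the node queries them
        s = cfg.servers[idx]
        if not 1 <= idx <= 5:
            findings.append(f"error: server {idx}: index outside 1 to 5")
        if s.address in seen:
            findings.append(f"error: server {idx}: duplicate address {s.address}, "
                            f"already used by server {seen[s.address]}")
        seen.setdefault(s.address, idx)
        if len(s.key) > 128:
            findings.append(f"error: server {idx}: key longer than 128 characters")
        if s.encoding != "hash2":
            findings.append(f"warning: server {idx}: key stored as "
                            f"{s.encoding or 'clear text'}, prefer hash2")
        if not 0 <= s.port <= 65535:
            findings.append(f"error: server {idx}: port {s.port} outside 0 to 65535")
    if not 1 <= cfg.timeout <= 90:
        findings.append(f"error: timeout {cfg.timeout} outside 1 to 90")
    if cfg.accounting is None:
        findings.append("warning: accounting not enabled, no command audit trail")
    return findings


def query_order(cfg: TacplusConfig) -> List[str]:
    """Server addresses in the order the node tries them: lowest index first."""
    return [cfg.servers[i].address for i in sorted(cfg.servers)]
```

Running `lint(parse_tacplus(SAMPLE_CONFIG))` reports the duplicate address on server 3 (the node itself rejects this with an error message) and its clear-text key; `query_order` shows that server 3 would be tried after servers 1 and 2. Because servers are tried in index order and each can wait up to timeout seconds, a large timeout combined with several unreachable servers delays login noticeably, so keep the timeout short and the server list to reachable hosts.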