Configures TACACS+ AAA service-related parameters for use in
authenticating StarOS administrative users via a TACACS+ server.
Important: Once a TACACS+ server is configured with the server command, TACACS+ AAA services for StarOS must be enabled using the aaa tacacs+ command in Global Configuration mode.
Privilege
Security Administrator, Administrator
Mode
Exec > Global Configuration > TACACS+ Configuration
configure > tacacs mode
Entering the above command sequence results in the following prompt:
[local]host_name(config-tacacs)#
Syntax
server priority priority_number ip-address ip_address [ encrypted password shared_secret ] [ key text_password ] [ nas-source-address ip_address ] [ password text_password ] [ port port_number ] [ retries num_retries ] [ service { accounting | authentication | authorization } ] [ timeout seconds ]
no server priority priority_number
no
Removes a specified server (by priority number) from the TACACS+ server list.
priority priority_number
Specifies the order in which TACACS+ servers are to be tried. The priority number corresponds to a configured TACACS+ server.
For releases prior to 18.2, priority_number can be an integer from 1 (highest priority) to 3 (lowest priority).
For releases 18.2+, priority_number can be an integer from 1 (highest priority) to 4 (lowest priority).
If no server with priority 1 is specified, the next highest priority is used. If the specified priority matches that of a TACACS+ server already configured, any previously defined server configuration parameter(s) for that priority are returned to the default setting(s).
ip-address ip_address
Specifies the IP address of the TACACS+ server, in IPv4 dotted-decimal or IPv6 colon-separated hexadecimal notation. Only one IP address can be defined for a given server priority.
encrypted password shared_secret
Specifies the encrypted value of the shared secret key. The server-side configuration must match the decrypted value for the protocol to work correctly. If encrypted password is specified, specifying password is invalid. No encryption is used if this value is null (""). The encrypted password can be an alphanumeric string of 1 through 100 characters. If neither an encrypted password nor a password is specified, StarOS will not use encryption.
key text_password
Release 11.0 systems only. Instead of using an encrypted password value, the user can specify a plain-text key value for the password. If the key keyword is specified, then specifying encrypted password is invalid. A null string represents no encryption. The password can be from 1 to 32 alphanumeric characters in length. If neither an encrypted password nor a key is specified, then StarOS will not use encryption.
nas-source-address ip_address
Release 12 and later systems only: Sets the IPv4 or IPv6 address to be placed in the Source Address field of the IP header of TACACS+ protocol packets sent from the NAS to the TACACS+ server. ip_address is entered in IPv4 dotted-decimal or IPv6 colon-separated hexadecimal notation and must be a valid address for the interface.
password text_password
Release 12.0 and later systems. Instead of using an encrypted password value, the user can specify a plain-text value for the password. If the password keyword is specified, specifying encrypted password is invalid. A null string ("") represents no encryption. The password can be an alphanumeric string of 1 through 32 characters. If neither an encrypted password nor a password is specified, then StarOS will not use encryption.
port port_number
Specifies the TCP port number to use for communication with the TACACS+ server. port_number can be an integer from 1 through 65535. If a port is not specified, StarOS will use port 49.
retries number
Release 12 and later systems only: Specifies the number of retry attempts at establishing a connection to the TACACS+ server if the initial attempt fails. number can be an integer from 0 through 100. The default is 3. Specifying 0 (zero) retries results in StarOS trying only once to establish a connection. No further retries will be attempted.
service { accounting | authentication | authorization }
Release 12 and later systems only: Specifies one or more of the AAA services that the specified TACACS+ server will provide. Use of the service keyword requires that at least one of the available services be specified. If the service keyword is not used, StarOS will use the TACACS+ server for all AAA service types. The default is to use authentication, authorization and accounting. Available service types are:
- accounting : The specified TACACS+ server should be used for accounting. If TACACS+ authentication is not used, TACACS+ accounting will not be used. If no accounting server is specified and the user is authenticated, no accounting will be performed for the user.
- authentication : The specified TACACS+ server should be used for authentication. If a TACACS+ authentication server is not available, TACACS+ will not be used for authorization or accounting.
- authorization : The specified TACACS+ server should be used for authorization. If TACACS+ authentication is not used, TACACS+ authorization will not be used. If no authorization server is specified and the user is authenticated, the user will remain logged in with minimum privileges (Inspector level).
timeout seconds
Specifies the number of seconds to wait for a connection timeout from the TACACS+ server. seconds can be an integer from 1 through 1000. If no timeout is specified, StarOS will use the default value of 10 seconds.
Usage Guidelines
Use this command to specify TACACS+ service parameters for a specified
TACACS+ server.
Example
The following command configures a priority 2 TACACS+ authentication server at IP address 192.156.1.1:
server priority 2 ip-address 192.156.1.1 authentication
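As an added example (not StarOS code and not Cisco tooling), the following Python linter parses server priority lines in the form documented above and checks them against the constraints the parameter descriptions give: the priority range for a given release, the port, retries and timeout ranges, the length limits on the three secret forms and their mutual exclusion, and the two conditions the text says silently weaken the setup: a server with no encrypted password, password or key (no encryption) and a server offering accounting or authorization without authentication (those services will not be used). It also flags a priority defined twice, since the page states that redefining a priority resets the earlier parameters. The configuration block it runs on is constructed for the example, and the function names parse_server_line and lint_tacacs_block are hypothetical.

```python
import shlex
from dataclasses import dataclass, field
from typing import Optional

SERVICES = ("accounting", "authentication", "authorization")


@dataclass
class TacacsServer:
    priority: int
    ip_address: str
    secret_kind: Optional[str] = None       # "encrypted password", "password" or "key"
    secret: Optional[str] = None
    nas_source_address: Optional[str] = None
    port: int = 49                          # documented default
    retries: int = 3                        # documented default
    timeout: int = 10                       # documented default, in seconds
    services: set = field(default_factory=lambda: set(SERVICES))  # default: all three
    problems: list = field(default_factory=list)


def _value(tokens, i, keyword):
    """Return the argument that follows the keyword at tokens[i]."""
    if i + 1 >= len(tokens):
        raise ValueError(f"'{keyword}' needs a value")
    return tokens[i + 1]


def _int_in_range(srv, keyword, raw, lo, hi):
    """Parse an integer option and record a finding if it is outside lo..hi."""
    try:
        val = int(raw)
    except ValueError:
        srv.problems.append(f"{keyword}: '{raw}' is not an integer")
        return None
    if not lo <= val <= hi:
        srv.problems.append(f"{keyword} {val} is outside {lo}..{hi}")
    return val


def _set_secret(srv, kind, value, max_len):
    """Record one secret form; the page says the three forms are mutually exclusive."""
    if srv.secret_kind is not None:
        srv.problems.append(f"{kind} conflicts with {srv.secret_kind}: only one form is allowed")
    srv.secret_kind, srv.secret = kind, value
    if value == "":
        srv.problems.append(f"{kind} is the null string: no encryption will be used")
    elif len(value) > max_len:
        srv.problems.append(f"{kind} is longer than {max_len} characters")


def parse_server_line(line, release_18_2_or_later=True):
    """Parse one 'server priority ...' line and attach findings to the result."""
    t = shlex.split(line)  # shlex keeps a quoted null string ("") as an empty token
    if len(t) < 5 or t[0] != "server" or t[1] != "priority" or t[3] != "ip-address":
        raise ValueError("expected: server priority N ip-address ADDR [options]")
    srv = TacacsServer(priority=int(t[2]), ip_address=t[4])
    max_prio = 4 if release_18_2_or_later else 3   # 1..4 on 18.2+, 1..3 before
    if not 1 <= srv.priority <= max_prio:
        srv.problems.append(f"priority {srv.priority} is outside 1..{max_prio}")
    explicit_services = set()
    i = 5
    while i < len(t):
        kw = t[i]
        if kw == "encrypted" and i + 1 < len(t) and t[i + 1] == "password":
            _set_secret(srv, "encrypted password", _value(t, i + 1, "encrypted password"), 100)
            i += 3
        elif kw in ("password", "key"):
            _set_secret(srv, kw, _value(t, i, kw), 32)
            i += 2
        elif kw == "nas-source-address":
            srv.nas_source_address = _value(t, i, kw)
            i += 2
        elif kw in ("port", "retries", "timeout"):
            lo, hi = {"port": (1, 65535), "retries": (0, 100), "timeout": (1, 1000)}[kw]
            val = _int_in_range(srv, kw, _value(t, i, kw), lo, hi)
            if val is not None:
                setattr(srv, kw, val)
            i += 2
        elif kw == "service":
            svc = _value(t, i, kw)
            if svc not in SERVICES:
                srv.problems.append(f"service '{svc}' is not accounting, authentication or authorization")
            else:
                explicit_services.add(svc)
            i += 2
        else:
            srv.problems.append(f"unknown keyword '{kw}'")
            i += 1
    if explicit_services:                     # no service keyword means all three
        srv.services = explicit_services
    if srv.secret_kind is None:
        srv.problems.append("no encrypted password, password or key: StarOS will not use encryption")
    if "authentication" not in srv.services and srv.services & {"accounting", "authorization"}:
        srv.problems.append("accounting/authorization without authentication will not be used")
    return srv


def lint_tacacs_block(config_text, release_18_2_or_later=True):
    """Lint every 'server priority' line in a config block, flagging redefined priorities."""
    servers, seen = [], set()
    for raw in config_text.splitlines():
        line = raw.strip()
        if not line.startswith("server priority"):
            continue
        srv = parse_server_line(line, release_18_2_or_later)
        if srv.priority in seen:
            srv.problems.append(f"priority {srv.priority} redefined: earlier settings for it are reset to defaults")
        seen.add(srv.priority)
        servers.append(srv)
    return servers


# Constructed sample configuration for this example (not from any real device).
SAMPLE_CONFIG = """
tacacs mode
  server priority 1 ip-address 192.0.2.10 encrypted password 0a1b2c3d4e5f port 49 timeout 10
  server priority 2 ip-address 192.0.2.11 service authentication
  server priority 2 ip-address 192.0.2.12 password s3cr3t service accounting
  server priority 5 ip-address 2001:db8::1 key k retries 200
"""

if __name__ == "__main__":
    for s in lint_tacacs_block(SAMPLE_CONFIG):
        print(f"priority {s.priority} {s.ip_address}: " + ("; ".join(s.problems) or "ok"))
```

Run against the sample block, the priority 1 entry passes, the first priority 2 entry is reported for having no secret, the second priority 2 entry for redefining the priority and for offering accounting without authentication, and the priority 5 entry for an out-of-range priority and retry count. Pass release_18_2_or_later=False to apply the pre-18.2 limit of three priorities.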