IronPort Systems 4108GL User Manual

9-20

Using Passwords and TACACS+ To Protect Against Unauthorized Access
TACACS+ Authentication for Central Control of Switch Access Security

Usi

n

g P

a

ssword

s a

nd

T

A

CA

CS

+

Syntax:

tacacs-server host <ip-addr>

Adds a TACACS+ server and optionally

[key ]

assigns a server-specific encryption key.

[no] tacacs-server host <ip-addr> Removes a TACACS+ server

assignment (including its server-
specific encryption key, if any)

.

tacacs-server key <key-string>

Enters the optional global encryption key.

[no] tacacs-server key

Removes the optional global encryption
key. (Does not affect any server-specific
encryption key assignments.)

tacacs-server timeout <1 . . 255>

Changes the wait period for a TACACS
server response. (Default: 5 seconds.)

N o t e o n
E n c r y p t i o n
K e ys

Encryption keys configured in the switch must exactly match the encryption
keys configured in TACACS+ servers the switch will attempt to use for
authentication.

If you configure a global encryption key, the switch uses it only with servers

for which you have not also configured a server-specific key. Thus, a global
key is more useful where the TACACS+ servers you are using all have an
identical key, and server-specific keys are necessary where different

TACACS+ servers have different keys.

If TACACS+ server “X” does not have an encryption key assigned for the
switch, then configuring either a global encryption key or a server-specific key
in the switch for server “X” will block authentication support from server “X”.