Setting optional tacacs and tacacs+ parameters, Setting the tacacs+ key – Brocade FastIron Ethernet Switch Security Configuration Guide User Manual

Page 49

The auth-port parameter specifies the UDP (for TACACS) or TCP (for TACACS+) port number of
the authentication port on the server. The default port number is 49.

Specifying different servers for individual AAA functions

In a TACACS+ configuration, you can designate a server to handle a specific AAA task. For example,
you can designate one TACACS+ server to handle authorization and another TACACS+ server to
handle accounting. You can set the TACACS+ key for each server.

To specify different TACACS+ servers for authentication, authorization, and accounting, enter
commands such as the following.

device(config)#tacacs-server host auth-port 49 authentication-only key abc
device(config)#tacacs-server host auth-port 49 authorization-only key def
device(config)#tacacs-server host auth-port 49 accounting-only key ghi

Syntax: tacacs-server host { ip-addr | ipv6-addr | server-name } [ auth-port num ] [ authentication-only | authorization-only | accounting-only | default ] [ key [ 0 | 1 ] string ]

The default parameter causes the server to be used for all AAA functions.

After authentication takes place, the server that performed the authentication is used for authorization
and accounting. If the authenticating server cannot perform the requested function, then the next server
in the configured list of servers is tried; this process repeats until a server that can perform the
requested function is found, or every server in the configured list has been tried.

Setting optional TACACS and TACACS+ parameters

You can set the following optional parameters in a TACACS and TACACS+ configuration:

• TACACS+ key - This parameter specifies the value that the Brocade device sends to the TACACS+
server when trying to authenticate user access.

• Retransmit interval - This parameter specifies how many times the Brocade device will resend an
authentication request when the TACACS/TACACS+ server does not respond. The retransmit value
can be from 1 - 5 times. The default is 3 times.

• Dead time - This parameter specifies how long the Brocade device waits for the primary
authentication server to reply before deciding the server is dead and trying to authenticate using the
next server. The dead-time value can be from 1 - 5 seconds. The default is 3 seconds.

• Timeout - This parameter specifies how many seconds the Brocade device waits for a response from
a TACACS/TACACS+ server before either retrying the authentication request, or determining that the
TACACS/TACACS+ servers are unavailable and moving on to the next authentication method in the
authentication-method list. The timeout can be from 1 - 15 seconds. The default is 3 seconds.

Setting the TACACS+ key

The key parameter in the tacacs-server command is used to encrypt TACACS+ packets before they
are sent over the network. The value for the key parameter on the Brocade device should match the
one configured on the TACACS+ server. The key can be from 1 - 32 characters in length and cannot
include any space characters.

The tacacs-server key command applies only to TACACS+ servers, not to TACACS servers. If you are
configuring TACACS, do not configure a key on the TACACS server and do not enter a key on the
Brocade device.
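The following is an added example, not code from the guide or from Brocade: a small Python script that parses `tacacs-server host` lines of the form shown in the syntax above, checks each key against the length and no-space rules stated in this section, and models the per-function server selection described under "Specifying different servers for individual AAA functions" (the authenticating server is tried first for authorization and accounting, then the rest of the configured list). The host addresses are constructed sample values, and the assumption that the configured order is the order of the configuration lines and that the search continues through every server is the example's own, not something the guide states.

```python
"""Added example (not Brocade code): parse FastIron-style `tacacs-server host`
lines, check the key rules this section states (1 - 32 characters, no spaces),
and model which server a login session ends up using for each AAA function.

Assumptions not stated by the guide: configured order is the order of the
`tacacs-server host` lines, and a server that cannot perform a function is
skipped in favour of the next one in that order until every server has been
tried.  Host addresses are constructed sample values (RFC 5737 range).
"""
from dataclasses import dataclass
from typing import List, Optional

FUNCTIONS = ("authentication", "authorization", "accounting")
ROLES = ("authentication-only", "authorization-only", "accounting-only", "default")


@dataclass(frozen=True)
class TacacsServer:
    host: str
    auth_port: int = 49          # default port number from the guide
    role: str = "default"        # default = serves all three AAA functions
    key: str = ""

    def can_perform(self, function: str) -> bool:
        return self.role == "default" or self.role == f"{function}-only"


def check_key(key: str) -> List[str]:
    """Return the key rules that `key` violates (empty list means the key is acceptable)."""
    problems = []
    if not 1 <= len(key) <= 32:
        problems.append("key must be 1 - 32 characters")
    if " " in key:
        problems.append("key cannot contain spaces")
    return problems


def parse_tacacs_server_line(line: str) -> Optional[TacacsServer]:
    """Parse one `tacacs-server host ...` line; return None for any other line."""
    tokens = line.strip().split()
    if tokens[:2] != ["tacacs-server", "host"] or len(tokens) < 3:
        return None
    host, auth_port, role, key = tokens[2], 49, "default", ""
    i = 3
    while i < len(tokens):
        tok = tokens[i]
        if tok == "auth-port":
            auth_port = int(tokens[i + 1])
            i += 2
        elif tok in ROLES:
            role = tok
            i += 1
        elif tok == "key":
            i += 1
            if i >= len(tokens):
                raise ValueError(f"'key' needs a string in: {line}")
            if i + 1 < len(tokens) and tokens[i] in ("0", "1"):  # optional 0|1 flag
                i += 1
            key = tokens[i]
            i += 1
        else:
            raise ValueError(f"unexpected token {tok!r} in: {line}")
    return TacacsServer(host, auth_port, role, key)


def parse_config(lines) -> List[TacacsServer]:
    """Collect the tacacs-server host entries of a configuration, in configured order."""
    return [s for s in map(parse_tacacs_server_line, lines) if s is not None]


def first_capable(servers, function, start=0) -> Optional[TacacsServer]:
    """First server able to perform `function`, scanning from index `start` through the list."""
    n = len(servers)
    for offset in range(n):
        s = servers[(start + offset) % n]
        if s.can_perform(function):
            return s
    return None


def aaa_plan(servers) -> dict:
    """Which server handles each AAA function once one of them has authenticated the user."""
    auth = first_capable(servers, "authentication")
    if auth is None:
        return {f: None for f in FUNCTIONS}
    start = servers.index(auth)   # the authenticating server is tried first for the rest
    plan = {"authentication": auth}
    for function in ("authorization", "accounting"):
        plan[function] = first_capable(servers, function, start)
    return plan


SAMPLE_CONFIG = [  # constructed sample mirroring the three-server layout in this section
    "tacacs-server host 192.0.2.10 auth-port 49 authentication-only key abc",
    "tacacs-server host 192.0.2.11 auth-port 49 authorization-only key def",
    "tacacs-server host 192.0.2.12 auth-port 49 accounting-only key ghi",
]

if __name__ == "__main__":
    servers = parse_config(SAMPLE_CONFIG)
    for s in servers:
        print(s.host, s.role, check_key(s.key) or "key OK")
    for function, s in aaa_plan(servers).items():
        print(f"{function:<15} -> {s.host if s else 'no capable server'}")
```

Running the script on the sample prints each server with its role and key check, then the server chosen for each AAA function; feeding it a running configuration whose only server is `authentication-only` shows `accounting` and `authorization` ending with no capable server, which is the misconfiguration the per-function keywords make easy to produce.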


