Tacacs, Table 10 – Brocade Network OS NETCONF Operations Guide v4.1.1 User Manual
53-1003231-02
Chapter 16: TACACS+
TACACS+ is an AAA server protocol that uses a centralized authentication server and multiple
Network Access Servers or clients. With TACACS+ support, management of Brocade switches
seamlessly integrates into these environments. Once configured to use TACACS+, a Brocade switch
becomes a Network Access Server (NAS).
This section provides procedures and examples for client-side configuration for TACACS+ servers.
For additional conceptual details about TACACS+ servers, and about server-side configuration,
refer to the Network OS Administrator’s Guide.
Each Brocade switch client must be configured individually to use TACACS+ servers. You can use
the NETCONF interface to specify the server IP address, authentication protocols, and other
parameters. You can configure a maximum of five TACACS+ servers on a Brocade switch for AAA
service.
The parameters in Table 10 are associated with a TACACS+ server that is configured on the switch.
NOTE
If you do not configure the key attribute, the authentication session will not be encrypted. The value
of key must match the value configured in the TACACS+ configuration file; otherwise, the
communication between the server and the switch fails.
Adding a TACACS+ server to the client’s server list
You must configure the Domain Name System (DNS) server on the switch prior to adding the
TACACS+ server with a domain name or a host name. Without the DNS server, name resolution of
the TACACS+ server fails and therefore the add operation fails. To configure the DNS server, edit
the
NOTE
When a list of servers is configured, failover from one server to another server happens only if a
TACACS+ server fails to respond; it does not happen when user authentication fails.
To add a TACACS+ server to the client’s server list, perform the following steps.
TABLE 10   TACACS+ server parameters

Parameter   Description
----------  -------------------------------------------------------------------
hostname    IP address (IPv4 or IPv6) or domain/host name of the TACACS+ server.
            A host name requires prior DNS configuration.
port        The TCP port used to connect to the TACACS+ server for authentication.
            The port range is 1 through 65535. The default port is 49.
protocol    The authentication protocol to be used. Options are CHAP and PAP.
            The default protocol is CHAP.
key         The shared secret between the switch and the TACACS+ server. The
            default value is "sharedsecret". The key cannot contain spaces and
            must be from 8 through 40 characters in length. Empty keys are not
            supported.
retries     The number of attempts permitted to connect to a TACACS+ server.
            The range is 0 through 100. The default value is 5.
timeout     The maximum amount of time to wait for a server to respond. The
            range is 1 through 60 seconds. The default value is 5 seconds.
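As an added example (not code from the Brocade guide), the following pre-flight check applies the Table 10 ranges and defaults, the five-server limit, the DNS prerequisite and the unencrypted-session note to a list of server entries before they are pushed over NETCONF. The dns_configured flag is an assumed input standing for whether the switch already has a DNS server configured.

```python
"""Check TACACS+ server entries against the rules in Table 10 before they
are pushed to a Brocade switch over NETCONF.  Added example, not code from
the Brocade guide; dictionary keys mirror the Table 10 parameter names."""
import ipaddress

MAX_SERVERS = 5                      # per-switch limit stated in the text
DEFAULTS = {"port": 49, "protocol": "CHAP", "key": "sharedsecret",
            "retries": 5, "timeout": 5}

def _is_ip(value):
    """True for a literal IPv4/IPv6 address, False for a host/domain name."""
    try:
        ipaddress.ip_address(value)
        return True
    except ValueError:
        return False

def validate_server(server, dns_configured=True):
    """Return the problems in one entry; an empty list means it is valid.
    Parameters left out are filled with the Table 10 defaults first."""
    cfg = {**DEFAULTS, **server}
    problems = []
    host = cfg.get("hostname")
    if not host:
        problems.append("hostname is required")
    elif not _is_ip(host) and not dns_configured:   # assumed DNS flag
        problems.append("host name needs DNS configured first; add will fail")
    if not 1 <= cfg["port"] <= 65535:
        problems.append("port must be 1 through 65535")
    if cfg["protocol"] not in ("CHAP", "PAP"):
        problems.append("protocol must be CHAP or PAP")
    key = cfg["key"]
    if not key or " " in key or not 8 <= len(key) <= 40:
        problems.append("key must be 8 through 40 characters with no spaces")
    if "key" not in server:           # NOTE in the text: session unencrypted
        problems.append("key attribute not set; session is not encrypted")
    if not 0 <= cfg["retries"] <= 100:
        problems.append("retries must be 0 through 100")
    if not 1 <= cfg["timeout"] <= 60:
        problems.append("timeout must be 1 through 60 seconds")
    return problems

def validate_server_list(servers, dns_configured=True):
    """Map each hostname to its problems and enforce the five-server limit."""
    report = {s.get("hostname", "?"): validate_server(s, dns_configured)
              for s in servers}
    if len(servers) > MAX_SERVERS:
        report["_list"] = [f"at most {MAX_SERVERS} TACACS+ servers per switch"]
    return report
```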