Brocade Multi-Service IronWare Security Configuration Guide (Supporting R05.6.00) User Manual

53-1003035-02

Configuring TACACS or TACACS+ security

NOTE

If you erase a tacacs-server command (by entering “no” followed by the command), make sure you also erase the aaa commands that specify TACACS or TACACS+ as an authentication method. (Refer to “Configuring authentication-method lists for TACACS or TACACS+”.) Otherwise, when you exit from the CONFIG mode or from a Telnet session, the system continues to believe it is TACACS or TACACS+ enabled and you will not be able to access the system.

The auth-port parameter specifies the UDP (for TACACS) or TCP (for TACACS+) port number of the
authentication port on the server. The default port number is 49.

Specifying different servers for individual AAA TACACS functions

In a TACACS+ configuration, you can designate a server to handle a specific AAA task. For example,
you can designate one TACACS+ server to handle authorization and another TACACS+ server to
handle accounting. You can set the TACACS+ key for each server.

To specify different TACACS+ servers for authentication, authorization, and accounting, enter a
command such as the following.

Syntax: [no] tacacs-server host ip-addr | server-name [auth-port number [authentication-only | authorization-only | accounting-only | default] [key string]]

The host ip-addr | server-name parameter is either an IP address or an ASCII text string.

The auth-port number parameter is the Authentication port number; it is an optional parameter.

Enter accounting-only if the server is used only for TACACS accounting. Enter authentication-only if the server is used only for TACACS authentication. Enter authorization-only if the server is used only for TACACS authorization. Entering the default parameter causes the server to be used for all AAA TACACS functions.

After authentication takes place, the server that performed the authentication is used for
authorization, accounting or both. If the authenticating server cannot perform the requested
function, then the next server in the configured list of servers is tried; this process repeats until
either a server that can perform the requested function is found, or every server in the configured
list has been tried.

Enter key and configure a key for the server if an authentication key is to be used. By default, the key is stored encrypted. If you want the key to be in clear text, insert a 0 between key and string.

Example

Brocade(config)# tacacs-server host 10.2.3.5 auth-port 49 authorization-only key 0 report

The software adds a prefix to the authentication key string in the configuration. For example, the
prefix “2” is added to the authorization key string in the following example.

tacacs-server host 10.2.3.6 auth-port 49 authorization-only key 2 $D?@d=8

The prefix can be one of the following:

Brocade(config)# tacacs-server host 1.2.3.4 auth-port 49 authentication-only key abc

Brocade(config)# tacacs-server host 1.2.3.5 auth-port 49 authorization-only key define

Brocade(config)# tacacs-server host 1.2.3.6 auth-port 49 accounting-only key ghi
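As an added example (not from the Brocade guide), a small Python checker that parses tacacs-server lines in the syntax above and flags the two risks this section raises: keys entered in clear text (key 0) and aaa commands that still name TACACS+ after every tacacs-server has been removed (the lockout the NOTE warns about). The aaa line form, the sample addresses and the key strings are constructed assumptions.

```python
import re
from dataclasses import dataclass

# Matches the syntax on this page:
#   [no] tacacs-server host <ip|name> [auth-port N [role] [key [0|2] string]]
# The optional "0" / "2" in front of the key string is the prefix described above.
TACACS_RE = re.compile(
    r"^\s*(?P<neg>no\s+)?tacacs-server\s+host\s+(?P<host>\S+)"
    r"(?:\s+auth-port\s+(?P<port>\d+))?"
    r"(?:\s+(?P<role>authentication-only|authorization-only|accounting-only|default))?"
    r"(?:\s+key\s+(?:(?P<prefix>[02])\s+)?(?P<key>\S+))?\s*$"
)
# Assumed form of an aaa line naming TACACS/TACACS+ as a method, e.g.
# "aaa authentication login default tacacs+ local" (constructed, not from this page).
AAA_TACACS_RE = re.compile(r"^\s*aaa\s.*\btacacs\+?(?=\s|$)")

@dataclass
class TacacsServer:
    host: str
    port: int          # defaults to 49, as the page states
    role: str          # authentication-only / authorization-only / accounting-only / default
    key_clear: bool    # True when the operator typed "key 0 <string>"

def parse_config(text):
    """Apply the lines in order; a 'no tacacs-server host X' line removes X."""
    servers, aaa_uses_tacacs = {}, False
    for line in text.splitlines():
        m = TACACS_RE.match(line)
        if m:
            if m.group("neg"):
                servers.pop(m.group("host"), None)
            else:
                servers[m.group("host")] = TacacsServer(
                    host=m.group("host"), port=int(m.group("port") or 49),
                    role=m.group("role") or "default", key_clear=m.group("prefix") == "0")
        elif AAA_TACACS_RE.match(line):
            aaa_uses_tacacs = True
    return servers, aaa_uses_tacacs

def audit(text):
    """Return human-readable findings for a config snippet."""
    servers, aaa_uses_tacacs = parse_config(text)
    findings = []
    if aaa_uses_tacacs and not servers:
        findings.append("aaa still references TACACS/TACACS+ but no tacacs-server remains: lockout risk")
    for s in servers.values():
        if s.key_clear:
            findings.append(f"{s.host}: key entered in clear text (key 0)")
    roles = {s.role for s in servers.values()}
    # A role-restricted server answers only its own function, so some server must authenticate.
    if aaa_uses_tacacs and servers and not roles & {"default", "authentication-only"}:
        findings.append("no server is allowed to perform authentication")
    return findings

# Constructed sample: two role-restricted servers, one with a clear-text key.
SAMPLE_CONFIG = """\
tacacs-server host 10.2.3.5 auth-port 49 authorization-only key 0 report
tacacs-server host 10.2.3.6 auth-port 49 accounting-only key 2 $D?@d=8
aaa authentication login default tacacs+ local
"""
# Same config after both servers are erased with "no", but the aaa line is left behind.
LOCKOUT_CONFIG = SAMPLE_CONFIG + "no tacacs-server host 10.2.3.5\nno tacacs-server host 10.2.3.6\n"
```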