CTR 8500-8300 3.6.0 TACACS+ CLI Commands - July 2018
TACACS+
CLI Commands
Version 3.6.0
260-668517-001
Build 41.5505
Warranty
Aviat Networks makes no representation or warranties with respect to the contents hereof
and specifically disclaims any implied warranties of merchantability or fitness for any
particular purpose.
Further, Aviat Networks reserves the right to revise this publication and to make changes
from time to time in the content hereof without obligation of Aviat Networks to notify any
person of such revision or changes.
Safety Recommendations
The following safety recommendations must be considered to avoid injuries to persons
and/or damage to the equipment:
1. Installation and Service Personnel: Installation and service must be carried out by
authorized personnel who have the technical training and experience necessary to be
aware of any hazardous operations during installation and service, and of measures to
avoid any danger to themselves, to any other personnel, and to the equipment.
2. Access to the Equipment: Access to the equipment in use must be restricted to service
personnel only.
3. Safety Norms: Recommended safety norms are detailed in the Health and Safety
sections of the Eclipse User Manual.
4. Service Personnel Skill: Service personnel must have received adequate technical
training on telecommunications and in particular on the equipment and capabilities this
addendum refers to.
Trademarks
All trademarks are the property of their respective owners.
Americas Technical Help Desk
Aviat Networks, Inc.
San Antonio, TX
U.S.A.
Phone: +1 210 526 6345
Toll Free (USA): +1 800 227 8332
Fax: +1 210 526 6315
Email: TAC.AM@aviatnet.com

EMEA Technical Help Desk
Aviat Networks
Blantyre, Glasgow, Scotland
G72 0FB
United Kingdom
Phone: +1 210 526 6345
Fax: +44 16 9871 7204 (English)
     +33 1 5552 8012 (French)
Email: TAC.EMEA@aviatnet.com

Asia Pacific Technical Help Desk
Aviat Networks
Clark Freeport Zone
Philippines 2023
Phone: +1 210 526 6345
Fax: +63 45 599 5196
Email: TAC.APAC@aviatnet.com

Or you can contact your local Aviat Networks office. Contact information is available on our
website at: http://www.aviatnetworks.com/services/customer-support/technical-assistance/
Chapter 2: TACACS+
TACACS+ (Terminal Access Controller Access-Control System) is a protocol for handling
remote authentication and related services for networked access control through a
centralized server. TACACS+ was developed by Cisco as an improvement on the original
TACACS protocol, which dates to 1984, and a later proprietary extension called Extended
TACACS (XTACACS). TACACS+ is not backwards compatible with either of these earlier
protocols, which it has largely replaced. TACACS+ was released as an open standard in
1993. TACACS+ handles authentication, authorization, and accounting (AAA) services.
The list of commands for TACACS+ is as follows:
- aaa accounting login tacacs
- no aaa accounting login tacacs
- no tacacs-server
- show aaa
- show tacacs-server
- tacacs-client timeout
- tacacs-server
Configuring TACACS+
Follow these steps to configure TACACS+:
- Enable TACACS+ using the login authentication command (see Node
  Administration CLI Commands). The user also has an option to specify fallback
  to local login procedures in the event that a TACACS+ server cannot be
  contacted (see Configuration notes below).
- Add the TACACS+ server(s) with the tacacs-server command. Up to three
  servers may be configured on a priority basis, with server 1 being the highest
  priority. The client attempts to contact server 1 first; if that fails, it
  attempts server 2, and so on. If the client cannot contact any of the configured
  servers and fallback to 'local' is not specified, the user login attempt will be
  rejected. If fallback to local is configured, then local login procedures will be
  attempted.
- Configure the server timeout.
- If accounting is required, configure this by using the aaa accounting login tacacs
  command.
NOTE: Configuration Notes: While configuring the TACACS+ server, keep
the following points in mind:
aaa accounting login tacacs
Syntax
aaa accounting login tacacs
Parameter Description
tacacs
Specifies TACACS+ Accounting is enabled.
Mode
Global Configuration Mode
Defaults
no aaa accounting login tacacs
Example
aos (config)# aaa accounting login tacacs
Related Commands
login authentication
Controls if TACACS+ is enabled or not (in Node Administration CLI Commands).
tacacs-server
Register new TACACS+ server.
no tacacs-server
Deregister TACACS+ server.
tacacs-client timeout
Set server timeout.
show tacacs-server
Displays tacacs-server configuration.
show aaa
Displays what method is being used for Authentication, Authorization and Accounting.
no aaa accounting login tacacs
Syntax
no aaa accounting login tacacs
Parameter Description
tacacs
Specifies TACACS+ Accounting is disabled.
Mode
Global Configuration Mode
Defaults
TACACS+ accounting is disabled.
Example
aos (config)# no aaa accounting login tacacs
Related Commands
login authentication
Controls if TACACS+ is enabled or not (in Node Administration CLI Commands).
tacacs-server
Register new TACACS+ server.
no tacacs-server
Deregister TACACS+ server.
tacacs-client timeout
Set server timeout.
show tacacs-server
Displays tacacs-server configuration.
show aaa
Displays what method is being used for Authentication, Authorisation and Accounting.
no tacacs-server
Command Objective
This command is used to remove the server which was registered at the specified index,
allowing for a new server to be registered at that index. After removal, no connection
attempt will be made to this server.
Syntax
no tacacs-server <index(1-3)>
Parameter Description
index
A number between 1 and 3, indicating the server to be removed.
Mode
Global Configuration Mode
Defaults
index
Example
aos (config)# no tacacs-server 2
Related Commands
login authentication
Controls if TACACS+ is enabled or not (in Node Administration CLI Commands).
tacacs-server
Register new TACACS+ server.
tacacs-client timeout
Set server timeout.
show tacacs-server
Displays tacacs-server configuration.
show aaa
Displays what method is being used for Authentication, Authorisation and Accounting.
show aaa
Command Objective
This command displays what method is being used for authentication, authorization and
accounting.
Syntax
show aaa
Parameter Description
aaa
Specifies aaa to display the operational state of Authentication, Authorization and
Accounting.
Mode
Global Configuration Mode
Example
aos# show aaa
Authentication: TACACS+ only
Authorization: TACACS+ EXEC only
Accounting: TACACS+
Related Commands
login authentication
Controls if TACACS+ is enabled or not (in Node Administration CLI Commands).
tacacs-server
Register new TACACS+ server.
tacacs-client timeout
Set server timeout.
show tacacs-server
Displays tacacs-server configuration.
no tacacs-server
Deregister TACACS+ server.
show tacacs-server
Command Objective
This command lists the address and port of all TACACS+ servers that have been registered
with the TACACS+ client. If the user provides an index, only the details of that server are
displayed.
Syntax
show tacacs-server [<index(1-3)>]
Parameter Description
index
A number between 1 and 3, where index 1 is the first server to be displayed and index
3 is the last.
Mode
Global Configuration Mode
Example
aos# show tacacs-server 1
Server: 1
Address : 12.0.0.100
TCP port : 49
Related Commands
login authentication
Controls if TACACS+ is enabled or not (in Node Administration CLI Commands).
tacacs-server
Register new TACACS+ server.
no tacacs-server
Deregister TACACS+ server.
tacacs-client timeout
Set server timeout.
show aaa
Displays what method is being used for Authentication, Authorisation and Accounting.
tacacs-client timeout
Command Objective
This command sets the maximum amount of time in seconds which will be spent waiting for
a TACACS+ server to respond before moving on and attempting a connection on the next
server.
Syntax
tacacs-client timeout {<seconds(1-10)>}
Parameter Description
seconds
A number between 1 and 10 which specifies the number of seconds spent waiting for
a response from a TACACS+ server before assuming failure.
Mode
Global Configuration Mode
Defaults
5
Example
aos (config)# tacacs-client timeout 3
Related Commands
login authentication
Controls if TACACS+ is enabled or not (in Node Administration CLI Commands).
tacacs-server
Register new TACACS+ server.
no tacacs-server
Deregister TACACS+ server.
show tacacs-server
Displays tacacs-server configuration.
show aaa
Displays what method is being used for authentication, authorization and accounting.
tacacs-server
Command Objective
This command registers a new TACACS+ server, specifying its address, port, and shared
key. The user can also provide an index which is used to determine the order in which
connection attempts will be made to the server. The server registered with the lowest index
is the first server that the CTR will try connecting to when authenticating a user. If CTR is
unable to establish a connection with the first server, it will try with the next server which
has a higher index value. This will continue until all of the registered servers have been tried
and none have resulted in a successful connection.
Syntax
tacacs-server [<index(1-3)>] address {<ipv4-address> | <ipv6-address>} [port <tcp-port(1-65535)>] {key <secret key>}
Parameter Description
index
A number between 1 and 3, where index 1 is the first server to try to connect to and
index 3 is the last. Two servers cannot share the same index.
ipv4-address
Configures the IPv4 address of the TACACS+ server host.
ipv6-address
Configures the IPv6 address of the TACACS+ server host.
tcp-port
Configures a specific TCP (Transmission Control Protocol) port to be used by the
TACACS+ protocol. The valid range of values is 1-65535.
secret-key
Configures the per-server encryption key, which specifies the authentication and
encryption key for all TACACS+ communications between the authenticator and the
TACACS+ server. The maximum length of the secret key string is 64 ASCII
characters. The key cannot contain white space or double quote characters.
Mode
Defaults
index: 1
tcp-port: 49
Example
aos (config)# tacacs-server address 12.0.0.1 key secret123
aos (config)# tacacs-server 2 address 12.0.0.2 port 18001 key secret456
Related Commands
login authentication
Controls if TACACS+ is enabled or not (in Node Administration CLI Commands).
no tacacs-server
Deregister TACACS+ server.
tacacs-client timeout
Set server timeout.
show tacacs-server
Displays tacacs-server configuration.
show aaa
Displays what method is being used for Authentication, Authorization and Accounting.
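Added example, not part of the Aviat manual: a Python audit that checks tacacs-server lines from a saved configuration against the Syntax, Parameter Description and Defaults given for the tacacs-server command above. The function name, the 16-character minimum key length and the key-reuse check are assumptions for illustration, and the sample lines are constructed.

```python
import ipaddress
import re

# Grammar from the Syntax line: [index 1-3] address <ip> [port 1-65535] key <secret>
LINE_RE = re.compile(r"^tacacs-server(?:\s+(?P<index>\d+))?\s+address\s+(?P<addr>\S+)"
                     r"(?:\s+port\s+(?P<port>\d+))?\s+key\s+(?P<key>.+)$")
MIN_KEY_LEN = 16  # assumption: local policy floor, not a value from the manual

def audit_tacacs_servers(config_text):
    """Return findings for tacacs-server lines; key values are never echoed."""
    findings, by_index, by_key = [], {}, {}
    for lineno, raw in enumerate(config_text.splitlines(), 1):
        line = raw.strip()
        if not line.startswith("tacacs-server"):
            continue
        m = LINE_RE.match(line)
        if m is None:
            findings.append(f"line {lineno}: does not match the documented syntax")
            continue
        # Documented defaults: index 1, tcp-port 49.
        index, port, key = int(m["index"] or 1), int(m["port"] or 49), m["key"]
        first_use = by_index.setdefault(index, lineno)
        if not 1 <= index <= 3:
            findings.append(f"line {lineno}: index {index} outside 1-3")
        elif first_use != lineno:
            findings.append(f"line {lineno}: index {index} already used on line {first_use}")
        try:
            ipaddress.ip_address(m["addr"])
        except ValueError:
            findings.append(f"line {lineno}: invalid server address")
        if not 1 <= port <= 65535:
            findings.append(f"line {lineno}: port {port} outside 1-65535")
        if len(key) > 64 or not key.isascii() or '"' in key or any(c.isspace() for c in key):
            findings.append(f"line {lineno}: key violates the documented constraints")
        elif len(key) < MIN_KEY_LEN:
            findings.append(f"line {lineno}: key shorter than {MIN_KEY_LEN} characters")
        if by_key.setdefault(key, lineno) != lineno:  # reuse flagged as a hygiene assumption
            findings.append(f"line {lineno}: key reused from line {by_key[key]}")
    return findings

# Constructed sample input (not from a real device), commands without the CLI prompt.
SAMPLE_CONFIG = """\
tacacs-server address 12.0.0.1 key secret123
tacacs-server 2 address 12.0.0.2 port 18001 key secret123
tacacs-server 2 address 2001:db8::49 key Zr8q-Lm3v_Xc7n.Tb5w
tacacs-server 4 address 12.0.0.300 port 70000 key "bad key"
"""

if __name__ == "__main__":
    print("\n".join(audit_tacacs_servers(SAMPLE_CONFIG)))
```

Findings carry line numbers only, so the audit output can be attached to a ticket without exposing the shared keys.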