Securing Access to Management Functions
December 2000
NOTE: To specify the server’s host name instead of its IP address, you must first identify a DNS server using the ip dns server-address <ip-addr> command at the global CONFIG level.
If you add multiple TACACS/TACACS+ authentication servers to the Foundry device, the device tries to reach them in the order you add them. For example, if you add three servers in the following order, the software tries the servers in the same order:
1. 207.94.6.161
2. 207.94.6.191
3. 207.94.6.122
You can remove a TACACS/TACACS+ server by entering no followed by the tacacs-server command. For example, to remove 207.94.6.161, enter the following command:
BigIron(config)# no tacacs-server host 207.94.6.161
NOTE: If you erase a tacacs-server command (by entering “no” followed by the command), make sure you also erase the aaa commands that specify TACACS/TACACS+ as an authentication method. (See “Configuring Authentication-Method Lists for TACACS/TACACS+” on page 3-24.) Otherwise, when you exit from the CONFIG mode or from a Telnet session, the system continues to believe it is TACACS/TACACS+ enabled and you will not be able to access the system.
The auth-port parameter specifies the UDP (for TACACS) or TCP (for TACACS+) port number of the authentication port on the server. The default port number is 49.
Setting Optional TACACS/TACACS+ Parameters
You can set the following optional parameters in a TACACS/TACACS+ configuration:
• TACACS+ key – This parameter specifies the value that the Foundry device sends to the server when trying to authenticate user access.
• Retransmit interval – This parameter specifies how many times the Foundry device will resend an authentication request when the TACACS/TACACS+ server does not respond. The retransmit value can be from 1 – 5 times. The default is 3 times.
• Dead time – This parameter specifies how long the Foundry device waits for the primary authentication server to reply before deciding the server is dead and trying to authenticate using the next server. The dead-time value can be from 1 – 5 seconds. The default is 3 seconds.
• Timeout – This parameter specifies how many seconds the Foundry device waits for a response from a TACACS/TACACS+ server before either retrying the authentication request, or determining that the TACACS/TACACS+ servers are unavailable and moving on to the next authentication method in the authentication-method list. The timeout can be from 1 – 15 seconds. The default is 3 seconds.
Setting the Key
The key parameter in the tacacs-server command is used to encrypt packets before they are sent over the network. The value for the key parameter on the Foundry device should match the one configured on the server. The key can be from 1 – 32 characters in length.
NOTE: The tacacs-server key command applies only to TACACS+ servers, not to TACACS servers. If you are configuring TACACS, do not configure a key on the TACACS server and do not enter a key on the Foundry device.
To specify a server key:
BigIron(config)# tacacs-server key rkwong
Syntax: tacacs-server key <key-string>
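The lockout condition in the NOTE above and the value ranges listed under the optional parameters can be checked offline against a saved configuration before it is applied. The following is an added example, not code from the Foundry guide. It assumes that the retransmit, dead-time and timeout settings are entered as tacacs-server sub-commands and that aaa method lists name the method as "tacacs" or "tacacs+"; neither form is shown on this page.

```python
# Ranges are the ones stated on this page. Only "host" and "key" appear on the
# page as tacacs-server sub-commands; the other three names are assumed.
RANGES = {"retransmit": (1, 5), "dead-time": (1, 5), "timeout": (1, 15)}

def audit_tacacs(config):
    """Return a list of findings for a saved configuration (plain text)."""
    findings, hosts, methods, key = [], [], set(), None
    for raw in config.splitlines():
        tokens = raw.split()
        if len(tokens) >= 3 and tokens[0] == "tacacs-server":
            param, value = tokens[1], tokens[2]
            if param == "host":
                hosts.append(value)
            elif param == "key":
                key = value
                if not 1 <= len(value) <= 32:
                    findings.append(f"key length {len(value)} outside 1-32")
            elif param in RANGES:
                lo, hi = RANGES[param]
                if not (value.isdigit() and lo <= int(value) <= hi):
                    findings.append(f"{param} {value} outside {lo}-{hi}")
        elif tokens and tokens[0] == "aaa":
            # Assumed: the method list names the method as "tacacs" or "tacacs+".
            methods.update(t for t in tokens if t in ("tacacs", "tacacs+"))
    # The NOTE's lockout case: aaa still points at TACACS/TACACS+, no server left.
    if methods and not hosts:
        findings.append("aaa still lists " + "/".join(sorted(methods))
                        + " but no tacacs-server host is defined: lockout risk")
    # The key applies to TACACS+ only, per the NOTE under "Setting the Key".
    if key is not None and methods == {"tacacs"}:
        findings.append("key is set but only TACACS is used; the key applies to TACACS+ only")
    return findings

# Constructed sample configurations (not taken from a real device).
SAMPLE = """\
tacacs-server host 207.94.6.191
tacacs-server host 207.94.6.122
tacacs-server retransmit 7
tacacs-server timeout 10
aaa authentication login default tacacs+ local
"""
AFTER_REMOVAL = "aaa authentication login default tacacs+ local\n"

if __name__ == "__main__":
    for name, cfg in (("SAMPLE", SAMPLE), ("AFTER_REMOVAL", AFTER_REMOVAL)):
        print(name, audit_tacacs(cfg))
```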