3-18
Software Configuration Guide—Release 15.0(2)SG
OL-23818-01
Chapter 3 Configuring the Switch for the First Time
Controlling Access to Privileged EXEC Commands
• Configuring TACACS+ Authorization for Privileged EXEC Access and Network Services, page 3-21
• Starting TACACS+ Accounting, page 3-21
Default TACACS+ Configuration
TACACS+ and AAA are disabled by default.
To prevent a lapse in security, you cannot configure TACACS+ through a network management
application. When enabled, TACACS+ can authenticate users accessing the switch through the CLI.
Note: Although TACACS+ configuration is performed through the CLI, the TACACS+ server authenticates HTTP connections that have been configured with a privilege level of 15.
Identifying the TACACS+ Server Host and Setting the Authentication Key
You can configure the switch to use a single server, or you can define AAA server groups that collect existing server hosts for authentication. Grouping lets you select a subset of the configured server hosts and use that subset for a particular service. A server group works together with the global server-host list and contains the IP addresses of the selected server hosts.

To identify the IP host or hosts maintaining a TACACS+ server, and optionally to set the encryption key, perform this task, beginning in privileged EXEC mode:
Command / Purpose

Step 1: configure terminal
  Enters global configuration mode.

Step 2: tacacs-server host hostname [port integer] [timeout integer] [key string]
  Identifies the IP host or hosts maintaining a TACACS+ server. Enter this command multiple times to create a list of preferred hosts. The software searches for hosts in the order in which you specify them.
  • For hostname, specify the name or IP address of the host.
  • (Optional) For port integer, specify a server port number. The default is port 49. The range is 1 to 65535.
  • (Optional) For timeout integer, specify the time in seconds the switch waits for a response from the daemon before it times out and declares an error. The default is 5 seconds. The range is 1 to 1000 seconds.
  • (Optional) For key string, specify the encryption key for encrypting and decrypting all traffic between the switch and the TACACS+ daemon. You must configure the same key on the TACACS+ daemon for encryption to succeed.

Step 3: aaa new-model
  Enables AAA.

Step 4: aaa group server tacacs+ group-name
  (Optional) Defines the AAA server group with a group name. This command puts the switch in server group subconfiguration mode.

Step 5: server ip-address
  (Optional) Associates a particular TACACS+ server with the defined server group. Repeat this step for each TACACS+ server in the AAA server group. Each server in the group must have been previously defined in Step 2.

Step 6: end
  Returns to privileged EXEC mode.
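The following is an added example that strings Steps 1 through 6 together; it is not taken from the guide. It assumes two TACACS+ daemons at 192.0.2.10 and 192.0.2.11, a group name of MGMT-TACACS, and a placeholder shared key; substitute your own values. Lines beginning with "!" are IOS comments and can be pasted along with the commands.

```text
! Added example (not from the guide): paste at the privileged EXEC prompt.
configure terminal
 ! Two daemons, tried in the order listed. A 3 second timeout shortens the
 ! wait before the second host is tried if the first does not answer.
 ! "key" consumes the rest of the line, so it is placed last; the value is a
 ! placeholder and must be identical on each daemon.
 tacacs-server host 192.0.2.10 port 49 timeout 3 key S3cureSharedKeyPlaceholder
 tacacs-server host 192.0.2.11 port 49 timeout 3 key S3cureSharedKeyPlaceholder
 aaa new-model
 ! Collect both hosts under a name that AAA method lists can reference.
 ! Each "server" entry must match a host defined with tacacs-server host above.
 aaa group server tacacs+ MGMT-TACACS
  server 192.0.2.10
  server 192.0.2.11
 end
```

After entering the commands, show tacacs lists the configured hosts with their port, timeout, and packet counters, and show running-config confirms that the group contains both servers (the key appears obfuscated or as an encrypted type 7 string, depending on the platform's password-encryption settings). Enabling aaa new-model takes effect immediately and changes the default login behaviour for the lines, so keep the console session open and verify access before disconnecting; the method lists that bind this group to login authentication are covered in the following sections.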