Configuring Tacacs; Configuring The Tacacs+ Server Host - Cisco Catalyst 2950 Software Manual

Desktop switch software configuration guide

Configuring TACACS+

You can use the Terminal Access Controller Access Control System Plus (TACACS+) to manage
network security (authentication, authorization, and accounting [AAA]) from a server. This section
describes how TACACS+ works and how you can configure it. For complete syntax and usage
information for the commands described in this chapter, refer to the Cisco IOS Release 12.1 Security
Command Reference.

You can only configure this feature by using the CLI; you cannot configure it through the Cluster
Management Suite.

Note: If TACACS+ is configured on the command switch, TACACS+ must also be configured on all member
switches to access the switch cluster from CMS. For more information about switch clusters, see
Chapter 5, "Clustering Switches."

In large enterprise networks, the task of administering passwords on each device can be simplified by
centralizing user authentication on a server. TACACS+ is an access-control protocol that allows a switch
to authenticate all login attempts through a central server. The network administrator configures the
switch with the address of the TACACS+ server, and the switch and the server exchange messages to
authenticate each user before allowing access to the management console.

TACACS+ consists of three services: authentication, authorization, and accounting. Authentication
determines who the user is and whether or not the user is allowed access to the switch. Authorization
determines what the user is allowed to do on the system. Accounting collects data related to resource
usage.

The TACACS+ feature is disabled by default. However, you can enable and configure it by using the CLI.
You can access the CLI through the console port or through Telnet. To prevent a lapse in security, you
cannot configure TACACS+ through a network-management application. When enabled, TACACS+ can
authenticate users accessing the switch through the CLI.

Note: Although the TACACS+ configuration is performed through the CLI, the TACACS+ server authenticates
HTTP connections that have been configured with a privilege level of 15.

Configuring the TACACS+ Server Host

Use the tacacs-server host privileged EXEC command to specify the names of the IP host or hosts
maintaining an AAA/TACACS+ server. On TACACS+ servers, you can configure these additional
options:

- Number of seconds that the switch waits while trying to contact the server before timing out.
- Encryption key to encrypt and decrypt all traffic between the router and the daemon.
- Number of attempts that a user can make when entering a command that is being authenticated by
  TACACS+.

Beginning in privileged EXEC mode, follow these steps to configure the TACACS+ server.

Catalyst 2950 Desktop Switch Software Configuration Guide
6-20
Chapter 6
Configuring the System
78-11380-03
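
An added example, not from the Cisco guide: a Python check over saved running-configs that flags a TACACS+ server defined without an encryption key, and cluster members that lack TACACS+ while the command switch has it. The config line forms it parses (`tacacs-server host <addr> [timeout <n>] [key <string>]` and global `tacacs-server key|timeout|attempts`), the finding names, and the sample switches are assumptions.

```python
import re

HOST_RE = re.compile(r"^tacacs-server host (\S+)(.*)$")
GLOBAL_RE = re.compile(r"^tacacs-server (key|timeout|attempts) (\S+)")

def parse_tacacs(config_text):
    """Collect TACACS+ settings; key strings are reduced to True/False."""
    out = {"hosts": {}, "key": False, "timeout": None, "attempts": None}
    for line in map(str.strip, config_text.splitlines()):
        m = HOST_RE.match(line)
        if m:
            # Assumed option order: the key comes last and runs to end of line.
            head, has_key, _ = m.group(2).partition(" key ")
            t = re.search(r"\btimeout (\d+)", head)
            out["hosts"][m.group(1)] = {
                "key": bool(has_key),
                "timeout": int(t.group(1)) if t else None,
            }
            continue
        m = GLOBAL_RE.match(line)
        if m:
            name, value = m.groups()
            if name == "key":
                out["key"] = True  # never store the secret itself
            else:
                out[name] = int(value) if value.isdigit() else None
    return out

def audit_cluster(configs, command_switch):
    """Return sorted (switch, finding) pairs for a cluster's configs."""
    parsed = {name: parse_tacacs(text) for name, text in configs.items()}
    cmd_uses_tacacs = bool(parsed[command_switch]["hosts"])
    findings = []
    for name in sorted(parsed):
        p = parsed[name]
        if not p["hosts"]:
            # Page note: members need TACACS+ when the command switch has it.
            if cmd_uses_tacacs and name != command_switch:
                findings.append((name, "tacacs-missing-on-member"))
            continue
        for host in sorted(p["hosts"]):
            if not (p["hosts"][host]["key"] or p["key"]):
                findings.append((name, "no-key:" + host))
    return findings

# Constructed sample configs (documentation address, made-up key).
SAMPLE = {
    "cmd-sw": "tacacs-server host 192.0.2.10 timeout 5 key EXAMPLE-KEY\ntacacs-server attempts 3\n",
    "member-1": "tacacs-server host 192.0.2.10\ntacacs-server timeout 10\n",
    "member-2": "hostname member-2\n",
}
```

Calling `audit_cluster(SAMPLE, "cmd-sw")` reports the keyless server on `member-1` and the missing TACACS+ configuration on `member-2`.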
