TACACS+ Configuration
- Tracy Yang (Unlicensed)
TACACS + uses TCP reliable transmission and data encryption transmission, it is a more secure AAA feature.
PicOS supports a maximum of eight TACACS+ servers. When multiple TACACS+ servers are configured, only one will be used, the IP addresses are used in alphabetical order.
For example, the following TACACS+ servers are configured.
set system aaa tacacs-plus server-ip 146.13.191.77 set system aaa tacacs-plus server-ip 146.13.191.78 set system aaa tacacs-plus server-ip 1.1.1.1 set system aaa tacacs-plus server-ip 2.2.2.2 set system aaa tacacs-plus server-ip 3.3.3.3
The servers will be used in below order.
|
Configuring TACACS+
Procedure
Step1 Enable TACACS+ function.
set system aaa tacacs-plus disable <true | false>
Step2 Configure TACACS+ shared key.
set system aaa tacacs-plus key <string>
The value of TACACS+ shared key should be the same with that on the TACACS+ servers. The shared key should have a same value on different TACACS+ servers.
Step3 Configure IP address of TACACS+ server.
set system aaa tacacs-plus server-ip <ipv4_address>
Step4 (Optional) Configure the port number of TACACS+ server.
set system aaa tacacs-plus port-number <integer>
By default, the port number of TACACS+ server is 49. The value of port number should be the same with that on the TACACS+ servers.
Step5 Configure the source interface.
set system aaa tacacs-plus source-interface <interface-name>
Step6 (Optional) Configure TACACS+ connection timeout.
set system aaa tacacs-plus timeout <integer>
By default, the value of TACACS+ connection timeout is 5 seconds.
Step7 (Optional) Configure TACACS+ authentication type.
set system aaa tacacs-plus auth-type <ascii | chap | pap>
By default, the TACACS+ authentication type is ascii.
Step8 (Optional) Enable TACACS+ authorization. By default, TACACS+ authorization is enabled.
set system aaa tacacs-plus authorization <true | false>
Step9 (Optional) Enable TACACS+ accounting. By default, TACACS+ accounting is enabled.
set system aaa tacacs-plus accounting <true | false>
Step10 Commit the configurations.
commit
TACACS+ Configuration Example
Networking Requirements
As shown in Figure 1, PC1, PC2, and PC3 connect to the internet through the PICA8 Switch. Configure TACACS+ function on PICA8 Switch to accomplish authentication, authorization, and accounting of PC1, PC2, and PC3 through TACACS + server1 and TACACS + server2. Suppose PICA8 Switch connects to the TACACS + servers through management interface eth0.
Figure 1. TACACS+ Networking Topology
Procedure
Step1 Enable TACACS+ function.
admin@XorPlus# set system aaa tacacs-plus disable false
Step2 Configure shared key of the TACACS+ servers.
admin@XorPlus# set system aaa tacacs-plus key pica8pica8
Step3 Configure TACACS+ server IP.
admin@XorPlus# set system aaa tacacs-plus server-ip 10.10.51.2 admin@XorPlus# set system aaa tacacs-plus server-ip 10.10.51.3
Step4 (Optional) Configure the port number of TACACS+ server.
admin@XorPlus# set system aaa tacacs-plus port-number 50
Step5 Configure the source interface.
admin@XorPlus# set system aaa tacacs-plus source-interface eth0
Step6 (Optional) Configure TACACS+ connection timeout.
admin@XorPlus# set system aaa tacacs-plus timeout 30
Step7 (Optional) Configure TACACS+ authentication type.
admin@XorPlus# set system aaa tacacs-plus auth-type chap
Step8 Commit the configurations.
admin@XorPlus# commit
Check the Configuration
- You can use the show system aaa tacacs-plus command to view the configuration information of TACACS+.
admin@XorPlus# show system aaa tacacs-plus disable: false server-ip 10.10.51.2 server-ip 10.10.51.3 key: "QT09cGljYThwaWNhOA==Y0ds" source-interface: "eth0"
Copyright © 2024 Pica8 Inc. All Rights Reserved.