Extreme 3804 User Guide
Authenticating Users
Summit24e3 Switch Installation and User Guide
attempting to administer the switch. TACACS+ is used to communicate between the switch and an
authentication database.
NOTE
You cannot use RADIUS and TACACS+ at the same time.
You can configure two TACACS+ servers, specifying the primary server address, secondary server
address, and UDP port number to be used for TACACS+ sessions.
Table 16 describes the commands that are used to configure TACACS+.
Table 16: TACACS+ Commands

Command
    Description

config tacacs [primary | secondary] server [<ipaddress> | <hostname>] {<udp_port>} client-ip <ipaddress>
    Configures the server information for a TACACS+ server. Specify the following:
    • primary | secondary — Specifies primary or secondary server configuration. To remove a server, use the address 0.0.0.0.
    • <ipaddress> | <hostname> — Specifies the TACACS+ server.
    • <udp_port> — Optionally specifies the UDP port to be used.
    • client-ip — Specifies the IP address used by the switch to identify itself when communicating with the TACACS+ server.

config tacacs [primary | secondary] shared-secret {encrypted} <string>
    Configures the shared secret string used to communicate with the TACACS+ server.

config tacacs-accounting [primary | secondary] server [<ipaddress> | <hostname>] {<udp_port>} client-ip <ipaddress>
    Configures the TACACS+ accounting server. You can use the same server for accounting and authentication.

config tacacs-accounting [primary | secondary] shared-secret {encrypted} <string>
    Configures the shared secret string used to communicate with the TACACS+ accounting server.

disable tacacs
    Disables TACACS+.

disable tacacs-accounting
    Disables TACACS+ accounting.

disable tacacs-authorization
    Disables CLI command authorization.

enable tacacs
    Enables TACACS+. Once enabled, all CLI logins are sent to one of the two TACACS+ servers for login name authentication and accounting.

enable tacacs-accounting
    Enables TACACS+ accounting. If accounting is used, the TACACS+ client must also be enabled.

enable tacacs-authorization
    Enables CLI command authorization. When enabled, each command is transmitted to the remote TACACS+ server for authorization before the command is executed.
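
The following is an added example, not part of the guide or of Extreme's own tooling: a Python check that replays a list of Table 16 commands and reports where the result breaks the rules stated above (RADIUS and TACACS+ enabled together, accounting enabled without TACACS+, address 0.0.0.0 removing a server), plus one added check that every configured server has a shared secret. Assumptions: the input is one command per line in the Table 16 syntax, the sample addresses and secret are constructed, and `enable radius` is assumed to be the RADIUS counterpart of `enable tacacs`.

```python
import re

# Constructed sample: commands in the Table 16 syntax, applied in order.
SAMPLE_CONFIG = """\
config tacacs primary server 10.0.1.10 49 client-ip 10.0.1.2
config tacacs primary shared-secret encrypted EXAMPLE-SECRET
config tacacs secondary server 10.0.1.11 49 client-ip 10.0.1.2
config tacacs secondary server 0.0.0.0 49 client-ip 10.0.1.2
config tacacs-accounting primary server 10.0.1.10 49 client-ip 10.0.1.2
enable tacacs
enable tacacs-accounting
enable radius
"""

CONFIG_RE = re.compile(r"^config (tacacs(?:-accounting)?) (primary|secondary) "
                       r"(server|shared-secret) (\S+)")
TOGGLE_RE = re.compile(r"^(enable|disable) (\S+)$")


def audit_tacacs(config_text):
    """Replay the commands and return findings as a list of strings."""
    servers, secrets, enabled = set(), set(), set()
    for line in (raw.strip() for raw in config_text.splitlines()):
        if m := CONFIG_RE.match(line):
            key = (m.group(1), m.group(2))
            if m.group(3) == "shared-secret":
                secrets.add(key)
            elif m.group(4) == "0.0.0.0":
                servers.discard(key)  # address 0.0.0.0 removes the server
            else:
                servers.add(key)
        elif m := TOGGLE_RE.match(line):
            # "enable radius" is an assumed command name, not in Table 16.
            (enabled.add if m.group(1) == "enable" else enabled.discard)(m.group(2))
    findings = [f"{svc} {role} server has no shared secret"
                for svc, role in sorted(servers - secrets)]
    if "tacacs-accounting" in enabled and "tacacs" not in enabled:
        findings.append("tacacs-accounting enabled but tacacs is not")
    if "tacacs" in enabled and "radius" in enabled:
        findings.append("radius and tacacs both enabled")
    if "tacacs" in enabled and ("tacacs", "primary") not in servers:
        findings.append("tacacs enabled without a primary server")
    return findings


if __name__ == "__main__":
    for finding in audit_tacacs(SAMPLE_CONFIG):
        print("FINDING:", finding)
```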