Brocade ICX 6650 Security Configuration Guide
53-1002601-01
TACACS and TACACS+ security
The auth-port parameter specifies the UDP (for TACACS) or TCP (for TACACS+) port number of the 
authentication port on the server. The default port number is 49.
Specifying different servers for individual AAA functions
In a TACACS+ configuration, you can designate a server to handle a specific AAA task. For example, 
you can designate one TACACS+ server to handle authorization and another TACACS+ server to 
handle accounting. You can set the TACACS+ key for each server.
To specify different TACACS+ servers for authentication, authorization, and accounting, enter commands such as the following.
Syntax: tacacs-server host ip-addr | ipv6-addr | server-name [auth-port num] [authentication-only | authorization-only | accounting-only | default] [key 0 | 1 string]
The default parameter causes the server to be used for all AAA functions. 
After authentication takes place, the server that performed the authentication is used for 
authorization and accounting. If the authenticating server cannot perform the requested function, 
then the next server in the configured list of servers is tried; this process repeats until a server that 
can perform the requested function is found, or every server in the configured list has been tried.
Setting optional TACACS and TACACS+ parameters
You can set the following optional parameters in a TACACS and TACACS+ configuration:
TACACS+ key – This parameter specifies the value that the Brocade device sends to the 
TACACS+ server when trying to authenticate user access.
Retransmit interval – This parameter specifies how many times the Brocade device will resend 
an authentication request when the TACACS/TACACS+ server does not respond. The retransmit 
value can be from 1 – 5 times. The default is 3 times.
Dead time – This parameter specifies how long the Brocade device waits for the primary 
authentication server to reply before deciding the server is dead and trying to authenticate 
using the next server. The dead-time value can be from 1 – 5 seconds. The default is 3 
seconds.
Timeout – This parameter specifies how many seconds the Brocade device waits for a 
response from a TACACS/TACACS+ server before either retrying the authentication request, or 
determining that the TACACS/TACACS+ servers are unavailable and moving on to the next 
authentication method in the authentication-method list. The timeout can be from 1 – 15 
seconds. The default is 3 seconds.
Brocade(config)# tacacs-server host 10.2.3.4 auth-port 49 authentication-only key abc
Brocade(config)# tacacs-server host 10.2.3.5 auth-port 49 authorization-only key def
Brocade(config)# tacacs-server host 10.2.3.6 auth-port 49 accounting-only key ghi
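The following Python model is an added illustration, not Brocade code, covering two passages of this section: the rule that the authenticating server is reused for authorization and accounting and that the configured list is walked in order when a server cannot perform a function, and the documented ranges of the optional retransmit, dead-time and timeout parameters. The tacacs-server lines it parses are the guide's own example; which servers answer is a constructed scenario, the "default" server added in the comments is hypothetical, and the worst-case wait bound is an assumption stated in the code.

```python
"""
Model of per-function TACACS+ server selection and optional-parameter
ranges as described in the Brocade ICX 6650 Security Configuration Guide.
Added illustration, not Brocade code. Reachability of servers is a
constructed scenario; the wait-time bound is an assumption.
"""
import re
from dataclasses import dataclass
from typing import Callable, Dict, List, Optional

# Allowed ranges and defaults quoted in the guide.
PARAM_RANGES = {"retransmit": (1, 5), "dead-time": (1, 5), "timeout": (1, 15)}
DEFAULTS = {"retransmit": 3, "dead-time": 3, "timeout": 3}

# tacacs-server host <addr> [auth-port n] [<role>] [key [0|1] string]
HOST_RE = re.compile(
    r"^tacacs-server host (?P<host>\S+)"
    r"(?: auth-port (?P<port>\d+))?"
    r"(?: (?P<role>authentication-only|authorization-only|accounting-only|default))?"
    r"(?: key (?:(?P<enc>[01]) )?(?P<key>\S+))?$"
)


@dataclass
class Server:
    host: str
    port: int = 49             # default TACACS/TACACS+ port per the guide
    role: str = "default"      # "default" serves every AAA function
    key: Optional[str] = None

    def can_perform(self, function: str) -> bool:
        return self.role == "default" or self.role == f"{function}-only"


def parse_tacacs_servers(config_text: str) -> List[Server]:
    """Parse tacacs-server host lines (CLI prompt optional) in configured order."""
    servers = []
    for raw in config_text.splitlines():
        line = re.sub(r"^\S+\(config\)#\s*", "", raw.strip())  # drop "Brocade(config)# "
        m = HOST_RE.match(line)
        if not m:
            continue
        servers.append(Server(host=m["host"],
                              port=int(m["port"]) if m["port"] else 49,
                              role=m["role"] or "default",
                              key=m["key"]))
    return servers


def select_server(servers: List[Server], function: str,
                  reachable: Callable[[Server], bool],
                  preferred: Optional[Server] = None) -> Optional[Server]:
    """Server the device would use for `function`: the preferred (authenticating)
    server first, then the configured list in order, skipping servers that
    cannot perform the function or do not answer. None if every server fails."""
    order = ([preferred] if preferred else []) + [s for s in servers if s is not preferred]
    for s in order:
        if s.can_perform(function) and reachable(s):
            return s
    return None


def run_session(servers: List[Server],
                reachable: Callable[[Server], bool]) -> Dict[str, Optional[str]]:
    """Which host handles each AAA function for one login, per the guide's rule."""
    auth = select_server(servers, "authentication", reachable)
    result = {"authentication": auth.host if auth else None}
    for fn in ("authorization", "accounting"):
        s = select_server(servers, fn, reachable, preferred=auth)
        result[fn] = s.host if s else None
    return result


def validate_params(params: Dict[str, int]) -> List[str]:
    """Report optional parameter values outside the documented ranges."""
    problems = []
    for name, (lo, hi) in PARAM_RANGES.items():
        value = params.get(name, DEFAULTS[name])
        if not lo <= value <= hi:
            problems.append(f"{name}={value} is outside {lo}-{hi}")
    return problems


def worst_case_wait(params: Dict[str, int]) -> int:
    """Assumption (not from the guide): each resend waits a full timeout, so a
    silent server can hold a login for about timeout x retransmit seconds
    before the device moves on to the next authentication method."""
    p = {**DEFAULTS, **params}
    return p["timeout"] * p["retransmit"]


# The guide's own example configuration.
EXAMPLE_CONFIG = """
Brocade(config)# tacacs-server host 10.2.3.4 auth-port 49 authentication-only key abc
Brocade(config)# tacacs-server host 10.2.3.5 auth-port 49 authorization-only key def
Brocade(config)# tacacs-server host 10.2.3.6 auth-port 49 accounting-only key ghi
"""

if __name__ == "__main__":
    servers = parse_tacacs_servers(EXAMPLE_CONFIG)
    print(run_session(servers, reachable=lambda s: True))
    # Constructed scenario: the accounting-only server is down and no other
    # configured server may perform accounting, so accounting has no server.
    print(run_session(servers, reachable=lambda s: s.host != "10.2.3.6"))
    print(validate_params({"timeout": 20, "retransmit": 5}))
    print(worst_case_wait({"timeout": 15, "retransmit": 5}))
```

Adding a hypothetical `default` server to the list shows the reuse rule: once it performs authentication it also handles authorization and accounting for that session even when a function-specific server precedes it in the configured order. The range check is the kind of lint a defender can run over exported configuration before pushing it to a device.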