This chapter describes the function and displays the syntax for TACACS, extended TACACS, and TACACS+ commands. For more information about defaults and usage guidelines, see the corresponding chapter of the Security Command Reference.
To enable TACACS for ARAP authentication, use the arap use-tacacs line configuration command. Use the no form of this command to disable TACACS for ARAP authentication.
arap use-tacacs [single-line]

| Keyword | Description |
|---|---|
| single-line | (Optional) Accepts the username and password in the username field. If you are using an older version of TACACS (before extended TACACS), you must use this keyword. |
To specify what happens if the TACACS and extended TACACS servers used by the enable command do not respond, use the enable last-resort global configuration command. Use the no form of this command to restore the default.
enable last-resort {password | succeed}

| Keyword | Description |
|---|---|
| password | Allows you to enter enable mode by entering the privileged command level password. A password must contain from 1 to 25 uppercase and lowercase alphanumeric characters. |
| succeed | Allows you to enter enable mode without further question. |
To enable the use of TACACS to determine whether a user can access the privileged command level, use the enable use-tacacs global configuration command. Use the no form of this command to disable TACACS verification.
enable use-tacacs

To use the IP address of a specified interface for all outgoing TACACS packets, use the ip tacacs source-interface global configuration command. Use the no form of this command to disable use of the specified interface IP address.
ip tacacs source-interface subinterface-name

| Argument | Description |
|---|---|
| subinterface-name | Name of the interface that TACACS uses for all of its outgoing packets. |
To control the number of login attempts that can be made on a line set up for TACACS verification, use the tacacs-server attempts global configuration command. Use the no form of this command to restore the default.
tacacs-server attempts count

| Argument | Description |
|---|---|
| count | Integer that sets the number of attempts. The default is 3 attempts. |
To configure the Cisco IOS software to indicate whether users can perform an attempted action under TACACS and extended TACACS, use the tacacs-server authenticate global configuration command. Use the no form of this command to remove authentication.
tacacs-server authenticate {connection [always] enable | slip [always] [access-lists]}

| Keyword | Description |
|---|---|
| connection | Configures a required response when a user makes a TCP connection. |
| always | (Optional) Performs authentication even when a user is not logged in. |
| enable | Configures a required response when a user enters the enable command. |
| slip | Configures a required response when a user starts a SLIP or PPP session. |
| access-lists | (Optional) Requests and installs access lists. This option only applies to the slip keyword. |
To send only a username to a specified server when a direct request is issued, use the tacacs-server directed-request global configuration command. Use the no form of this command to send the entire string to the TACACS server.
tacacs-server directed-request

To enable an extended TACACS mode, use the tacacs-server extended global configuration command. Use the no form of this command to disable the mode.
tacacs-server extended

To specify a TACACS host, use the tacacs-server host global configuration command. Use the no form of this command to delete the specified name or address.
tacacs-server host hostname [single-connection] [port integer] [timeout integer] [key string]

| Keyword/Argument | Description |
|---|---|
| hostname | Name or IP address of the host. |
| single-connection | (Optional) Specify that the router maintain a single open connection for confirmation from an AAA/TACACS+ server (CiscoSecure Release 1.0.1 or later). This command contains no autodetect and fails if the specified host is not running a CiscoSecure daemon. |
| port | (Optional) Specify a server port number. This option overrides the default, which is port 49. |
| integer | (Optional) Port number of the server. Valid port numbers range from 1 to 65535. |
| timeout | (Optional) Specify a timeout value. This overrides the global timeout value set with the tacacs-server timeout command for this server only. |
| integer | (Optional) Integer value, in seconds, of the timeout interval. |
| key | (Optional) Specify an authentication and encryption key. This must match the key used by the TACACS+ daemon. Specifying this key overrides the key set by the global command tacacs-server key for this server only. |
| string | (Optional) Character string specifying the authentication and encryption key. |
To set the authentication encryption key used for all TACACS+ communications between the access server and the TACACS+ daemon, use the tacacs-server key global configuration command. Use the no form of this command to disable the key.
tacacs-server key key

| Argument | Description |
|---|---|
| key | Key used to set authentication and encryption. This key must match the key used on the TACACS+ daemon. |
To cause the network access server to request the privileged password as verification, or to allow successful login without further input from the user, use the tacacs-server last-resort global configuration command. Use the no form of this command to deny requests when the server does not respond.
tacacs-server last-resort {password | succeed}

| Keyword | Description |
|---|---|
| password | Allows the user to access the EXEC command mode by entering the password set by the enable command. |
| succeed | Allows the user to access the EXEC command mode without further question. |
The timeout login response command replaces this command.
To cause a message to be transmitted to the TACACS server, with retransmission being performed by a background process for up to five minutes, use the tacacs-server notify global configuration command. Use the no form of this command to disable notification.
tacacs-server notify {connection [always] | enable | logout [always] | slip [always]}

| Keyword | Description |
|---|---|
| connection | Specifies that a message be transmitted when a user makes a TCP connection. |
| always | (Optional) Sends a message even when a user is not logged in. This option applies only to SLIP or PPP sessions and can be used with the logout or slip keywords. |
| enable | Specifies that a message be transmitted when a user enters the enable command. |
| logout | Specifies that a message be transmitted when a user logs out. |
| slip | Specifies that a message be transmitted when a user starts a SLIP or PPP session. |
To specify that the first TACACS request to a TACACS server be made without password verification, use the tacacs-server optional-passwords global configuration command. Use the no form of this command to restore the default.
tacacs-server optional-passwords

To specify the number of times the Cisco IOS software searches the list of TACACS server hosts before giving up, use the tacacs-server retransmit global configuration command. Use the no form of this command to disable retransmission.
tacacs-server retransmit retries

| Argument | Description |
|---|---|
| retries | Integer that specifies the retransmit count. |
To set the interval that the server waits for a server host to reply, use the tacacs-server timeout global configuration command. Use the no form of this command to restore the default.
tacacs-server timeout seconds

| Argument | Description |
|---|---|
| seconds | Integer that specifies the timeout interval in seconds (between 1 and 300). The default is 5 seconds. |
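Several commands in this chapter decide what happens when no TACACS server answers (enable last-resort, tacacs-server last-resort) or relax verification (tacacs-server optional-passwords), and tacacs-server key / the per-host key option protect the exchange itself. The following added example, not part of the Cisco reference, is a small audit script that scans a running-config excerpt for those fail-open settings and for hosts configured without any key; the configuration text it scans is constructed for the example.

```python
import re

# Constructed sample running-config excerpt (not taken from the page); mixes weak and sound settings.
SAMPLE_CONFIG = """\
tacacs-server host 192.0.2.10 single-connection timeout 10 key example-key-1
tacacs-server host 192.0.2.11
tacacs-server timeout 5
tacacs-server attempts 3
tacacs-server last-resort succeed
tacacs-server optional-passwords
enable use-tacacs
enable last-resort succeed
ip tacacs source-interface Loopback0
"""

# Commands from this chapter that grant access when the servers are silent, or skip a password check.
FAIL_OPEN = {
    "tacacs-server last-resort succeed": "login succeeds with no password when no TACACS server responds",
    "enable last-resort succeed": "enable mode is granted with no password when no TACACS server responds",
    "tacacs-server optional-passwords": "the first TACACS request is sent without password verification",
}

def tacacs_lines(config):
    """Return stripped lines belonging to the TACACS command family covered in this chapter."""
    return [ln.strip() for ln in config.splitlines()
            if re.match(r"^\s*(tacacs-server|enable|ip tacacs|arap)\b", ln)]

def audit_tacacs(config):
    """Return [(severity, message), ...] for risky settings found in a running-config excerpt."""
    lines = tacacs_lines(config)
    findings = []
    has_global_key = any(ln.startswith("tacacs-server key ") for ln in lines)
    for ln in lines:
        m = re.match(r"tacacs-server host (\S+)(.*)$", ln)
        # A host needs either its own "key string" option or the global tacacs-server key.
        if m and not has_global_key and not re.search(r"\bkey \S+", m.group(2)):
            findings.append(("high", f"host {m.group(1)}: no per-host key and no global "
                                     "tacacs-server key, so TACACS+ packets carry no shared secret"))
    for cmd, why in FAIL_OPEN.items():
        if cmd in lines:
            findings.append(("high" if "succeed" in cmd else "medium", f"{cmd}: {why}"))
    return findings

if __name__ == "__main__":
    for severity, msg in audit_tacacs(SAMPLE_CONFIG):
        print(f"[{severity}] {msg}")
```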
Posted: Mon Feb 8 14:19:04 PST 1999
Copyright 1989-1999 © Cisco Systems Inc.