TACACS+ Commands
This chapter explains the function and syntax of the TACACS+ commands. For more information about defaults and usage guidelines, see the corresponding chapter of the Cisco IOS Security Command Reference, Release 12.1.
To group different server hosts into distinct lists and distinct methods, use the aaa group server command in global configuration mode. To remove a server group from the configuration list, enter the no form of this command.
aaa group server tacacs+ group-name
no aaa group server tacacs+ group-name
Syntax Description
tacacs+ | Use only the TACACS+ server hosts.
group-name | Character string used to name the group of servers.
To use the IP address of a specified interface for all outgoing TACACS+ packets, use the ip tacacs source-interface command in global configuration mode. Use the no form of this command to disable use of the specified interface IP address.
ip tacacs source-interface subinterface-name
no ip tacacs source-interface
Syntax Description
subinterface-name | Name of the interface that TACACS+ uses for all of its outgoing packets.
To configure the IP address of the TACACS+ server for the group server, use the server command in group server configuration mode. To remove the IP address of the RADIUS server, enter the no form of this command.
server ip-address
no server ip-address
Syntax Description
ip-address | IP address of the selected server.
To send only a username to a specified server when a direct request is issued, use the tacacs-server directed-request command in global configuration mode. Use the no form of this command to send the entire string to the TACACS+ server.
tacacs-server directed-request [ restricted ] [ no-truncate ]
no tacacs-server directed-request
Syntax Description
restricted | Restrict queries to directed request servers only.
no-truncate | Do not truncate the @hostname from the username.
To specify a TACACS+ host, use the tacacs-server host command in global configuration mode. Use the no form of this command to delete the specified name or address.
tacacs-server host hostname [single-connection] [port integer] [timeout integer] [key string]
no tacacs-server host hostname
Syntax Description
hostname | Name or IP address of the host.
single-connection | (Optional) Specify that the router maintain a single open connection for confirmation from a AAA/TACACS+ server (CiscoSecure Release 1.0.1 or later). This command contains no autodetect and fails if the specified host is not running a CiscoSecure daemon.
port | (Optional) Specify a server port number. This option overrides the default, which is port 49.
integer | (Optional) Port number of the server. Valid port numbers range from 1 to 65535.
timeout | (Optional) Specify a timeout value. This overrides the global timeout value set with the tacacs-server timeout command for this server only.
integer | (Optional) Integer value, in seconds, of the timeout interval.
key | (Optional) Specify an authentication and encryption key. This must match the key used by the TACACS+ daemon. Specifying this key overrides the key set by the global command tacacs-server key for this server only.
string | (Optional) Character string specifying authentication and encryption key.
To set the authentication encryption key used for all TACACS+ communications between the access server and the TACACS+ daemon, use the tacacs-server key command in global configuration mode. Use the no form of this command to disable the key.
tacacs-server key key
no tacacs-server key [key]
Syntax Description
key | Key used to set authentication and encryption. This key must match the key used on the TACACS+ daemon.
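The override rules described above for tacacs-server host and tacacs-server key (a per-host key or timeout takes precedence over the global value, and the port defaults to 49) can be checked against a saved configuration. The following Python sketch is an added example, not part of the Cisco documentation; the function name effective_tacacs_hosts is hypothetical, and the sample configuration, addresses and key strings are constructed.

```python
import re

DEFAULT_PORT = 49  # default server port stated for the port option above
# Constructed sample configuration (documentation addresses, placeholder keys).
SAMPLE = """\
tacacs-server host 192.0.2.10 single-connection port 4949 timeout 3 key HOST-KEY-PLACEHOLDER
tacacs-server host 192.0.2.11
tacacs-server host 192.0.2.12 port 70000
tacacs-server timeout 10
tacacs-server key GLOBAL-KEY-PLACEHOLDER
"""

def effective_tacacs_hosts(config_text):
    """Resolve each tacacs-server host line against the global key and timeout."""
    glob = {"key": None, "timeout": None}  # None means "not set in this config"
    hosts = {}
    for line in map(str.strip, config_text.splitlines()):
        g = re.match(r"tacacs-server (key|timeout) (.+)$", line)
        h = re.match(r"tacacs-server host (\S+)(.*)$", line)
        if g:
            glob[g.group(1)] = g.group(2)
        if not h:
            continue
        rest = h.group(2)
        opts = {"single_connection": False}
        km = re.search(r"\skey (.+)$", rest)  # the key runs to the end of the line
        if km:
            opts["key"], rest = km.group(1), rest[:km.start()]
        words = rest.split()
        for i, word in enumerate(words):
            if word == "single-connection":
                opts["single_connection"] = True
            elif word in ("port", "timeout") and i + 1 < len(words):
                opts[word] = words[i + 1]
        hosts[h.group(1)] = opts
    resolved = {}
    for name, opts in hosts.items():
        port = int(opts.get("port", DEFAULT_PORT))
        timeout = opts.get("timeout", glob["timeout"])  # per-host value wins
        key_source = "host" if "key" in opts else ("global" if glob["key"] else None)
        findings = []
        if key_source is None:
            findings.append("no key set for this host")
        if not 1 <= port <= 65535:
            findings.append("port outside 1-65535")
        resolved[name] = {"port": port, "timeout": int(timeout) if timeout else None,
                          "key_source": key_source, "findings": findings,
                          "single_connection": opts["single_connection"]}
    return resolved
```

Calling effective_tacacs_hosts(SAMPLE) returns one entry per host with its effective port, timeout, key source and any findings.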







Posted: Wed Jul 26 17:13:24 PDT 2000
Copyright 1989-2000©Cisco Systems Inc.