If a TACACS server host is used for authentication, use the tacacs-server host global configuration command. Use the no form of this command to delete the specified name or address. The syntax is:
Rtr1(config)#tacacs-server host {hostname | ip-address} [single-connection] [port port#] [timeout seconds] [key string]
Rtr1(config)#no tacacs-server host hostname
Multiple tacacs-server host commands can be used to specify additional host servers. The Cisco IOS software searches for hosts in the order in which they're specified. Use the single-connection, port, timeout, and key options only when running an AAA/TACACS+ server.
Because some of the parameters of the tacacs-server host command override global settings made by the tacacs-server timeout and tacacs-server key commands, this command can be used to enhance security on a network by uniquely configuring individual TACACS+ connections.
The following example specifies a TACACS host named tac-serv1:
Rtr1(config)#aaa new-model
Rtr1(config)#tacacs-server host tac-serv1
The next AAA example specifies that the router first tries the CiscoSecure TACACS+ host 192.168.1.4. If 192.168.1.4 is unavailable, the router then uses tac-serv1:
Rtr1(config)#aaa new-model
Rtr1(config)#tacacs-server host 192.168.1.4
Rtr1(config)#tacacs-server host tac-serv1
The next AAA example specifies that the router consult the CiscoSecure TACACS+ host named 192.168.1.4 on port number 51. The timeout value for requests on this connection is three seconds. The encryption key is a_secret.
Rtr1(config)#aaa new-model
Rtr1(config)#tacacs-server host 192.168.1.4 single-connection port 51 timeout 3 key a_secret
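The search order and per-host overrides described above can be audited offline against a saved configuration. The following Python code is an added example, not part of the original text or of any Cisco tool: it lists the configured hosts in search order and resolves each host's effective port, timeout and key source. The sample configuration and the key global_secret are constructed, and the defaults of port 49 and a 5-second timeout are assumptions.

```python
# Constructed sample configuration for illustration (not from a real device).
SAMPLE_CONFIG = """\
aaa new-model
tacacs-server timeout 10
tacacs-server key global_secret
tacacs-server host 192.168.1.4 single-connection port 51 timeout 3 key a_secret
tacacs-server host tac-serv1
"""
DEFAULT_PORT = 49     # well-known TACACS+ TCP port (assumed default)
DEFAULT_TIMEOUT = 5   # assumed IOS default in seconds when no timeout is set

def parse_host(tokens):
    """Parse the options that follow 'tacacs-server host <name>'."""
    host = {"host": tokens[0], "single_connection": False,
            "port": None, "timeout": None, "key": None}
    i = 1
    while i < len(tokens):
        if tokens[i] == "single-connection":
            host["single_connection"] = True
        elif tokens[i] in ("port", "timeout") and i + 1 < len(tokens):
            host[tokens[i]] = int(tokens[i + 1])
            i += 1
        elif tokens[i] == "key":
            host["key"] = " ".join(tokens[i + 1:])  # key runs to end of line
            break
        i += 1
    return host

def effective_tacacs_hosts(config_text):
    """Return hosts in search order with per-host values resolved over globals."""
    g_timeout, g_key, hosts = DEFAULT_TIMEOUT, None, []
    for line in config_text.splitlines():
        tok = line.split()
        if len(tok) < 3 or tok[0] != "tacacs-server":
            continue  # also skips 'no tacacs-server ...' lines
        if tok[1] == "timeout":
            g_timeout = int(tok[2])
        elif tok[1] == "key":
            g_key = " ".join(tok[2:])
        elif tok[1] == "host":
            hosts.append(parse_host(tok[2:]))
    return [{  # globals are applied last, so their position in the file is irrelevant
        "host": h["host"],
        "port": h["port"] or DEFAULT_PORT,
        "timeout": h["timeout"] or g_timeout,
        "single_connection": h["single_connection"],
        "key_source": "host" if h["key"] else ("global" if g_key else "none"),
    } for h in hosts]

print(effective_tacacs_hosts(SAMPLE_CONFIG))
```

A key_source of "global" marks a host that shares the router-wide key, and "none" marks a host with no key configured at all.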