Configure NAS to TACACS+ Server Communication
Chapter 3 looked at the various commands to implement AAA
features on the NAS. This chapter reviews the basic commands to allow the AAA
client running on a NAS to locate and communicate with a Cisco Secure ACS
TACACS+ server.
To define one or more TACACS servers, use the
tacacs-server host global configuration command. Use the no form of this
command to delete the specified server. The syntax is
Rtr1(config)#tacacs-server host {hostname | ip-address} [single-connection] [port port#] [timeout seconds] [key string]
Rtr1(config)#no tacacs-server host hostname
Multiple tacacs-server host commands can be used
to specify additional host servers. The Cisco IOS software searches for hosts in
the order in which they’re specified. Use the single-connection, port, timeout,
and key options only when running an AAA/TACACS+ server.
Because some of the parameters of the tacacs-server
host command override global settings made by the tacacs-server timeout and tacacs-server key
commands, this command can be used to enhance security on a network by uniquely
configuring individual TACACS+ connections.
The following AAA example specifies that the router first try the
CiscoSecure TACACS+ host 192.168.1.4. If 192.168.1.4 is unavailable, then use
tac-serv1.
Rtr1(config)#aaa new-model
Rtr1(config)#tacacs-server host 192.168.1.4
Rtr1(config)#tacacs-server host tac-serv1
The next AAA example specifies that the router consult the
CiscoSecure TACACS+ host named 192.168.1.4 on port number 51. The timeout value
for requests on this connection is three seconds. The encryption key is
a_secret.
Rtr1(config)#aaa new-model
Rtr1(config)#tacacs-server host 192.168.1.4 single-connection port 51 timeout 3 key a_secret
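The two examples above and the override rule (per-host single-connection, port, timeout and key settings take precedence over the global tacacs-server timeout and tacacs-server key commands, and hosts are tried in the order listed) are easy to misread when a configuration mixes global and per-host values. The following script is an added example, not part of the chapter and not Cisco software: it parses a pasted set of tacacs-server lines, resolves the effective parameters for each host in search order, and flags any host that ends up with no shared key at all. The default timeout of 5 seconds and the default TCP port 49 are assumptions made here (verify them on your IOS release); the sample configuration is constructed from the chapter's examples plus a global timeout.

```python
import re
import shlex

# Assumed defaults when neither a global nor a per-host value is configured
# (Cisco IOS defaults as understood here; confirm on your platform).
DEFAULT_TIMEOUT = 5   # seconds
DEFAULT_PORT = 49     # standard TACACS+ TCP port

# Constructed sample: the chapter's second example, a second host with no
# per-host options, and a global timeout that applies only where no
# per-host timeout was given.
SAMPLE_CONFIG = """
Rtr1(config)#aaa new-model
Rtr1(config)#tacacs-server host 192.168.1.4 single-connection port 51 timeout 3 key a_secret
Rtr1(config)#tacacs-server host tac-serv1
Rtr1(config)#tacacs-server timeout 10
"""

PROMPT_RE = re.compile(r'^\S+\(config\)#\s*')


def parse_tacacs_config(config_text):
    """Return (hosts, warnings).

    hosts is an ordered list of dicts, one per tacacs-server host line, in
    the order IOS will search them, with global settings already applied
    wherever the host line did not override them.
    """
    global_timeout = None
    global_key = None
    host_lines = []

    # First pass: collect global settings and raw host lines. Global
    # commands may appear before or after the host lines in a running
    # config, so host entries are resolved only after the whole text is read.
    for raw in config_text.splitlines():
        line = PROMPT_RE.sub('', raw.strip())
        if not line:
            continue
        tokens = shlex.split(line)
        if tokens[:2] == ['tacacs-server', 'timeout'] and len(tokens) == 3:
            global_timeout = int(tokens[2])
        elif tokens[:2] == ['tacacs-server', 'key'] and len(tokens) >= 3:
            global_key = ' '.join(tokens[2:])
        elif tokens[:2] == ['tacacs-server', 'host'] and len(tokens) >= 3:
            host_lines.append(tokens[2:])

    hosts = []
    warnings = []
    for position, tokens in enumerate(host_lines, start=1):
        entry = {'order': position, 'host': tokens[0], 'port': DEFAULT_PORT,
                 'single_connection': False, 'timeout': None, 'key': None}
        i = 1
        while i < len(tokens):
            opt = tokens[i]
            if opt == 'single-connection':
                entry['single_connection'] = True
                i += 1
            elif opt == 'port':
                entry['port'] = int(tokens[i + 1])
                i += 2
            elif opt == 'timeout':
                entry['timeout'] = int(tokens[i + 1])
                i += 2
            elif opt == 'key':
                # The key takes the rest of the line.
                entry['key'] = ' '.join(tokens[i + 1:])
                break
            else:
                raise ValueError('unknown tacacs-server host option: %s' % opt)

        # Per-host values win; otherwise fall back to the global command,
        # and finally to the assumed IOS default.
        if entry['timeout'] is None:
            entry['timeout'] = global_timeout if global_timeout is not None else DEFAULT_TIMEOUT
        if entry['key'] is None:
            entry['key'] = global_key
        if entry['key'] is None:
            warnings.append('host %s (search position %d) has no shared key; '
                            'TACACS+ exchanges with it are unprotected'
                            % (entry['host'], position))
        hosts.append(entry)
    return hosts, warnings


if __name__ == '__main__':
    resolved, problems = parse_tacacs_config(SAMPLE_CONFIG)
    for h in resolved:
        print(h)
    for w in problems:
        print('WARNING:', w)
```

Running it on the sample shows 192.168.1.4 keeping its own timeout of 3 and key a_secret, while tac-serv1 inherits the global timeout of 10, falls back to port 49, and is reported for having no key, which is exactly the kind of per-host gap the chapter's remark about uniquely configuring individual connections is meant to catch.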