TACACS Commands
  • 06 Jul 2023

Article Summary

TACACS (Terminal Access Controller Access Control System), widely used in network environments, is a client/server protocol that allows remote access servers to communicate with a central server in order to authenticate dial-in users and authorize their access to the requested system or service.

TACACS CLI commands are categorized as follows:

Configuration Commands

This section includes TACACS configuration commands.

tacacs-server host

Command Objective:
This command configures a TACACS server entry with its parameters (host, timeout, key). The host is given as the address of a TACACS+ server or as the IP host name of a host maintaining a TACACS+ server; the command may be repeated for each server.

Notes: The maximum number of TACACS servers that can be configured is 5.

The no form of the command deletes the server entry from the TACACS server table.

Syntax:
tacacs-server host {< ipv4-address > | < ipv6-address > | < dns_host_name >} [single-connection] [port < tcp port (1-65535) >] [timeout < time out in seconds (1-255) >] [key < secret key >]

no tacacs-server host {< ipv4-address > | < ipv6-address > | < dns_host_name >}

Parameter Description:

  • < ipv4-address > - Configures the IPv4 address of the host
  • < ipv6-address > - Configures the IPv6 address of the host
  • < dns_host_name > - Configures the DNS (Domain Name System) name of the TACACS server host. This value is a string of maximum size 255.
  • single-connection - Allows multiple sessions to be established over a single TCP connection for AAA functionalities
  • port < tcp port (1-65535 ) > - Configures the TCP port number in which the multiple sessions are established. This value ranges from 1 to 65535.
  • timeout < time out in seconds(1-255) > - Configures the time period (in seconds) for which the client waits for a response from the server before closing the TCP connection. The link between the server and the client is disconnected if the specified time is exceeded. This value ranges from 1 to 255 seconds.
  • key < secret key > - Specifies the shared key used to authenticate and encrypt all TACACS+ communication between the authenticator (the client) and the TACACS server. The value is a string of maximum length 64. If no key is configured, the default key "Altran" is used for that server.

Mode:
Global Configuration Mode

Prerequisites:
The maximum number of TACACS servers that can be configured is 5.
The no form of the command deletes the server entry from the TACACS server table.

Default:

  • port - 49
  • timeout - 5 seconds

Example:

Your Product (config)# tacacs-server host 12.0.0.100
TACACS+ server configured with default secret key !
Your Product (config)# tacacs-server host 2005::33
TACACS+ server configured with default secret key !

tacacs use-server address

Command Objective:
This command selects the active server from the list of servers available in the TACACS server table and configures its address as the active server address.

The no form of the command removes the active server selection on the client.

Syntax:
tacacs use-server address {< ipv4-address > | < ipv6-address > | < dns_host_name >}

no tacacs use-server

Parameter Description:

  • < ipv4-address > - Configures the IPv4 address of the host
  • < ipv6-address > - Configures the IPv6 address of the host
  • < dns_host_name > - Configures the DNS (Domain Name System) name of the TACACS server host. This value is a string of maximum size 255.

Mode:
Global Configuration Mode

Note: The specified server should be any one of the entries from the TACACS server table.

Example:

Your Product (config)# tacacs use-server address 12.0.0.100

tacacs-server retransmit

Command Objective:
This command configures the retransmit value: the number of times the client cycles through the list of servers maintained in the TACACS client, looking for a server that responds, when no active server is configured. The retransmit value ranges from 1 to 5.

The no form of the command resets the retransmit value to its default value.

Syntax:
tacacs-server retransmit < retries (1-5) >

no tacacs-server retransmit

Mode:
Global Configuration Mode

Default:
2

Example:

Your Product (config)# tacacs-server retransmit 3

Display Command

This section includes the TACACS display command.

show tacacs

Command Objective:
This command displays the server information (such as IP address, Single connection, Port and so on) and the statistical log information (such as Authen. Starts sent, Authen. Continues sent, Authen. Enables sent, Authen. Aborts sent, and so on) for the TACACS+ client.

Syntax:
show tacacs

Mode:
Privileged EXEC Mode

Note: This command displays the information only for the servers configured in the TACACS server table.

Example:

Your Product# show tacacs
Server : 1
Server address           : 12.0.0.100
Address Type             : IPV4
       Single Connection : no
       TCP port          : 49
       Timeout           : 5
       Secret Key        :
Server : 2
Server address           : abc.google.com
Address Type             : DNS
       Single Connection : yes
       TCP port          : 20
       Timeout           : 30
       Secret Key        :
 Active Server address: abc.google.com
Authen. Starts sent    : 0
Authen. Continues sent : 0
Authen. Enables sent   : 0
Authen. Aborts sent    : 0
Authen. Pass rvcd.     : 0
Authen. Fails rcvd.    : 0
Authen. Get User rcvd. : 0
Authen. Get Pass rcvd. : 0
Authen. Get Data rcvd. : 0
Authen. Errors rcvd.   : 0
Authen. Follows rcvd.  : 0
Authen. Restart rcvd.  : 0
Authen. Sess. timeouts : 0
Author. Requests sent  : 0
Author. Pass Add rcvd. : 0
Author. Pass Repl rcvd : 0
Author. Fails rcvd.    : 0
Author. Errors rcvd.   : 0
Author Follows rcvd.   : 0
Author. Sess. timeouts : 0
Acct. start reqs. sent : 0
Acct. WD reqs. sent    : 0
Acct. Stop reqs. sent  : 0
Acct. Success rcvd.    : 0
Acct. Errors rcvd.     : 0
Acct. Follows rcvd.    : 0
Acct. Sess. timeouts   : 0
Malformed Pkts. rcvd.  : 0
Socket failures        : 0
Connection failures    : 0
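As an added example (not part of the vendor's documentation), the following Python script parses `show tacacs` output in the format shown above and reports what a reviewer would want flagged: servers whose Secret Key is empty (so the default key described under tacacs-server host is in use), an active server that is not an entry of the server table, and non-zero malformed-packet or connection-failure counters. The sample output is constructed for the example.

```python
# Constructed sample modelled on the `show tacacs` output above (not captured from a device).
SAMPLE_SHOW_TACACS = """\
Server : 1
Server address           : 12.0.0.100
Address Type             : IPV4
       TCP port          : 49
       Timeout           : 5
       Secret Key        :
Server : 2
Server address           : abc.google.com
Address Type             : DNS
       TCP port          : 20
       Timeout           : 30
       Secret Key        :
 Active Server address: abc.google.com
Authen. Starts sent    : 0
Malformed Pkts. rcvd.  : 3
Socket failures        : 0
Connection failures    : 2
"""

def parse_show_tacacs(text):
    servers, counters, active, cur = [], {}, None, None  # cur = server block being filled
    for line in text.splitlines():
        if ":" not in line:
            continue                       # prompt or blank line
        field, _, value = (p.strip() for p in line.partition(":"))
        if field == "Server":              # starts a new server block
            cur = {"id": int(value)}
            servers.append(cur)
        elif field == "Active Server address":
            active, cur = value, None      # the statistics counters follow this line
        elif cur is not None:
            cur[field] = value             # split on the first colon, so IPv6 values stay intact
        else:
            counters[field] = int(value)
    return servers, active, counters

def audit(text):
    servers, active, counters = parse_show_tacacs(text)
    findings = []
    for s in servers:
        if not s.get("Secret Key"):        # empty key => the documented default key is in use
            findings.append(f"server {s['id']} ({s['Server address']}): default secret key in use")
    if active not in {s["Server address"] for s in servers}:
        findings.append("active server is not an entry of the server table")
    for name in ("Malformed Pkts. rcvd.", "Socket failures", "Connection failures"):
        if counters.get(name, 0):          # any non-zero failure counter is worth a look
            findings.append(f"{name} = {counters[name]}")
    return findings
```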

© 2024 Accedian Networks Inc. All rights reserved. Accedian®, Accedian Networks®,  the Accedian logo™, Skylight™, Skylight Interceptor™ and per-packet intel™, are trademarks or registered trademarks of Accedian Networks Inc. To view a list of Accedian trademarks visit: http://accedian.com/legal/trademarks/. 