This chapter describes the function and displays the syntax for TACACS, Extended TACACS, and TACACS+ commands. For more information about defaults and usage guidelines, see the corresponding chapter of the Security Command Reference.
To enable TACACS for ARAP authentication, use the arap use-tacacs line configuration command. Use the no form of this command to disable TACACS for ARAP authentication.
arap use-tacacs [single-line]

single-line | (Optional) Accepts the username and password in the username field. If you are using an older version of TACACS (before Extended TACACS), you must use this keyword.
To specify what happens if the TACACS and Extended TACACS servers used by the enable command do not respond, use the enable last-resort global configuration command. Use the no form of this command to restore the default.
enable last-resort {password | succeed}

password | Allows you to enter enable mode by entering the privileged command level password. A password must contain from 1 to 25 uppercase and lowercase alphanumeric characters.
succeed | Allows you to enter enable mode without further question.
To enable the use of TACACS to determine whether a user can access the privileged command level, use the enable use-tacacs global configuration command. Use the no form of this command to disable TACACS verification.
enable use-tacacs

To use the IP address of a specified interface for all outgoing TACACS packets, use the ip tacacs source-interface global configuration command. Use the no form of this command to disable use of the specified interface IP address.

ip tacacs source-interface subinterface-name

subinterface-name | Name of the interface that TACACS uses for all of its outgoing packets.
To control the number of login attempts that can be made on a line set up for TACACS verification, use the tacacs-server attempts global configuration command. Use the no form of this command to remove this feature and restore the default.
tacacs-server attempts count

count | Integer that sets the number of attempts. The default is 3 attempts.
To configure the Cisco IOS software to indicate whether a user can perform an attempted action under TACACS and Extended TACACS, use the tacacs-server authenticate global configuration command. Use the no form of this command to disable this feature.
tacacs-server authenticate {connection [always] enable | slip [always] [access-lists]}

connection | Configures a required response when a user makes a TCP connection.
enable | Configures a required response when a user enters the enable command.
slip | Configures a required response when a user starts a SLIP or PPP session.
always | (Optional) Performs authentication even when a user is not logged in. This option applies only to the slip keyword.
access-lists | (Optional) Requests and installs access lists. This option applies only to the slip keyword.
To send only a username to a specified server when a direct request is issued, use the tacacs-server directed-request global configuration command. Use the no form of this command to disable the direct-request feature.
tacacs-server directed-request

To enable an Extended TACACS mode, use the tacacs-server extended global configuration command. Use the no form of this command to disable the mode.

tacacs-server extended

To specify a TACACS host, use the tacacs-server host global configuration command. Use the no form of this command to delete the specified name or address.
tacacs-server host hostname [single-connection] [port integer] [timeout integer] [key string]

hostname | Name or IP address of the host.
single-connection | (Optional) Specifies that the router maintain a single open connection for confirmation from an AAA/TACACS+ server (CiscoSecure Release 1.0.1 or later). This option performs no autodetection and fails if the specified host is not running a CiscoSecure daemon.
port | (Optional) Specifies a server port number. This option overrides the default, which is port 49.
integer | (Optional) Port number of the server. Valid port numbers range from 1 to 65535.
timeout | (Optional) Specifies a timeout value. This overrides the global timeout value set with the tacacs-server timeout command for this server only.
integer | (Optional) Integer value, in seconds, of the timeout interval.
key | (Optional) Specifies an authentication and encryption key. This must match the key used by the TACACS+ daemon. Specifying this key overrides the key set by the global command tacacs-server key for this server only.
string | (Optional) Character string specifying the authentication and encryption key.
To set the authentication encryption key used for all TACACS+ communications between the access server and the TACACS+ daemon, use the tacacs-server key global configuration command. Use the no form of this command to disable the key.
tacacs-server key key

key | Key used to set authentication and encryption. This key must match the key used on the TACACS+ daemon.
To cause the network access server to request the privileged password as verification, or to allow successful login without further input from the user, use the tacacs-server last-resort global configuration command. Use the no form of this command to restore the system to the default behavior.
tacacs-server last-resort {password | succeed}

password | Allows the user to access the EXEC command mode by entering the password set by the enable command.
succeed | Allows the user to access the EXEC command mode without further question.
To specify how long the system will wait for login input (such as username and password) before timing out, use the tacacs-server login-timeout global configuration command. Use the no form of this command to restore the default value of 30 seconds.
tacacs-server login-timeout seconds

seconds | Integer that determines the number of seconds the system will wait for login input before timing out. Available settings are from 1 to 300 seconds.
To cause a message to be transmitted to the TACACS server, with retransmission being performed by a background process for up to five minutes, use the tacacs-server notify global configuration command. Use the no form of this command to disable notification.
tacacs-server notify {connection [always] | enable | logout [always] | slip [always]}

connection | Specifies that a message be transmitted when a user makes a TCP connection.
always | (Optional) Sends a message even when a user is not logged in. This option applies only to SLIP or PPP sessions and can be used with the logout or slip keywords.
enable | Specifies that a message be transmitted when a user enters the enable command.
logout | Specifies that a message be transmitted when a user logs out.
slip | Specifies that a message be transmitted when a user starts a SLIP or PPP session.
To specify that the first TACACS request to a TACACS server be made without password verification, use the tacacs-server optional-passwords global configuration command. Use the no form of this command to restore the default.
tacacs-server optional-passwords

To specify the number of times the Cisco IOS software searches the list of TACACS server hosts before giving up, use the tacacs-server retransmit global configuration command. Use the no form of this command to disable retransmission.

tacacs-server retransmit retries

retries | Integer that specifies the retransmit count.
To set the interval that the server waits for a server host to reply, use the tacacs-server timeout global configuration command. Use the no form of this command to restore the default.
tacacs-server timeout seconds

seconds | Integer that specifies the timeout interval in seconds (between 1 and 300). The default is 5 seconds.
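As an added example (not part of the Cisco reference), the Python audit below scans a constructed IOS configuration excerpt for the settings this chapter describes and flags the ones that weaken TACACS: a tacacs-server host with neither a per-host nor a global key (the key is what encrypts the TACACS+ exchange), a last-resort succeed fail-open on either the enable or tacacs-server command, a login attempts count above the default of 3, and a missing ip tacacs source-interface. The configuration text, host addresses and key value are constructed for illustration.

```python
import re

# Constructed IOS running-config excerpt (illustration only, not from the reference).
SAMPLE_CONFIG = """\
tacacs-server host 192.0.2.10 single-connection timeout 3 key Xs7-Example
tacacs-server host 192.0.2.11
tacacs-server attempts 10
tacacs-server timeout 5
tacacs-server last-resort succeed
enable last-resort succeed
"""

HOST_RE = re.compile(r"^tacacs-server host (\S+)(.*)$")
ATTEMPTS_RE = re.compile(r"^tacacs-server attempts (\d+)$")
DEFAULT_ATTEMPTS = 3  # default stated in the reference


def audit_tacacs_config(config: str) -> list[str]:
    """Return findings for unkeyed or fail-open TACACS settings in a config excerpt."""
    lines = [ln.strip() for ln in config.splitlines() if ln.strip()]
    has_global_key = any(ln.startswith("tacacs-server key ") for ln in lines)
    has_source_iface = any(ln.startswith("ip tacacs source-interface ") for ln in lines)
    findings = []
    for ln in lines:
        if m := HOST_RE.match(ln):
            host, opts = m.groups()
            # A per-host key overrides the global one; with neither, TACACS+ traffic is unencrypted.
            if not re.search(r"\bkey\s+\S", opts) and not has_global_key:
                findings.append(f"{host}: no key (per-host or global) for TACACS+ encryption")
        elif m := ATTEMPTS_RE.match(ln):
            if int(m.group(1)) > DEFAULT_ATTEMPTS:
                findings.append(f"login attempts {m.group(1)} exceed default {DEFAULT_ATTEMPTS}")
        elif ln in ("tacacs-server last-resort succeed", "enable last-resort succeed"):
            # 'succeed' grants access without further question when the servers do not respond.
            findings.append(f"fail-open: '{ln}' grants access when TACACS servers do not respond")
    if not has_source_iface:
        # Without a fixed source interface, packets carry whichever egress address routes to the server.
        findings.append("no ip tacacs source-interface: TACACS source address depends on routing")
    return findings


if __name__ == "__main__":
    for finding in audit_tacacs_config(SAMPLE_CONFIG):
        print("WARN:", finding)
```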