Cisco MGX 8800/8900 Series Software Configuration Guide
Release 5.1, Part Number OL-6482-01, Rev. A0, January 25, 2005
Chapter 9 Switch Operating Procedures
Managing Remote (TACACS+) Authentication and Authorization
Configuring AAA Servers
To configure a Cisco MGX switch for remote TACACS+ authentication and authorization, you must
have an IP address for the remote AAA server. For encrypted authentication and authorization, you must
also have an encrypted key to apply at the AAA server and at the Cisco MGX switch.
Tip: If you know the encryption key and the IP address the AAA server will use, you can configure the server
after the switch. The “Configuring User Authentication on the Switch” and “Configuring Command
Authorization on the Switch” sections describe the authentication and authorization that take place when
the AAA server is not available.
The exact procedure for configuring the AAA server can be found in the documentation for that product.
The following is a list of the general tasks that need to be performed:
• Install the AAA server.
• Configure the AAA server to use the TACACS+ protocol.
• Configure the AAA server IP address and provide it to the person who configures the Cisco MGX switch.
• If encrypted authentication and authorization are planned, produce an encryption key and give it to the person who configures the Cisco MGX switch.
• If required by the AAA server, configure the AAA server to use the IP address of each Cisco MGX switch it will support. (Some AAA servers accept communications from any IP address if the encryption key is correct.)
• Configure the AAA server to support the cisco user at the CISCO_GP level. We recommend that you also configure users at the SERVICE_GP and SUPER_GP levels.
• Configure the AAA server to support additional users according to the requirements of your business.
Configuring the Cisco MGX Switch to Access AAA Servers
The first step in configuring a Cisco MGX switch for AAA server access is to configure the identity of
one or more AAA servers on the switch. The switch will not permit you to select TACACS+
authentication or authorization until at least one AAA server has been configured. To configure a Cisco
MGX switch for remote TACACS+ authentication and authorization, you must have an IP address for
the remote AAA server. For encrypted authentication and authorization, you must also configure the same
encryption key at the switch and at the AAA server.
Tip: If you know the encryption key and the IP address the AAA server will use, you can configure the server
after the switch. The “Configuring User Authentication on the Switch” and “Configuring Command
Authorization on the Switch” sections describe the authentication and authorization that take place when
the AAA server is not available.
To configure an AAA server, log in using a username with SERVICE_GP privileges or higher and enter
the cnfaaa-server command in the following format:
M8850_LA.7.PXM.a > cnfaaa-server tacacs+ -ip <ServerIp> [-port <ServerPort>] [-primary] [-timeout <timeout>] [-dt <dt>] [-single <single>]