Cisco MGX 8800/8900 Series Software Configuration Guide
Release 5.1, Part Number OL-6482-01, Rev. A0, January 25, 2005
Chapter 9 Switch Operating Procedures
Managing Remote (TACACS+) Authentication and Authorization
Table 9-29 describes the parameters for this command.
Table 9-29 Parameters for cnfaaa-server Command

ServerIp
    This required parameter identifies the IP address of a target AAA server.

ServerPort
    When the target AAA server does not use the default port number for TACACS+ communications, you can use this optional parameter to specify the correct port. The default port number is 49.

-primary
    When multiple AAA servers are configured, use this optional parameter to specify the primary or preferred server to use for authentication and authorization. There can be up to three servers.

timeout
    Optionally, specifies how long the switch will wait for an authentication or authorization response from a server. If no response is received by the end of the timeout period, the server is marked dead and the switch does not try to access that server again until the end of the dead time period.
    When a server is marked dead, the switch tries to access the next server in the configured list. If no AAA servers respond, the switch uses the next configured method as described in the "Configuring User Authentication on the Switch" and "Configuring Command Authorization on the Switch" sections.
    You can specify the timeout by entering a number in the range of 1 to 30 seconds, or by entering the default keyword. The default timeout value is 5 seconds.

dt
    This optional parameter defines the dead time for a configured server. The dead time starts when a server fails to respond. During the dead time, the switch will not attempt to use the unresponsive server. Instead, the switch will use other configured servers, and if all servers are unresponsive, the switch uses other authentication and authorization methods as described in the "Configuring User Authentication on the Switch" and "Configuring Command Authorization on the Switch" sections.
    You can specify the dead time by entering a number in the range of 0 to 5 minutes, or by entering the default keyword. The default dead time value is 0 minutes.

single
    This optional parameter selects either single-connection server communications or multiple-connection server communications. If single-connection communications are selected, the switch attempts to direct all authentication and authorization requests through a single TCP connection to the server. If single-connection communications are disabled, multiple TCP connections are used for multiple authentication and authorization requests.
    Note: When this feature is disabled (multiple-connection communications are enabled) and you are running one or more scripts, we recommend executing commands no less than 0.6 seconds apart for each script. For example, if two scripts are running at the same time, commands should be executed not less than 1.2 seconds apart. If commands are issued more frequently than this, the following symptoms can appear:
    • Telnet sessions take a long time to start.
    • FTP sessions can fail.
    • The following message can appear: Command execution currently restricted to root users only.
    • The warning W_THROTTLED is logged once every 30 minutes while this occurs.
    • In the dspaaa-stats command display, the # socket throttles row values will increment.
    Valid settings for this parameter are true, false, and default, which produces the same result as selecting true. The default configuration for single-connection communications is true.
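The failover rules in Table 9-29 (ordered server list with a preferred primary, per-server timeout, dead time during which a non-responding server is skipped, and fallback to the next configured method when every server is unresponsive) are easier to reason about as a small simulation. The following Python model is an added example for this guide, not Cisco code, and it does not speak TACACS+; the server addresses (192.0.2.x), the simulated clock, and the AaaServer/AaaClient/make_transport names are all constructed for illustration. It shows one operationally important consequence of the default dead time of 0 minutes: a dead server is retried on every request, so each request pays the full timeout before the next server is tried.

```python
"""Model of cnfaaa-server failover semantics (constructed example, not Cisco code).

Rules modelled from Table 9-29:
  - up to three servers; the -primary server is tried first
  - a server that gives no reply within its timeout is marked dead
  - a dead server is skipped until its dead time (dt, in minutes) has elapsed
  - if no server replies, the next configured method (here: a fallback callable) is used
"""
from dataclasses import dataclass
from typing import Callable, Dict, List, Optional


@dataclass
class AaaServer:
    ip: str
    port: int = 49             # TACACS+ default port from the table
    timeout_s: int = 5         # valid range 1..30, default 5
    dead_time_min: int = 0     # valid range 0..5, default 0
    primary: bool = False
    dead_until: float = 0.0    # simulated clock value at which the server may be retried

    def __post_init__(self) -> None:
        if not 1 <= self.timeout_s <= 30:
            raise ValueError("timeout must be 1..30 seconds")
        if not 0 <= self.dead_time_min <= 5:
            raise ValueError("dead time must be 0..5 minutes")


# transport(server, request, timeout_s) -> True/False, or None when no reply arrives in time
Transport = Callable[[AaaServer, str, int], Optional[bool]]


class AaaClient:
    MAX_SERVERS = 3  # "There can be up to three servers."

    def __init__(self, servers: List[AaaServer], fallback: Callable[[str], object]):
        if len(servers) > self.MAX_SERVERS:
            raise ValueError("at most three AAA servers may be configured")
        # Primary first; remaining servers keep their configured order (sorted is stable).
        self.servers = sorted(servers, key=lambda s: not s.primary)
        self.fallback = fallback
        self.attempts: List[str] = []   # audit trail of which server handled each try

    def authorize(self, now: float, request: str, transport: Transport) -> object:
        """Walk the server list at simulated time `now`, honouring dead time."""
        for srv in self.servers:
            if now < srv.dead_until:
                continue                      # still inside dead time: do not contact it
            self.attempts.append(srv.ip)
            reply = transport(srv, request, srv.timeout_s)
            if reply is None:                 # timeout: mark dead for dt minutes
                srv.dead_until = now + srv.dead_time_min * 60
                continue
            return reply
        self.attempts.append("fallback")      # no AAA server responded
        return self.fallback(request)


def make_transport(replies: Dict[str, Optional[bool]]) -> Transport:
    """Constructed transport: a fixed reply per server IP (None = no response)."""
    def transport(server: AaaServer, request: str, timeout_s: int) -> Optional[bool]:
        return replies.get(server.ip)
    return transport


def demo_dead_time(dead_time_min: int) -> List[str]:
    """Three requests at t=0, 30 and 130 s; the primary never answers, the secondary does.
    Returns the sequence of servers contacted, which shows how dt changes retry behaviour."""
    primary = AaaServer("192.0.2.10", primary=True, dead_time_min=dead_time_min)
    secondary = AaaServer("192.0.2.11")
    client = AaaClient([secondary, primary], fallback=lambda req: "local-method")
    transport = make_transport({"192.0.2.10": None, "192.0.2.11": True})
    for t in (0.0, 30.0, 130.0):
        assert client.authorize(t, "show-config", transport) is True
    return client.attempts


def demo_all_dead() -> object:
    """Every server times out, so the next configured method answers."""
    client = AaaClient([AaaServer("192.0.2.10"), AaaServer("192.0.2.11")],
                       fallback=lambda req: "local-method")
    return client.authorize(0.0, "login", make_transport({}))


if __name__ == "__main__":
    print("dt=2 min:", demo_dead_time(2))   # primary skipped at t=30, retried at t=130
    print("dt=0 min:", demo_dead_time(0))   # primary retried on every request
    print("all dead:", demo_all_dead())
```

With dt=2 the primary is contacted at t=0, skipped at t=30 (inside dead time) and retried at t=130; with the default dt=0 it is contacted on all three requests, each time costing the 5-second timeout before the secondary answers.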