Cisco Wide Area Application Services Command Reference
OL-21611-01
Chapter 3 CLI Commands
(config) tacacs
You can use the TACACS+ remote database to maintain login and configuration privileges for
administrative users. The tacacs host command allows you to configure the network parameters required
to access the remote database.
Use the tacacs key command to specify the TACACS+ key, which is used to encrypt the packets transmitted to
the server. This key must be the same as the one specified on the server daemon. The key can contain at
most 99 printable ASCII characters (except tabs). An empty key string is the default. All leading spaces
are ignored; spaces within and at the end of the key string are not ignored. Double quotes are not
required even if there are spaces in the key, unless the quotes themselves are part of the key.
The tacacs timeout is the number of seconds that the WAAS device waits before declaring a timeout on
a request to a particular TACACS+ server. The range is from 1 to 20 seconds, with 5 seconds as the
default. The number of times that the WAAS device repeats a retry-timeout cycle before trying the next
TACACS+ server is specified by the tacacs retransmit command. The default is two retry attempts.
Three unsuccessful login attempts are permitted. TACACS+ logins may appear to take more time than
local logins depending on the number of TACACS+ servers and the configured timeout and retry values.
Use the tacacs password ascii command to specify the TACACS+ password type as ASCII. The default
password type is PAP (Password Authentication Protocol). When the no tacacs password ascii
command is used to disable the ASCII password type, the password type is reset to PAP.
You can configure multiple TACACS+ servers; authentication is attempted on the primary server first.
If the primary server is unreachable, then authentication is attempted on the other servers in the
TACACS+ farm, in the order in which they were configured. If authentication fails for any reason other
than a server being unreachable, authentication is not attempted on the other servers in the farm. This
process applies regardless of the setting of the authentication fail-over server-unreachable command.
Examples
The following example shows how to configure the key used in encrypting packets:
WAE(config)# tacacs key human789
The following example shows how to configure the host named spearhead as the primary TACACS+
server:
WAE(config)# tacacs host spearhead primary
The following example shows how to set the timeout interval for the TACACS+ server:
WAE(config)# tacacs timeout 10
The following example shows how to set the number of times that authentication requests are retried
(retransmitted) after a timeout:
WAE(config)# tacacs retransmit 5
The following example shows the password type to be PAP by default:
WAE# show tacacs
Login Authentication for Console/Telnet Session: enabled (secondary)
Configuration Authentication for Console/Telnet Session: enabled (secondary)
TACACS+ Configuration:
---------------------
TACACS+ Authentication is off
Key = *****
Timeout = 5
Retransmit = 2
Password type: pap
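The key, timeout and server-order rules described above can be checked against a saved configuration before it is applied. The following Python sketch is an added example, not Cisco code: the function name audit_tacacs, the second host backup1 and the worst-case wait formula (one initial attempt plus the configured retransmits per server) are assumptions made for illustration.

```python
import string

# Printable ASCII without tabs or other control whitespace; a plain space is allowed.
ALLOWED = (set(string.printable) - set(string.whitespace)) | {" "}

def audit_tacacs(config_text):
    """Parse the 'tacacs ...' lines of a config and return (settings, findings)."""
    cfg = {"key": "", "timeout": 5, "retransmit": 2, "password": "pap", "hosts": []}
    for raw in config_text.splitlines():
        line = raw.lstrip()
        if not line.startswith("tacacs "):
            continue
        verb, _, rest = line[len("tacacs "):].partition(" ")
        if verb == "key":
            cfg["key"] = rest.lstrip(" ")   # leading spaces ignored, trailing ones kept
        elif verb in ("timeout", "retransmit") and rest.strip().isdigit():
            cfg[verb] = int(rest)
        elif verb == "host" and rest.split():
            name, *opts = rest.split()
            # The primary server is tried first; the others keep configuration order.
            cfg["hosts"].insert(0 if "primary" in opts else len(cfg["hosts"]), name)
        elif verb == "password" and rest.strip() == "ascii":
            cfg["password"] = "ascii"

    findings = []
    key = cfg["key"]
    if not key:
        findings.append("key is empty (the default)")
    if len(key) > 99:
        findings.append("key exceeds 99 characters")
    if any(ch not in ALLOWED for ch in key):
        findings.append("key contains a tab or non-printable character")
    if key.endswith(" "):
        findings.append("key ends with a space; it is significant and must match the server")
    if not 1 <= cfg["timeout"] <= 20:
        findings.append("timeout outside 1-20 seconds")
    if not cfg["hosts"]:
        findings.append("no TACACS+ host configured")
    # Assumption: each server gets one initial attempt plus `retransmit` retries.
    cfg["worst_case_wait_s"] = len(cfg["hosts"]) * cfg["timeout"] * (1 + cfg["retransmit"])
    return cfg, findings

# Constructed sample: the example values from this page plus a hypothetical second host.
SAMPLE = "\n".join([
    "tacacs key human789",
    "tacacs host backup1",
    "tacacs host spearhead primary",
    "tacacs timeout 10",
    "tacacs retransmit 5",
])

if __name__ == "__main__":
    print(audit_tacacs(SAMPLE))
```

With the sample values, the estimated upper bound on login delay when every server is unreachable is 120 seconds, which illustrates why TACACS+ logins can appear slower than local logins.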