Owner's Manual

Chapter 17. Security
NETGEAR 8800 User Manual
Configuring the TACACS+ Client Timeout Value
To configure the timeout if a server fails to respond, use the following command:
configure tacacs timeout <seconds>
To detect and recover from a TACACS+ server failure when the timeout has expired, the
switch makes one authentication attempt before trying the next designated TACACS+ server
or reverting to the local database for authentication. If the switch still has IP
connectivity to the TACACS+ server but a TCP session cannot be established (for example,
because the TACACS+ daemon on the server has failed), failover happens immediately,
regardless of the configured timeout value.
For example, if the timeout value is set to 3 seconds (the default value), it takes 3 seconds
to fail over from the primary TACACS+ server to the secondary TACACS+ server. If both the
primary and the secondary servers fail or are unavailable, it takes approximately 6 seconds
to revert to the local database for authentication.
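The failover timing described above can be worked through for any combination of server states. The following Python model is an added example, not part of the NETGEAR manual or the switch software; the names ServerState and resolve_auth_source are hypothetical, and it assumes the only fallback is the local database.

```python
from enum import Enum

class ServerState(Enum):
    RESPONDING = "responding"    # daemon answers the authentication request
    SILENT = "silent"            # no reply: the switch waits the full timeout
    TCP_REFUSED = "tcp_refused"  # IP reachable, TCP session cannot be established

DEFAULT_TIMEOUT = 3  # seconds, the default value stated in the manual

def resolve_auth_source(primary, secondary, timeout=DEFAULT_TIMEOUT,
                        client_enabled=True):
    """Return (source, seconds_elapsed) for one login attempt.

    Model of the documented behaviour: one attempt per server, in order.
    A silent server costs the full timeout, a refused TCP session costs
    nothing, and the local database is the last resort.
    """
    if timeout <= 0:
        raise ValueError("timeout must be a positive number of seconds")
    if not client_enabled:
        # 'disable tacacs': the client never contacts a TACACS+ server
        return ("local", 0)
    elapsed = 0
    for name, state in (("primary", primary), ("secondary", secondary)):
        if state is ServerState.RESPONDING:
            return (name, elapsed)
        if state is ServerState.SILENT:
            elapsed += timeout  # wait out the timer, then move on
        # TCP_REFUSED: immediate failover, no time added
    return ("local", elapsed)

if __name__ == "__main__":
    S = ServerState
    # Constructed combinations of primary/secondary server state
    cases = [(S.RESPONDING, S.RESPONDING), (S.SILENT, S.RESPONDING),
             (S.SILENT, S.SILENT), (S.TCP_REFUSED, S.SILENT),
             (S.TCP_REFUSED, S.TCP_REFUSED)]
    for p, s in cases:
        source, secs = resolve_auth_source(p, s)
        print(f"primary={p.value:<12} secondary={s.value:<12} "
              f"-> {source} after {secs}s")
```

The model shows that the delay before local-database logins are accepted depends on how each server fails, not only on the configured timeout.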
Configuring the Shared Secret Password for TACACS+ Communications
The shared secret is a password that is configured on each network device and TACACS+
server. The shared secret is used to verify communication between network devices and the
server.
To configure the shared secret for client communications with TACACS+ servers, use the
following command:
configure tacacs [primary | secondary] shared-secret {encrypted} <string>
To configure the shared secret for a primary TACACS+ server, specify primary. To configure
the shared secret for a secondary TACACS+ server, specify secondary.
Do not use the encrypted keyword to set the shared secret. The encrypted keyword prevents
the display of the shared secret in the show configuration command output.
Enabling and Disabling the TACACS+ Client Service
The TACACS+ client service can be enabled or disabled without affecting the client
configuration. When the client service is disabled, the client does not communicate with the
TACACS+ server, so authentication must take place through another service such as the
local database or a RADIUS server.
Note: You cannot use RADIUS and TACACS+ at the same time.
To enable the TACACS+ client service, use the following command:
enable tacacs
To disable the TACACS+ client service, use the following command:
disable tacacs