Owner's Manual
Chapter 17. Security
NETGEAR 8800 User Manual
• Enabling and Disabling TACACS+ Accounting
• TACACS+ Accounting Configuration Example
Specifying the Accounting Server Addresses
Before the TACACS+ client software can communicate with a TACACS+ accounting server,
you must specify the server address in the client software. You can specify up to two
accounting servers, and you can use either an IP address or a host name to identify each
server.
To specify TACACS+ accounting servers, use the following command:
configure tacacs-accounting [primary | secondary] server [<ipaddress> | <hostname>] {<udp_port>} client-ip <ipaddress> {vr <vr_name>}
To configure the primary TACACS+ accounting server, specify primary. To configure the
secondary TACACS+ accounting server, specify secondary.
Configuring the TACACS+ Client Accounting Timeout Value
To configure the timeout if a server fails to respond, use the following command:
configure tacacs-accounting timeout <seconds>
To detect and recover from a TACACS+ accounting server failure, the switch makes one
authentication attempt and, when the timeout has expired, either tries the next designated
TACACS+ accounting server or reverts to the local database for authentication. If the
switch still has IP connectivity to the TACACS+ accounting server but a TCP session cannot
be established (such as a failed TACACS+ daemon on the accounting server), failover
happens immediately, regardless of the configured timeout value.
For example, if the timeout value is set to 3 seconds (the default value), it takes 3 seconds to
fail over from the primary TACACS+ accounting server to the secondary TACACS+
accounting server. If both the primary and the secondary servers fail or are unavailable, it
takes approximately 6 seconds to revert to the local database for authentication.
Configuring the Shared Secret Password for TACACS+ Accounting Servers
The shared secret is a password that is configured on each network device and TACACS+
accounting server. The shared secret is used to verify communication between network
devices and the server.
To configure the shared secret for client communications with TACACS+ accounting servers,
use the following command:
configure tacacs-accounting [primary | secondary] shared-secret {encrypted} <string>
To configure the primary TACACS+ accounting server, specify primary. To configure the
secondary TACACS+ accounting server, specify secondary.
Do not use the encrypted keyword to set the shared secret. The encrypted keyword prevents
the display of the shared secret in the show configuration command output.
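The following check is an added example, not part of the NETGEAR manual. It audits saved configuration text for the three commands described above and reports missing servers, missing shared secrets, and the worst-case delay before the switch reverts to the local database. It assumes the text holds the commands in the syntax shown above and that a stored secret is marked with the encrypted keyword; the sample lines, addresses, host name and secret string are constructed.

```python
import re

# Constructed sample: config lines written in the command syntax shown above.
# Addresses are documentation-range values; the secret string is a placeholder.
SAMPLE_CONFIG = """\
configure tacacs-accounting primary server 192.0.2.10 49 client-ip 192.0.2.1 vr VR-Default
configure tacacs-accounting primary shared-secret encrypted "PLACEHOLDER-OBSCURED"
configure tacacs-accounting secondary server tacacs2.example.net client-ip 192.0.2.1
configure tacacs-accounting timeout 3
"""

SERVER_RE = re.compile(
    r"^configure tacacs-accounting (primary|secondary) server (\S+)"
    r"(?: (\d+))? client-ip (\S+)(?: vr (\S+))?$")
SECRET_RE = re.compile(
    r"^configure tacacs-accounting (primary|secondary) shared-secret"
    r"( encrypted)? (.+)$")
TIMEOUT_RE = re.compile(r"^configure tacacs-accounting timeout (\d+)$")


def audit(config_text):
    """Return (findings, worst_case_fallback_seconds) for a config dump."""
    servers, secrets, timeout = {}, {}, 3   # 3 s is the default per the manual
    for line in map(str.strip, config_text.splitlines()):
        if m := SERVER_RE.match(line):
            servers[m.group(1)] = m.group(2)
        elif m := SECRET_RE.match(line):
            secrets[m.group(1)] = bool(m.group(2))  # True if marked encrypted
        elif m := TIMEOUT_RE.match(line):
            timeout = int(m.group(1))
    findings = []
    for role in ("primary", "secondary"):
        if role not in servers:
            findings.append(f"{role}: no accounting server configured")
        elif role not in secrets:
            findings.append(f"{role}: server set but no shared secret")
        elif not secrets[role]:
            findings.append(f"{role}: shared secret readable in config text")
    for role in sorted(secrets.keys() - servers.keys()):
        findings.append(f"{role}: shared secret set but no server")
    # One timeout per unresponsive server before the next fallback step,
    # matching the manual's 3 s / approximately 6 s example.
    return findings, timeout * len(servers)


if __name__ == "__main__":
    print(audit(SAMPLE_CONFIG))
```

Run against a configuration backup or a provisioning template, the findings show which accounting server lacks a secret and whether any secret is stored in readable form.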










