TACACS Configuration

11 min

show tacacs show tacacs \[command] show tacacs show tacacs config \[purpose] display terminal tacacs+ configuration information \[view] system view \[notes] after modifying device configurations, you can use this command to view information such as the authentication type, timeout period, and communication key for the tacacs terminal \[use cases] sonic# show tacacs tacplus global auth type pap (default) tacplus global timeout 5 (default) tacplus global passkey \<empty string> (default) show tacacs status show tacacs status \[command] show tacacs status \[purpose] display the tacacs server status \[view] system view \[notes] use this command to check the connection status between the tacacs server and the device online indicates a normal connection status with the server, allowing authentication communication to proceed normally offline indicates an abnormal connection status with the server, meaning the server cannot perform tacacs authentication at this time \[use cases] sonic# show tacacs status server ip status \ 192 168 0 78 online tacacs timeout tacacs timeout \[command] tacacs ipaddress timeout time out auth type {chap|pap|mschap|login} port port num pri pri num mgmt vrf use mgmt vrf \[purpose] configure the tacacs+ authentication server and specify the relevant parameters \[parameter] parameter description ip address tacacs+ server ip address time out transmission timeout interval, second range 1 to 60, default is 5 auth type authentication type, chap/pap/mschap/login, default is pap port num interface number, tcp interface range is 1 to 65535, default value 49 pri num priority, default value is 1 mgmt vrf manage vrf, default is no vrf \[view] system configuration view \[notes] device administrators can use this command to configure the ip address of the tacacs server on the device, enabling user authentication and command line authorization using the tacacs server \[use cases] sonic(config)# tacacs 192 168 2 2 do you need to enter shared secret \[y/n] y enter shared secret enter shared secret again tacacs authtype {chap|pap|mschap|login} tacacs authtype {chap|pap|mschap|login} \[command] tacacs authtype {chap|pap|mschap|login} \[purpose] configure the authentication type for the global tacacs+ server \[view] system configuration view \[notes] tacacs+ supports multiple authentication types, with the device supporting the following authentication methods login simple login authentication protocol, where the username and password are transmitted over the network in plaintext pap simple authentication protocol, where the username and password are transmitted over the network in plaintext chap a more secure authentication protocol than pap the device sends the username, an encrypted password, and a 16 byte random number to the server the server locates the corresponding password based on the username, then encrypts the received password using the random number and a shared secret key the result is compared with the received encrypted password if they match, authentication succeeds; otherwise, it fails mschap a microsoft extension of chap, commonly used in windows environments by default, the device's authentication type is set to pap \[use cases] sonic(config)# tacacs authtype chap tacacs passkey tacacs passkey \[command] tacacs passkey passwd no tacacs passkey \[purpose] configure the shared key for the global tacacs+ server \[view] system configuration view \[notes] by default, the tacacs+ server shared key for the device is public \[important notes] this configuration will be displayed in encrypted form please remember to save it after making changes \[use cases] sonic(config)# tacacs passkey test tacacs timeout tacacs timeout \[command] tacacs timeout time out no tacacs timeout \[purpose] configure the response timeout for the global tacacs+ server \[parameter] parameter description time out timeout time, in seconds, and the range is 1 60 \[view] system configuration view \[notes] after the device sends a request to the tacacs+ server, if the response timeout period elapses without receiving a response from the server, the connection to the server is considered timed out by default, the timeout period is 5 seconds \[use cases] sonic(config)# tacacs timeout 5