TACACS Configuration

[Command] show tacacs
show tacacs config

[Purpose] Display terminal TACACS+ configuration information.

[View] System view

[Notes] After modifying device configurations, you can use this command to view information such as the authentication type, timeout period, and communication key for the TACACS terminal.

[Use Cases]

sonic# show tacacs
TACPLUS global auth_type pap (default)
TACPLUS global timeout 5 (default)
TACPLUS global passkey <EMPTY_STRING> (default)

[Command] show tacacs status

[Purpose] Display the TACACS server status.

[View] System view

[Notes] Use this command to check the connection status between the TACACS server and the device. A status of online indicates a normal connection to the server, so authentication communication can proceed normally. A status of offline indicates an abnormal connection to the server, meaning the server cannot perform TACACS authentication at this time.

[Use Cases]

sonic# show tacacs status
SERVER IP STATUS
------------ --------
192.168.0.78 online

[Command] tacacs ipaddress timeout time_out auth-type {chap|pap|mschap|login} port port_num pri pri_num mgmt-vrf use_mgmt_vrf

[Purpose] Configure the TACACS+ authentication server and specify the relevant parameters.

[Parameter]

| Parameter | Description |
| --- | --- |
| ip_address | TACACS+ server IP address |
| time_out | Transmission timeout interval in seconds; range 1 to 60, default is 5 |
| auth-type | Authentication type: chap, pap, mschap or login; default is pap |
| port_num | TCP port number; range 1 to 65535, default value 49 |
| pri_num | Priority; default value is 1 |
| mgmt-vrf | Management VRF; default is no VRF |

[View] System configuration view

[Notes] Device administrators can use this command to configure the IP address of the TACACS server on the device, enabling user authentication and command-line authorization using the TACACS server.

[Use Cases]

sonic(config)# tacacs 192.168.2.2
Do you need to enter shared secret [y/n]: y
enter shared secret:
enter shared secret again:

[Command] tacacs authtype {chap|pap|mschap|login}

[Purpose] Configure the authentication type for the global TACACS+ server.

[View] System configuration view

[Notes] TACACS+ supports multiple authentication types, with the device supporting the following authentication methods:

  • Login: Simple Login Authentication Protocol, where the username and password are transmitted over the network in plaintext.
  • PAP: Simple Authentication Protocol, where the username and password are transmitted over the network in plaintext.
  • CHAP: A more secure authentication protocol than PAP. The device sends the username, an encrypted password, and a 16-byte random number to the server. The server locates the corresponding password based on the username, then encrypts the received password using the random number and a shared secret key. The result is compared with the received encrypted password. If they match, authentication succeeds; otherwise, it fails.
  • MSCHAP: A Microsoft extension of CHAP, commonly used in Windows environments.

By default, the device’s authentication type is set to PAP.

[Use Cases]

sonic(config)# tacacs authtype chap

[Command] tacacs passkey passwd
no tacacs passkey

[Purpose] Configure the shared key for the global TACACS+ server.

[View] System configuration view

[Notes] By default, the TACACS+ server shared key for the device is public.

[Use Cases]

sonic(config)# tacacs passkey test

[Command] tacacs timeout time_out
no tacacs timeout

[Purpose] Configure the response timeout for the global TACACS+ server.

[Parameter]

| Parameter | Description |
| --- | --- |
| time_out | Timeout in seconds; range 1 to 60 |

[View] System configuration view

[Notes] After the device sends a request to the TACACS+ server, if the response timeout period elapses without receiving a response from the server, the connection to the server is considered timed out. By default, the timeout period is 5 seconds.

[Use Cases]

sonic(config)# tacacs timeout 5
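
The Python check below is an added example, not part of this command reference or the device software. It parses output in the format of the show tacacs and show tacacs status examples above and flags the plaintext authentication types, a default or well-known shared key, and offline servers. It assumes the passkey line prints the configured value as in the example; the second server row and the weak-key list are constructed for illustration.

```python
import re

# Constructed sample output modelled on this page's examples; the .79 row is added.
SAMPLE_CONFIG = """\
TACPLUS global auth_type pap (default)
TACPLUS global timeout 5 (default)
TACPLUS global passkey <EMPTY_STRING> (default)
"""
SAMPLE_STATUS = """\
SERVER IP STATUS
------------ --------
192.168.0.78 online
192.168.0.79 offline
"""

PLAINTEXT_AUTH = {"pap", "login"}  # described on this page as sent in plaintext
WEAK_KEYS = {"<EMPTY_STRING>", "public", "test"}  # empty, stated default, doc example

def parse_config(text):
    """Return {setting: (value, is_default)} from 'show tacacs' output."""
    settings = {}
    for line in text.splitlines():
        m = re.match(r"TACPLUS global (\S+) (\S+)(\s+\(default\))?\s*$", line.strip())
        if m:
            settings[m.group(1)] = (m.group(2), bool(m.group(3)))
    return settings

def parse_status(text):
    """Return {server_ip: status} from 'show tacacs status' output."""
    row = r"^(\d{1,3}(?:\.\d{1,3}){3})\s+(online|offline)\s*$"
    return dict(re.findall(row, text, re.M))

def audit(config_text, status_text):
    """Return a list of findings for weak or unhealthy TACACS+ settings."""
    findings = []
    cfg = parse_config(config_text)
    auth, _ = cfg.get("auth_type", ("pap", True))  # page: default is pap
    if auth in PLAINTEXT_AUTH:
        findings.append(f"auth_type {auth}: credentials sent in plaintext; prefer chap")
    key, key_default = cfg.get("passkey", ("<EMPTY_STRING>", True))
    if key_default or key in WEAK_KEYS:
        findings.append("passkey: default, empty or well-known shared secret")
    for ip, state in sorted(parse_status(status_text).items()):
        if state == "offline":
            findings.append(f"server {ip}: offline, TACACS+ authentication unavailable")
    return findings

if __name__ == "__main__":
    for finding in audit(SAMPLE_CONFIG, SAMPLE_STATUS):
        print("FINDING:", finding)
```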