TACACS Configuration
show tacacs
[Command] show tacacs
[Purpose] Display terminal control configuration information
[View] System view
[Notes] After modifying the device configuration, use this command to view the authentication type, timeout period, and shared-key settings the device uses when communicating with the TACACS+ server.
[Use Cases]
```
sonic# show tacacs
TACPLUS global auth_type pap (default)
TACPLUS global timeout 5 (default)
TACPLUS global passkey <EMPTY_STRING> (default)
```
show tacacs status
[Command] show tacacs status
[Purpose] Display the connection status between the device and each configured TACACS+ server.
[View] System view
[Notes] Use this command to check the connection status between the device and each TACACS+ server. ‘online’ means the connection to that server is normal and authentication traffic can be exchanged. ‘offline’ means connectivity to that server is abnormal and the device cannot use it for TACACS+ authentication at this time.
[Use Cases]
```
sonic# show tacacs status
SERVER IP       STATUS
------------    --------
150.1.0.1       offline
192.168.0.78    online
```
tacacs authtype {chap|pap|mschap|login}
[Command] tacacs authtype {chap|pap|mschap|login}
[Purpose] Configure the authentication type used with the global TACACS+ server settings
[View] System Configuration View
[Notes] TACACS+ supports multiple authentication types, including:
a. Login: a simple login protocol in which the username and password are sent in plaintext over the network.
b. PAP: Password Authentication Protocol, in which the username and password are also sent in plaintext over the network.
c. CHAP: a more secure authentication protocol than PAP. The device sends the username, the encrypted password, and a 16-byte random number to the server. The server looks up the password for that username, encrypts it using the received random number and the shared key, and compares the result with the received encrypted password. If they match, authentication succeeds; otherwise it fails.
d. MSCHAP: the Microsoft extension of CHAP, typically used in Windows environments.
By default, the device’s authentication type is PAP.
[Use Cases]
```
sonic(config)# tacacs authtype chap
```
tacacs passkey
[Command] tacacs passkey *string*
no tacacs passkey
[Purpose] Configure the global shared key for TACACS+ servers
[View] System Configuration View
[Notes] By default, the device’s global TACACS+ shared key is public. The configured key is displayed in encrypted form. Save the configuration after modifying it.
[Use Cases]
```
sonic(config)# tacacs passkey test123
```
tacacs timeout
[Command] tacacs timeout *time*
[Purpose] Configure the global response timeout for TACACS+ servers
[Parameter]
| Parameter | Description |
|---|---|
| time | Response timeout in seconds; range 1 to 60, default 5 |
[View] System Configuration View
[Notes] If the device sends a request to the TACACS+ server and has not received a response when the response timeout expires, the connection to that server is considered to have timed out. By default, the timeout is 5 seconds.
[Use Cases]
```
sonic(config)# tacacs timeout 3
```
tacacs
[Command] tacacs *ip-address* [timeout *time_out*] [key *string*] [auth-type {chap|pap|mschap|login}] [port *port_num*] [pri *pri_num*] [mgmt-vrf]
[Purpose] Configure a TACACS+ authentication server and its parameters
[Parameter]
| Parameter | Description |
|---|---|
| ip-address | TACACS+ server IP address |
| timeout | Response timeout in seconds; range 1 to 60, default 5 |
| key | Shared key; default is public |
| auth-type | Authentication type: chap, pap, mschap or login; default is pap |
| port | TCP port of the authentication server; default is 49 |
| pri | Server priority; default is 1 |
| mgmt-vrf | Required when the device reaches the TACACS+ server through the management port and that port belongs to the MGMT VRF |
[View] System Configuration View
[Notes] The device administrator uses this command to configure the IP address of a TACACS+ server on the device, so that user authentication and command-line authorization can be performed by that server.
[Use Cases]
```
sonic(config)# tacacs 192.168.2.2
Do you need to enter shared secret [y/n]: y
enter shared secret:
enter shared secret again:
```
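As an added example (not part of this document or of the SONiC CLI), the following audit helper parses the `show tacacs` and `show tacacs status` output formats shown above and flags the weak states these commands expose: a plaintext authentication type (pap or login), an empty or default shared key, and a server that is offline. The sample output is constructed to match the use cases in this document, and the parsing assumes the column layout shown there.

```python
import re

# Constructed samples modelled on the "show tacacs" / "show tacacs status"
# use cases in this document (not captured from a real device).
SHOW_TACACS = """\
TACPLUS global auth_type pap (default)
TACPLUS global timeout 5 (default)
TACPLUS global passkey <EMPTY_STRING> (default)
"""
SHOW_TACACS_STATUS = """\
SERVER IP       STATUS
------------    --------
150.1.0.1       offline
192.168.0.78    online
"""

# Types the document describes as sending the password in plaintext.
PLAINTEXT_AUTH_TYPES = {"pap", "login"}
# Key values that mean no real secret is set (empty, or the documented default).
WEAK_KEYS = {"<EMPTY_STRING>", "public", ""}

def parse_show_tacacs(text):
    """Map each 'TACPLUS global <name> <value>' line to {name: value}."""
    settings = {}
    for line in text.splitlines():
        m = re.match(r"TACPLUS global (\w+) (\S+)", line)
        if m:
            settings[m.group(1)] = m.group(2)
    return settings

def parse_show_tacacs_status(text):
    """Map each '<ip> <status>' row to {ip: status}; header and rule lines are skipped."""
    servers = {}
    for line in text.splitlines():
        m = re.match(r"(\d{1,3}(?:\.\d{1,3}){3})\s+(\w+)", line)
        if m:
            servers[m.group(1)] = m.group(2)
    return servers

def audit(show_tacacs, show_status):
    """Return findings a defender would act on, or an empty list if nothing is flagged."""
    cfg = parse_show_tacacs(show_tacacs)
    findings = []
    if cfg.get("auth_type") in PLAINTEXT_AUTH_TYPES:
        findings.append(f"auth_type {cfg['auth_type']} sends passwords in plaintext; use chap or mschap")
    if cfg.get("passkey", "") in WEAK_KEYS:
        findings.append("global passkey is empty or default; set a strong key with 'tacacs passkey'")
    for ip, status in parse_show_tacacs_status(show_status).items():
        if status != "online":
            findings.append(f"server {ip} is {status}; it cannot authenticate users right now")
    return findings
```

Running `audit(SHOW_TACACS, SHOW_TACACS_STATUS)` on the constructed samples reports three findings; after `tacacs authtype chap` and a real `tacacs passkey`, with all servers online, it reports none.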