TACACS Configuration
show tacacs

\[Command]

`show tacacs`

\[Purpose]

Display terminal control configuration information.

\[View]

System view

\[Notes]

After modifying the device configuration, use this command to view the authentication type, timeout period, and communication key information of the TACACS terminal with the server.

\[Use cases]

```
sonic# show tacacs
tacplus global auth type pap (default)
tacplus global timeout 5 (default)
tacplus global passkey <empty string> (default)
```

show tacacs status

\[Command]

`show tacacs status`

\[Purpose]

Check the connection status between the TACACS server and devices.

\[View]

System view

\[Notes]

Use this command to check the connection status between the TACACS server and the device. "online" indicates that the connection to the server is normal and authentication communication can be carried out. "offline" indicates abnormal connectivity with the server; the server is unable to perform TACACS authentication at this time.

\[Use cases]

```
sonic# show tacacs status
server ip       status
150.1.0.1       offline
192.168.0.78    online
```

tacacs authtype {chap|pap|mschap|login}

\[Command]

`tacacs authtype {chap|pap|mschap|login}`

\[Purpose]

Configure the authentication type for the global TACACS+ server.

\[View]

System configuration view

\[Notes]

TACACS+ supports multiple authentication types, including:

a. login: simple login protocol, where the username and password are sent in plaintext over the network.

b. pap: simple authentication protocol, where usernames and passwords are sent in plaintext over the network.

c. chap: a more secure authentication protocol than PAP. The device sends the username, encrypted password, and a 16-byte random number to the server. The server looks up the corresponding password based on the username, and then encrypts the password based on the received random number and shared key. The result is compared with the received encrypted password. If they are the same, authentication has passed; otherwise it has not.

d. mschap: the Microsoft extension of CHAP, typically used in Windows environments.

By default, the device's authentication type is PAP.

\[Use cases]

```
sonic(config)# tacacs authtype chap
```

tacacs passkey

\[Command]

`tacacs passkey string`

`no tacacs passkey`

\[Purpose]

Configure the shared key for TACACS+ servers globally.

\[View]

System configuration view

\[Notes]

By default, the TACACS+ server shared key of the device is public. This configuration is displayed in encrypted form. Save the configuration after modifying it.

\[Use cases]

```
sonic(config)# tacacs passkey test123
```

tacacs timeout

\[Command]

`tacacs timeout time`

\[Purpose]

Configure the response timeout for TACACS+ servers globally.

\[Parameter]

| Parameter | Description |
| --- | --- |
| time | Response timeout interval in seconds. Range 1 to 60, default is 5 |

\[View]

System configuration view

\[Notes]

If the device sends a request to the TACACS+ server and has still not received a response when the response timeout is reached, the connection with the server is considered to have timed out. By default, the timeout is 5 seconds.

\[Use cases]

```
sonic(config)# tacacs timeout 3
```

tacacs ip address

\[Command]

`tacacs ip address [timeout time out] [key string] [auth type {chap|pap|mschap|login}] [port port num] [pri <pri num>] [mgmt vrf]`

\[Purpose]

Configure a TACACS+ authentication server and specify the relevant parameters.

\[Parameter]

| Parameter | Description |
| --- | --- |
| ip address | TACACS+ server IP address |
| timeout | Response timeout interval in seconds. Range 1 to 60, default is 5 |
| key | Shared key, default is public |
| auth type | Verification type, chap/pap/mschap/login, default is pap |
| port | Port number of the authentication server, default is 49 |
| pri | Server priority, default value is 1 |
| mgmt vrf | Must be configured when communicating with the TACACS server through the management port and the management port belongs to mgmt vrf |

\[View]

System configuration view

\[Notes]

The device administrator can use this command to configure the IP address of the TACACS server on the device, in order to achieve user authentication and command line authorization using the TACACS server.

\[Use cases]

```
sonic(config)# tacacs 192.168.2.2
do you need to enter shared secret [y/n] y
enter shared secret
enter shared secret again
```
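The following Python check is an added example, not part of the original documentation: it reads captured text from `show tacacs` and `show tacacs status` and reports the weak defaults this page names (a plaintext `pap` or `login` auth type, a passkey left at its default) along with any offline server. The sample text is constructed from the use cases on this page; the function name, finding strings and the tolerant field-name matching are assumptions.

```python
import re

# Auth types this page describes as sending credentials in plaintext.
PLAINTEXT_AUTH = {"pap", "login"}

# Matches 'tacplus global <field> <value> [(default)]'; the field name may be
# written 'auth type', 'auth_type' or 'auth-type' (assumption: spelling varies).
GLOBAL_RE = re.compile(
    r"\s*tacplus\s+global\s+(auth[ _-]?type|timeout|passkey)\s+(.+?)\s*(\(default\))?\s*$",
    re.IGNORECASE,
)
STATUS_RE = re.compile(r"\s*(\d{1,3}(?:\.\d{1,3}){3})\s+(online|offline)\s*$", re.IGNORECASE)


def audit_tacacs(show_tacacs: str, show_status: str) -> list:
    """Return a list of findings for the two captured command outputs."""
    findings = []
    for line in show_tacacs.splitlines():
        m = GLOBAL_RE.match(line)
        if not m:
            continue
        field = re.sub(r"[ _-]", "", m.group(1).lower())
        value, is_default = m.group(2).lower(), bool(m.group(3))
        if field == "authtype" and value in PLAINTEXT_AUTH:
            findings.append(f"auth type '{value}' sends credentials in plaintext; use chap")
        if field == "passkey" and is_default:
            findings.append("passkey left at default; set a unique shared key")
    for line in show_status.splitlines():
        m = STATUS_RE.match(line)
        if m and m.group(2).lower() == "offline":
            findings.append(f"server {m.group(1)} is offline; TACACS authentication unavailable")
    return findings


# Constructed sample input, mirroring the use cases shown on this page.
SAMPLE_SHOW = """tacplus global auth type pap (default)
tacplus global timeout 5 (default)
tacplus global passkey <empty string> (default)"""
SAMPLE_STATUS = """server ip status
150.1.0.1 offline
192.168.0.78 online"""

if __name__ == "__main__":
    for finding in audit_tacacs(SAMPLE_SHOW, SAMPLE_STATUS):
        print("FINDING:", finding)
```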
