Home » Cisco Manuals » Bridges & Routers » Cisco WS-C2960S-24PD-L » Manual Viewer

Cisco WS-C2960S-24PD-L Software Guide - Page 179

Configuring TACACS+, Configuring the TACACS+ Server Host

View all Cisco WS-C2960S-24PD-L manuals

Add to My Manuals
Save this manual to your list of manuals

Page 179 highlights

Chapter 6 Configuring the System Configuring TACACS+ Configuring TACACS+ The Terminal Access Controller Access Control System Plus (TACACS+) provides the means to manage network security (authentication, authorization, and accounting [AAA]) from a server. This section describes how TACACS+ works and how you can configure it. Note For complete syntax and usage information for the commands described in this section, refer to the Cisco IOS Release 12.0 Security Command Reference. You can only configure this feature by using the CLI; you cannot configure it through CMS. Note If TACACS+ is configured on the command switch, TACACS+ must also be configured on all member switches to access the switch cluster from CMS. For more information about switch clusters, see the Chapter 5, "Clustering Switches." In large enterprise networks, the task of administering passwords on each device can be simplified by centralizing user authentication on a server. TACACS+ is an access-control protocol that allows a switch to authenticate all login attempts through a central server. The network administrator configures the switch with the address of the TACACS+ server, and the switch and the server exchange messages to authenticate each user before allowing access to the management console. TACACS+ consists of three services: authentication, authorization, and accounting. Authentication determines who the user is and whether or not the user is allowed access to the switch. Authorization is the action of determining what the user is allowed to do on the system. Accounting is the action of collecting data related to resource usage. The TACACS+ feature is disabled by default. However, you can enable and configure it by using the CLI. You can access the CLI through the console port or through Telnet. To prevent a lapse in security, you cannot configure TACACS+ through a network-management application. When enabled, TACACS+ can authenticate users accessing the switch through the CLI. Note Although the TACACS+ configuration is performed through the CLI, the TACACS+ server authenticates HTTP connections that have been configured with a privilege level of 15. Configuring the TACACS+ Server Host Use the tacacs-server host command to specify the names of the IP host or hosts maintaining an AAA/TACACS+ server. On TACACS+ servers, you can configure these additional options: • Number of seconds that the switch waits while trying to contact the server before timing out. • Encryption key to encrypt and decrypt all traffic between the router and the daemon. • Number of attempts that a user can make when entering a command that is being authenticated by TACACS+. 78-6511-08 Catalyst 2900 Series XL and Catalyst 3500 Series XL Software Configuration Guide 6-51

Section	Page
Catalyst2900SeriesXL and Catalyst3500 SeriesXL Software Configuration Guide	1
Contents	3
Preface	15
Audience	15
Purpose	15
Organization	16
Conventions	17
Related Publications	18
Obtaining Documentation	19
World Wide Web	19
Documentation CD-ROM	19
Ordering Documentation	19
Documentation Feedback	19
Obtaining Technical Assistance	20
Cisco.com	20
Technical Assistance Center	20
Cisco TAC Web Site	21
Cisco TAC Escalation Center	21
Overview	23
Features	23
Management Options	28
Management Interface Options	28
Advantages of Using CMS and Clustering Switches	29
Network Configuration Examples	30
Design Concepts for Using the Switch	30
Small to Medium-Sized Network Configuration	33
Collapsed Backbone and Switch Cluster Configuration	35
Large Campus Configuration	37
Hotel Network Configuration	39
Multidwelling Configuration	41
Long-Distance, High-Bandwidth Transport Configuration	43
Where to Go To Next	43
Getting Started with CMS	45
Features	46
Front Panel View	48
Cluster Tree	49
Front-Panel Images	50
Redundant Power System LED	51
Port Modes and LEDs	52
VLAN Membership Modes	56
Topology View	57
Topology Icons	59
Device and Link Labels	60
Colors in the Topology View	61
Topology Display Options	61
Menus and Toolbar	62
Menu Bar	62
Toolbar	67
Front Panel View Popup Menus	68
Device Popup Menu	68
Port Popup Menu	68
Topology View Popup Menus	69
Link Popup Menu	69
Device Popup Menus	70
Interaction Modes	72
Guide Mode	72
Expert Mode	72
Wizards	72
Tool Tips	73
Online Help	73
CMS Window Components	74
Host Name List	74
Tabs, Lists, and Tables	75
Icons Used in Windows	75
Buttons	75
Accessing CMS	76
Access Modes in CMS	77
Verifying Your Changes	78
Change Notification	78
Error Checking	78
Saving Your Changes	78
Using Different Versions of CMS	79
Where to Go Next	79
Getting Started with the CLI	81
Command Usage Basics	82
Accessing Command Modes	82
Specifying Ports in Interface Configuration Mode	84
Abbreviating Commands	84
Using the No and Default Forms of Commands	85
Redisplaying a Command	85
Getting Help	85
Command-Line Error Messages	86
Accessing the CLI	87
Accessing the CLI from a Browser	87
Saving Configuration Changes	88
Where to Go Next	88
General Switch Administration	89
Initial Switch Configuration	90
Switch Software Releases	90
Console Port Access	91
HTTP Access to CMS	91
Telnet Access to the CLI	92
SNMP Network Management Platforms	93
Using FTP to Access the MIB Files	93
Using SNMP to Access MIB Variables	94
Default Settings	95
Clustering Switches	101
Understanding Switch Clusters	102
Command Switch Characteristics	103
Standby Command Switch Characteristics	103
Candidate Switch and Member Switch Characteristics	104
Planning a Switch Cluster	105
Automatic Discovery of Cluster Candidates and Members	105
Discovery through CDP Hops	106
Discovery through Non-CDP-Capable and Noncluster-Capable Devices	107
Discovery through the Same Management VLAN	108
Discovery through Different Management VLANs	109
Discovery of Newly Installed Switches	111
HSRP and Standby Command Switches	112
Virtual IP Addresses	113
Other Considerations for Cluster Standby Groups	113
Automatic Recovery of Cluster Configuration	115
IP Addresses	115
Host Names	116
Passwords	116
SNMP Community Strings	116
TACACS+ and RADIUS	117
Access Modes in CMS	117
Management VLAN	118
Network Port	119
NAT Commands	119
LRE Profiles	119
Availability of Switch-Specific Features in Switch Clusters	119
Creating a Switch Cluster	119
Enabling a Command Switch	120
Adding Member Switches	121
Creating a Cluster Standby Group	123
Verifying a Switch Cluster	125
Using the CLI to Manage Switch Clusters	126
Catalyst1900 and Catalyst2820 CLI Considerations	126
Using SNMP to Manage Switch Clusters	127
Configuring the System	129
Changing IP Information	130
Manually Assigning and Removing Switch IP Information	130
Using DHCP-Based Autoconfiguration	131
Understanding DHCP-Based Autoconfiguration	131
DHCP Client Request Process	132
Configuring the DHCP Server	133
Configuring the TFTP Server	133
Configuring the Domain Name and the DNS	134
Configuring the Relay Device	135
Obtaining Configuration Files	136
Example Configuration	137
Assigning Passwords and Privilege Levels	139
Setting the System Date and Time	140
Configuring Daylight Saving Time	140
Configuring the Network Time Protocol	141
Configuring the Switch as an NTP Client	141
Enabling NTP Authentication	141
Configuring the Switch for NTP Broadcast-Client Mode	141
Configuring CDP	141
Configuring CDP for Extended Discovery	142
Managing the MAC Address Tables	143
MAC Addresses and VLANs	143
Changing the Address Aging Time	144
Removing Dynamic Address Entries	144
MAC Address Notification	145
Adding Secure Addresses	146
Removing Secure Addresses	146
Adding Static Addresses	147
Removing Static Addresses	147
Configuring Static Addresses for EtherChannel Port Groups	148
Configuring CGMP	148
Enabling the Fast Leave Feature	149
Disabling the CGMP Fast Leave Feature	149
Changing the CGMP Router Hold-Time	150
Removing Multicast Groups	150
Configuring IGMP Filtering	151
Configuring IGMP Profiles	151
Applying IGMP Filters	153
Setting the Maximum Number of IGMP Groups	154
Configuring MVR	155
Using MVR in a Multicast Television Application	155
Configuration Guidelines and Limitations	157
Setting MVR Parameters	158
Configuring MVR	159
Managing the ARP Table	160
Configuring STP	161
Supported STP Instances	161
Using STP to Support Redundant Connectivity	162
Disabling STP	162
Accelerating Aging to Retain Connectivity	162
Configuring STP and UplinkFast in a Cascaded Cluster	163
Configuring Redundant Links By Using STP UplinkFast	164
Enabling STP UplinkFast	165
Configuring Cross-Stack UplinkFast	165
How CSUF Works	165
Events that Cause Fast Convergence	167
Limitations	167
Connecting the Stack Ports	168
Configuring Cross-Stack UplinkFast	169
Changing the STP Parameters for a VLAN	170
Changing the STP Implementation	170
Changing the Switch Priority	170
Changing the BPDU Message Interval	171
Changing the Hello BPDU Interval	171
Changing the Forwarding Delay Time	171
STP Port States	172
Enabling the Port Fast Feature	172
Changing the Path Cost	173
Changing the Port Priority	173
Configuring STP Root Guard	174
Configuring BPDU Guard	175
Configuring SNMP	176
Disabling and Enabling SNMP	176
Entering Community Strings	177
Adding Trap Managers	177
Configuring TACACS+	179
Configuring the TACACS+ Server Host	179
Configuring Login Authentication	180
Specifying TACACS+ Authorization for EXEC Access and Network Services	181
Starting TACACS+ Accounting	182
Configuring a Switch for Local AAA	182
Controlling Switch Access with RADIUS	183
Understanding RADIUS	183
RADIUS Operation	184
Configuring RADIUS	185
Default RADIUS Configuration	185
Identifying the RADIUS Server Host	186
Configuring RADIUS Login Authentication	188
Defining AAA Server Groups	190
Configuring RADIUS Authorization for User Privileged Access and Network Services	192
Starting RADIUS Accounting	193
Configuring Settings for All RADIUS Servers	193
Configuring the Switch to Use Vendor-Specific RADIUS Attributes	194
Configuring the Switch for Vendor-Proprietary RADIUS Server Communication	195
Displaying the RADIUS Configuration	196
Configuring the Switch for Local Authentication and Authorization	197
Configuring the Switch Ports	199
Changing the Port Speed and Duplex Mode	200
Connecting to Devices That Do Not Autonegotiate	200
Half Duplex with Back Pressure	200
Full Duplex with Flow Control	200
Setting Speed and Duplex Parameters	201
Configuring Flow Control on Gigabit Ethernet Ports	201
Configuring Flooding Controls	202
Enabling Storm Control	202
Disabling Storm Control	203
Blocking Flooded Traffic on a Port	203
Resuming Normal Forwarding on a Port	203
Enabling a Network Port	204
Disabling a Network Port	204
Configuring UniDirectional Link Detection	205
Creating EtherChannel Port Groups	205
Understanding EtherChannel Port Grouping	206
Port Group Restrictions on Static-Address Forwarding	206
Creating EtherChannel Port Groups	207
Configuring Protected Ports	207
Enabling Port Security	208
Defining the Maximum Secure Address Count	208
Enabling Port Security	208
Disabling Port Security	209
Configuring Port Security Aging	209
Configuring SPAN	210
Enabling SPAN	210
Disabling SPAN	210
Configuring Voice Ports	211
Preparing a Port for a CiscoIP Phone Connection	211
Configuring a Port to Connect to a CiscoIP Phone	212
Overriding the CoS Priority of Incoming Frames	212
Configuring Voice Ports to Carry Voice and Data Traffic on Different VLANs	213
Configuring Inline Power on the Catalyst3524-PWR Ports	213
Configuring the LRE Ports	214
LRE Links and LRE Profiles	214
Types of LRE Profiles	215
Environmental Considerations for LRE Links	216
Considerations for Using LRE Profiles	217
CPE Ethernet Links	219
Considerations for Connected Cisco575LRE CPEs	219
Considerations for Connected Cisco585LRE CPEs	220
Assigning a Public Profile to All LRE Ports	220
Assigning a Private Profile to an LRE Port	221
Configuring VLANs	223
Overview	224
Management VLANs	225
Changing the Management VLAN for a New Switch	226
Changing the Management VLAN Through a Telnet Connection	226
Assigning VLAN Port Membership Modes	227
VLAN Membership Combinations	228
Assigning Static-Access Ports to a VLAN	229
Overlapping VLANs and Multi-VLAN Ports	229
Using VTP	231
The VTP Domain	231
VTP Modes and Mode Transitions	232
VTP Advertisements	233
VTP Version 2	233
VTP Pruning	234
VTP Configuration Guidelines	235
Domain Names	235
VTP Version Numbers	235
Passwords	236
Upgrading from Previous Software Releases	236
VTP Version	237
Default VTP Configuration	237
Configuring VTP	238
Configuring VTP Server Mode	238
Configuring VTP Client Mode	239
Disabling VTP (VTP Transparent Mode)	240
Enabling VTP Version 2	240
Disabling VTP Version 2	241
Enabling VTP Pruning	241
Monitoring VTP	242
VLANs in the VTP Database	242
Token Ring VLANs	242
VLAN Configuration Guidelines	243
Default VLAN Configuration	243
Configuring VLANs in the VTP Database	245
Adding a VLAN	246
Modifying a VLAN	246
Deleting a VLAN from the Database	247
Assigning Static-Access Ports to a VLAN	247
How VLAN Trunks Work	248
IEEE 802.1Q Configuration Considerations	248
Trunks Interacting with Other Features	249
Configuring a Trunk Port	250
Disabling a Trunk Port	251
Defining the Allowed VLANs on a Trunk	251
Changing the Pruning-Eligible List	252
Configuring the Native VLAN for Untagged Traffic	252
Configuring 802.1p Class of Service	253
How Class of Service Works	253
Port Priority	253
Port Scheduling	253
Configuring the CoS Port Priorities	254
Load Sharing Using STP	254
Load Sharing Using STP Port Priorities	254
Configuring STP Port Priorities and Load Sharing	255
Load Sharing Using STP Path Cost	256
How the VMPS Works	258
Dynamic Port VLAN Membership	258
VMPS Database Configuration File	259
VMPS Configuration Guidelines	260
Default VMPS Configuration	261
Configuring Dynamic VLAN Membership	261
Configuring Dynamic Ports on VMPS Clients	262
Reconfirming VLAN Memberships	262
Changing the Reconfirmation Interval	263
Changing the Retry Count	263
Administering and Monitoring the VMPS	264
Troubleshooting Dynamic Port VLAN Membership	264
Dynamic Port VLAN Membership Configuration Example	264
Troubleshooting	267
Statistics	268
Avoiding Configuration Conflicts	273
Avoiding Autonegotiation Mismatches	274
GBIC Security and Identification	274
Troubleshooting LRE Port Configuration	275
Troubleshooting CMS Sessions	277
Determining Why a Switch Is Not Added to a Cluster	280
Copying Configuration Files to Troubleshoot Configuration Problems	281
Troubleshooting Switch Software Upgrades	282
Recovery Procedures	284
Recovering from Lost Member Connectivity	284
Recovering from a Command Switch Failure	284
Replacing a Failed Command Switch with a Cluster Member	285
Replacing a Failed Command Switch with Another Switch	287
Recovering from a Failed Command Switch Without Replacing the Command Switch	289
Recovering from a Lost or Forgotten Password	290
Recovering from Corrupted Software	292
System Messages	293
Overview	293
How to Read System Messages	294
Error Message Traceback Reports	296
Error Message and Recovery Procedures	296
AAAA Messages	297
CAPITOLA Messages	299
CDP Messages	299
CHASSIS Message	300
CMP Messages	300
CPU_NET Message	301
ENVIRONMENT Messages	301
FRANK Messages	302
GBIC_1000BASET Messages	307
GBIC_SECURITY Messages	308
GigaStack Messages	309
HW_MEMORY Messages	310
INTERFACE Messages	311
IP Messages	311
LRE CPE Messages	312
LRE_LINK Messages	313
MAT Messages	314
MIRROR Messages	315
MODULES Messages	316
PERF5_HALT_MSG Message	317
PM Messages	317
PMSM Messages	320
PORT_SECURITY Messages	321
PRUNING Messages	321
RAC Message	325
REGISTORS Messages	325
RTD Messages	326
SNMP Messages	327
SPANTREE Messages	327
SPANTREE_FAST Messages	330
STORM_CONTROL Message Messages	331
SW_VLAN Messages	331
SYS Messages	333
TAC Messages	336
TTYDRIVER Messages	337
VQPCLIENT Messages	338
VTP Message	341

Match case Limit results 1 per page

6-51

Catalyst 2900 Series XL and Catalyst 3500 Series XL Software Configuration Guide

78-6511-08

Chapter 6

Configuring the System

Configuring TACACS+

The Terminal Access Controller Access Control System Plus (TACACS+) provides the means to manage

network security (authentication, authorization, and accounting [AAA]) from a server. This section

describes how TACACS+ works and how you can configure it.

Note

For complete syntax and usage information for the commands described in this section, refer to the

Cisco

IOS Release 12.0 Security Command Reference

You can only configure this feature by using the CLI; you cannot configure it through CMS.

Note

If TACACS+ is configured on the command switch, TACACS+ must also be configured on all member

switches to access the switch cluster from CMS. For more information about switch clusters, see the

Chapter 5, “Clustering Switches.”

In large enterprise networks, the task of administering passwords on each device can be simplified by

centralizing user authentication on a server. TACACS+ is an access-control protocol that allows a switch

to authenticate all login attempts through a central server. The network administrator configures the

switch with the address of the TACACS+ server, and the switch and the server exchange messages to

authenticate each user before allowing access to the management console.

TACACS+ consists of three services: authentication, authorization, and accounting. Authentication

determines who the user is and whether or not the user is allowed access to the switch. Authorization is

the action of determining what the user is allowed to do on the system. Accounting is the action of

collecting data related to resource usage.

The TACACS+ feature is disabled by default. However, you can enable and configure it by using the

CLI. You can access the CLI through the console port or through Telnet. To prevent a lapse in security,

you cannot configure TACACS+ through a network-management application. When enabled,

TACACS+ can authenticate users accessing the switch through the CLI.

Note

Although the TACACS+ configuration is performed through the CLI, the TACACS+ server

authenticates HTTP connections that have been configured with a privilege level of 15.

Configuring the TACACS+ Server Host

Use the

tacacs-server host

command to specify the names of the IP host or hosts maintaining an

AAA/TACACS+ server. On TACACS+ servers, you can configure these additional options:

•

Number of seconds that the switch waits while trying to contact the server before timing out.

•

Encryption key to encrypt and decrypt all traffic between the router and the daemon.

•

Number of attempts that a user can make when entering a command that is being authenticated by

TACACS+.