tacacs-server key

Syntax

tacacs-server key

no tacacs-server key

Description

The tacacs-server key command turns on enhanced secure mode, in which sensitive information is shown as ciphertext (masked characters) during input.

After entering the hide-sensitive-data command, enable enhanced secure mode for TACACS+ with the tacacs-server key command so that sensitive information is protected during input.

The no form of this command disables the enhanced secure mode of input for TACACS+.

Command context

config

Restrictions

  • This command is not allowed in enhanced secure mode.

Examples

Enabling tacacs-server key will hide sensitive information.

Switch(config)# tacacs-server key
Enter key-str: ********
Re-enter key-str: ********

TACACS+ key configuration with include-credentials.

Switch(config)# tacacs-server key
	Enter key-str: ******** 
	Re-enter key-str:  ********

Switch(config)# tacacs-server host 10.0.0.10 key
	Enter key-str:  ********
	Re-enter key-str:  ********

Switch(config)# show include-credentials
	Stored in Configuration         : Yes	
	Enabled in Active Configuration : Yes

Switch(config)# show encrypt-credentials
	Encryption    : Disabled	
	Pre-shared Key: none

Switch(config)# show running-config

Running configuration:
	; J9850A Configuration Editor; Created on release #KB.16.03.0000x
	; Ver #0f:7f.ff.bb.ff.7c.59.fc.7b.ff.ff.fc.ff.ff.3f.ef:45
	hostname "HP-Switch-5406Rzl2"
	module A type j9989a
	module F type j9534a
	hide-sensitive-data
	include-credentials
	tacacs-server host 10.0.0.10 key "procurve"
	tacacs-server key "procurve"
	snmp-server community "public" unrestricted
	snmpv3 engineid "00:00:00:0b:00:00:a0:48:1c:f7:ee:00"
	oobm
   ip address dhcp-bootp
   exit
	vlan 1
   name "DEFAULT_VLAN"
   untagged A1-A24,F1-F24
   ip address dhcp-bootp
   exit

Switch(config)# show tacacs

 Status and Counters - TACACS Information
  Deadtime(min) : 0
  Timeout : 5
  Source IP Selection : Outgoing Interface
  Encryption Key : procurve

  Server IP Addr  Opens  Closes Aborts Errors Pkts Rx Pkts Tx OOBM
  --------------- ------ ------ ------ ------ ------- ------- ----
  10.0.0.10       0      0      0      0      0       0       No

TACACS+ key configuration with encrypt-credentials.

Switch(config)# show encrypt-credentials

	Encryption    : Enabled
	Pre-shared Key: none

Switch(config)# show include-credentials
	Stored in Configuration         : Yes
	Enabled in Active Configuration : Yes

Switch(config)# tacacs-server key
	Enter key-str: ******** 
	Re-enter key-str:  ********

Switch(config)# tacacs-server host 10.0.0.10 key
	Enter key-str:  ********
	Re-enter key-str:  ********

Switch(config)# show running-config

Running configuration:

	; J9850A Configuration Editor; Created on release #KB.16.03.0000x
	; Ver #0f:7f.ff.bb.ff.7c.59.fc.7b.ff.ff.fc.ff.ff.3f.ef:45
	; encrypt-cred 38qcQq/OETUfXNO7/eGOb5TgG3IBzILkhHOspcJkM2Y/5JvgL27NSkoQGjVEPz5a
	hostname "HP-Switch-5406Rzl2"
	module A type j9989a
	module F type j9534a
	encrypt-credentials
	hide-sensitive-data
	include-credentials
	tacacs-server host 10.0.0.10 encrypted-key "6T8PEZYO7uz4gIaWdWUg23gEZAjO33D21I6V2KOTECk="
	tacacs-server encrypted-key "HHa0HOmjKae6yzZ9Fn9JqZBuQhkGJV898+DHtb/3r9E="
	snmp-server community "public" unrestricted
	snmpv3 engineid "00:00:00:0b:00:00:a0:48:1c:f7:ee:00"
	oobm
   ip address dhcp-bootp
   exit
	vlan 1
   name "DEFAULT_VLAN"
   untagged A1-A24,F1-F24
   ip address dhcp-bootp
   exit

Switch(config)# show tacacs

 Status and Counters - TACACS Information

  Deadtime(min) : 0
  Timeout : 5
  Source IP Selection : Outgoing Interface
  Encryption Key : gJ5AeXfDFHJqjOOgOaa+NAmzneHDqs/aMqQuWsW01Qs=


  Server IP Addr  Opens  Closes Aborts Errors Pkts Rx Pkts Tx OOBM
  --------------- ------ ------ ------ ------ ------- ------- ----
  10.0.0.10       0      0      0      0      0       0       No

TACACS+ key configuration without include-credentials.

Switch(config)# hide-sensitive-data

Switch(config)# tacacs-server key
	Enter key-str:  ********
	Re-enter key-str:  ********

Switch(config)# tacacs-server host 10.0.0.10 key
	Enter key-str:  ******** 
	Re-enter key-str:  ********
 
Switch(config)# show running-config

Running configuration:

	; J9850A Configuration Editor; Created on release #KB.16.03.0000x
	; Ver #0f:7f.ff.bb.ff.7c.59.fc.7b.ff.ff.fc.ff.ff.3f.ef:45
	hostname "HP-Switch-5406Rzl2"
	module A type j9989a
	module F type j9534a
	hide-sensitive-data
	tacacs-server host 10.0.0.10 key "test1"
	tacacs-server key "test"
	snmp-server community "public" unrestricted
	oobm
   ip address dhcp-bootp
   exit
	vlan 1
   name "DEFAULT_VLAN"
   untagged A1-A24,F1-F24
   ip address dhcp-bootp
   exit

Switch(config)# show include-credentials
	Stored in Configuration         : No
	Enabled in Active Configuration : N/A

Switch(config)# show encrypt-credentials
	Encryption    : Disabled
	Pre-shared Key: none

Switch(config)# show tacacs
 Status and Counters - TACACS Information
  Deadtime(min) : 0
  Timeout : 5
  Source IP Selection : Outgoing Interface
  Encryption Key : procurve

  Server IP Addr  Opens  Closes Aborts Errors Pkts Rx Pkts Tx OOBM
  --------------- ------ ------ ------ ------ ------- ------- ----
  10.0.0.10       0      0      0      0      0       0       No

TACACS+ key configuration without hide-sensitive-data.

Switch(config)# tacacs-server key procurve
Switch(config)# tacacs-server host 10.0.0.10 key procurve

Switch(config)# show encrypt-credentials
	Encryption    : Enabled
	Pre-shared Key: none

Switch(config)# show running-config
	Running configuration:
	; J9850A Configuration Editor; Created on release #KB.16.03.0000x
	; Ver #0f:7f.ff.bb.ff.7c.59.fc.7b.ff.ff.fc.ff.ff.3f.ef:45
	; encrypt-cred 38qcQq/OETUfXNO7/eGOb5TgG3IBzILkhHOspcJkM2Y/5JvgL27NSkoQGjVEPz5a
	hostname "HP-Switch-5406Rzl2"
	module A type j9989a
	module F type j9534a
	encrypt-credentials
	tacacs-server host 10.0.0.10 encrypted-key "GU3k9AV3u4eKyxBERotdYG87TbHLyv1RxVBnP3KhDhs="
	tacacs-server encrypted-key "7ViIcKdWMqJzWKDn/bT6AiAAehx3ASz+nldMZ9TI5eg="
	snmp-server community "public" unrestricted
	oobm
   ip address dhcp-bootp
   exit
	vlan 1
   name "DEFAULT_VLAN"
   untagged A1-A24,F1-F24
   ip address dhcp-bootp
   exit

Switch(config)# show tacacs

 Status and Counters - TACACS Information
  Deadtime(min) : 0
  Timeout : 5
  Source IP Selection : Outgoing Interface
  Encryption Key : gJ5AeXfDFHJqjOOgOaa+NAmzneHDqs/aMqQuWsW01Qs=

  Server IP Addr  Opens  Closes Aborts Errors Pkts Rx Pkts Tx OOBM
  --------------- ------ ------ ------ ------ ------- ------- ----
  10.0.0.10       0      0      0      0      0       0       No
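
Added example (not part of the vendor documentation): a Python check that reads a saved running-config and reports TACACS+ keys stored as plaintext "key" lines, as in the examples above without encrypt-credentials, as opposed to the "encrypted-key" form. The function name, the finding strings and the two sample configurations are assumptions constructed for illustration.

```python
import re

# Constructed samples, modelled on the running-config excerpts on this page.
SAMPLE_PLAINTEXT = '''\
hostname "HP-Switch-5406Rzl2"
hide-sensitive-data
include-credentials
tacacs-server host 10.0.0.10 key "procurve"
tacacs-server key "procurve"
'''

SAMPLE_ENCRYPTED = '''\
hostname "HP-Switch-5406Rzl2"
encrypt-credentials
hide-sensitive-data
include-credentials
tacacs-server host 10.0.0.10 encrypted-key "<constructed-base64-placeholder>"
tacacs-server encrypted-key "<constructed-base64-placeholder>"
'''

# Matches the global and per-host key lines; group 2 tells plaintext from encrypted.
KEY_LINE = re.compile(
    r'^tacacs-server(?:\s+host\s+(\S+))?\s+(key|encrypted-key)\s+"?([^"\s]+)"?$')

def audit_tacacs_keys(config_text):
    """Return (findings, flags) for the text of a saved running-config."""
    lines = [ln.strip() for ln in config_text.splitlines()]
    flags = {name: name in lines for name in
             ("encrypt-credentials", "hide-sensitive-data", "include-credentials")}
    findings = []
    for number, line in enumerate(lines, start=1):
        match = KEY_LINE.match(line)
        if match and match.group(2) == "key":
            scope = f"host {match.group(1)}" if match.group(1) else "global"
            # Report the location only; never echo the secret itself.
            findings.append((number, scope, "TACACS+ key stored in plaintext"))
    if findings and not flags["encrypt-credentials"]:
        findings.append((0, "config", "encrypt-credentials is not enabled"))
    return findings, flags

if __name__ == "__main__":
    for label, text in (("plaintext", SAMPLE_PLAINTEXT), ("encrypted", SAMPLE_ENCRYPTED)):
        print(label, audit_tacacs_keys(text)[0])
```

Run against configuration backups, this flags the same exposure that show running-config and show tacacs display in the examples above: hide-sensitive-data masks the key only while it is typed, not where it is stored.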