Encryption options in the switch
When configured, the encryption key causes the switch to encrypt the TACACS+ packets it sends to the server. When left at "null", the TACACS+ packets are sent in clear text. The encryption key (or just "key") you configure in the switch must be identical to the encryption key configured in the corresponding TACACS+ server. If the key is the same for all TACACS+ servers the switch uses for authentication, then configure a global key in the switch. If the key is different for one or more of these servers, use "server-specific" keys in the switch. (If you configure both a global key and one or more per-server keys, the per-server keys overrides the global key for the specified servers.)
For example, you would use the next command to configure a global encryption key in the switch to match a key entered as north40campus in two target TACACS+ servers. (That is, both servers use the same key for your switch.) Note that you do not need the server IP addresses to configure a global key in the switch:
switch(config)# tacacs-server key north40campus
Suppose that you subsequently add a third TACACS+ server (with an IP address of 10.28.227.87) that has south10campus for an encryption key. Because this key is different than the one used for the two servers in the previous example, you must assign a server-specific key in the switch that applies only to the designated server:
switch(config)# tacacs-server host 10.28.227.87 key south10campus
With both of the above keys configured in the switch, the south10campus key overrides the north40campus key only when the switch tries to access the TACACS+ server having the 10.28.227.87 address.