Configuring server specific encryption key
Syntax
tacacs-server host <ip-addr | ipv6 addr> [key <key-string> | encrypted-key <key-string> | [oobm]
When the switch is in enhanced secure mode, commands that take a secret key as a parameter have the echo of the secret typing replaced with asterisks. The input for <key-string> is prompted for interactively.
tacacs-server host <ip-addr | ipv6 addr>
no tacacs-server host <ip-addr | ipv6 addr>
Removes a TACACS+ server assignment (including its server-specific encryption key, if any).
tacacs-server [key <key-string> | encrypted-key <key-string>]
Configures an optional global encryption key. Keys configured in the switch must exactly match the encryption keys configured in the TACACS+ servers that the switch attempts to use for authentication. The encrypted-key parameter configures a global encryption key, specified using a base64-encoded aes-256 encrypted string.
tacacs-server key
no tacacs-server key
Removes the optional global encryption key. It does not affect any server-specific encryption key assignments.
tacacs-server encrypted-key <key-string>
Encryption key to use with a TACACS+ server, specified using a base64-encoded aes-256 encrypted string.
tacacs-server timeout <1-255>
Changes the wait period for a TACACS server response. (Default: 5 seconds.)
Encryption keys configured in the switch must exactly match the encryption keys configured in TACACS+ servers the switch attempts to use for authentication.
If you configure a global encryption key, the switch uses it only with servers for which you have not configured a server-specific key. Thus, a global key is more useful where the TACACS+ servers you are using all have an identical key, and server-specific keys are necessary where different TACACS+ servers have different keys.
If TACACS+ server “X” does not have an encryption key assigned for the switch, then configuring either a global encryption key or a server-specific key in the switch for server “X” blocks authentication support from server “X”.