Remote AAA TACACS+ server configuration requirements
Have an IPv4/IPv6 address or fully qualified domain name (FQDN) that is visible to the switch.
Have a passkey (shared secret) that matches what is configured on the switch.
Provide username and password definitions for every switch user. Remote users do not require definition on the switch.
Use the priv-lvl TACACS+ attribute with the following values:
    1: for users requiring the Operators role.
    15: for users requiring the Administrators role.
    19: for users requiring the Auditors role.
Any other priv-lvl value results in the user being denied access.
Have any needed command authorization configured to control what commands (per user or user role) will be executable on the switch.
Consult your TACACS+ server documentation for installation and general configuration details.
If SSH public key authentication is used, the key information is stored locally on the switch, making username and password definition on the TACACS+ server unnecessary.
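The following is an added example, not from the original page or the switch vendor: a pre-deployment audit that reads user and group definitions and reports which switch role each user's priv-lvl yields under the mapping listed above. The tac_plus-style syntax of the constructed sample, the simplified parsing, and the names audit_priv_levels and SAMPLE_CONFIG are assumptions; adapt the parser to your own server's format.

```python
import re

# Role mapping stated on this page; any other priv-lvl is denied by the switch.
ROLE_BY_PRIV_LVL = {1: "Operators", 15: "Administrators", 19: "Auditors"}

# Constructed sample; tac_plus-style syntax is an assumption, simplified subset.
SAMPLE_CONFIG = """
group = netops { service = exec { priv-lvl = 1 } }
group = netadmin { service = exec { priv-lvl = 15 } }
group = helpdesk { service = exec { priv-lvl = 7 } }   # not 1, 15 or 19
user = alice { member = netadmin }
user = bob { member = netops }
user = carol { member = helpdesk }
user = erin {
    member = netops
    service = exec { priv-lvl = 19 }  # user-level value overrides the group
}
user = dave { member = contractors }  # group not defined
"""

def audit_priv_levels(config_text):
    """Map each user to the switch role its priv-lvl yields, or to a finding."""
    entries = {"group": {}, "user": {}}
    current, depth = None, 0
    for raw in config_text.splitlines():
        line = raw.split("#", 1)[0].strip()
        head = re.match(r"(group|user)\s*=\s*([\w.-]+)", line)
        if head and depth == 0:  # a new top-level group or user block
            current = entries[head.group(1)].setdefault(head.group(2), {})
        if current is not None:
            current.update(re.findall(r"\b(priv-lvl|member)\s*=\s*([\w.-]+)", line))
        depth += line.count("{") - line.count("}")
        if depth == 0:
            current = None
    report = {}
    for user, entry in entries["user"].items():
        group = entries["group"].get(entry.get("member"), {})
        lvl = entry.get("priv-lvl", group.get("priv-lvl"))
        if lvl is None:  # the page does not say what happens here; flag for review
            report[user] = "NO PRIV-LVL"
        elif lvl.isdigit() and int(lvl) in ROLE_BY_PRIV_LVL:
            report[user] = ROLE_BY_PRIV_LVL[int(lvl)]
        else:
            report[user] = f"DENIED (priv-lvl={lvl})"
    return report

if __name__ == "__main__":
    for user, outcome in audit_priv_levels(SAMPLE_CONFIG).items():
        print(f"{user:8} {outcome}")
```

Users reported as DENIED or NO PRIV-LVL should be corrected on the server before they attempt to log in to the switch.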