
no enable use-tacacs

Caution If you use the enable use-tacacs command, you must also use the tacacs-server authenticate enable command, or you will be locked out of the privileged command level.

Syntax Description

This command has no arguments or keywords.

Default

Disabled

Command Mode

Global configuration

Usage Guidelines

This command first appeared in Cisco IOS Release 10.0.

When you add this command to the configuration file, the EXEC enable command prompts for a new username and password pair. This pair is then passed to the TACACS server for authentication. If you are using extended TACACS, it also passes any existing UNIX user identification code to the server.

Note This command initializes TACACS. Use the tacacs-server extended command to initialize extended TACACS, or use the aaa new-model command to initialize AAA/TACACS+.

Example

The following example sets TACACS verification on the privileged EXEC-level login sequence:

enable use-tacacs

tacacs-server authenticate enable

Related Command

A dagger (†) indicates that the command is documented outside this chapter.

tacacs-server authenticate enable †

[12.3.8] ip radius source-interface

Use the ip radius source-interface global configuration command to force RADIUS to use the IP address of a specified interface for all outgoing RADIUS packets. Use the no form of this command to disable use of a specified interface IP address.

ip radius source-interface subinterface-name

no ip radius source-interface

Syntax Description

subinterface-name Name of the interface that RADIUS uses for all of its outgoing packets.

Default

This command has no factory-assigned default.

Command Mode

Global configuration

Usage Guidelines

This command first appeared in Cisco IOS Release 11.1.

Use this command to set a subinterface's IP address to be used as the source address for all outgoing RADIUS packets. This address is used as long as the interface is in the up state. In this way, the RADIUS server can use one IP address entry for every network access client instead of maintaining a list of IP addresses.

This command is especially useful in cases where the router has many interfaces, and you want to ensure that all RADIUS packets from a particular router have the same IP address.

The specified interface must have an IP address associated with it. If the specified subinterface does not have an IP address or is in a down state, RADIUS reverts to the default, which is the address of the interface the packet is routed out of. Because the RADIUS server identifies the router, and selects the shared secret, by that source address, a request that arrives with the fallback address comes from an unknown client and is silently discarded, and the authentication fails. To avoid this, add an IP address to the subinterface or bring the interface to the up state; a loopback interface, which cannot be taken down by a link failure, is the usual choice.

Example

The following example makes RADIUS use the IP address of subinterface s2 for all outgoing RADIUS packets:

ip radius source-interface s2

Related Commands

A dagger (†) indicates that the command is documented outside this chapter.

ip tacacs source-interface †

ip telnet source-interface †

ip tftp source-interface †

[12.3.9] ip tacacs source-interface

Use the ip tacacs source-interface global configuration command to force TACACS to use the IP address of a specified interface for all outgoing TACACS packets. Use the no form of this command to disable use of a specified interface IP address.

ip tacacs source-interface subinterface-name

no ip tacacs source-interface

Syntax Description

subinterface-name Name of the interface that TACACS uses for all of its outgoing packets.

Default

This command has no factory-assigned default.

Command Mode

Global configuration

Usage Guidelines

This command first appeared in Cisco IOS Release 11.1.

Use this command to set a subinterface's IP address for all outgoing TACACS packets. This address is used as long as the interface is in the up state. In this way, the TACACS server can use one IP address entry associated with the network access client instead of maintaining a list of all IP addresses.

This command is especially useful in cases where the router has many interfaces, and you want to ensure that all TACACS packets from a particular router have the same IP address.

The specified interface must have an IP address associated with it. If the specified subinterface does not have an IP address or is in a down state, TACACS reverts to the default, which is the address of the interface the packet is routed out of. A TACACS server that keys its shared secret to the router's address then rejects requests carrying the fallback address, and the authentication fails. To avoid this, add an IP address to the subinterface or bring the interface to the up state; a loopback interface, which cannot be taken down by a link failure, is the usual choice.

Example

The following example makes TACACS use the IP address of subinterface s2 for all outgoing TACACS (TACACS, extended TACACS, or TACACS+) packets:

ip tacacs source-interface s2

Related Commands

A dagger (†) indicates that the command is documented outside this chapter.

ip radius source-interface †

ip telnet source-interface †

ip tftp source-interface †
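A configuration check for the two entries above (ip radius source-interface and ip tacacs source-interface), added here as an example and not part of the Cisco documentation: it parses a saved running-config, resolves an abbreviated interface name the way the examples above write s2 for Serial2, and flags the conditions under which IOS reverts to the exit-interface address (no IP address on the interface, or the interface shut down). The sample configuration, the interface names and the audit function are constructed for this example.

```python
"""Audit the 'ip radius source-interface' and 'ip tacacs source-interface'
bindings in an IOS running-config.

Added example, not Cisco code.  It parses the plain-text configuration and
reports the two conditions under which IOS silently reverts to the
exit-interface address: the named interface has no IP address, or it is
shut down.  The sample configuration below is constructed for the demo.
"""
import re
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

SAMPLE_CONFIG = """\
! constructed sample running-config (not taken from a real device)
interface Loopback0
 ip address 10.0.0.1 255.255.255.255
!
interface Serial2
 no ip address
 shutdown
!
interface Ethernet0
 ip address 192.0.2.1 255.255.255.0
!
ip radius source-interface Loopback0
ip tacacs source-interface s2
"""


@dataclass
class Interface:
    name: str
    ip: Optional[str] = None
    shutdown: bool = False


def parse_config(text: str) -> Tuple[Dict[str, Interface], Dict[str, str]]:
    """Return (interfaces by full name, {'radius' | 'tacacs': configured source name})."""
    interfaces: Dict[str, Interface] = {}
    sources: Dict[str, str] = {}
    current: Optional[Interface] = None
    for raw in text.splitlines():
        line = raw.rstrip()
        if not line or line.startswith("!"):
            continue
        if not line.startswith(" "):
            # Global configuration mode: an unindented line ends any interface block.
            current = None
            m = re.match(r"interface (\S+)$", line)
            if m:
                current = interfaces.setdefault(m.group(1), Interface(m.group(1)))
                continue
            m = re.match(r"ip (radius|tacacs) source-interface (\S+)$", line)
            if m:
                sources[m.group(1)] = m.group(2)
            continue
        if current is None:
            continue
        sub = line.strip()                      # interface sub-mode line
        m = re.match(r"ip address (\S+) (\S+)$", sub)
        if m:
            current.ip = m.group(1)
        elif sub == "no ip address":
            current.ip = None
        elif sub == "shutdown":
            current.shutdown = True
    return interfaces, sources


def resolve(name: str, interfaces: Dict[str, Interface]) -> Optional[Interface]:
    """Match an abbreviated name such as s2 or lo0 against the full interface names."""
    m = re.match(r"([A-Za-z-]+)\s*([\d/.:]+)$", name)
    if not m:
        return None
    kind, number = m.group(1).lower(), m.group(2)
    for ifc in interfaces.values():
        full = re.match(r"([A-Za-z-]+)([\d/.:]+)$", ifc.name)
        if full and full.group(1).lower().startswith(kind) and full.group(2) == number:
            return ifc
    return None


def audit(config_text: str) -> Dict[str, List[str]]:
    """Findings per protocol; an empty list means the binding is sound."""
    interfaces, sources = parse_config(config_text)
    findings: Dict[str, List[str]] = {}
    for proto in ("radius", "tacacs"):
        issues: List[str] = []
        name = sources.get(proto)
        ifc = resolve(name, interfaces) if name else None
        if name is None:
            issues.append("no source-interface set; packets carry the exit-interface address")
        elif ifc is None:
            issues.append(f"{name}: no such interface in the configuration")
        else:
            if ifc.ip is None:
                issues.append(f"{ifc.name}: no IP address, IOS falls back to the exit-interface address")
            if ifc.shutdown:
                issues.append(f"{ifc.name}: administratively down, IOS falls back to the exit-interface address")
            if not ifc.name.lower().startswith("loopback"):
                issues.append(f"{ifc.name}: physical interface; a loopback cannot be taken down by a link failure")
        findings[proto] = issues
    return findings


if __name__ == "__main__":
    for proto, issues in audit(SAMPLE_CONFIG).items():
        print(proto, issues or ["ok"])
```

Feed it the output of show running-config saved to a file; on the constructed sample the RADIUS binding to Loopback0 passes and the TACACS binding to Serial2 is reported three times (no address, shut down, physical interface).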

[12.4.0] kerberos clients mandatory

Use the kerberos clients mandatory global configuration command to cause the rsh, rcp, rlogin, and telnet commands to fail if they cannot negotiate the Kerberos protocol with the remote server. Use the no form of this command to disable this option.

kerberos clients mandatory

no kerberos clients mandatory

Syntax Description

This command has no arguments or keywords.

Default

Disabled

Command Mode

Global configuration

Usage Guidelines

This command first appeared in Cisco IOS Release 11.2.

If this command is not configured and the user has Kerberos credentials stored locally, the rsh, rcp, rlogin, and telnet commands attempt to negotiate the Kerberos protocol with the remote server and fall back to the un-Kerberized protocols if the negotiation fails.

If this command is not configured and the user has no Kerberos credentials, the standard (un-Kerberized) rcp and rsh protocols are used and no Kerberos negotiation takes place.

Configure this command where that fallback is unacceptable: without it, a remote host, or anyone in the path able to make the Kerberos negotiation fail, downgrades the session to the cleartext protocol.

Example

The following example illustrates the kerberos clients mandatory command:

kerberos clients mandatory

Related Commands

A dagger (†) indicates that this command is documented outside this chapter.

copy rcp †

kerberos credentials forward

rlogin †

rsh †

telnet †

[12.4.1] kerberos credentials forward

Use the kerberos credentials forward global configuration command to force all network application clients on the router to forward users' Kerberos credentials upon successful Kerberos authentication. Use the no form of this command to turn off Kerberos credentials forwarding.

kerberos credentials forward

no kerberos credentials forward

Syntax Description

This command has no arguments or keywords.

Default

Disabled

Command Mode

Global configuration

Usage Guidelines

This command first appeared in Cisco IOS Release 11.2.

Enable credentials forwarding to have users' TGTs forwarded to the host they authenticate to. In this way, users can connect to multiple hosts in the Kerberos realm without running the kinit program each time they need to get a TGT. A forwarded TGT lets the receiving host obtain service tickets as that user, so enable this only where the remote hosts are trusted as much as the user's own session on the router.

Example

The following example illustrates the kerberos credentials forward command:

kerberos credentials forward

Related Commands

A dagger (†) indicates that the command is documented outside this chapter.

copy rcp †

rlogin †

rsh †

telnet †

[12.4.2] kerberos instance map

Use the kerberos instance map global configuration command to map Kerberos instances to Cisco IOS privilege levels. Use the no form of this command to remove a Kerberos instance map.

kerberos instance map instance privilege-level

no kerberos instance map instance

Syntax Description

instance Name of a Kerberos instance.

privilege-level The privilege level at which a user is set if the user's Kerberos principal contains the matching Kerberos instance. You can specify up to 16 privilege levels, using numbers 0 through 15. Level 1 is normal EXEC-mode user privileges.

Default

Privilege level 1

Command Mode

Global configuration

Usage Guidelines

This command first appeared in Cisco IOS Release 11.2.

Use this command to create user instances with access to administrative commands. The instance is the component that follows the slash in a Kerberos principal name (the admin in jdoe/admin@REALM, for example); a principal without that instance receives the default privilege level.

Example

In the following example, the privilege level is set to 15 for authenticated Kerberos users with the admin instance in Kerberos realm cisco.com:

kerberos instance map admin 15

Related Command

aaa authorization

[12.4.3] kerberos local-realm

Use the kerberos local-realm global configuration command to specify the Kerberos realm in which the router is located. Use the no form of this command to remove the specified Kerberos realm from this router.

kerberos local-realm kerberos-realm

no kerberos local-realm

Syntax Description

kerberos-realm The name of the default Kerberos realm. A Kerberos realm consists of users, hosts, and network services that are registered to a Kerberos server. The Kerberos realm must be in uppercase letters.

Default

Disabled

Command Mode

Global configuration

Usage Guidelines

This command first appeared in Cisco IOS Release 11.1.

The router can be located in more than one realm at a time. However, there can only be one instance of Kerberos local-realm. The realm specified with this command is the default realm.

Example

The following example illustrates the kerberos local-realm command:

kerberos local-realm MURUGA.COM

Related Commands

kerberos preauth

kerberos realm

kerberos server

kerberos srvtab entry

kerberos srvtab remote
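A model of the configuration state built by the kerberos instance map and kerberos local-realm entries above, together with the host and DNS-domain to realm map that the kerberos realm command (documented later in this chapter) fills in. This is an added example, not Cisco code: the lookup order it uses (explicit host entry, then the longest matching DNS-domain suffix, then the local realm) is an assumption, since this page does not state the order IOS applies, and the realm, host and principal names are constructed for the demonstration. It also enforces the uppercase-realm rule given in the kerberos local-realm syntax description.

```python
"""Kerberos realm selection and instance-to-privilege mapping, as configured by the
kerberos local-realm, kerberos realm and kerberos instance map commands.

Added example, not Cisco code.  It models the configuration state those commands
build and the decisions made from it.  The exact lookup order inside IOS is not
stated on this page; the order used here (explicit host entry, then the longest
matching DNS-domain suffix, then the local realm) is an assumption.  The realm
and principal names are constructed for the demonstration.
"""
from dataclasses import dataclass, field
from typing import Dict, Optional, Tuple


def parse_principal(principal: str) -> Tuple[str, Optional[str], Optional[str]]:
    """Split primary[/instance][@REALM] into its components; the instance is case-sensitive."""
    name, _, realm = principal.partition("@")
    primary, _, instance = name.partition("/")
    return primary, instance or None, realm or None


@dataclass
class KerberosConfig:
    local_realm: Optional[str] = None                              # kerberos local-realm
    host_realms: Dict[str, str] = field(default_factory=dict)      # kerberos realm host ...
    domain_realms: Dict[str, str] = field(default_factory=dict)    # kerberos realm dns-domain ...
    instance_map: Dict[str, int] = field(default_factory=dict)     # kerberos instance map ...

    @staticmethod
    def _check_realm(realm: str) -> str:
        # Realm names must be uppercase; catch the lowercase mistake at configuration time.
        if realm != realm.upper():
            raise ValueError(f"Kerberos realm must be uppercase: {realm}")
        return realm

    def set_local_realm(self, realm: str) -> None:
        self.local_realm = self._check_realm(realm)

    def map_realm(self, kind: str, name: str, realm: str) -> None:
        table = {"host": self.host_realms, "dns-domain": self.domain_realms}[kind]
        table[name.lower().strip(".")] = self._check_realm(realm)

    def map_instance(self, instance: str, level: int) -> None:
        if not 0 <= level <= 15:
            raise ValueError("privilege level must be 0..15")
        self.instance_map[instance] = level

    def realm_for_host(self, hostname: str) -> Optional[str]:
        """Realm a remote host belongs to; None when nothing matches and no local realm is set."""
        host = hostname.lower().strip(".")
        if host in self.host_realms:
            return self.host_realms[host]
        labels = host.split(".")
        for i in range(1, len(labels)):          # a.b.c.d -> b.c.d -> c.d -> d
            suffix = ".".join(labels[i:])
            if suffix in self.domain_realms:
                return self.domain_realms[suffix]
        return self.local_realm

    def privilege_for_principal(self, principal: str) -> int:
        """Privilege level granted after Kerberos authentication; the default is level 1."""
        _, instance, _ = parse_principal(principal)
        if instance is None:
            return 1
        return self.instance_map.get(instance, 1)


def example_config() -> KerberosConfig:
    """Constructed configuration equivalent to:
         kerberos local-realm MURUGA.COM
         kerberos realm dns-domain eng.example.com ENG.EXAMPLE.COM
         kerberos realm host kdc1.eng.example.com LAB.EXAMPLE.COM
         kerberos instance map admin 15
    """
    cfg = KerberosConfig()
    cfg.set_local_realm("MURUGA.COM")
    cfg.map_realm("dns-domain", "eng.example.com", "ENG.EXAMPLE.COM")
    cfg.map_realm("host", "kdc1.eng.example.com", "LAB.EXAMPLE.COM")
    cfg.map_instance("admin", 15)
    return cfg


if __name__ == "__main__":
    cfg = example_config()
    for host in ("kdc1.eng.example.com", "build.eng.example.com", "fs.example.org"):
        print(host, "->", cfg.realm_for_host(host))
    for p in ("jdoe/admin@MURUGA.COM", "jdoe@MURUGA.COM", "jdoe/ADMIN@MURUGA.COM"):
        print(p, "-> level", cfg.privilege_for_principal(p))
```

Note that the instance match is exact and case-sensitive, so jdoe/ADMIN does not receive level 15 when only admin is mapped, and that a host outside every mapped domain falls back to the local realm rather than being refused.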

[12.4.4] kerberos preauth

Use the kerberos preauth global configuration command to specify a preauthentication method to use to communicate with the KDC. Use the no form of this command to disable Kerberos preauthentication.

kerberos preauth [encrypted-unix-timestamp | none]

no kerberos preauth

Syntax Description

encrypted-unix-timestamp Use an encrypted UNIX timestamp as a quick authentication method when communicating with the KDC.

none Do not use Kerberos preauthentication.

Default

Disabled

Command Mode

Global Configuration

Usage Guidelines

This command first appeared in Cisco IOS Release 11.2.

It is more secure to use preauthentication for communications with the KDC. Without it, the KDC answers any AS-REQ that names a principal with an AS-REP encrypted under that principal's long-term key, so anyone able to send a request can obtain material for guessing the user's password offline. With encrypted-unix-timestamp preauthentication the client must first prove that it holds the key by sending the current time encrypted under it, and the KDC rejects a request whose timestamp does not decrypt or lies outside the permitted clock skew. However, communication with the KDC will fail if the KDC does not support this particular version of kerberos preauth. If that happens, turn off the preauthentication with the none option.

The no form of this command is equivalent to using the none keyword.

Example

The following example illustrates how to enable and disable Kerberos preauthentication:

kerberos preauth encrypted-unix-timestamp

kerberos preauth none
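The following script is an added example, not part of the Cisco documentation and not a real Kerberos implementation. It models a toy KDC that either requires an encrypted timestamp (the encrypted-unix-timestamp option above) or does not, and shows what an attacker gets in each case: without preauthentication the AS-REP handed out for the victim's principal can be cracked offline against a wordlist; with it, the KDC refuses to issue anything to a requester that cannot encrypt the current time under the user's key, and it also rejects a stale timestamp. The cipher is an HMAC-SHA256 keystream with a tag, chosen only so the script runs offline with the standard library; the principal, password, wordlist and clock values are constructed for the demonstration, and the KDC_ERR names are quoted for orientation only.

```python
"""Why the KDC should require preauthentication: a toy AS exchange with and
without it.

Added example, not Cisco code and not a real Kerberos implementation.  The
cipher is an HMAC-SHA256 keystream plus an HMAC tag, used only so the script
runs offline with the standard library; Kerberos uses its own encryption types
and its KDC_ERR codes are quoted for orientation only.  The principal, password
and wordlist are constructed for the demonstration.
"""
import hashlib
import hmac
import os
import time
from typing import Dict, Iterable, Optional, Tuple


def derive_key(password: str) -> bytes:
    """Stand-in for Kerberos string-to-key: the client's long-term key comes from its password."""
    return hashlib.sha256(password.encode()).digest()


def _keystream(key: bytes, nonce: bytes, length: int) -> bytes:
    blocks = (hmac.new(key, nonce + i.to_bytes(4, "big"), hashlib.sha256).digest()
              for i in range(length // 32 + 1))
    return b"".join(blocks)[:length]


def toy_encrypt(key: bytes, plaintext: bytes) -> bytes:
    nonce = os.urandom(16)
    ct = bytes(p ^ s for p, s in zip(plaintext, _keystream(key, nonce, len(plaintext))))
    tag = hmac.new(key, nonce + ct, hashlib.sha256).digest()
    return nonce + ct + tag


def toy_decrypt(key: bytes, blob: bytes) -> Optional[bytes]:
    """Plaintext, or None when the key is wrong (tag check fails)."""
    nonce, ct, tag = blob[:16], blob[16:-32], blob[-32:]
    if not hmac.compare_digest(tag, hmac.new(key, nonce + ct, hashlib.sha256).digest()):
        return None
    return bytes(c ^ s for c, s in zip(ct, _keystream(key, nonce, len(ct))))


class ToyKDC:
    def __init__(self, users: Dict[str, str], require_preauth: bool, skew: int = 300) -> None:
        self.keys = {principal: derive_key(pw) for principal, pw in users.items()}
        self.require_preauth = require_preauth
        self.skew = skew        # allowed clock skew in seconds; bounds timestamp replay

    def as_exchange(self, principal: str, preauth: Optional[bytes] = None,
                    now: Optional[int] = None) -> Tuple[str, bytes]:
        """Handle an AS-REQ; returns ('AS-REP', ciphertext) or ('KRB-ERROR', reason)."""
        key = self.keys.get(principal)
        if key is None:
            return "KRB-ERROR", b"KDC_ERR_C_PRINCIPAL_UNKNOWN"
        if self.require_preauth:
            if preauth is None:
                return "KRB-ERROR", b"KDC_ERR_PREAUTH_REQUIRED"
            ts = toy_decrypt(key, preauth)
            now = int(time.time()) if now is None else now
            if ts is None or abs(int(ts) - now) > self.skew:
                return "KRB-ERROR", b"KDC_ERR_PREAUTH_FAILED"
        # The AS-REP carries the session key (and TGT) under the client's long-term key,
        # so whoever receives it can test password guesses against it offline.
        session_key = os.urandom(16).hex()
        return "AS-REP", toy_encrypt(key, f"session-key={session_key}".encode())


def client_preauth(password: str, now: Optional[int] = None) -> bytes:
    """PA-ENC-TIMESTAMP analogue: the current time encrypted under the client's key."""
    now = int(time.time()) if now is None else now
    return toy_encrypt(derive_key(password), str(now).encode())


def offline_guess(as_rep: bytes, wordlist: Iterable[str]) -> Optional[str]:
    """What an attacker does with an AS-REP obtained for someone else's principal."""
    for guess in wordlist:
        if toy_decrypt(derive_key(guess), as_rep) is not None:
            return guess
    return None


VICTIM, VICTIM_PASSWORD = "jdoe@MURUGA.COM", "Summer2015"     # constructed
WORDLIST = ("letmein", "Summer2015", "hunter2")                # constructed


def attacker_run(require_preauth: bool) -> Optional[str]:
    """Attacker asks the KDC for the victim's AS-REP without knowing the password."""
    kdc = ToyKDC({VICTIM: VICTIM_PASSWORD}, require_preauth)
    kind, payload = kdc.as_exchange(VICTIM)
    if kind != "AS-REP":
        return None                   # no ciphertext handed out, nothing to crack
    return offline_guess(payload, WORDLIST)


def legitimate_login(password: str) -> bool:
    """A real client proves key possession with an encrypted timestamp first."""
    kdc = ToyKDC({VICTIM: VICTIM_PASSWORD}, require_preauth=True)
    kind, _ = kdc.as_exchange(VICTIM, client_preauth(password))
    return kind == "AS-REP"


if __name__ == "__main__":
    print("no preauth, attacker recovers:", attacker_run(False))
    print("preauth required, attacker recovers:", attacker_run(True))
    print("legitimate client with preauth:", legitimate_login(VICTIM_PASSWORD))
```

The skew check is the reason the option is tied to a timestamp rather than a fixed string: a captured preauthentication blob stops being accepted once the clock moves past the permitted window, so the router and the KDC must keep their clocks in step for the option to work.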

Related Commands

kerberos local-realm

kerberos server

kerberos srvtab entry

kerberos srvtab remote

[12.4.5] kerberos realm

Use the kerberos realm global configuration command to map a host name or Domain Naming System (DNS) domain to a Kerberos realm. Use the no form of this command to remove a Kerberos realm map.

kerberos realm {dns-domain | host} kerberos-realm

no kerberos realm {dns-domain | host} kerberos-realm

Syntax Description

dns-domain Name of a DNS domain or host.

host Name of a DNS host.

kerberos-realm Name of the Kerberos realm the specified domain or host belongs to.

Default

Disabled

Command Mode

Global configuration