Device Security

Example #2: Set the NAS-IP Address for the RADIUS Server

The NAS-IP address attribute identifies the IP Address of the network authentication server (NAS) that is requesting authentication of the user. The address should be unique to the NAS within the scope of the RADIUS server.

The NAS-IP-Address is only used in Access-Request packets. Either the NAS-IP-Address or NAS-Identifier must be present in an Access-Request packet.

NOTE: The feature is available in release 2.1 and later.

The following command sets the NAS-IP address to 192.168.20.12. If you do not specify an IP address in the command, the NAS-IP address uses the interface IP address that connects the switch to the RADIUS server.

console#config
console(config)#radius-server attribute 4 192.168.20.12

TACACS+

TACACS+ (Terminal Access Controller Access Control System) provides access control for networked devices via one or more centralized servers. Similar to RADIUS, this protocol simplifies authentication by making use of a single database that can be shared by many clients on a large network. TACACS+ uses TCP to ensure reliable delivery and a shared key configured on the client and daemon server to encrypt all messages.

After you configure TACACS+ as the authentication method for user login, the NAS (Network Access Server) prompts for the user login credentials and requests services from the TACACS+ client. The client then uses the configured list of servers for authentication, and provides results back to the NAS.

You can configure the TACACS+ server list with one or more hosts defined via their network IP address. You can also assign each a priority to determine the order in which the TACACS+ client will contact them. TACACS+ contacts the server when a connection attempt fails or times out for a higher priority server.

You can configure each server host with a specific connection type, port, timeout, and shared key, or you can use global configuration for the key and timeout.

Like RADIUS, the TACACS+ server can do the authentication itself, or redirect the request to another back-end device. All sensitive information is encrypted and the shared secret is never passed over the network; it is used only to encrypt the data.

TACACS+ Configuration Example

This example configures two TACACS+ servers at 10.10.10.10 and 11.11.11.11. Each server has a unique shared secret key. The server at 10.10.10.10 has a default priority of 0, the highest priority, while the other server has a priority of 2. The process creates a new authentication list, called tacacsList, which uses TACACS+ to authenticate, and uses local authentication as a backup method.
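
The TACACS+ description above states that the shared secret is never passed over the network and is used only to encrypt the data. The following added example (not from this manual or the switch firmware) shows how that works on the wire, following the body-protection scheme of RFC 8907: an MD5-derived pad is XORed over the packet body while the 12-byte header stays in clear. The key, session ID and body bytes are constructed sample values.

```python
import hashlib
import struct

HEADER_LEN = 12
TAC_PLUS_UNENCRYPTED_FLAG = 0x01  # header flag: body was sent without the pad

def pseudo_pad(session_id, key, version, seq_no, length):
    """RFC 8907 pad: MD5_1 = MD5(sid, key, ver, seq); MD5_n appends MD5_(n-1)."""
    seed = struct.pack("!I", session_id) + key + bytes([version, seq_no])
    pad, block = b"", b""
    while len(pad) < length:
        block = hashlib.md5(seed + block).digest()
        pad += block
    return pad[:length]

def xor_body(body, key, session_id, version, seq_no):
    """The same operation protects and recovers the body (XOR is symmetric)."""
    pad = pseudo_pad(session_id, key, version, seq_no, len(body))
    return bytes(b ^ p for b, p in zip(body, pad))

def build_packet(body, key, session_id, seq_no, pkt_type=0x01, version=0xC0):
    """Header fields: version, type, seq_no, flags, session_id, body length."""
    header = struct.pack("!BBBBII", version, pkt_type, seq_no, 0,
                         session_id, len(body))
    return header + xor_body(body, key, session_id, version, seq_no)

def parse_packet(packet, key):
    """Recover the body; refuse cleartext bodies and inconsistent lengths."""
    version, pkt_type, seq_no, flags, session_id, length = struct.unpack(
        "!BBBBII", packet[:HEADER_LEN])
    if flags & TAC_PLUS_UNENCRYPTED_FLAG:
        raise ValueError("peer sent an unprotected body; rejecting")
    if length != len(packet) - HEADER_LEN:
        raise ValueError("length field does not match body size")
    body = xor_body(packet[HEADER_LEN:], key, session_id, version, seq_no)
    return {"type": pkt_type, "seq_no": seq_no,
            "session_id": session_id, "body": body}

if __name__ == "__main__":
    key = b"constructed-shared-key"            # constructed sample secret
    body = b"constructed sample body, not a real START packet"
    pkt = build_packet(body, key, session_id=0x1234ABCD, seq_no=1)
    print("header (clear):", pkt[:HEADER_LEN].hex())
    print("secret on the wire:", key in pkt)   # the key only seeds the pad
    print("right key:", parse_packet(pkt, key)["body"])
    print("wrong key:", parse_packet(pkt, b"some-other-key")["body"])
```

RFC 8907 describes this mechanism as obfuscation rather than encryption, and a mismatched key produces garbage instead of an explicit error, which is why each server's key must match the one configured on the switch.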