3.112.1. Key Previous topic Parent topic Child topic Next topic

This parameter specifies the default shared secret to be used to decrypt Tacacs+ messages. When a new connection from a Tacacs+ client is received, Server TACACSPLUS tries to find a Key to use for decrypting that connection. It looks in the following places for a Key until it finds one that has been defined:
  • EncryptedTACACSPLUSKey parameter is preferred over TACACSPLUSKey parameter of a matching Client clause
  • EncryptedKey
  • This Key parameter
  • EncryptedSecret parameter is preferred over Secret parameter of a matching Client clause
The search for the matching Client clause is done in the following order (Caution: this is slightly different to the order for RADIUS clients):
  • Exact IP address match
  • DEFAULT clause
  • CIDR Address match
EncryptedTACACSPLUSKey and EncryptedSecret are currently experimental and will be documented later.
This search order means you can use the Secret parameter in Clients loaded by <ClientListSQL> to specify per-client Tacacs+ keys, provided you do not specify Key in the <Server TACACSPLUS> clause.
If all your Tacacs+ devices use the same key, use this Key parameter. If some or all of your Tacacs+ devices use different keys, define a Client and TACACSPLUSKey for each differing one and set this Key as the default for the rest. If some Tacacs+ clients are also RADIUS clients, define a Client clause for each one, specifying the RADIUS secret in Secret, and the Tacacs+ key in TACACSPLUSKey.
Key mysecret