http://www.cisco.com/univercd/cc/td/doc/product/lan/28201900/1928v9x/ee_scg/2addlfet.htm#xtocid11624
Configuring TACACS+
You must configure a TACACS+ server before enabling TACACS+ on the Catalyst 1900 or Catalyst 2820 switch.
To configure TACACS+, perform these steps in privileged mode from the CLI:
Task / Command
Step 1 Enable TACACS+ authentication for login.
    login tacacs
Step 2 Enable TACACS+ authentication for enable.
    enable use-tacacs
Step 3 Configure the action to be taken when TACACS+ servers cannot be reached.
    tacacs-server last-resort [password | succeed]
Step 4 Configure the key used to encrypt packets.
    tacacs-server key key
Step 5 Configure the IP address of the TACACS+ server.
    tacacs-server host hostaddress
Step 6 Configure the number of login attempts allowed to the TACACS+ server (optional).
    tacacs-server attempts integer
Step 7 Set the timeout interval in which the server must respond (optional).
    tacacs-server timeout seconds
Supported CLI Commands
The following TACACS+ commands are fully documented in the Catalyst 1900 Series and Catalyst 2820 Series Command Reference (online only):
enable use-tacacs
login tacacs
show tacacs
tacacs-server attempts
tacacs-server directed-request
tacacs-server host
tacacs-server key
tacacs-server last-resort
tacacs-server timeout
TACACS+ Example
The following example enables TACACS+ login authentication, configures a TACACS+ server at address 192.20.22.7, sets the server key to "I am cool," sets the maximum allowable login attempts to 3, and sets the server timeout to 5 seconds.
switch(config)# login tacacs
switch(config)# tacacs-server host 192.20.22.7
switch(config)# tacacs-server key "I am cool"
switch(config)# tacacs-server attempts 3
switch(config)# tacacs-server timeout 5
TACACS+ Verification
To verify the TACACS+ configuration settings, use the show tacacs command. After entering the command, you see this display:
switch# show tacacs
Enable use-tacacs:Enabled
Login tacacs:Enabled
Tacacs-server last-resort:password
Tacacs-server hosts:192.20.27.7
Tacacs-server key:I am cool
Tacacs-server login attempts:3
Tacacs-server timeout:5 seconds
Tacacs-server directed-request:Disabled
Note: The tacacs-server key setting displays only in privileged Exec mode.
cisco.com/univercd is always your friend (even for the old stuff)
Scott
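An added example, not part of the post above or of Cisco's documentation: a small Python audit that parses the `show tacacs` display quoted in the post and flags settings that weaken authentication, in particular `last-resort succeed`, which lets the user in when no TACACS+ server answers. The function names, the sample text and the 16-character key threshold are assumptions made for illustration.

```python
# Constructed sample: the display from the post, with last-resort changed to
# "succeed" and a short key, to show what gets flagged.
SAMPLE = """\
switch# show tacacs
Enable use-tacacs:Enabled
Login tacacs:Enabled
Tacacs-server last-resort:succeed
Tacacs-server hosts:192.20.27.7
Tacacs-server key:abc
Tacacs-server login attempts:3
Tacacs-server timeout:5 seconds
Tacacs-server directed-request:Disabled
"""

MIN_KEY_LEN = 16  # assumed local policy, not a Cisco requirement


def parse_show_tacacs(text):
    """Turn 'Name:value' lines into a dict keyed by lower-cased name."""
    settings = {}
    for line in text.splitlines():
        name, sep, value = line.partition(":")
        if sep:  # lines without a colon (the prompt line) are skipped
            settings[name.strip().lower()] = value.strip()
    return settings


def audit(settings):
    """Return a list of findings for settings that weaken authentication."""
    findings = []
    for name in ("login tacacs", "enable use-tacacs"):
        if settings.get(name, "").lower() != "enabled":
            findings.append(f"{name} is not enabled")
    # 'succeed' is fail-open: access is allowed when no server can be reached.
    if settings.get("tacacs-server last-resort", "").lower() == "succeed":
        findings.append("last-resort is 'succeed': access granted when no server answers")
    if not settings.get("tacacs-server hosts"):
        findings.append("no TACACS+ server host configured")
    key = settings.get("tacacs-server key")
    if key is None:  # the key line displays only in privileged Exec mode
        findings.append("key not displayed (not privileged Exec mode, or unset)")
    elif len(key) < MIN_KEY_LEN:
        findings.append(f"key is shorter than {MIN_KEY_LEN} characters")
    return findings


if __name__ == "__main__":
    for finding in audit(parse_show_tacacs(SAMPLE)):
        print("FINDING:", finding)
```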