
    Configuring TACACS+

    Terminal Access Controller Access Control System (TACACS) is a security protocol that provides centralized validation of users who are attempting to gain access to a router or NAS. TACACS+, a more recent version of the original TACACS protocol, provides separate authentication, authorization, and accounting (AAA) services. This topic includes the following tasks:

    1. Configuring TACACS+ Support
    2. Configuring Authentication
    3. Configuring Accounting

    Configuring TACACS+ Support

    Before you begin to configure TACACS+, you must determine the following for the TACACS+ authentication and accounting servers:

    • IP addresses
    • TCP port numbers
    • Secret keys

    To use TACACS+, you must enable AAA. To configure your router to support TACACS+, perform the following tasks. Some of the tasks are optional. Once you configure TACACS+ support on the router, you can configure TACACS+ authentication, authorization, and accounting independent of each other.

    You can configure the TACACS+ server only on the default virtual router. If you attempt to configure TACACS+ server settings on VRs other than the default VR or in a VRF, an error message is displayed.

    1. Specify the names of the IP host or hosts maintaining a TACACS+ server. Optionally, you can specify other parameters, such as port number, timeout interval, and key.
      host1(config)#tacacs-server host 192.168.1.27 port 10 timeout 3 key your_secret primary
    2. (Optional) Set the authentication and encryption key value shared by all TACACS+ servers that do not have a server-specific key set up by the tacacs-server host command.
      host1(config)#tacacs-server key " &#889P^"
    3. (Optional) Set alternative source addresses to be used for TACACS+ server communications.
      host1(config)#tacacs-server source-address 192.168.134.63
    4. (Optional) Set the timeout value for all TACACS+ servers that do not have a server-specific timeout set up by the tacacs-server host command.
      host1(config)#tacacs-server timeout 15
    5. (Optional) Set the retry value for a TACACS+ client. The maximum retry attempt for a request is five. By default, the retry value is two.
      host1(config)#tacacs-server retransmit-retries 4

    Configuring Authentication

    Once TACACS+ support is enabled on the router, you can configure TACACS+ authentication. Perform the following steps:

    1. Specify AAA new model as the authentication method for the vty lines on your router.
      host1(config)#aaa new-model
    2. Specify AAA authentication by defining an authentication method list (named tac in this example) that lists the methods in the order they are tried.
      host1(config)#aaa authentication login tac tacacs+ radius enable
    3. Define the default method list for privileged-level (enable) authentication, using TACACS+ first, then RADIUS, then the enable password.
      host1(config)#aaa authentication enable default tacacs+ radius enable
    4. Configure vty lines.
      host1(config)#line vty 0 4
    5. Apply an authentication list to the vty lines you specified on your router.
      host1(config-line)#login authentication tac

    Configuring Accounting

    Once TACACS+ support is enabled on the router, you can configure TACACS+ accounting. Perform the following steps:

    1. Specify AAA new model as the accounting method for your router.
      host1(config)#aaa new-model
    2. Enable TACACS+ accounting on the router, and configure accounting method lists. For example:
      host1(config)#aaa accounting exec default start-stop tacacs+
      host1(config)#aaa accounting commands 0 listX stop-only tacacs+
      host1(config)#aaa accounting commands 1 listX stop-only tacacs+
      host1(config)#aaa accounting commands 13 listY stop-only tacacs+
      host1(config)#aaa accounting commands 14 default stop-only tacacs+
      host1(config)#aaa accounting commands 15 default stop-only tacacs+
    3. (Optional) Specify that accounting records are not generated for users without explicit user names.
      host1(config)#aaa accounting suppress null-username
    4. Apply accounting method lists to a console or lines. For example:
      host1(config)#line console 0
      host1(config-line)#accounting commands 0 listX
      host1(config-line)#accounting commands 1 listX
      host1(config-line)#accounting commands 13 listY
      host1(config-line)#exit
      host1(config)#line vty 0 4
      host1(config-line)#accounting commands 13 listY

    Note that Exec accounting and User Exec mode commands accounting for privilege levels 14 and 15 are now enabled for all lines and consoles with the creation of their default method list, as shown in Step 2.
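    The following Python script is an added example and is not part of the Juniper documentation above. It parses a constructed configuration snippet built from the commands shown on this page, resolves which key and timeout each TACACS+ server actually uses (a server-specific value on tacacs-server host wins over the global tacacs-server key or tacacs-server timeout, as in steps 2 and 4 of Configuring TACACS+ Support), and reports the settings a reviewer would flag: a server left without any key, a retry count above the maximum of five, a login method list that a line applies but that was never defined, and a login list whose last method depends on a reachable server. The command subset it understands, the lint rules, the sample configuration, and the names parse_config, effective_servers and lint are all assumptions of this example.

```python
# Added example (not part of the Juniper documentation): a small linter for a
# TACACS+/AAA configuration snippet in the style of the commands on this page.
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Tuple

MAX_RETRIES = 5      # page: "The maximum retry attempt for a request is five."
DEFAULT_RETRIES = 2  # page: "By default, the retry value is two."
REMOTE_METHODS = {"tacacs+", "radius"}  # methods that need a reachable server

# Constructed sample: one fully specified server (step 1), a second server that
# relies on the global settings, and two login method lists, one of which has
# no local fallback after the remote methods.
SAMPLE_CONFIG = """\
aaa new-model
tacacs-server host 192.168.1.27 port 10 timeout 3 key your_secret primary
tacacs-server host 192.168.1.28
tacacs-server source-address 192.168.134.63
tacacs-server timeout 15
tacacs-server retransmit-retries 4
aaa authentication login tac tacacs+ radius enable
aaa authentication login remote_only tacacs+ radius
aaa authentication enable default tacacs+ radius enable
line vty 0 4
 login authentication tac
line console 0
 login authentication remote_only
"""


@dataclass
class AaaConfig:
    new_model: bool = False
    servers: List[dict] = field(default_factory=list)
    global_key: Optional[str] = None
    global_timeout: Optional[int] = None
    retries: int = DEFAULT_RETRIES
    login_lists: Dict[str, List[str]] = field(default_factory=dict)   # name -> methods
    line_logins: List[Tuple[str, str]] = field(default_factory=list)  # (line, list name)


def parse_config(text: str) -> AaaConfig:
    """Parse the subset of commands used on this page (per-host keys are single tokens)."""
    cfg = AaaConfig()
    current_line = None
    for raw in text.splitlines():
        toks = raw.split()
        if not toks:
            continue
        if toks[:2] == ["aaa", "new-model"]:
            cfg.new_model = True
        elif toks[:2] == ["tacacs-server", "host"]:
            srv = {"host": toks[2], "port": None, "timeout": None, "key": None,
                   "primary": "primary" in toks[3:]}
            for opt in ("port", "timeout", "key"):
                if opt in toks[3:]:
                    val = toks[toks.index(opt) + 1]
                    srv[opt] = val if opt == "key" else int(val)
            cfg.servers.append(srv)
        elif toks[:2] == ["tacacs-server", "key"]:
            cfg.global_key = raw.strip().split(None, 2)[2]  # keep a quoted key whole
        elif toks[:2] == ["tacacs-server", "timeout"]:
            cfg.global_timeout = int(toks[2])
        elif toks[:2] == ["tacacs-server", "retransmit-retries"]:
            cfg.retries = int(toks[2])
        elif toks[:3] == ["aaa", "authentication", "login"]:
            cfg.login_lists[toks[3]] = toks[4:]
        elif toks[0] == "line":
            current_line = " ".join(toks[1:])
        elif toks[:2] == ["login", "authentication"] and current_line:
            cfg.line_logins.append((current_line, toks[2]))
    return cfg


def effective_servers(cfg: AaaConfig) -> List[dict]:
    """Resolve each server's key and timeout: the value given on 'tacacs-server host'
    wins, otherwise the global 'tacacs-server key' / 'tacacs-server timeout' applies."""
    return [{
        "host": s["host"],
        "primary": s["primary"],
        "key": s["key"] if s["key"] is not None else cfg.global_key,
        "timeout": s["timeout"] if s["timeout"] is not None else cfg.global_timeout,
    } for s in cfg.servers]


def lint(cfg: AaaConfig) -> List[str]:
    """Return human-readable findings; an empty list means nothing was flagged."""
    findings = []
    if not cfg.new_model:
        findings.append("aaa new-model is missing; AAA must be enabled before TACACS+ is used")
    if not cfg.servers:
        findings.append("no tacacs-server host is configured")
    for s in effective_servers(cfg):
        if s["key"] is None:
            findings.append(f"server {s['host']} has no key, neither server-specific nor global")
    if cfg.retries > MAX_RETRIES:
        findings.append(f"retransmit-retries {cfg.retries} exceeds the maximum of {MAX_RETRIES}")
    for name, methods in cfg.login_lists.items():
        # A list whose last method needs a server leaves no way in while the
        # servers are unreachable; the page's example lists end with 'enable'.
        if methods and methods[-1] in REMOTE_METHODS:
            findings.append(f"login list {name} has no local fallback after {methods[-1]}")
    for line, name in cfg.line_logins:
        if name not in cfg.login_lists:
            findings.append(f"line {line} applies undefined login list {name}")
    return findings


if __name__ == "__main__":
    config = parse_config(SAMPLE_CONFIG)
    for srv in effective_servers(config):
        print(srv)
    for finding in lint(config):
        print("FINDING:", finding)
```

    Run against the sample, the script resolves 192.168.1.27 to key your_secret with timeout 3 and 192.168.1.28 to no key with the global timeout 15, then reports the missing key on the second server and the remote_only list that ends in radius. Keys embedded in a tacacs-server host line are treated as single tokens, matching the page's example; only the global tacacs-server key form is read as a possibly quoted string.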

    Published: 2014-08-20