In this lesson, we will learn to configure a TACACS+ server for AAA authentication in Cisco IOS XR software. We will be using release 7.0.x for this tutorial. So, let’s get started.

It is important to note that AAA is available by default as part of the base software package in Cisco IOS XR.

TACACS on Cisco IOS XR

Configuring TACACS+ on Cisco IOS XR

We are using out-of-band management through interface MgmtEth0/RSP0/CPU0/0 on our 9K box. So, the very first command declares the management interface MgmtEth0/RSP0/CPU0/0 as the TACACS+ source interface in our management VRF.

RP/0/RSP0/CPU0:LetsConfig(config)#tacacs source-interface MgmtEth0/RSP0/CPU0/0 vrf MGMT

In the next section, we will add our TACACS+ server. Before adding it, it is recommended to make sure the TACACS+ server is reachable on TCP port 49 (the default TACACS+ port). If you are using any other port, make sure it is allowed on the network.

RP/0/RSP0/CPU0:LetsConfig(config)#aaa group server tacacs+ AAAlogin
RP/0/RSP0/CPU0:LetsConfig(config-sg-tacacs)#server-private 10.10.10.10 port 49
RP/0/RSP0/CPU0:LetsConfig(config-sg-tacacs)#vrf MGMT

Here, we are using “server-private”, which allows a separate TACACS+ server to be defined for each VRF.

Now, we will tell our device to authenticate against the TACACS+ server group first and then fall back to the other methods. Here, if the TACACS+ server does not respond (not if it rejects the login), local credentials are accepted.

RP/0/RSP0/CPU0:LetsConfig(config)#aaa authentication login default group AAAlogin local

We can also add authorization and accounting configuration as shown below. Note that the trailing “none” on the authorization line means commands are permitted without authorization when the TACACS+ servers are unreachable; this avoids a lockout, but it is a trade-off to weigh.

aaa authorization commands default group AAAlogin none
aaa accounting exec default start-stop group AAAlogin
aaa accounting system default start-stop group AAAlogin
aaa accounting commands default start-stop group AAAlogin

The next part is to commit the configuration. However, if you made any mistake in the configuration, you will lose your connection to the device. So, it is always recommended to take advantage of the “commit confirmed” command, which automatically rolls the running configuration back after a set time unless the commit is confirmed within that time.

RP/0/RSP0/CPU0:LetsConfig(config)#commit confirmed minutes 5

Here we are using 5 minutes, which is enough to verify that login still works and to confirm the commit. Finally, confirm the configuration with the “commit” command before the timer expires.

RP/0/RSP0/CPU0:LetsConfig(config)#commit
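As an added check that is not part of the original lesson, the following Python script audits the AAA method lists in an IOS XR running configuration: it verifies that every referenced server group is defined, flags a trailing “none” in authentication or authorization lists, and reports missing accounting lists. The sample configuration is constructed from the commands above; the severity labels and check logic are this example's own.

```python
import re
from typing import Dict, List, Tuple

# Constructed sample: the lesson's AAA lines as they appear in "show running-config".
SAMPLE_CONFIG = """
tacacs source-interface MgmtEth0/RSP0/CPU0/0 vrf MGMT
aaa group server tacacs+ AAAlogin
 vrf MGMT
 server-private 10.10.10.10 port 49
 !
!
aaa authentication login default group AAAlogin local
aaa authorization commands default group AAAlogin none
aaa accounting exec default start-stop group AAAlogin
aaa accounting system default start-stop group AAAlogin
aaa accounting commands default start-stop group AAAlogin
"""

METHOD_RE = re.compile(r"^aaa (authentication|authorization|accounting) (\S+) (\S+) (.+)$", re.M)
GROUP_RE = re.compile(r"^aaa group server tacacs\+ (\S+)", re.M)

def parse_method_lists(config: str) -> Dict[Tuple[str, str, str], List[str]]:
    """Key (kind, subtype, list name) -> methods, keeping 'group <name>' as one token."""
    return {(k, s, n): re.findall(r"group \S+|\S+", r) for k, s, n, r in METHOD_RE.findall(config)}

def audit_aaa(config: str) -> List[Tuple[str, str]]:
    """Return (severity, message) findings for the AAA method lists in an IOS XR config."""
    groups = set(GROUP_RE.findall(config))
    lists = parse_method_lists(config)
    findings = []
    for (kind, sub, name), methods in lists.items():
        label = f"aaa {kind} {sub} {name}"
        # Every 'group X' must point at a defined 'aaa group server tacacs+ X'.
        for ref in (m.split()[1] for m in methods if m.startswith("group ")):
            if ref not in groups:
                findings.append(("error", f"{label}: server group '{ref}' is not defined"))
        last = methods[-1] if methods else ""
        if kind == "authentication" and last == "none":
            findings.append(("error", f"{label}: trailing 'none' allows login without credentials when servers are unreachable"))
        if kind == "authentication" and "local" not in methods:
            findings.append(("warn", f"{label}: no 'local' fallback; a TACACS+ outage locks out administrators"))
        if kind == "authorization" and last == "none":
            findings.append(("warn", f"{label}: trailing 'none' permits every command when servers are unreachable"))
    for sub in ("exec", "commands", "system"):
        if ("accounting", sub, "default") not in lists:
            findings.append(("warn", f"missing 'aaa accounting {sub} default'"))
    return findings

if __name__ == "__main__":
    for severity, message in audit_aaa(SAMPLE_CONFIG):
        print(f"[{severity}] {message}")
```

Run against the lesson's configuration, the only finding is the warning about the trailing “none” on the authorization list.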

You can use the Cisco configuration guide as a reference.

Written by Rajib Kumer Das

I am Rajib Kumer Das, a network engineer with 7+ years of experience in a multi-vendor environment. In my current company, I am responsible for taking care of critical projects and their support cases. I have several vendor certificates and plan to go further.
