How to configure TACACS+ on Cisco Routers and Switches

TACACS+ provides better authentication, authorization and accounting, which provide flexible administrative control. In this lesson, we will learn how to configure TACACS+ on Cisco routers and switches.

I already published a post for IOS XR, you can check that from How to configure TACACS+ on Cisco IOS XR. Today i will show, how to configure on IOS enabled routers and switches. So, lets get started.

How to configure TACACS+ on Cisco Routers and Switches

First of all, we need to make sure we can reach Tacacs+ server using TCP 49 port.

Cisco-RTR#telnet 49
Trying, 49 ... Open

Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to, timeout is 2 seconds:
Success rate is 100 percent (5/5), round-trip min/avg/max = 2/2/3 ms

TACACS+ on Cisco Routers and Switches

First of all, we will enable AAA service on the device by running below command-

aaa new-model

Then, we will define our tacacs server by below commands-

tacacs server OURTACACS
 address ipv4
 key cisco@123

Explanation: = Tacacs+ server IP
cisco@123 = Pre-shared key

aaa authentication login OURTACACS group tacacs+ local
aaa authentication enable default group tacacs+ enable

We are calling OURTACACS as our main authentication server. In addition to that, if it fails, we will go back to local credentials.

aaa authorization config-commands
aaa authorization commands 0 default group tacacs+ if-authenticated
aaa authorization commands 15 default group tacacs+ if-authenticated

Command if-authenticated will help to revert back to local users if Tacacs+ server fails. So, if you use if-authenticated, any authentication methods (line, local, etc.) will allow for successful authorization.

aaa accounting exec default start-stop group tacacs+
aaa accounting commands 0 default start-stop group tacacs+
aaa accounting commands 15 default start-stop group tacacs+

You also need to make sure, you added OURTACACS as your authentication server for VTY.

line vty 0 4
  login authentication OURTACACS
  transport input telnet ssh


You need to run below command, where noc is the username and noc@12345 is the password.

Cisco-RTR#test aaa group tacacs+ noc noc@12345 legacy
Attempting authentication test to server-group tacacs+ using tacacs+
User was successfully authenticated.

You can clearly see, our user login is successfully authenticated.

So, if you have any question or opinion related to this article, you are welcome to add your comment below. Thanks 🙂 .

Leave a Comment

Your email address will not be published. Required fields are marked *

4 thoughts on “How to configure TACACS+ on Cisco Routers and Switches”

  1. Thanks, i try this configure by shh access and have a problem in configuration, after “aaa authorization” commands i cant do anything and IOS show me this error “Command authorization failed.”

  2. Many thanks, Rajib, Your explanation save me from reading or learning and wasting time trying to understand it. Excellent approach mate!

Scroll to Top