TACACS+ provides better authentication, authorization and accounting, which provide flexible administrative control. In this lesson, we will learn how to configure TACACS+ on Cisco routers and switches.
I already published a post for IOS XR, which you can find at How to configure TACACS+ on Cisco IOS XR. Today I will show how to configure it on IOS-based routers and switches. So, let's get started.
First of all, we need to make sure we can reach the TACACS+ server on TCP port 49.
Cisco-RTR#telnet 10.1.1.200 49
Trying 10.1.1.200, 49 ... Open
Cisco-RTR#ping 10.1.1.200
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 10.1.1.200, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 2/2/3 ms
Cisco-RTR#
TACACS+ on Cisco Routers and Switches
First of all, we will enable the AAA service on the device by running the command below:
Then, we will define our TACACS+ server with the commands below:
tacacs server OURTACACS
 address ipv4 10.1.1.200
 key cisco@123
10.1.1.200 = TACACS+ server IP
cisco@123 = Pre-shared key
aaa authentication login OURTACACS group tacacs+ local
aaa authentication enable default group tacacs+ enable
OURTACACS is the name of our login method list: it uses the TACACS+ server group as the main authentication method and, if the TACACS+ server does not respond, falls back to local credentials.
aaa authorization config-commands
aaa authorization commands 0 default group tacacs+ if-authenticated
aaa authorization commands 15 default group tacacs+ if-authenticated
The if-authenticated keyword lets locally authenticated users keep working if the TACACS+ server fails: with if-authenticated, a successful authentication by any method (line, local, etc.) is enough for authorization to succeed.
aaa accounting exec default start-stop group tacacs+
aaa accounting commands 0 default start-stop group tacacs+
aaa accounting commands 15 default start-stop group tacacs+
You also need to make sure the OURTACACS method list is applied as the login authentication for the VTY lines.
line vty 0 4
 login authentication OURTACACS
 transport input telnet ssh
To test the setup, run the command below, where noc is the username and noc@12345 is the password.
Cisco-RTR#test aaa group tacacs+ noc noc@12345 legacy
Attempting authentication test to server-group tacacs+ using tacacs+
User was successfully authenticated.
You can clearly see that our user login was successfully authenticated.
So, if you have any questions or opinions related to this article, you are welcome to add your comment below. Thanks 🙂
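Before pasting this configuration onto a device, it helps to check it offline for the mistakes that lock administrators out. The script below is an added example, not part of the original post: it audits an IOS config for the settings this lesson relies on (AAA enabled, a fallback after tacacs+, a VTY method list that actually exists) and also flags Telnet on the VTY lines. The function name audit_tacacs, its finding texts and the Telnet check are assumptions of this example, and the sample adds "aaa new-model", the standard IOS command that enables AAA.

```python
import re

# Constructed sample: commands from this post, one per line, plus the
# standard "aaa new-model" command (an addition, not shown in the post).
SAMPLE = """\
aaa new-model
tacacs server OURTACACS
 address ipv4 10.1.1.200
 key cisco@123
aaa authentication login OURTACACS group tacacs+ local
aaa authorization commands 15 default group tacacs+ if-authenticated
aaa accounting commands 15 default start-stop group tacacs+
line vty 0 4
 login authentication OURTACACS
 transport input telnet ssh
"""

def audit_tacacs(config):
    """Return findings for an IOS config; an empty list means all checks pass."""
    lines = [l.rstrip() for l in config.splitlines() if l.strip()]
    findings = []
    if "aaa new-model" not in lines:
        findings.append("aaa new-model missing: AAA is not enabled")
    # Login method lists: name -> ordered methods, e.g. ['group', 'tacacs+', 'local']
    login_lists = {m.group(1): m.group(2).split() for m in
                   (re.match(r"aaa authentication login (\S+) (.+)", l) for l in lines) if m}
    known = set(login_lists) | {"default"}
    for name, methods in login_lists.items():
        if methods[-1] == "tacacs+":
            findings.append(f"login list {name}: no fallback method after tacacs+")
    for l in lines:
        if re.match(r"aaa authorization commands \d+ ", l) and l.split()[-1] == "tacacs+":
            findings.append(f"no fallback method on: {l}")
    section = None  # the 'line ...' block currently being read, if any
    for l in lines:
        if not l.startswith(" "):
            section = l if l.startswith("line ") else None
        elif section:
            words = l.split()
            if words[:2] == ["login", "authentication"] and len(words) == 3 and words[2] not in known:
                findings.append(f"{section}: login list {words[2]} is not defined")
            if words[:2] == ["transport", "input"] and "telnet" in words[2:]:
                findings.append(f"{section}: telnet allowed, logins cross the network in cleartext")
    return findings

if __name__ == "__main__":
    for finding in audit_tacacs(SAMPLE):
        print(finding)
```

Run against the configuration from this lesson, the only finding is the Telnet transport on the VTY lines; limiting that line to ssh clears it.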
2 thoughts on “How to configure TACACS+ on Cisco Routers and Switches”
Many thanks, Rajib. Your explanation saved me from reading or learning and wasting time trying to understand it. Excellent approach mate!
You are welcome..