Configuring TACACS+ on Cisco Switches/Routers

There's a good chance this content may be outdated!

This post is 2 years old—a long time on the internet. Any content within is provided as-is and is not guaranteed to work on modern systems - your mileage may vary.


Adding security to your Cisco routers and switches is important. AAA (Authentication, Authorization, Accounting) in general is incredibly important, especially in corporate environments. I’ve recently moved to the AAA protocol of TACACS+ (“Tac Plus”) for our switches after a few unauthorized changes and not knowing who did what. To get a TACACS+ server, there are a few routes you can take. First, you can go the commercial route: Cisco has a TACACS+ server, as do some other vendors. Or you can go the free route. Free obviously lacks features like commercial support; however, I found a great TACACS+ server that runs on Windows. I have a dedicated virtual machine that is my TFTP server for performing software upgrades, so I decided to make it my TACACS+ server as well. The software is tacacs.net. It’s a great, well-documented, free piece of software built on .NET.

The logging of TACACS.NET is great. For example, here’s an accounting log. You can see the username (in this case, RANCID is running some backups, as I had just added the TACACS+ commands to the config of the switches), the date and time of each session, and which commands were run.

The great thing about TACACS+ (at least with tacacs.net) is that it authenticates against Active Directory (since we are a Windows shop). The rancid user is just a service account in AD.

So, to configure the switches (and routers), there are two methods. On IOS 12.X the TACACS+ server is defined with a single command:

 tacacs-server host <ACS-SERVER> key 7 <KEY>

If you run this command on IOS 15.X, you'll receive a warning that it is deprecated and will be removed soon. The commands you need to change to are:

 Switch(config)#tacacs server acs-server-1
 Switch(config-server-tacacs)#address ipv4 192.168.1.1
 Switch(config-server-tacacs)#key 0 <my-key unencrypted>
 Switch(config-server-tacacs)#exit
 Switch(config)#aaa group server tacacs+ TAC_PLUS
 Switch(config-sg-tacacs+)#server name acs-server-1
 Switch(config-sg-tacacs+)#server name acs-server-2

Each `server name` in the group has to match a name defined with `tacacs server`, so acs-server-2 needs its own `tacacs server` block like the one above before the group will use it.

And then just add your typical TACACS+ commands:

 aaa new-model
 aaa authentication login default group tacacs+ local
 aaa authentication enable default group tacacs+ enable
 aaa accounting commands 0 default start-stop group tacacs+
 aaa accounting commands 3 default start-stop group tacacs+
 aaa accounting commands 5 default start-stop group tacacs+
 aaa accounting commands 15 default start-stop group tacacs+
 !
 aaa session-id common

Also, don’t forget to set your enable password and add a backup local user in case the TACACS+ server is unreachable! The `local` keyword at the end of the `aaa authentication login` line is what lets that backup account work when the server is down.
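To make the two gotchas above (server names that don't match, and a missing local fallback) easy to catch before you lock yourself out of a switch, here is a small audit script, added as an example and not part of the original post or of tacacs.net. The sample config it checks is constructed from the commands above, with the server-name mismatch left in on purpose; `audit_aaa` and the finding texts are my own names.

```python
import re

# Constructed sample, built from the post's own commands; the mismatch between
# 'tacacs server acs-server' and the group's acs-server-1/-2 is left in on purpose.
SAMPLE_CONFIG = """\
aaa new-model
tacacs server acs-server
 address ipv4 192.168.1.1
 key 0 my-key-unencrypted
aaa group server tacacs+ TAC_PLUS
 server name acs-server-1
 server name acs-server-2
aaa authentication login default group tacacs+ local
aaa authentication enable default group tacacs+ enable
aaa accounting commands 15 default start-stop group tacacs+
aaa session-id common
"""

def audit_aaa(config: str) -> list[str]:
    """Return findings for an IOS running-config; an empty list means all checks passed."""
    findings = []
    if re.search(r"^tacacs-server host ", config, re.M):
        findings.append("uses deprecated 'tacacs-server host' syntax")
    # Names defined with 'tacacs server <name>' (the IOS 15 syntax)
    defined = set(re.findall(r"^tacacs server (\S+)", config, re.M))
    # Names referenced by 'server name' inside 'aaa group server tacacs+' blocks
    referenced, in_group = set(), False
    for line in config.splitlines():
        if line.startswith("aaa group server tacacs+"):
            in_group = True
        elif in_group and line.startswith(" server name "):
            referenced.add(line.split()[-1])
        elif not line.startswith(" "):
            in_group = False
    for name in sorted(referenced - defined):
        findings.append(f"group references undefined server '{name}'")
    # 'key 0' is saved in clear text unless service password-encryption is on
    if re.search(r"^ key 0 ", config, re.M) and "service password-encryption" not in config:
        findings.append("plaintext TACACS+ key without service password-encryption")
    # Without 'local' in the login method list, an unreachable TACACS+ server
    # locks every admin out (the backup-user warning above)
    login = re.search(r"^aaa authentication login default (.*)$", config, re.M)
    if not login or "local" not in login.group(1).split():
        findings.append("no local fallback on login authentication")
    # Command accounting at level 15 is what records who changed what
    if not re.search(r"^aaa accounting commands 15 ", config, re.M):
        findings.append("no command accounting for privilege level 15")
    return findings
```

Run it against `show running-config` output saved to a file; each finding maps to one of the caveats in the post.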
