TACACS+ Explained with Examples

TACACS+ stands for Terminal Access Controller Access-Control System Plus. It is a Cisco-proprietary AAA protocol. It handles each of the three AAA functions (authentication, authorization, accounting) separately. It uses TCP port 49 for communication. It encrypts the body of every packet exchanged between client and server.

TACACS+ works in a client/server architecture. The client is a Cisco device (a router or switch) that supports AAA. The server is a system that stores the authentication details for its clients. When a user sends login credentials to the client, the client does not authenticate the user itself. It forwards the credentials to the TACACS+ server, and the server allows or denies the login.
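To make the protocol description above concrete, here is an added example (not code from the article or from Cisco) that builds and parses a TACACS+ authentication START packet the way RFC 8907 specifies it. The 12-byte header travels in the clear; only the body is XORed with an MD5-derived pseudo-pad keyed by the shared secret, which is what "encrypts all communications" means in practice. The key `Cisco` matches the lab's Secret field; the session id, user name, port and addresses are constructed sample values.

```python
"""Added example (not from the article): a minimal TACACS+ packet codec
following RFC 8907, showing what the protocol's encryption does and does
not cover. The 12-byte header is sent in the clear; only the body is
XORed with an MD5-derived pseudo-pad built from the shared key.
Key, session id, user name and addresses are constructed sample values."""
import hashlib
import struct

TAC_PLUS_VERSION = 0xC0          # major version 0xC in the high nibble, minor version 0
TAC_PLUS_AUTHEN = 0x01           # packet type: authentication
TAC_PLUS_UNENCRYPTED_FLAG = 0x01
HEADER_LEN = 12
HEADER_FMT = "!BBBBII"           # version, type, seq_no, flags, session_id, length


def pseudo_pad(session_id, key, version, seq_no, length):
    """RFC 8907 section 4.5: pad_1 = MD5(session_id, key, version, seq_no),
    pad_n = MD5(session_id, key, version, seq_no, pad_n-1); concatenate and truncate."""
    prefix = struct.pack("!I", session_id) + key + bytes([version, seq_no])
    pad, prev = b"", b""
    while len(pad) < length:
        prev = hashlib.md5(prefix + prev).digest()
        pad += prev
    return pad[:length]


def obfuscate(body, session_id, key, version, seq_no):
    """XOR the body with the pseudo-pad; applying it twice restores the body."""
    pad = pseudo_pad(session_id, key, version, seq_no, len(body))
    return bytes(b ^ p for b, p in zip(body, pad))


def build_authen_start(user, port, rem_addr, priv_lvl=1):
    """Authentication START body for an ASCII login (action LOGIN=1,
    authen_type ASCII=1, authen_service LOGIN=1), RFC 8907 section 5.1."""
    u, p, r, d = user.encode(), port.encode(), rem_addr.encode(), b""
    fixed = struct.pack("!BBBBBBBB", 1, priv_lvl, 1, 1, len(u), len(p), len(r), len(d))
    return fixed + u + p + r + d


def build_packet(body, ptype, seq_no, session_id, key):
    """Cleartext header followed by the obfuscated body."""
    enc = obfuscate(body, session_id, key, TAC_PLUS_VERSION, seq_no)
    hdr = struct.pack(HEADER_FMT, TAC_PLUS_VERSION, ptype, seq_no, 0, session_id, len(enc))
    return hdr + enc


def parse_packet(packet, key):
    """Return (header dict, plaintext body). Anyone on the wire can read the
    header; only a holder of the shared key recovers the body."""
    fields = struct.unpack(HEADER_FMT, packet[:HEADER_LEN])
    hdr = dict(zip(("version", "type", "seq_no", "flags", "session_id", "length"), fields))
    body = packet[HEADER_LEN:HEADER_LEN + hdr["length"]]
    if hdr["flags"] & TAC_PLUS_UNENCRYPTED_FLAG:
        return hdr, body                     # cleartext mode; never acceptable in production
    return hdr, obfuscate(body, hdr["session_id"], key, hdr["version"], hdr["seq_no"])


def demo():
    """Round-trip one START packet and report what is visible on the wire."""
    key = b"Cisco"                           # the shared secret from the lab
    session_id = 0x1A2B3C4D                  # constructed sample value
    start = build_authen_start("admin", "tty0", "192.168.1.2")
    wire = build_packet(start, TAC_PLUS_AUTHEN, 1, session_id, key)
    hdr, body = parse_packet(wire, key)
    _, wrong = parse_packet(wire, b"wrong-key")
    expected_hdr = struct.pack(HEADER_FMT, TAC_PLUS_VERSION, TAC_PLUS_AUTHEN, 1, 0,
                               session_id, len(start))
    return {
        "header_cleartext": wire[:HEADER_LEN] == expected_hdr,
        "body_hidden": b"admin" not in wire[HEADER_LEN:],
        "roundtrip_ok": body == start and hdr["session_id"] == session_id,
        "wrong_key_fails": wrong != start,
    }


if __name__ == "__main__":
    print(demo())
```

Two practical consequences follow from the code: the session id, sequence number and packet type are visible to anyone who can capture port 49 traffic, and the confidentiality of the body rests entirely on the secrecy and strength of the shared key. Use a long random key rather than a dictionary word, and keep TACACS+ traffic on a dedicated management network.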

TACACS configuration (Packet Tracer Example)

Create a Packet Tracer lab and assign IP configurations as shown in the following image.

[Image: lab topology with IP configurations]

Download the pre-configured practice lab.

TACACS Server configuration

Click Server0, click Services, click AAA, and enable the service.

[Image: enabling the TACACS service on Server0]

After enabling the TACACS service, we create a database of client devices and their associated user accounts. The Network Configuration section is where client devices are added; the User Setup section is where user accounts are added.

In this lab, we have two routers: R1 and R2. We will use R1 as the client device and R2 as an end device for testing.

The Network Configuration requires the following information.

| Field Name | Description | Value |
|---|---|---|
| Client Name | Name of the client device | R1 |
| Client IP | IP address of the client device | 192.168.1.1 |
| Secret | Password used to authenticate the client device | Cisco (you can pick any password of your choice) |
| ServerType | AAA service type; the server supports RADIUS and TACACS | TACACS |

[Image: Network Configuration section, adding the client device]

After filling values in all fields, click Add to add an entry for R1.

[Image: client entry for R1 added]

Add user accounts for R1. You can pick any names and passwords of your choice.

[Image: User Setup section, user account fields]

Click Add to add the user account.

[Image: adding the user account]

The TACACS server uses this database to authenticate client devices and their users.

[Image: user account listed in User Setup]

TACACS client configuration

Access the CLI prompt of R1 and run the following commands.

Router>enable
Router#configure terminal
Router(config)#hostname R1
R1(config)#aaa new-model
R1(config)#username admin secret pass
R1(config)#tacacs-server host 192.168.1.3 key Cisco
R1(config)#aaa authentication login default group tacacs+
R1(config)#aaa authentication login default group tacacs+ local
R1(config)#aaa authentication enable default group tacacs+
R1(config)#aaa authentication enable default group tacacs+ local
R1(config)#ip domain-name cisco.com
R1(config)#ip ssh version 2
R1(config)#crypto key generate rsa
R1(config)#line vty 0 4
R1(config-line)#transport input ssh
R1(config-line)#login authentication default
R1(config-line)#

Let us understand the above commands in detail. We used the following commands to enter global configuration mode and set the hostname to R1.

Router>enable
Router#configure terminal
Router(config)#hostname R1

The following command enables AAA on the router. It immediately applies local authentication to all lines and interfaces except line console 0. Line console 0 is left alone so that you can still access the router if you haven't set up a local user account.

R1(config)#aaa new-model

The following command configures a local username (admin) and password (pass).

R1(config)#username admin secret pass

The following command defines the TACACS+ server. It takes two parameters: the IP address of the server and the shared key, which must be the same password you entered in the Secret field when you added R1 on the server.

R1(config)#tacacs-server host 192.168.1.3 key Cisco

Routers and switches use two levels of authentication. The first level is login authentication, which controls whether you can connect to the device at all. The second level is enable authentication, which controls whether you can enter privileged EXEC mode and execute commands on the router.

The following command configures the router to use the TACACS+ server for login authentication.

R1(config)#aaa authentication login default group tacacs+

The following command replaces the default login method list with one that tries the TACACS+ server first and falls back to the local username and password only if the TACACS+ server does not respond.

R1(config)#aaa authentication login default group tacacs+ local

The following command configures the router to use the TACACS+ server for enable authentication.

R1(config)#aaa authentication enable default group tacacs+

The following command replaces the default enable method list with one that tries the TACACS+ server first and falls back to the local username and password only if the TACACS+ server does not respond.

R1(config)#aaa authentication enable default group tacacs+ local
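The method-list commands above are easiest to reason about as an ordered list of methods. The following added example (a model written for this article, not IOS code) reproduces the rule the router applies: the next method in the list is consulted only when the current one returns an error because the server cannot be reached; if the TACACS+ server is reachable and rejects the credentials, that answer is final. The user accounts and the server state are constructed sample data.

```python
"""Added example (not from the article): a small model of how an AAA
method list such as "group tacacs+ local" is evaluated. Rule modelled:
the next method is consulted only when the current one returns ERROR
(server unreachable); a FAIL (server reachable, credentials rejected)
is final. The user databases and server state are constructed sample data."""

PASS, FAIL, ERROR = "PASS", "FAIL", "ERROR"

# Constructed sample data: accounts on the TACACS+ server and on R1 itself.
TACACS_USERS = {"tacuser": "tacpass"}     # entry made in User Setup on Server0
LOCAL_USERS = {"admin": "pass"}           # "username admin secret pass" on R1


def tacacs_method(user, password, server_up):
    """TACACS+ method: ERROR when the server cannot be reached, else PASS/FAIL."""
    if not server_up:
        return ERROR
    return PASS if TACACS_USERS.get(user) == password else FAIL


def local_method(user, password, server_up):
    """Local method: the router's own username database (never errors)."""
    return PASS if LOCAL_USERS.get(user) == password else FAIL


METHODS = {"tacacs+": tacacs_method, "local": local_method}


def authenticate(method_list, user, password, server_up):
    """Walk the method list in order; fall through to the next method only on ERROR.
    Returns (result, name of the method that decided) or (ERROR, None)."""
    for name in method_list:
        result = METHODS[name](user, password, server_up)
        if result != ERROR:
            return result, name
    return ERROR, None       # every method errored: the login is refused


def lab_scenarios():
    """Reproduce the article's tests plus one cautionary case without 'local'."""
    tacacs_then_local = ["tacacs+", "local"]
    tacacs_only = ["tacacs+"]
    return {
        # server up, TACACS+ account: accepted by the server
        "server_up_tacacs_user": authenticate(tacacs_then_local, "tacuser", "tacpass", True),
        # server up, local-only account: the server says FAIL and no fallback happens
        "server_up_local_user": authenticate(tacacs_then_local, "admin", "pass", True),
        # server down, local account: ERROR from tacacs+, local method decides
        "server_down_local_user": authenticate(tacacs_then_local, "admin", "pass", False),
        # server down and no 'local' keyword: nobody can log in
        "server_down_no_local_fallback": authenticate(tacacs_only, "admin", "pass", False),
    }


if __name__ == "__main__":
    for name, outcome in lab_scenarios().items():
        print(f"{name:32s} -> {outcome}")
```

The second scenario is the behaviour the article verifies later by trying the local account while the server is up, and the last one shows why the `local` keyword matters: with `group tacacs+` alone, an unreachable server means every login, including the admin account, is refused.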

We have configured the router to use the TACACS+ server for authentication, with the local database as a backup. Now we need to configure a remote management protocol. SSH is the default remote management protocol on all Cisco devices.

The following commands enable and configure SSH. You can choose any domain name you like. SSH uses RSA keys, and generating an RSA key pair requires a hostname and a domain name, since the key is named after them.

R1(config)#ip domain-name cisco.com
R1(config)#ip ssh version 2
R1(config)#crypto key generate rsa

A router accepts remote connections on VTY lines. By default, all VTY lines are disabled. The following commands enable VTY lines 0 through 4, restrict them to SSH, and configure them to use the default authentication method list. In the default list, the router first tries the TACACS+ server; if the server is down, it uses the local database as a backup.

R1(config)#line vty 0 4
R1(config-line)#transport input ssh
R1(config-line)#login authentication default
R1(config-line)#

The following image shows the above configuration on R1.

[Image: running configuration of R1]

Download the configured practice lab.

Testing the TACACS server

To test the TACACS server configuration, open an SSH connection from R2 to R1. Use the user account that you configured on the TACACS server.

[Image: SSH connection from R2 to R1 using the TACACS user account]

As we can see in the above image, the connection opened successfully. It verifies that R1 used the TACACS server for authentication.

If the TACACS server is up, R1 will not use the local database. To verify this, close the SSH connection and open a new one. This time, use the username and password you configured locally on R1. R1 will not allow the local login as long as the TACACS server is reachable.

Turn off the switch port connected to the TACACS server.

[Image: switch port connected to the TACACS server shut down]

R1 has lost connectivity with the TACACS server. Now try to log in to R1 again from R2 using the username and password you configured on R1.

[Image: SSH login to R1 accepted with the local account]

As the above image shows, R1 accepted the connection this time. This verifies that if the TACACS server is not accessible, R1 falls back to the local database for authentication.

Conclusion

TACACS is a remote authentication service. It allows us to authenticate users from a single location. It is a Cisco-proprietary service. It works in a client/server architecture. It uses TCP to exchange information between clients and the server. It encrypts all information exchanged between the client and the server.

ComputerNetworkingNotes CCNA Study Guide TACACS+ Explained with Examples