How to add TACACS+ to your Cisco logins

Mark Jacob, December 9, 2015

In the interest of fairness, since I recently blogged about RADIUS authentication, I thought it would be a good idea to talk about TACACS+ as well. You will find that the configuration steps are quite similar, but TACACS+ goes further than RADIUS: it separates authentication, authorization and accounting, it can authorize individual commands, and it encrypts the whole packet body rather than only the password field. The objective of this blog is not to show all the features that TACACS+ provides, but just to give a few screenshots of basic TACACS+ authentication.

My topology is shown in figure 1:

[Figure 1: lab topology]

Here the Cisco device fulfills the role of the TACACS+ client, while a Windows Server 2003 box acts as the authenticating server. Yes, I could have built a newer server than 2003, but screenshots of basic authentication did not seem justification enough, since I already had this one.

Let’s see the config on the Cisco device which will cause it to forward authentication attempts:

[Figure 2: AAA configuration on the Cisco device]

You will notice that, much like the aaa authentication … radius command, I have added the keyword ‘local’ to the end of the method list. This important step allows a user defined in the device’s local database to log in if the TACACS+ server is unreachable. Be precise about what that means: the methods are tried in order, and IOS moves on to ‘local’ only when no TACACS+ server responds; if the server answers and rejects the credentials, the login fails and the local database is never consulted. Also make sure that local user actually exists before you enable aaa new-model, or you can lock yourself out of the device.

Figure 2 shows the minimum aaa commands required to make this work. Now for the TACACS+-specific commands:

[Figure 3: TACACS+ server commands]

Figure 3 shows that I have identified the source interface for the TACACS+ requests, and I have identified the destination address and the shared key for the requests as well. Figure 1 shows that the 10.5.1.100 address belongs to my authenticating server. The source interface matters because the server identifies each client by its source IP address and looks up the shared key for that address; if requests leave from an interface whose address is not registered on the server, the server will not accept them.
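Pulling the commands from figures 2 and 3 together, here is an added example of the complete client-side configuration, written for this post rather than copied from its screenshots. It assumes the router reaches the server through GigabitEthernet0/0, that the shared secret is Tacacs-Lab-Key, and that the local fallback account is named admin; all three are placeholders you would replace. The commands at the end are the same checks the tests later in the post rely on.

```cisco
! Added example, not the configuration from the post's screenshots.
! Assumptions (placeholders): server reached via GigabitEthernet0/0,
! shared secret Tacacs-Lab-Key, local fallback account "admin".
!
! 1. Local fallback account. Create it BEFORE aaa new-model so a console
!    session can still log in if the server never answers. Use "secret"
!    (hashed) rather than "password" (reversible type 7).
username admin privilege 15 secret Local-Fallback-Pass
enable secret Lab-Enable-Secret
!
! 2. Enable AAA and build the default login method list.
!    Order matters: TACACS+ is tried first; "local" is consulted only when
!    no TACACS+ server responds, never when a server rejects the login.
aaa new-model
aaa authentication login default group tacacs+ local
! Optional: send enable requests to TACACS+ as well, falling back to the
! local enable secret when the server is unreachable.
aaa authentication enable default group tacacs+ enable
!
! 3. TACACS+ server definition (classic syntax). The key must match the
!    one the server holds for this client, and the server identifies the
!    client by source address, so the source interface must carry the
!    address registered on the server.
tacacs-server host 10.5.1.100 key Tacacs-Lab-Key
tacacs-server timeout 5
ip tacacs source-interface GigabitEthernet0/0
!
! Equivalent in the newer IOS / IOS-XE syntax:
! tacacs server LAB-ACS
!  address ipv4 10.5.1.100
!  key Tacacs-Lab-Key
!  timeout 5
! ip tacacs source-interface GigabitEthernet0/0
!
! 4. Apply to the vty lines. "default" applies automatically; naming it
!    makes the intent visible in the running config.
line vty 0 4
 login authentication default
 transport input ssh
!
! 5. Verification from an existing session (exec mode):
!    test aaa group tacacs+ admin Local-Fallback-Pass new-code
!    show tacacs                     ! server status and request counters
!    debug tacacs authentication     ! watch each exchange, as in figure 7
```

Two practical notes. Keep a second session open while you apply aaa new-model, and confirm with test aaa group tacacs+ that the server accepts the router before you close it. The TACACS+ key lives in the running config as plaintext, or type 7 at best when service password-encryption is on, so treat configuration backups with the same care as the server’s credential store.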

Now to test this. I will attempt to log in to the Cisco device from my Windows 7 client using a valid username/password combination and a reachable authenticating server:

[Figure 4: PuTTY login from the Windows 7 client]

Voila! I have authenticated successfully using TACACS+. Another test that would assuage a network admin’s nerves regarding security is to try known bad credentials and verify that the login fails. Let’s check:

[Figure 5: login attempt with known bad credentials]

Failed as expected. The last verification step I will show today uses what should be good credentials while the TACACS+ server is unreachable. In that case, the device should fall back to the locally configured user database. Let’s verify this as well. I will disable the network card on my Server 2003 box so that the TACACS+ requests go unanswered. Watch what happens:

[Figure 6: successful login with the server unreachable]

Figure 6 shows successful access to the device, but how do I know that the authenticating server did not grant this access? I ran debug tacacs authentication on my router. Let’s examine the output:

[Figure 7: debug tacacs authentication output]

Notice in figure 7 that the client attempted to contact the authenticating server, but the request timed out. Since I had a locally configured username and password that matched my attempt, access was granted. That timeout is what triggers the fallback: had the server been reachable and rejected the credentials, the method list would have stopped there and the local database would not have been tried.

As mentioned, there is far more that TACACS+ can do for you, right down to controlling a user’s session by permitting or denying individual commands (command authorization). That is far deeper than one needs to delve when seeking the CCNA R&S certification, but it never hurts to at least familiarize oneself with the overall concepts.

If you have questions or comments, please feel free to post them!

Until next time….

Mark Jacob
Cisco and CompTIA Network+ Instructor – Interface Technical Training
Phoenix, AZ
