The Ultimate Guide to TACACS+ Server Implementation

A computer network consists of various routers, switches, and firewalls as the network becomes larger and larger. It is tough for an administrator to control access to the networking devices. Tacacs+ protocol can resolve this big issue. It centralizes all the login credentials in a single place. It simplifies our management work and secures our network. When a user wants to log into a networking device through GUI, telnet, or SSH via user credentials, then the device verifies the entered credentials from the tacacs+ server through an encrypted channel. And, the tacacs+ server verifies it through its local database, LDAP, or the radius server.

            Similarly, when the user runs any command on the device, does the tacacs+ server verify whether the user has the authority to run those specific commands or not?

            Moreover, tacacs+ has the responsibility to account for all the logs generated by the devices in the network, if any change has occurred!

Lab topology for Tacacs+ server

Lab topology for tacacs+

Assign IP address to a router.

assign IP to router

Also, assign an IP address to the AAA server and other PCs in the range of

assign IP to server

Enable the AAA (authentication authorization and accounting) on the Router through the following command. The first command enables the AAA, while the 2nd command is used to authenticate users through the tacacs+ server.

Enable AAA

Configure the line console and vty authentication on the Router. Moreover, configure the privilege password on the Router.

password and authentication

Similarly Also, configure the AAA server’s basic configuration such as the client name as R1, because our Router R1 will act as a client of the AAA server. The client IP, a key, and at last select tacacs+ in service type. Create two users admin and user1 in it.

tacacs+ setting

Specify the tacacs+ server to the Router R1. It means that Router R1 will authenticate its credentials from the AAA server (

point to tacacs+

Configure the AAA authorization on the router, which will specify authorization for the users.

authorization for users

Configure the user’s activity through the accounting process in the below command.

accounting for users

Now it’s the time to telnet a Router from any PC.

try to telnet router from pc1

If you want to check the debugging process of a router. Apply the debug AAA authentication command on the Router.

debugging on router

Suppose if AAA server goes down, then what will happen? In this case, we shut down the AAA server interface on the switch.

shutdown tacacs+ interface

Now go to the PC, and telnet to the router.

try to telnet router from PC1

The authentication failed because the Router didn’t find an AAA server to authenticate the user’s entered credentials. This is a problem because the Router doesn’t authenticate itself and it also doesn’t log in through the line console. To protect ourselves from such problems, it is necessary to configure local authentication. It means, that if the AAA server is not accessible, then authenticate the user’s credentials from its local database. Also create a user for this purpose, which will be stored only in its local database.

create new user user2 and with local tacacs+

Let’s try to access Router R1 through telnet from PC1.

telnet into router form PC1 through user2

Again enable the interface of a AAA server on the switch:

enable tacacs+ interface

Let’s check it again to telnet Router R1. We will check whether it authenticates itself from the AAA server or its local database. We will try both user2, which is locally created, and at last, we will also try to telnet through admin user, which is created in the AAA server.

try to telnet router through admin and user2

The screenshot demonstrates that user2 cannot successfully telnet into the router R1; due to which its attempt has failed. The user admin successfully telnet into the router. Why? Because user1 was created in the local database of a router, while user admin was created in the AAA server. As the AAA server is up, so router will check user2 in the AAA server not in its local database. It will look into its local database for the user2 if the AAA server is down. Similarly, we created an “admin” user in the AAA server, so it the router will look into the AAA server and so the user “admin” will be able to login to the router through telnet.

Similar Posts

Leave a Reply

Your email address will not be published. Required fields are marked *