The documentation set for this product strives to use bias-free language. For the purposes of this documentation set, bias-free is defined as language that does not imply discrimination based on age, disability, gender, racial identity, ethnic identity, sexual orientation, socioeconomic status, and intersectionality. Exceptions may be present in the documentation due to language that is hardcoded in the user interfaces of the product software, language used based on RFP documentation, or language that is used by a referenced third-party product. Learn more about how Cisco is using Inclusive Language.
TACACS+ is a security application that provides centralized validation of users attempting to gain access to a router or network access server. TACACS+ provides detailed accounting information and flexible administrative control over authentication and authorization processes. TACACS+ is facilitated through AAA and can be enabled only through AAA commands.
Your software release may not support all the features documented in this module. For the latest caveats and feature information, see Bug Search Tool and the release notes for your platform and software release. To find information about the features documented in this module, and to see a list of the releases in which each feature is supported, see the feature information table at the end of this module.
Use Cisco Feature Navigator to find information about platform support and Cisco software image support. To access Cisco Feature Navigator, go to www.cisco.com/go/cfn. An account on Cisco.com is not required.
You must have access to and must configure a TACACS+ server before the configured TACACS+ features on your network access server are available.
TACACS+ can be enabled only through AAA commands.
TACACS+ is a security application that provides centralized validation of users attempting to gain access to a device or network access server. TACACS+ services are maintained in a database on a TACACS+ daemon running, typically, on a UNIX or Windows NT workstation.
TACACS+ provides for separate and modular authentication, authorization, and accounting facilities. TACACS+ allows for a single access control server (the TACACS+ daemon) to provide each service--authentication, authorization, and accounting--independently. Each service can be tied into its own database to take advantage of other services available on that server or on the network, depending on the capabilities of the daemon.
The goal of TACACS+ is to provide a methodology for managing multiple network access points from a single management service. Cisco access servers and routers running Cisco IOS (for both devices and access servers) can act as network access servers.
Network access points enable traditional “dumb” terminals, terminal emulators, workstations, personal computers (PCs), and devices in conjunction with suitable adapters (for example, modems or ISDN adapters) to communicate using protocols such as Point-to-Point Protocol (PPP), Serial Line Internet Protocol (SLIP), Compressed SLIP (CSLIP), or AppleTalk Remote Access (ARA) protocol. In other words, a network access server provides connections to a single user, to a network or subnetwork, and to interconnected networks. The entities connected to the network through a network access server are called network access clients; for example, a PC running PPP over a voice-grade circuit is a network access client. TACACS+, administered through the AAA security services, can provide the following services:
The authentication facility provides the ability to conduct an arbitrary dialog with the user (for example, after a login and password are provided, to challenge a user with a number of questions, such as home address, mother’s maiden name, service type, and social security number). In addition, the TACACS+ authentication service supports sending messages to user screens. For example, a message could notify users that their passwords must be changed because of the company’s password aging policy.
The TACACS+ protocol provides authentication between the network access server and the TACACS+ daemon, and it protects every exchange between them with the shared key: the body of each packet is XORed with an MD5-derived keystream computed from the session ID, the key, the protocol version and the sequence number, so an observer without the key cannot read user names, passwords or AV pairs. The protocol specification calls this obfuscation rather than encryption; it is not a modern cipher and provides no integrity protection, so TACACS+ traffic should be confined to a trusted management network (or carried inside IPsec), and the key should be long, random and treated as a secret.
You need a system running TACACS+ daemon software to use the TACACS+ functionality on your network access server.
Cisco makes the TACACS+ protocol specification available as a draft RFC for those customers interested in developing their own TACACS+ software; the draft was later published by the IETF as RFC 8907 (Informational).
When a user attempts a simple ASCII login by authenticating to a network access server using TACACS+, the following process typically occurs:
Note | TACACS+ allows an arbitrary conversation to be held between the daemon and the user until the daemon receives enough information to authenticate the user. This is usually done by prompting for a username and password combination, but may include other items, such as mother’s maiden name, all under the control of the TACACS+ daemon. |
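The login dialog described above, as an added example that is not part of the original page or of Cisco's software: a Python model of the ASCII login between a network access server (NAS) and a TACACS+ daemon, using the packet header, authentication START/REPLY/CONTINUE layouts and the MD5-keystream body obfuscation defined in RFC 8907. The shared keys (goaway, apple), the user name, the session ID and the daemon's one-entry user table are constructed for the example. It shows the four-packet exchange ending in PASS or FAIL, that a daemon whose key differs from the NAS's key produces an undecodable reply (treated as ERROR), and that with no key configured at all the password crosses the wire in clear.

```python
"""TACACS+ ASCII-login exchange with body obfuscation (RFC 8907).

Added illustration, not Cisco code. Keys, user names, the session ID and the
daemon's user table are constructed for the example.
"""
import hashlib
import struct

VERSION = 0xC0                 # major 0xC, minor 0: classic ASCII login
TYPE_AUTHEN = 0x01
FLAG_UNENCRYPTED = 0x01        # set when the NAS has no key configured
HEADER_FMT = "!BBBBII"         # version, type, seq_no, flags, session_id, length
HEADER_LEN = 12

# Authentication START fields and REPLY status codes.
ACTION_LOGIN, AUTHEN_TYPE_ASCII, SVC_LOGIN = 0x01, 0x01, 0x01
PASS, FAIL, GETDATA, GETUSER, GETPASS, RESTART, ERROR, FOLLOW = 1, 2, 3, 4, 5, 6, 7, 0x21
KNOWN_STATUS = {PASS, FAIL, GETDATA, GETUSER, GETPASS, RESTART, ERROR, FOLLOW}


def pseudo_pad(session_id, key, version, seq_no, length):
    """MD5 chain from RFC 8907 section 4.5: MD5(sid|key|ver|seq[|prev]) until long enough."""
    seed = struct.pack("!I", session_id) + key + bytes([version, seq_no])
    pad, prev = b"", b""
    while len(pad) < length:
        prev = hashlib.md5(seed + prev).digest()
        pad += prev
    return pad[:length]


def xor_body(body, session_id, key, version, seq_no):
    """Obfuscate or de-obfuscate a packet body (XOR is its own inverse)."""
    pad = pseudo_pad(session_id, key, version, seq_no, len(body))
    return bytes(b ^ p for b, p in zip(body, pad))


def build_packet(seq_no, session_id, body, key):
    """Header plus body; with an empty key the body goes out in clear and the flag says so."""
    flags = 0 if key else FLAG_UNENCRYPTED
    wire = xor_body(body, session_id, key, VERSION, seq_no) if key else body
    return struct.pack(HEADER_FMT, VERSION, TYPE_AUTHEN, seq_no, flags, session_id, len(body)) + wire


def parse_packet(pkt, key):
    """Return the de-obfuscated body, using the receiver's own key."""
    version, _ptype, seq_no, flags, session_id, length = struct.unpack(HEADER_FMT, pkt[:HEADER_LEN])
    body = pkt[HEADER_LEN:HEADER_LEN + length]
    if not flags & FLAG_UNENCRYPTED:
        body = xor_body(body, session_id, key, version, seq_no)
    return body


def authen_start(user, port="tty0", rem_addr="10.0.0.9", priv_lvl=1):
    """Authentication START body for an ASCII login."""
    u, p, r = user.encode(), port.encode(), rem_addr.encode()
    return struct.pack("!8B", ACTION_LOGIN, priv_lvl, AUTHEN_TYPE_ASCII, SVC_LOGIN,
                       len(u), len(p), len(r), 0) + u + p + r


def authen_reply(status, server_msg=""):
    m = server_msg.encode()
    return struct.pack("!BBHH", status, 0, len(m), 0) + m


def parse_reply(body):
    """Status of a REPLY, or ERROR when the decoded bytes are not a well-formed REPLY
    (what the NAS sees when its key does not match the daemon's)."""
    if len(body) < 6:
        return ERROR
    status, _flags, msg_len, data_len = struct.unpack("!BBHH", body[:6])
    if status not in KNOWN_STATUS or 6 + msg_len + data_len != len(body):
        return ERROR
    return status


def authen_continue(user_msg):
    m = user_msg.encode()
    return struct.pack("!HHB", len(m), 0, 0) + m


def login_exchange(user, password, nas_key, daemon_key, session_id=0x1234ABCD):
    """Run the four-packet ASCII login and return the status the NAS ends with."""
    users = {"admin": "s3cret-pw"}                      # constructed daemon user database
    # 1. NAS -> daemon: START carrying the user name collected on the line.
    body = parse_packet(build_packet(1, session_id, authen_start(user), nas_key), daemon_key)
    if body[:4] != bytes([ACTION_LOGIN, 1, AUTHEN_TYPE_ASCII, SVC_LOGIN]):
        reply = authen_reply(ERROR, "bad packet")       # daemon could not decode START
    else:
        seen_user = body[8:8 + body[4]].decode(errors="replace")
        reply = authen_reply(GETPASS, "Password: ")
    # 2. daemon -> NAS: GETPASS (or ERROR); the NAS prompts the user.
    status = parse_reply(parse_packet(build_packet(2, session_id, reply, daemon_key), nas_key))
    if status != GETPASS:
        return status
    # 3. NAS -> daemon: CONTINUE carrying the password the user typed.
    body = parse_packet(build_packet(3, session_id, authen_continue(password), nas_key), daemon_key)
    typed = body[5:5 + struct.unpack("!H", body[:2])[0]].decode(errors="replace")
    verdict = PASS if users.get(seen_user) == typed else FAIL
    # 4. daemon -> NAS: final verdict.
    return parse_reply(parse_packet(build_packet(4, session_id, authen_reply(verdict), daemon_key), nas_key))


def password_visible_on_wire(password, nas_key, session_id=0x1234ABCD):
    """True if the CONTINUE packet carries the password in clear (no key configured)."""
    return password.encode() in build_packet(3, session_id, authen_continue(password), nas_key)


if __name__ == "__main__":
    print(login_exchange("admin", "s3cret-pw", b"goaway", b"goaway"))   # 1 (PASS)
    print(login_exchange("admin", "wrong", b"goaway", b"goaway"))       # 2 (FAIL)
    print(login_exchange("admin", "s3cret-pw", b"goaway", b"apple"))    # 7 (ERROR)
    print(password_visible_on_wire("s3cret-pw", b""))                   # True
```

The key-mismatch case is the one to remember when troubleshooting: the NAS does not get a REJECT, it gets bytes it cannot parse, which IOS reports as an error and then falls through to the next method in the AAA method list (for example local).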
Following authentication, the user is also put through an authorization phase if authorization has been enabled on the network access server. A user must successfully complete TACACS+ authentication before TACACS+ authorization is attempted.
The network access server implements TACACS+ authorization and accounting functions by transmitting and receiving TACACS+ attribute-value (AV) pairs for each user session. For a list of supported TACACS+ AV pairs, refer to the appendix “TACACS+ Attribute-Value Pairs.”
To configure your router to support TACACS+, you must perform the following tasks:
The tacacs-server host command enables you to specify the names of the IP host or hosts maintaining a TACACS+ server. Because the TACACS+ software searches for the hosts in the order specified, this feature can be useful for setting up a list of preferred daemons.
Note | The tacacs-server host command will be deprecated soon. You can use the server command, under a tacacs server name block, instead of the tacacs-server host command. |
To specify a TACACS+ host, use the following command in global configuration mode:
Command | Purpose
---|---
Router(config)# tacacs-server host hostname [single-connection] [port integer] [timeout integer] [key string] | Specifies a TACACS+ host.
Using the tacacs-server host command, you can also configure the following options:

single-connection: Keeps a single TCP connection to the daemon open for all exchanges, instead of opening and closing a connection for every session.
Note | The daemon must support single-connection mode for this to be effective; otherwise the connection between the network access server and the daemon will lock up or you will receive spurious errors. |

port integer: Specifies the TCP port on which the daemon listens (the default is 49).

timeout integer: Specifies how long, in seconds, the network access server waits for the daemon to respond.
Note | Specifying the timeout value with the tacacs-server host command overrides the default timeout value set with the tacacs-server timeout command for this server only. |

key string: Specifies the shared key used to obfuscate exchanges with this host.
Note | Specifying the encryption key with the tacacs-server host command overrides the default key set by the global configuration tacacs-server key command for this server only. |
Because some of the parameters of the tacacs-server host command override global settings made by the tacacs-server timeout and tacacs-server key commands, you can use this command to enhance security on your network by configuring each TACACS+ connection individually; a distinct key per daemon also limits the damage if one daemon's key is disclosed.
To set the global TACACS+ authentication key and encryption key used to encrypt all exchanges between the network access server and the TACACS+ daemon, use the following command in global configuration mode:
Command | Purpose
---|---
Router(config)# tacacs-server key key | Sets the encryption key to match that used on the TACACS+ daemon.
Note | The same key must be configured on the TACACS+ daemon for encryption to be successful. The key is stored in the running configuration, and service password-encryption only applies reversible type 7 obfuscation to it, so treat show running-config output and configuration backups as sensitive. |
Configuring the router to use AAA server groups provides a way to group existing server hosts. This allows you to select a subset of the configured server hosts and use them for a particular service. A server group is used in conjunction with a global server-host list. The server group lists the IP addresses of the selected server hosts.
Server groups can include multiple host entries as long as each entry has a unique IP address. If two different host entries in the server group are configured for the same service--for example, accounting--the second host entry configured acts as fail-over backup to the first one. Using this example, if the first host entry fails to provide accounting services, the network access server will try the second host entry for accounting services. (The TACACS+ host entries will be tried in the order in which they are configured.)
To define a server host with a server group name, enter the following commands starting in global configuration mode. Each server listed in the group must already be defined with the tacacs-server host command in global configuration mode:

1. Router(config)# tacacs-server host hostname [single-connection] [port integer] [timeout integer] [key string]
2. Router(config)# aaa group server {radius | tacacs+} group-name
3. Router(config-sg)# server ip-address [auth-port port-number] [acct-port port-number]

(The auth-port and acct-port options apply to RADIUS server groups; a TACACS+ group member is identified by its IP address alone.)
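An added check, not Cisco tooling, for the precedence rules and the server-group prerequisite described above: a small Python parser that reads the tacacs-server host, tacacs-server key, tacacs-server timeout and aaa group server tacacs+ lines of an IOS configuration, resolves what each host actually ends up with (a per-host key or timeout overrides the global value for that host only; the global timeout defaults to 5 seconds when unset), and reports hosts that would run without any key as well as group members that were never defined as a global host. The configuration text, addresses and keys are constructed for the example.

```python
"""Resolve effective TACACS+ host settings from an IOS configuration.

Added example, not Cisco software. Applies the precedence the page describes:
a key or timeout given on 'tacacs-server host' overrides the global
'tacacs-server key' / 'tacacs-server timeout' for that host only, and each
member of an 'aaa group server tacacs+' group must also be a global host.
SAMPLE_CONFIG is constructed for the example.
"""
import re

SAMPLE_CONFIG = """\
aaa new-model
tacacs-server host 172.16.1.1 single-connection timeout 3 key percust
tacacs-server host 172.16.1.21
tacacs-server host 172.16.1.31 port 4949
tacacs-server timeout 5
tacacs-server key goaway
aaa group server tacacs+ tacgroup1
 server 172.16.1.1
 server 172.16.1.21
 server 172.16.1.99
aaa authentication login default group tacgroup1 local
"""

HOST_RE = re.compile(
    r"^tacacs-server host (?P<host>\S+)"
    r"(?P<opts>(?: (?:single-connection|port \d+|timeout \d+|key \S+))*)$")
GROUP_RE = re.compile(r"^aaa group server tacacs\+ (\S+)$")
DEFAULT_TIMEOUT = 5      # IOS default when no 'tacacs-server timeout' is set
DEFAULT_PORT = 49        # TACACS+ TCP port


def parse_host_options(opts):
    """Turn 'single-connection timeout 3 key percust' into a dict."""
    entry = {"key": None, "timeout": None, "port": DEFAULT_PORT, "single_connection": False}
    tokens = opts.split()
    i = 0
    while i < len(tokens):
        if tokens[i] == "single-connection":
            entry["single_connection"] = True
            i += 1
        elif tokens[i] in ("port", "timeout"):
            entry[tokens[i]] = int(tokens[i + 1])
            i += 2
        else:                                   # 'key <string>'
            entry["key"] = tokens[i + 1]
            i += 2
    return entry


def parse_tacacs_config(text):
    """Return (hosts, groups, global settings) without resolving precedence."""
    hosts, groups = {}, {}
    glob = {"key": None, "timeout": DEFAULT_TIMEOUT}
    current_group = None
    for line in text.splitlines():
        if line.startswith(" "):                # member line inside a server-group block
            m = re.match(r"^ server (\S+)$", line)
            if m and current_group is not None:
                groups[current_group].append(m.group(1))
            continue
        current_group = None                    # any top-level line ends the block
        m = HOST_RE.match(line)
        if m:
            hosts[m.group("host")] = parse_host_options(m.group("opts"))
            continue
        m = re.match(r"^tacacs-server key (\S+)$", line)
        if m:
            glob["key"] = m.group(1)
            continue
        m = re.match(r"^tacacs-server timeout (\d+)$", line)
        if m:
            glob["timeout"] = int(m.group(1))
            continue
        m = GROUP_RE.match(line)
        if m:
            current_group = m.group(1)
            groups[current_group] = []
    return hosts, groups, glob


def effective_settings(hosts, glob):
    """Per-host key/timeout after the 'per-host overrides global' rule."""
    return {
        host: {
            "key": e["key"] if e["key"] is not None else glob["key"],
            "timeout": e["timeout"] if e["timeout"] is not None else glob["timeout"],
            "port": e["port"],
            "single_connection": e["single_connection"],
        }
        for host, e in hosts.items()
    }


def audit(text):
    """Resolve settings and list the conditions the page warns about."""
    hosts, groups, glob = parse_tacacs_config(text)
    eff = effective_settings(hosts, glob)
    findings = []
    for host, s in eff.items():
        if s["key"] is None:
            findings.append(f"{host}: no key configured; exchanges would be sent unobfuscated")
    for name, members in groups.items():
        for ip in members:
            if ip not in hosts:
                findings.append(f"group {name}: {ip} is not a configured tacacs-server host")
    return eff, findings


if __name__ == "__main__":
    settings, problems = audit(SAMPLE_CONFIG)
    for host, s in settings.items():
        print(host, s)
    for p in problems:
        print("FINDING:", p)
```

Run against a saved show running-config, the audit answers the two questions that matter before a change window: which key each daemon must hold, and whether a server group silently references a host that was never defined.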
Cisco software allows you to authenticate users to a particular AAA server group based on the Dialed Number Identification Service (DNIS) number of the session. Any phone line (a regular home phone or a commercial T1/PRI line) can be associated with several phone numbers. The DNIS number identifies the number that was called to reach you.
For example, suppose you want to share the same phone number with several customers, but you want to know which customer is calling before you pick up the phone. You can customize how you answer the phone because DNIS allows you to know which customer is calling when you answer.
Cisco devices with either ISDN or internal modems can receive the DNIS number. This functionality allows users to assign different TACACS+ server groups for different customers (that is, different TACACS+ servers for different DNIS numbers). Additionally, using server groups you can specify the same server group for AAA services or a separate server group for each AAA service.
Cisco IOS software provides the flexibility to implement authentication and accounting services in several ways:
Because AAA configuration methods can be configured simultaneously, Cisco has established an order of precedence to determine which server or groups of servers provide AAA services. The order of precedence is as follows:
Note | Prior to configuring AAA Server Group Selection Based on DNIS, you must configure the remote security servers associated with each AAA server group. See Identifying the TACACS Server Host and Configuring AAA Server Groups for more information. |
To configure the router to select a particular AAA server group based on the DNIS number of the session, configure DNIS mapping. To map a DNIS number to a server group name, use the following commands in global configuration mode:

1. Router(config)# aaa dnis map enable
2. Router(config)# aaa dnis map dnis-number authentication ppp group server-group-name
3. Router(config)# aaa dnis map dnis-number accounting network [none | start-stop | stop-only] group server-group-name

Command or Action | Purpose
---|---
Step 1: Router(config)# aaa dnis map enable | Enables DNIS mapping.
Step 2: Router(config)# aaa dnis map dnis-number authentication ppp group server-group-name | Maps a DNIS number to a defined AAA server group; the servers in this server group are used for authentication.
Step 3: Router(config)# aaa dnis map dnis-number accounting network [none \| start-stop \| stop-only] group server-group-name | Maps a DNIS number to a defined AAA server group; the servers in this server group are used for accounting.
After you have identified the TACACS+ daemon and defined an associated TACACS+ encryption key, you must define method lists for TACACS+ authentication. Because TACACS+ authentication is operated via AAA, you need to issue the aaa authentication command, specifying TACACS+ as the authentication method. See the Configuring Authentication feature module for more information.
AAA authorization enables you to set parameters that restrict a user’s access to the network. Authorization via TACACS+ may be applied to commands, network connections, and EXEC sessions. Because TACACS+ authorization is facilitated through AAA, you must issue the aaa authorization command, specifying TACACS+ as the authorization method. See the Configuring Authorization feature module for more information.
AAA accounting enables you to track the services users are accessing as well as the amount of network resources they are consuming. Because TACACS+ accounting is facilitated through AAA, you must issue the aaa accounting command, specifying TACACS+ as the accounting method. See the Configuring Accounting feature module for more information.
The following example shows how to configure TACACS+ as the security protocol for PPP authentication:
aaa new-model
aaa authentication ppp test group tacacs+ local
tacacs-server host 10.1.2.3
tacacs-server key goaway
interface serial 0
 ppp authentication chap pap test

The lines in the preceding sample configuration are defined as follows:

aaa new-model enables the AAA security services.
aaa authentication ppp test group tacacs+ local defines a method list named test for PPP on serial interfaces: group tacacs+ sends the authentication to the configured TACACS+ servers, and local is consulted only if every TACACS+ server fails to respond (an ERROR), not when a server rejects the user.
tacacs-server host 10.1.2.3 identifies the TACACS+ daemon.
tacacs-server key goaway sets the shared key that both sides use to obfuscate the exchange.
interface serial 0 selects the interface, and ppp authentication chap pap test applies the test method list to it, trying CHAP first and then PAP.
The following example shows how to configure TACACS+ as the security protocol for PPP authentication, but instead of the “test” method list, the “default” method list is used.
aaa new-model
aaa authentication ppp default if-needed group tacacs+ local
tacacs-server host 10.1.2.3
tacacs-server key goaway
interface serial 0
 ppp authentication chap default

The lines in the preceding sample configuration are defined as follows:

aaa new-model enables the AAA security services.
aaa authentication ppp default if-needed group tacacs+ local defines the default method list for PPP; if-needed skips PPP authentication for a user who has already been authenticated on the line, group tacacs+ sends other requests to the TACACS+ servers, and local is used only when no TACACS+ server responds.
tacacs-server host 10.1.2.3 identifies the TACACS+ daemon.
tacacs-server key goaway sets the shared key.
interface serial 0 selects the interface, and ppp authentication chap default applies the default method list to CHAP on it.
The following example shows how to create the same authentication algorithm for PAP, but it calls the method list “MIS-access” instead of “default”:
aaa new-model
aaa authentication ppp MIS-access if-needed group tacacs+ local
tacacs-server host 10.1.2.3
tacacs-server key goaway
interface serial 0
 ppp authentication pap MIS-access

The lines in the preceding sample configuration are defined as follows:

aaa new-model enables the AAA security services.
aaa authentication ppp MIS-access if-needed group tacacs+ local defines a method list named MIS-access with the same behavior as the default list in the previous example: TACACS+ first, local only when the servers do not respond, and no re-authentication of a user already authenticated on the line.
tacacs-server host 10.1.2.3 identifies the TACACS+ daemon.
tacacs-server key goaway sets the shared key.
interface serial 0 selects the interface, and ppp authentication pap MIS-access applies the MIS-access method list to PAP on it.
The following example shows the configuration for a TACACS+ daemon with an IP address of 10.2.3.4 and an encryption key of “apple”:
aaa new-model
aaa authentication login default group tacacs+ local
tacacs-server host 10.2.3.4
tacacs-server key apple

The lines in the preceding sample configuration are defined as follows:

aaa new-model enables the AAA security services.
aaa authentication login default group tacacs+ local defines the default method list for logins (console, vty and tty): TACACS+ first, with the local user database used only when no TACACS+ server responds.
tacacs-server host 10.2.3.4 identifies the TACACS+ daemon.
tacacs-server key apple sets the shared key; the same key must be configured on the daemon.
The following example shows how to configure TACACS+ as the security protocol for PPP authentication using the default method list; it also shows how to configure network authorization via TACACS+:
aaa new-model
aaa authentication ppp default if-needed group tacacs+ local
aaa authorization network default group tacacs+
tacacs-server host 10.1.2.3
tacacs-server key goaway
interface serial 0
 ppp authentication chap default

The lines in the preceding sample configuration are defined as follows:

aaa new-model enables the AAA security services.
aaa authentication ppp default if-needed group tacacs+ local defines the default PPP authentication method list, as in the previous examples.
aaa authorization network default group tacacs+ requires TACACS+ authorization for network services such as PPP, using the default list; because no other method follows group tacacs+, network authorization fails closed if the servers are unreachable.
tacacs-server host 10.1.2.3 identifies the TACACS+ daemon.
tacacs-server key goaway sets the shared key.
interface serial 0 selects the interface, and ppp authentication chap default applies the default method list to CHAP on it.
The following example shows how to configure TACACS+ as the security protocol for PPP authentication using the default method list; it also shows how to configure accounting via TACACS+:
aaa new-model
aaa authentication ppp default if-needed group tacacs+ local
aaa accounting network default stop-only group tacacs+
tacacs-server host 10.1.2.3
tacacs-server key goaway
interface serial 0
 ppp authentication chap default

The lines in the preceding sample configuration are defined as follows:

aaa new-model enables the AAA security services.
aaa authentication ppp default if-needed group tacacs+ local defines the default PPP authentication method list, as in the previous examples.
aaa accounting network default stop-only group tacacs+ sends a stop accounting record for each network session to the TACACS+ daemon when the session ends; start-stop would also send a record at session start.
tacacs-server host 10.1.2.3 identifies the TACACS+ daemon.
tacacs-server key goaway sets the shared key.
interface serial 0 selects the interface, and ppp authentication chap default applies the default method list to CHAP on it.
The following example shows how to create a server group with three TACACS+ server members:

aaa group server tacacs+ tacgroup1
 server 172.16.1.1
 server 172.16.1.21
 server 172.16.1.31
The following example shows how to select TACACS+ server groups based on DNIS to provide specific AAA services:

! This command enables AAA.
aaa new-model
!
! The following set of commands configures the TACACS+ servers that will be associated
! with one of the defined server groups.
tacacs-server host 172.16.0.1
tacacs-server host 172.17.0.1
tacacs-server host 172.18.0.1
tacacs-server host 172.19.0.1
tacacs-server host 172.20.0.1
tacacs-server key abcdefg
! The following commands define the sg1 TACACS+ server group and associate servers
! with it.
aaa group server tacacs+ sg1
 server 172.16.0.1
 server 172.17.0.1
! The following commands define the sg2 TACACS+ server group and associate a server
! with it.
aaa group server tacacs+ sg2
 server 172.18.0.1
! The following commands define the sg3 TACACS+ server group and associate a server
! with it.
aaa group server tacacs+ sg3
 server 172.19.0.1
! The following commands define the default-group TACACS+ server group and associate
! a server with it.
aaa group server tacacs+ default-group
 server 172.20.0.1
!
! The next set of commands configures default-group tacacs server group parameters.
aaa authentication ppp default group default-group
aaa accounting network default start-stop group default-group
!
! The next set of commands enables DNIS mapping and maps DNIS numbers to the defined
! TACACS+ server groups. In this configuration, all PPP connection requests using DNIS
! 7777 are sent to the sg1 server group. The accounting records for these connections
! (specifically, start-stop records) are handled by the sg2 server group. Calls with a
! DNIS of 8888 use server group sg3 for authentication and server group default-group
! for accounting. Calls with a DNIS of 9999 use server group default-group for
! authentication and server group sg3 for accounting records (stop records only). All
! other calls with DNIS other than the ones defined use the server group default-group
! for both authentication and start-stop accounting records.
aaa dnis map enable
aaa dnis map 7777 authentication ppp group sg1
aaa dnis map 7777 accounting network start-stop group sg2
aaa dnis map 8888 authentication ppp group sg3
aaa dnis map 9999 accounting network stop-only group sg3
The following example shows a sample configuration of the TACACS+ daemon. The precise syntax used by your TACACS+ daemon may be different from what is included in this example.
user = mci_customer1 {
    chap = cleartext "some chap password"
    service = ppp protocol = ip {
        inacl#1="permit ip any any precedence immediate"
        inacl#2="deny igrp 0.0.1.2 255.255.0.0 any"
    }
}
The following sections provide references related to the Configuring TACACS+ feature.
Related Topic | Document Title
---|---
AAA | Cisco IOS Security Guide: Securing User Services

Standard | Title
---|---
No new or modified standards are supported by this feature, and support for existing standards has not been modified by this feature. | --

MIB | MIBs Link
---|---
No new or modified MIBs are supported by this feature, and support for existing MIBs has not been modified by this feature. | To locate and download MIBs for selected platforms, Cisco IOS releases, and feature sets, use Cisco MIB Locator found at the following URL:

RFC | Title
---|---
No new or modified RFCs are supported by this feature. | --

Description | Link
---|---
The Cisco Support website provides extensive online resources, including documentation and tools for troubleshooting and resolving technical issues with Cisco products and technologies. To receive security and technical information about your products, you can subscribe to various services, such as the Product Alert Tool (accessed from Field Notices), the Cisco Technical Services Newsletter, and Really Simple Syndication (RSS) Feeds. Access to most tools on the Cisco Support website requires a Cisco.com user ID and password. |
The following table provides release information about the feature or features described in this module. This table lists only the software release that introduced support for a given feature in a given software release train. Unless noted otherwise, subsequent releases of that software release train also support that feature.
Feature Name | Releases | Feature Information
---|---|---
Configuring TACACS+ | Cisco IOS 15.2(1)E | TACACS+ is a security application that provides centralized validation of users attempting to gain access to a router or network access server. TACACS+ provides detailed accounting information and flexible administrative control over authentication and authorization processes. TACACS+ is facilitated through AAA and can be enabled only through AAA commands. The following commands were introduced or modified: tacacs-server host, tacacs-server key, aaa authentication, aaa accounting, aaa group server tacacs+.
AAA Server Groups Based on DNIS | Cisco IOS 12.2(52)SG, Cisco IOS 15.2(1)E | The AAA Server Groups Based on DNIS feature allows you to authenticate users to a particular AAA server group based on the Dialed Number Identification Service (DNIS) number of the session. The following commands were introduced or modified: aaa dnis map enable, aaa dnis map authentication group, aaa dnis map accounting.