dc tacacs-auth

Synopsis

netapi ise dc tacacs-auth [OPTIONS]

Description

Get TACACS+ device admin authentication events. Monitor who’s logging into your network devices (switches, routers, firewalls).

Options

Option Default Description

Option	Default	Description
`--hours`, `-h`	`24`	Hours to look back
`--limit`, `-l`	`50`	Maximum records to return
`--status`, `-s`	`all`	Filter: `all`, `passed`, `failed`
`--user`, `-u`	(none)	Filter by username

--hours, -h

24

Hours to look back

--limit, -l

50

Maximum records to return

--status, -s

all

Filter: all, passed, failed

--user, -u

(none)

Filter by username

Usage

# Last 24 hours (default)
netapi ise dc tacacs-auth

# Failed logins only
netapi ise dc tacacs-auth --status failed

# Filter by user
netapi ise dc tacacs-auth --user admin

# Last week
netapi ise dc tacacs-auth --hours 168

# Combine filters
netapi ise dc tacacs-auth --status failed --user admin --hours 48

Sample Output

TACACS Auth (last 24h)
──────────────────────────────────────────────────────────────────────────────
Time                 User      Status  Device       Device IP     Reason
──────────────────────────────────────────────────────────────────────────────
2026-01-23 10:43:21  admin     Pass    core-sw-01   10.50.1.10    -
2026-01-23 10:41:08  netadmin  Fail    edge-sw-02   10.50.1.11    Invalid password
2026-01-23 10:38:55  operator  Pass    wlc-01       10.50.1.40    -

3 passed | 1 failed | 4 total

Use Cases

Morning Security Check

# Failed logins overnight
netapi ise dc tacacs-auth --status failed --hours 12

Audit Specific Admin

# All logins by specific user
netapi ise dc tacacs-auth --user superadmin --hours 168