Basic Cisco Tacacs+ Configuration With Free Tacacs+ Software for Windows - Part 1 - NETSEC



Sunday, February 8, 2015

Basic Cisco Tacacs+ Configuration With Free Tacacs+ Software for Windows - Part 1

Both RADIUS and TACACS+ provide centralized validation of users attempting to gain access to network devices that support either protocol, providing Authentication, Authorization, and Accounting (AAA) services on those devices.

RADIUS stands for Remote Access Dial-In User Service, and TACACS+ stands for Terminal Access Controller Access Control Service Plus. The primary functional difference between the two is that TACACS+ separates out the authorization function, whereas RADIUS combines authentication and authorization. RADIUS was designed for subscriber AAA, and TACACS+ for administrator AAA. RADIUS can still be used for administrator AAA on a small network, but only if authorization is not required or the network is homogeneous (all one vendor). In any heterogeneous environment, or wherever authorization policies are required for network devices, TACACS+ is the best option.

The following figure and table show the differences more intuitively:

This post and the next one will show the basic TACACS+ configuration steps on a Cisco 2960 switch to work with Free Tacacs+ Software for Windows from

1. Software Installation and Verify Configuration

1.1 Download Software

Please download Version 1.3.2, which is available from their website

1.2 Installation

Double-click the downloaded file and simply click Next through the wizard to complete the installation.

After installation, the service starts automatically. Localhost ( and the RFC 1918 IP address ranges (,, are already added as clients by default. Any user in the Administrators group on the local machine will be authorized as the fallback method.

1.3 Configure the Tacacs+ server

The wizard installs the configuration and log files to different locations depending on your OS. The Start Menu program group has a configuration shortcut that points to the configuration folder. In my case, all configuration files were installed in this directory: C:\ProgramData\\config

Check tacplus.xml to make sure the server IP is not

You do not need to restart or reload the server when you modify the configuration files. The server monitors the configuration files for changes and reloads them automatically.

1.4 Verify the Tacacs+ service

telnet 49
tactest -s -u test1 -p test1
(test1 is the local administrator account on my Tacacs Windows server)
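As an added check that complements telnet and tactest (this is example code written for this post, not part of the original article or the vendor's tools), the script below speaks just enough TACACS+ (RFC 8907 framing and MD5 body obfuscation) to send one ASCII-login START packet on TCP 49 and classify the reply. A well-formed reply status such as GETPASS proves the server is up and the shared secret matches; a wrong secret decodes to garbage, which shows up as UNDECODABLE. The host address, the key "mysharedsecret" (taken from the switch configuration below) and the user test1 are assumptions you should adjust.

```python
import hashlib
import os
import socket
import struct

TAC_PLUS_AUTHEN = 1  # packet type: authentication
REPLY_STATUS = {1: "PASS", 2: "FAIL", 3: "GETDATA", 4: "GETUSER",
                5: "GETPASS", 6: "RESTART", 7: "ERROR", 0x21: "FOLLOW"}

def pseudo_pad(session_id, key, version, seq_no, length):
    """RFC 8907 section 4.5: chained MD5 over session_id, key, version, seq_no."""
    base = struct.pack("!I", session_id) + key + bytes([version, seq_no])
    pad, prev = b"", b""
    while len(pad) < length:
        prev = hashlib.md5(base + prev).digest()
        pad += prev
    return pad[:length]

def obfuscate(session_id, key, version, seq_no, body):
    """XOR the body with the pseudo-pad; symmetric, so it also deobfuscates."""
    pad = pseudo_pad(session_id, key, version, seq_no, len(body))
    return bytes(b ^ p for b, p in zip(body, pad))

def build_authen_start(session_id, key, user, port=b"tty0", rem_addr=b"127.0.0.1"):
    """Authentication START: action LOGIN, priv_lvl 1, authen_type ASCII, service LOGIN."""
    version, seq_no = 0xC0, 1  # major version 0xC, minor 0; first packet of the session
    body = struct.pack("!8B", 1, 1, 1, 1, len(user), len(port), len(rem_addr), 0)
    body += user + port + rem_addr
    header = struct.pack("!BBBBII", version, TAC_PLUS_AUTHEN, seq_no, 0, session_id, len(body))
    return header + obfuscate(session_id, key, version, seq_no, body)

def parse_reply(packet, key):
    """Return (status, server_msg) from an authentication REPLY packet."""
    version, _ptype, seq_no, _flags, session_id, length = struct.unpack("!BBBBII", packet[:12])
    body = obfuscate(session_id, key, version, seq_no, packet[12:12 + length])
    status, _rflags, msg_len, _data_len = struct.unpack("!BBHH", body[:6])
    return status, body[6:6 + msg_len]

def check_tacacs_server(host, key, user=b"test1", timeout=5.0):
    """Send one START and classify the reply; a status outside REPLY_STATUS almost
    always means the shared secret does not match (the body decoded to garbage)."""
    session_id = struct.unpack("!I", os.urandom(4))[0]  # random per RFC 8907
    with socket.create_connection((host, 49), timeout=timeout) as sock:
        sock.sendall(build_authen_start(session_id, key, user))
        stream = sock.makefile("rb")
        header = stream.read(12)
        body = stream.read(struct.unpack("!I", header[8:12])[0])
    status, msg = parse_reply(header + body, key)
    return REPLY_STATUS.get(status, "UNDECODABLE"), msg.decode(errors="replace")
```

Run it as `check_tacacs_server("<server-ip>", b"mysharedsecret")`; against a healthy server with the correct secret the first reply to an ASCII login is normally `("GETPASS", "Password: ")` or similar, because the server is asking the client to continue with the password.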

2. Configure Cisco Switch to Use Tacacs server

Router(config)# aaa new-model
Router(config)# tacacs-server host key mysharedsecret
Router(config)# aaa authentication login default group tacacs+ local
Router(config)# aaa authorization exec default group tacacs+ local
Router(config)# line console 0
Router(config-line)# login authentication default
Router(config)# line vty 0 15
Router(config-line)# login authentication default

Based on configuration steps 1 and 2 above, the switch will authenticate logins against the Tacacs server using accounts in the server's local Administrators group.


The fallback group includes all local administrators on the server. It should be commented out before the server is deployed in production.

