Table Of Contents
TACACS+ Commands
aaa group server tacacs
ip tacacs source-interface
server (TACACS+)
show tacacs
tacacs-server directed-request
tacacs-server host
tacacs-server key
TACACS+ Commands
This chapter describes the commands used to configure TACACS+. TACACS+ provides detailed accounting information and flexible administrative control over authentication and authorization processes. TACACS+ is facilitated through AAA and can be enabled only through AAA commands.
Note
Refer to the "Authentication Commands" chapter, the "Authorization Commands" chapter, and the "Accounting Commands" chapter for information about commands specific to AAA.
For information on how to configure TACACS+, refer to the "Configuring TACACS+" chapter in the Cisco IOS Security Configuration Guide. For configuration examples using the commands in this chapter, refer to the "TACACS+ Configuration Examples" section located at the end of the "Configuring TACACS+" chapter in the Cisco IOS Security Configuration Guide.
Note
TACACS and Extended TACACS commands are included in Cisco IOS Release 12.1 software for backward compatibility with earlier Cisco IOS releases; however, these commands are no longer supported and are not documented for this release.
Cisco recommends using only the TACACS+ security protocol with Cisco IOS Release 12.1 software. For a description of TACACS and Extended TACACS commands, refer to the "TACACS, Extended TACACS, and TACACS+ Commands" chapter in Cisco IOS Release 12.0 Security Command Reference at Cisco Connection Online (CCO).
Table 13 identifies Cisco IOS software commands available to the different versions of TACACS. Although TACACS+ is enabled through AAA and uses commands specific to AAA, there are some commands that are common to TACACS, Extended TACACS, and TACACS+. TACACS and Extended TACACS commands that are not common to TACACS+ are not documented in this release.
Table 13 TACACS Command Comparison
Cisco IOS Command | TACACS | Extended TACACS | TACACS+
aaa accounting¹ | - | - | Yes
aaa authentication arap¹ | - | - | Yes
aaa authentication enable default¹ | - | - | Yes
aaa authentication login¹ | - | - | Yes
aaa authentication ppp¹ | - | - | Yes
aaa authorization¹ | - | - | Yes
aaa group server tacacs+ | | | Yes
aaa new-model¹ | - | - | Yes
arap authentication¹ | - | - | Yes
arap use-tacacs | Yes | Yes | -
enable last-resort | Yes | Yes | -
enable use-tacacs | Yes | Yes | -
ip tacacs source-interface | Yes | Yes | Yes
login authentication¹ | - | - | Yes
login tacacs | Yes | Yes | -
ppp authentication¹ | Yes | Yes | Yes
ppp use-tacacs¹ | Yes | Yes | No
server | - | - | Yes
tacacs-server attempts | Yes | - | -
tacacs-server authenticate | Yes | Yes | -
tacacs-server directed-request | Yes | Yes | Yes
tacacs-server extended | - | Yes | -
tacacs-server host | Yes | Yes | Yes
tacacs-server key | - | - | Yes
tacacs-server last-resort | Yes | Yes | -
tacacs-server notify | Yes | Yes | -
tacacs-server optional-passwords | Yes | Yes | -
tacacs-server retransmit | Yes | Yes | -
tacacs-server timeout | Yes | Yes | Yes
aaa group server tacacs
To group different server hosts into distinct lists and distinct methods, use the aaa group server command in global configuration mode. To remove a server group from the configuration list, enter the no form of this command.
aaa group server tacacs+ group-name
no aaa group server tacacs+ group-name
Syntax Description
tacacs+ | Use only the TACACS+ server hosts.
group-name | Character string used to name the group of servers.
Defaults
No default behavior or values.
Command Modes
Global configuration
Command History
Release | Modification
12.0(5)T | This command was introduced.
Usage Guidelines
The AAA server-group feature introduces a way to group existing server hosts. The feature enables you to select a subset of the configured server hosts and use them for a particular service.
A server group is a list of server hosts of a particular type. Currently supported server host types are RADIUS server hosts and TACACS+ server hosts. A server group is used in conjunction with a global server host list. The server group lists the IP addresses of the selected server hosts.
Examples
The following example shows the configuration of an AAA group server named tacgroup1 that comprises three member servers:
aaa group server tacacs+ tacgroup1
Related Commands
Command | Description
aaa accounting | Enables AAA accounting of requested services for billing or security.
aaa authentication login | Sets AAA authentication at login.
aaa authorization | Sets parameters that restrict network access to a user.
aaa new-model | Enables the AAA access control model.
tacacs-server host | Specifies a TACACS+ host.
ip tacacs source-interface
To use the IP address of a specified interface for all outgoing TACACS+ packets, use the ip tacacs source-interface command in global configuration mode. Use the no form of this command to disable use of the specified interface IP address.
ip tacacs source-interface subinterface-name
no ip tacacs source-interface
Syntax Description
subinterface-name | Name of the interface that TACACS+ uses for all of its outgoing packets.
Defaults
No default behavior or values.
Command Modes
Global configuration
Command History
Release | Modification
10.0 | This command was introduced.
Usage Guidelines
Use this command to set a subinterface's IP address for all outgoing TACACS+ packets. This address is used as long as the interface is in the up state. In this way, the TACACS+ server can use one IP address entry associated with the network access client instead of maintaining a list of all IP addresses.
This command is especially useful in cases where the router has many interfaces and you want to ensure that all TACACS+ packets from a particular router have the same IP address.
The specified interface must have an IP address associated with it. If the specified subinterface does not have an IP address or is in a down state, TACACS+ reverts to the default. To avoid this, add an IP address to the subinterface or bring the interface to the up state.
Examples
The following example makes TACACS+ use the IP address of subinterface s2 for all outgoing TACACS+ packets:
ip tacacs source-interface s2
Related Commands
Command | Description
ip radius source-interface | Forces RADIUS to use the IP address of a specified interface for all outgoing RADIUS packets.
ip telnet source-interface | Allows a user to select an address of an interface as the source address for Telnet connections.
ip tftp source-interface | Allows a user to select the interface whose address will be used as the source address for TFTP connections.
server (TACACS+)
To configure the IP address of the TACACS+ server for the group server, use the server command in group server configuration mode. To remove the IP address of the TACACS+ server, enter the no form of this command.
server ip-address
no server ip-address
Syntax Description
ip-address | IP address of the selected server.
Defaults
No default behavior or values.
Command Modes
TACACS+ group server configuration
Command History
Release | Modification
12.0(5)T | This command was introduced.
Usage Guidelines
Enter the server command to specify the IP address of the TACACS+ server. Also configure a matching tacacs-server host entry in the global list. If there is no response from the first host entry, the next host entry is tried.
Examples
The following example shows two server entries in the TACACS+ server group g1, each with a matching tacacs-server host entry in the global list:
aaa authentication ppp default group g1
aaa group server tacacs+ g1
 server 1.0.0.1
 server 2.0.0.1
tacacs-server host 1.0.0.1
tacacs-server host 2.0.0.1
Related Commands
Command | Description
aaa new-model | Enables the AAA access control model.
aaa group server | Groups different server hosts into distinct lists and distinct methods.
tacacs-server host | Specifies a TACACS+ server host.
show tacacs
To display statistics for a TACACS+ server, use the show tacacs command in EXEC mode.
show tacacs
Syntax Description
This command has no arguments or keywords.
Defaults
No default behavior or values.
Command Modes
EXEC
Command History
Release | Modification
11.2 | This command was introduced.
Examples
The following example is sample output for the show tacacs command:
Tacacs+ Server : 172.19.192.80/49
Failed Connect Attempts: 0
Table 14 describes the significant fields shown in the display.
Table 14 show tacacs Field Descriptions
Field | Description
Tacacs+ Server | IP address of the TACACS+ server.
Socket opens | Number of successful TCP socket connections to the TACACS+ server.
Socket closes | Number of successfully closed TCP socket attempts.
Socket aborts | Number of premature TCP socket closures to the TACACS+ server; that is, the peer did not wait for a reply from the server after the peer sent its request.
Socket errors | Any other socket read or write errors, such as incorrect packet format and length.
Failed Connect Attempts | Number of failed TCP socket connections to the TACACS+ server.
Total Packets Sent | Number of packets sent to the TACACS+ server.
Total Packets Recv | Number of packets received from the TACACS+ server.
Expected replies | Number of outstanding replies from the TACACS+ server.
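A parser for the Table 14 fields with a few reachability checks on the counters, added here as an example and not part of the Cisco documentation. The sample output is constructed from the documented field names (the exact column layout, the second server and the function names are assumptions, not captured device output).

```python
import re

# Constructed sample in the shape of show tacacs output (not captured from a
# device): the first server is healthy, the second never accepts a TCP connection.
SAMPLE_SHOW_TACACS = """\
Tacacs+ Server : 172.19.192.80/49
              Socket opens:          12
             Socket closes:          12
             Socket aborts:           0
             Socket errors:           0
   Failed Connect Attempts:           0
        Total Packets Sent:          24
        Total Packets Recv:          24
          Expected replies:           0
Tacacs+ Server : 10.0.0.12/49
              Socket opens:           0
             Socket closes:           0
             Socket aborts:           0
             Socket errors:           0
   Failed Connect Attempts:           9
        Total Packets Sent:           0
        Total Packets Recv:           0
          Expected replies:           0
"""

def parse_show_tacacs(text):
    """Return {"address/port": {field-name (lowercased): int}} per server block."""
    servers, current = {}, None
    for line in text.splitlines():
        m = re.match(r"\s*Tacacs\+ Server\s*:\s*(\S+)", line)
        if m:
            current = m.group(1)          # a new server block starts here
            servers[current] = {}
            continue
        m = re.match(r"\s*([A-Za-z ]+?)\s*:\s*(\d+)\s*$", line)
        if m and current is not None:
            servers[current][m.group(1).lower()] = int(m.group(2))
    return servers

def health_findings(servers):
    """Flag counters that point at an unreachable or misbehaving server."""
    findings = []
    for srv, c in servers.items():
        if c.get("failed connect attempts", 0):
            findings.append(f"{srv}: {c['failed connect attempts']} failed TCP connects")
        if c.get("socket errors", 0):
            findings.append(f"{srv}: {c['socket errors']} socket errors (packet format/length)")
        if c.get("expected replies", 0):
            findings.append(f"{srv}: {c['expected replies']} replies still outstanding")
    return findings
```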
Related Commands
Command | Description
tacacs-server host | Specifies a TACACS+ host.
tacacs-server directed-request
To send only a username to a specified server when a direct request is issued, use the tacacs-server directed-request global configuration command. Use the no form of this command to send the entire string to the TACACS+ server.
tacacs-server directed-request [restricted] [no-truncate]
no tacacs-server directed-request
Syntax Description
restricted | (Optional) Restrict queries to directed request servers only.
no-truncate | (Optional) Do not truncate the @hostname from the username.
Defaults
Enabled
Command Modes
Global configuration
Command History
Release | Modification
11.1 | This command was introduced.
Usage Guidelines
This command sends only the portion of the username before the "@" symbol to the host specified after the "@" symbol. In other words, with the directed-request feature enabled, you can direct a request to any of the configured servers, and only the username is sent to the specified server.
Disabling tacacs-server directed-request causes the whole string, both before and after the "@" symbol, to be sent to the default TACACS+ server. When the directed-request feature is disabled, the router queries the list of servers, starting with the first one in the list, sending the whole string, and accepting the first response that it gets from the server. The tacacs-server directed-request command is useful for sites that have developed their own TACACS+ server software that parses the whole string and makes decisions based on it.
With tacacs-server directed-request enabled, only configured TACACS+ servers can be specified by the user after the "@" symbol. If the host name specified by the user does not match the IP address of a TACACS+ server configured by the administrator, the user input is rejected.
Use no tacacs-server directed-request to disable the ability of the user to choose between configured TACACS+ servers and to cause the entire string to be passed to the default server.
Examples
The following example disables tacacs-server directed-request so that the entire user input is passed to the default TACACS+ server:
no tacacs-server directed-request
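The four cases described in the usage guidelines (feature enabled or disabled, with or without no-truncate), modelled as an added Python function that is not IOS code; the server list, the Rejected exception and the split at the first "@" are assumptions, and the restricted keyword is not modelled.

```python
class Rejected(Exception):
    """User input refused: the host after '@' is not a configured TACACS+ server."""

def route_login(user_input, configured_servers, directed_request=True, no_truncate=False):
    """Return (servers_to_query, string_sent) for one login string.

    Follows the documented behaviour of tacacs-server directed-request:
      - feature disabled: the whole string goes to the server list, first server first;
      - no '@' in the input: the default list is queried with the string as typed;
      - 'user@host': host must match a configured server or the input is rejected,
        and only 'user' is sent unless no-truncate keeps the '@host' suffix.
    """
    if not directed_request or "@" not in user_input:
        return list(configured_servers), user_input
    username, host = user_input.split("@", 1)   # split at the first '@' (assumption)
    if host not in configured_servers:
        raise Rejected(f"{host!r} is not a configured TACACS+ server")
    return [host], (user_input if no_truncate else username)
```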
tacacs-server host
To specify a TACACS+ host, use the tacacs-server host command in global configuration mode. Use the no form of this command to delete the specified name or address.
tacacs-server host hostname [single-connection] [port integer] [timeout integer] [key string]
no tacacs-server host hostname
Syntax Description
hostname | Name or IP address of the host.
single-connection | (Optional) Specify that the router maintain a single open connection for confirmation from a AAA/TACACS+ server (CiscoSecure Release 1.0.1 or later). This command contains no autodetect and fails if the specified host is not running a CiscoSecure daemon.
port | (Optional) Specify a server port number. This option overrides the default, which is port 49.
integer | (Optional) Port number of the server. Valid port numbers range from 1 to 65535.
timeout | (Optional) Specify a timeout value. This overrides the global timeout value set with the tacacs-server timeout command for this server only.
integer | (Optional) Integer value, in seconds, of the timeout interval.
key | (Optional) Specify an authentication and encryption key. This must match the key used by the TACACS+ daemon. Specifying this key overrides the key set by the global command tacacs-server key for this server only.
string | (Optional) Character string specifying authentication and encryption key.
Defaults
No TACACS+ host is specified.
Command Modes
Global configuration
Command History
Release | Modification
10.0 | This command was introduced.
Usage Guidelines
You can use multiple tacacs-server host commands to specify additional hosts. The Cisco IOS software searches for hosts in the order in which you specify them. Use the single-connection, port, timeout, and key options only when running a AAA/TACACS+ server.
Because some of the parameters of the tacacs-server host command override global settings made by the tacacs-server timeout and tacacs-server key commands, you can use this command to enhance security on your network by uniquely configuring individual routers.
Examples
The following example specifies a TACACS+ host named Sea_Change:
tacacs-server host Sea_Change
The following example specifies that, for AAA confirmation, the router consults the TACACS+ server host named Sea_Cure on port number 51. The timeout value for requests on this connection is three seconds; the encryption key is a_secret.
tacacs-server host Sea_Cure single-connection port 51 timeout 3 key a_secret
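The per-host override rule from the usage guidelines, together with the group-to-global-host relationship from the aaa group server tacacs and server (TACACS+) sections, as an added Python audit over IOS configuration text; this is not Cisco code, and SAMPLE_CONFIG, the function names and the use of regular expressions for option parsing are assumptions.

```python
import re

# Constructed sample config (not from the page): one host overrides port, timeout
# and key, one inherits the globals, and one group member has no global host entry.
SAMPLE_CONFIG = """\
aaa group server tacacs+ g1
 server 1.0.0.1
 server 2.0.0.1
tacacs-server host 1.0.0.1 single-connection port 51 timeout 3 key a_secret
tacacs-server host 3.0.0.1
tacacs-server timeout 5
tacacs-server key dare to go
"""

def parse_tacacs_config(text):
    """Return (hosts, groups, glob): per-host options, group members, global values."""
    hosts, groups, glob, group = {}, {}, {"key": None, "timeout": None}, None
    for line in (raw.strip() for raw in text.splitlines()):
        if line.startswith("aaa group server tacacs+ "):
            group = line.split()[-1]              # enter group-server configuration
            groups[group] = []
        elif group and line.startswith("server "):
            groups[group].append(line.split()[1])  # server ip-address
        else:
            group = None                          # any other line leaves the group
            if (m := re.match(r"tacacs-server host (\S+)(.*)", line)):
                opts = m.group(2)
                port = re.search(r"\bport (\d+)", opts)
                tmo = re.search(r"\btimeout (\d+)", opts)
                key = re.search(r"\bkey (.+)$", opts)  # key string runs to end of line
                hosts[m.group(1)] = {"single_connection": "single-connection" in opts,
                                     "port": int(port.group(1)) if port else 49,  # documented default
                                     "timeout": int(tmo.group(1)) if tmo else None,
                                     "key": key.group(1) if key else None}
            elif line.startswith("tacacs-server key "):
                glob["key"] = line[len("tacacs-server key "):]  # inner spaces belong to the key
            elif line.startswith("tacacs-server timeout "):
                glob["timeout"] = int(line.split()[-1])
    return hosts, groups, glob

def audit_tacacs(text):
    """Resolve each host's effective port/timeout/key (per-host overrides global) and list findings."""
    hosts, groups, glob = parse_tacacs_config(text)
    eff = {n: {"port": h["port"], "timeout": glob["timeout"] if h["timeout"] is None else h["timeout"],
               "key": glob["key"] if h["key"] is None else h["key"]} for n, h in hosts.items()}
    findings = [f"host {n}: no key set globally or per host" for n, s in eff.items() if s["key"] is None]
    findings += [f"group {g}: server {m} has no matching tacacs-server host entry"
                 for g, members in groups.items() for m in members if m not in hosts]
    return eff, findings
```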
Related Commands
Command | Description
ppp | Starts an asynchronous connection using PPP.
slip | Starts a serial connection to a remote host using SLIP.
tacacs-server key | Sets the authentication encryption key used for all TACACS+ communications between the access server and the TACACS+ daemon.
tacacs-server key
To set the authentication encryption key used for all TACACS+ communications between the access server and the TACACS+ daemon, use the tacacs-server key command in global configuration mode. Use the no form of this command to disable the key.
tacacs-server key key
no tacacs-server key [key]
Syntax Description
key | Key used to set authentication and encryption. This key must match the key used on the TACACS+ daemon.
Defaults
No default behavior or values.
Command Modes
Global configuration
Command History
Release | Modification
11.1 | This command was introduced.
Usage Guidelines
After enabling AAA with the aaa new-model command, you must set the authentication and encryption key using the tacacs-server key command.
The key entered must match the key used on the TACACS+ daemon. All leading spaces are ignored; spaces within and at the end of the key are not. If you use spaces in your key, do not enclose the key in quotation marks unless the quotation marks themselves are part of the key.
Examples
The following example sets the authentication and encryption key to "dare to go":
tacacs-server key dare to go
Related Commands
Command | Description
aaa new-model | Enables the AAA access control model.
tacacs-server host | Specifies a TACACS+ host.