System Setup and Software Installation Guide for Cisco NCS 1010, IOS XR Releases


Configure and verify TACACS+ server groups


Use this procedure to configure and verify TACACS+ server groups. Server groups let AAA method lists use selected external TACACS+ hosts for authentication, authorization, or accounting.


This task covers both the configuration and the verification of TACACS+ server groups.

Configuring NCS 1010 to use AAA server groups provides a way to group existing server hosts. This allows you to select a subset of the configured server hosts and use them for a particular service. A server group is used in conjunction with a global server-host list. The server group lists the IP addresses of the selected server hosts.

You can enter one or more server commands. The server command specifies the hostname or IP address of an external TACACS+ server. Once configured, this server group can be referenced from the AAA method lists (used while configuring authentication, authorization, or accounting).

To configure TACACS+ server groups, perform these steps:

Before you begin

For the configuration to succeed, the external server must be reachable at the time of configuration. If the same IP address is also used in the global configuration, server-private parameters are required.

Follow these steps to configure TACACS+ server groups.


Procedure

1. Configure the required server group settings.

2. Verify the server group configuration.

The TACACS+ server group workflow is complete once both the configuration and verification subtasks are complete.


Configure TACACS+ server group commands

Configure the settings required for TACACS+ server groups.

This subtask contains the configuration command sequence for TACACS+ server groups.

Before you begin

Follow these steps to configure TACACS+ server groups.

Procedure

1. Enter IOS XR configuration mode.

Example:

RP/0/RP0/CPU0:ios# configure

2. Create an AAA server group and enter server group sub-configuration mode.

Example:

RP/0/RP0/CPU0:ios(config)# aaa group server tacacs+ tacgroup1

3. Configure the IP address of the private TACACS+ server for the group server.

Example:

RP/0/RP0/CPU0:ios(config-sg-tacacs+)# server-private 10.1.1.1 port 49 key a_secret

Note
  • You can configure a maximum of 10 TACACS+ private servers in a server group.

  • If private server parameters are not specified, global configurations are used. If global configurations are not specified, default values are used.

4. Configure the authentication and encryption key used between NCS 1010 and the TACACS+ daemon running on the TACACS+ server. If no key string is specified, the global value is used.

Example:

RP/0/RP0/CPU0:ios(config-sg-tacacs+)# key 7 08984B1A4D0C19157A5F57

5. Configure the timeout value that sets the length of time the authentication, authorization, and accounting (AAA) server waits to receive a response from the TACACS+ server.

Example:

RP/0/RP0/CPU0:ios(config-sg-tacacs-private)# timeout 4

6. Repeat steps 3 to 5 for every private server to be added to the server group.

7. Configure certificate-based authentication for users configured in the TACACS+ server or server groups.

Example:

RP/0/RP0/CPU0:ios(config-sg-tacacs-private)# aaa authorization exec default group TACACS_ALL local

8. Set the default method list for authentication, and also enable authentication for the console in global configuration mode.

Example:

RP/0/RP0/CPU0:ios(config-sg-tacacs-private)# aaa authentication login default group TACACS_ALL local

9. Commit the changes and exit all configuration modes.

commit

end

The TACACS+ server group configuration commands are now applied.


Verify TACACS+ server group configuration

Verify the TACACS+ server group configuration created in the previous subtask.

This subtask contains the verification command for TACACS+ server groups.

Before you begin

Follow these steps to verify TACACS+ server group configuration.

Procedure

Verify the TACACS+ server group configuration details.

Example:

RP/0/RP0/CPU0:ios# show tacacs server-groups 

The command output displays the configured server group details.
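
An offline check of saved configuration text that complements the show command, added here as an example and not Cisco's code: it flags server groups that exceed the 10 private-server limit noted in step 3, and AAA method lists that name a server group which is never defined. The sample configuration is constructed from the commands on this page, and treating `tacacs+` and `radius` as built-in group keywords is an assumption of the example.

```python
import re

MAX_PRIVATE_SERVERS = 10                 # limit from the note under step 3
BUILTIN_GROUPS = {"tacacs+", "radius"}   # assumed keywords for the global host lists
GROUP_RE = re.compile(r"^aaa group server (?:tacacs\+|radius) (\S+)")
PRIVATE_RE = re.compile(r"^\s+server-private (\S+)")
METHOD_RE = re.compile(r"^aaa (?:authentication|authorization|accounting) ")

# Constructed sample: one method list names TACACS_ALL, which is never defined.
SAMPLE = """\
aaa group server tacacs+ tacgroup1
 server-private 10.1.1.1 port 49
  timeout 4
 !
!
aaa authorization exec default group TACACS_ALL local
aaa authentication login default group tacgroup1 local
"""


def audit(config_text):
    """Return a list of findings for IOS XR style AAA configuration text."""
    groups, refs, current = {}, [], None
    for line in config_text.splitlines():
        line = line.rstrip()
        group = GROUP_RE.match(line)
        private = PRIVATE_RE.match(line)
        if group:
            current = group.group(1)
            groups[current] = []         # private servers seen in this group
        elif private and current:
            groups[current].append(private.group(1))
        elif line and not line[0].isspace():
            current = None               # an unindented line closes the group block
            if METHOD_RE.match(line):
                refs += [(line, n) for n in re.findall(r"\bgroup (\S+)", line)]
    findings = []
    for name, servers in groups.items():
        if len(servers) > MAX_PRIVATE_SERVERS:
            findings.append(f"group {name}: {len(servers)} private servers, limit is {MAX_PRIVATE_SERVERS}")
    for line, name in refs:
        if name not in groups and name not in BUILTIN_GROUPS:
            findings.append(f"undefined server group {name!r} in: {line}")
    return findings


if __name__ == "__main__":
    for finding in audit(SAMPLE):
        print(finding)
```

A method list that points at an undefined group falls through to the next method in the list, so a name mismatch can leave logins relying on local accounts without any error at commit time being visible in the saved text.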