Home
Support
Product Support
Routers
Cisco SD-WAN
Configuration Guides

Cisco Catalyst SD-WAN User Management Guide, Releases 26.x and Later

View all Saved Content

PDF

Is this content helpful?

Helpful Unhelpful

Suggestions for Improvement

Thank you for your feedback. Your response has been recorded.

Ask about this content

Cisco Catalyst SD-WAN User Management Guide, Releases 26.x and Later

Expand all sections

About this content

Users and Access

Users and access
Account lockout
User sessions
Ciscotac user access

Password Management

Hardened passwords
Type 6 passwords

Authentication

Authentication
Authentication order
Authentication fallback mechanism
Duo Multi-factor authentication
RADIUS authentication
SSH authentication
IEEE 802.1X authentication
Authentication, Authorization, and Accounting
Posture assessment support

Role-Based Access Control

Role-Based Access Control
Restrictions for configuring RBAC
RBAC by VPN
RBAC with AAA
User authorization rules for operational and configuration commands
RBAC by scope
Granular RBAC
RBAC for policies
Configure RBAC for CFlowd policy
Assigning roles to users defined by identity providers
Configure RBAC
Prerequisites for Application Catalog features
Manage user group permissions
Configure Users
Configure user sessions
Configure VPN segments
Configure VPN groups
Verify granular RBAC permissions
Monitor devices for VPN groups

Ciscotac user access

Updated: April 24, 2026

Want to summarize with AI?

On this page

Ciscotac user accounts and privileges

Limitations for Ciscotac user access

Ciscotac user sessions
Removing Ciscotac users

Introduces Ciscotac user access, covering key concepts and specific limitations to guide secure and effective use within the network environment.

Ciscotac user access

Cisco Edge software provides two special user accounts, ciscotacro and ciscotacrw, for use by the Cisco Support team. These user accounts

operate using a consent-token challenge and token response authentication, requiring a new token for each login session, and
can access SD-WAN Manager web server, SSH Terminal on SD-WAN Manager using a token, including SD-WAN Validator, SD-WAN Controllers, and Cisco vEdge devices.

You can use these user accounts in both cloud and on-premises installations.

Ciscotac user accounts and privileges

The default CLI templates include configuration for the ciscotacro and ciscotacrw users. These users are enabled by default but you can disable them if needed.

ciscotacro user: This account belongs to the operator user group and has read-only privileges. This account allows monitoring configurations but does not permit operations that modify network configurations.
ciscotacrw user: This account belongs to the netadmin user group and has read-write privileges. This account allows modification of network configurations. Only this user can access the root shell using a consent token.

To allow the network administrator can access system shell, use the tools consent-token command. Starting Cisco Catalyst SD-WAN Control Components Release 20.12.x, the request support ciscotac command is deprecated.

Limitations for Ciscotac user access

Ciscotac user sessions

Only 16 concurrent sessions are supported for the ciscotacro and ciscotacrw users.
The session duration is restricted to four hours. It is not configurable.
The inactivity timer functionality closes user sessions that have been idle for a specified period of time. This feature is enabled by default and the timeout value is 30 minutes. However, the user configuration includes the option of extending the inactivity timer.

Removing Ciscotac users

You can remove the ciscotacro and ciscotacrw users. If removed, you can open a case and share temporary login credentials or share the screen with the Cisco Support team for troubleshooting an issue.

Need help?

Open a support case

(Requires a Cisco Service Contract)

Bias-free language

The documentation set for this product strives to use bias-free language. For the purposes of this documentation set, bias-free is defined as language that does not imply discrimination based on age, disability, gender, racial identity, ethnic identity, sexual orientation, socioeconomic status, and intersectionality. Exceptions may be present in the documentation due to language that is hardcoded in the user interfaces of the product software, language used based on RFP documentation, or language that is used by a referenced third-party product. Learn more about how Cisco is using Inclusive Language.