TACACS+ Commands

This chapter describes the commands used to configure TACACS+. TACACS+ provides detailed accounting information and flexible administrative control over authentication and authorization processes. TACACS+ is facilitated through AAA and can be enabled only through AAA commands.


Note: Refer to the "Authentication Commands" chapter, the "Authorization Commands" chapter, and the "Accounting Commands" chapter for information about commands specific to AAA.

For information on how to configure TACACS+, refer to the "Configuring TACACS+" chapter in the Cisco IOS Security Configuration Guide. For configuration examples using the commands in this chapter, refer to the "TACACS+ Configuration Examples" section located at the end of the "Configuring TACACS+" chapter in the Cisco IOS Security Configuration Guide.


Note: TACACS and Extended TACACS commands are included in Cisco IOS Release 12.1 software for backward compatibility with earlier Cisco IOS releases; however, these commands are no longer supported and are not documented for this release.

Cisco recommends using only the TACACS+ security protocol with Cisco IOS Release 12.1 software. For a description of TACACS and Extended TACACS commands, refer to the "TACACS, Extended TACACS, and TACACS+ Commands" chapter in Cisco IOS Release 12.0 Security Command Reference at Cisco Connection Online (CCO).

Table 13 identifies Cisco IOS software commands available to the different versions of TACACS. Although TACACS+ is enabled through AAA and uses commands specific to AAA, there are some commands that are common to TACACS, Extended TACACS, and TACACS+. TACACS and Extended TACACS commands that are not common to TACACS+ are not documented in this release.


Table 13: TACACS Command Comparison

Cisco IOS Command                    TACACS   Extended TACACS   TACACS+
aaa accounting¹                      -        -                 Yes
aaa authentication arap¹             -        -                 Yes
aaa authentication enable default¹   -        -                 Yes
aaa authentication login¹            -        -                 Yes
aaa authentication ppp¹              -        -                 Yes
aaa authorization¹                   -        -                 Yes
aaa group server tacacs+             -        -                 Yes
aaa new-model¹                       -        -                 Yes
arap authentication¹                 -        -                 Yes
arap use-tacacs                      Yes      Yes               -
enable last-resort                   Yes      Yes               -
enable use-tacacs                    Yes      Yes               -
ip tacacs source-interface           Yes      Yes               Yes
login authentication¹                -        -                 Yes
login tacacs                         Yes      Yes               -
ppp authentication¹                  Yes      Yes               Yes
ppp use-tacacs¹                      Yes      Yes               Yes
server                               -        -                 Yes
tacacs-server attempts               Yes      -                 -
tacacs-server authenticate           Yes      Yes               -
tacacs-server directed-request       Yes      Yes               Yes
tacacs-server extended               -        Yes               -
tacacs-server host                   Yes      Yes               Yes
tacacs-server key                    -        -                 Yes
tacacs-server last-resort            Yes      Yes               -
tacacs-server notify                 Yes      Yes               -
tacacs-server optional-passwords     Yes      Yes               -
tacacs-server retransmit             Yes      Yes               -
tacacs-server timeout                Yes      Yes               -

¹ These commands are documented in separate chapters. Refer to the appropriate authentication, authorization, or accounting section of the Cisco IOS Security Command Reference or use the index to locate a command.

aaa group server tacacs

To group different server hosts into distinct lists and distinct methods, use the aaa group server command in global configuration mode. To remove a server group from the configuration list, enter the no form of this command.

aaa group server tacacs+ group-name

no aaa group server tacacs+ group-name

Syntax Description

tacacs+

Use only the TACACS+ server hosts.

group-name

Character string used to name the group of servers.

Defaults

No default behavior or values.

Command Modes

Global configuration

Command History

Release     Modification
12.0(5)T    This command was introduced.

Usage Guidelines

The AAA server-group feature introduces a way to group existing server hosts. The feature enables you to select a subset of the configured server hosts and use them for a particular service.

A server group is a list of server hosts of a particular type. Currently supported server host types are RADIUS server hosts and TACACS+ server hosts. A server group is used in conjunction with a global server host list. The server group lists the IP addresses of the selected server hosts.

Examples

The following example shows the configuration of an AAA group server named tacgroup1 that comprises three member servers:

aaa group server tacacs+ tacgroup1
 server 1.1.1.1
 server 2.2.2.2
 server 3.3.3.3

Related Commands

Command                     Description
aaa accounting              Enables AAA accounting of requested services for billing or security.
aaa authentication login    Sets AAA authentication at login.
aaa authorization           Sets parameters that restrict network access to a user.
aaa new-model               Enables the AAA access control model.
tacacs-server host          Specifies a TACACS+ host.

ip tacacs source-interface

To use the IP address of a specified interface for all outgoing TACACS+ packets, use the ip tacacs source-interface command in global configuration mode. Use the no form of this command to disable use of the specified interface IP address.

ip tacacs source-interface subinterface-name

no ip tacacs source-interface

Syntax Description

subinterface-name

Name of the interface that TACACS+ uses for all of its outgoing packets.

Defaults

No default behavior or values.

Command Modes

Global configuration

Command History

Release     Modification
10.0        This command was introduced.

Usage Guidelines

Use this command to set a subinterface's IP address for all outgoing TACACS+ packets. This address is used as long as the interface is in the up state. In this way, the TACACS+ server can use one IP address entry associated with the network access client instead of maintaining a list of all IP addresses.

This command is especially useful in cases where the router has many interfaces and you want to ensure that all TACACS+ packets from a particular router have the same IP address.

The specified interface must have an IP address associated with it. If the specified subinterface does not have an IP address or is in a down state, TACACS+ reverts to the default. To avoid this, add an IP address to the subinterface or bring the interface to the up state.

Examples

The following example makes TACACS+ use the IP address of subinterface s2 for all outgoing TACACS+ packets:

ip tacacs source-interface s2

Related Commands

Command                      Description
ip radius source-interface   Forces RADIUS to use the IP address of a specified interface for all outgoing RADIUS packets.
ip telnet source-interface   Allows a user to select an address of an interface as the source address for Telnet connections.
ip tftp source-interface     Allows a user to select the interface whose address will be used as the source address for TFTP connections.

server (TACACS+)

To configure the IP address of a TACACS+ server that belongs to a server group, use the server command in group server configuration mode. To remove the IP address of the TACACS+ server from the group, enter the no form of this command.

server ip-address

no server ip-address

Syntax Description

ip-address

IP address of the selected server.

Defaults

No default behavior or values.

Command Modes

TACACS+ group server configuration

Command History

Release     Modification
12.0(5)T    This command was introduced.

Usage Guidelines

Enter the server command to specify the IP address of the TACACS+ server. Also configure a matching tacacs-server host entry in the global list. If there is no response from the first host entry, the next host entry is tried.

Examples

The following example shows two TACACS+ server hosts placed in the server group g1, which is then used as the PPP authentication method; each member also has a matching tacacs-server host entry in the global list:

aaa new-model
aaa authentication ppp default group g1
aaa group server tacacs+ g1
 server 1.0.0.1
 server 2.0.0.1
tacacs-server host 1.0.0.1
tacacs-server host 2.0.0.1

Related Commands

Command              Description
aaa new-model        Enables the AAA access control model.
aaa group server     Groups different server hosts into distinct lists and distinct methods.
tacacs-server host   Specifies a TACACS+ server host.

tacacs-server directed-request

To send only the username portion of a "user@host" login string to the server named after the "@" symbol when a directed request is issued, use the tacacs-server directed-request command in global configuration mode. Use the no form of this command to send the entire string to the default TACACS+ server.

tacacs-server directed-request [restricted] [no-truncate]

no tacacs-server directed-request

Syntax Description

restricted

(Optional) Restrict queries to directed request servers only.

no-truncate

(Optional) Do not truncate the @hostname from the username.

Defaults

Enabled

Command Modes

Global configuration

Command History

Release     Modification
11.1        This command was introduced.

Usage Guidelines

This command sends only the portion of the username before the "@" symbol to the host specified after the "@" symbol. In other words, with the directed-request feature enabled, you can direct a request to any of the configured servers, and only the username is sent to the specified server.

Disabling tacacs-server directed-request causes the whole string, both before and after the "@" symbol, to be sent to the default TACACS+ server. When the directed-request feature is disabled, the router queries the list of servers, starting with the first one in the list, sending the whole string, and accepting the first response that it gets from the server. The tacacs-server directed-request command is useful for sites that have developed their own TACACS+ server software that parses the whole string and makes decisions based on it.

With tacacs-server directed-request enabled, only configured TACACS+ servers can be specified by the user after the "@" symbol. If the host name specified by the user does not match the IP address of a TACACS+ server configured by the administrator, the user input is rejected.

Use no tacacs-server directed-request to disable the ability of the user to choose between configured TACACS+ servers and to cause the entire string to be passed to the default server.
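The routing rules described above, written out as an added example that is not Cisco's code: given the configured host list and the command's keywords, it decides which server(s) a "user@host" login is sent to and what username string goes on the wire, rejecting a host the administrator never configured. The fallback to the remaining servers when restricted is not set is an assumption of this example, not something this page states.

```python
from dataclasses import dataclass
from typing import List, Tuple


@dataclass(frozen=True)
class DirectedRequest:
    enabled: bool = True       # tacacs-server directed-request is enabled by default
    restricted: bool = False   # [restricted]: query the directed server only
    no_truncate: bool = False  # [no-truncate]: keep the "@hostname" part of the username


def route_login(user_input: str, servers: List[str], opts: DirectedRequest) -> Tuple[List[str], str]:
    """Return (servers to query, in order; username string to send) or raise ValueError.

    `servers` is the ordered list from `tacacs-server host`; the part after "@" must
    match one of those configured names/addresses exactly, otherwise the input is rejected.
    """
    if not servers:
        raise ValueError("no tacacs-server host configured")
    if not opts.enabled or "@" not in user_input:
        # Feature disabled (no tacacs-server directed-request) or nothing to direct:
        # the whole string goes down the default server list, first response wins.
        return list(servers), user_input
    username, _, target = user_input.partition("@")
    if target not in servers:
        # Only administrator-configured servers may be named after "@".
        raise ValueError(f"directed request to unconfigured server {target!r} rejected")
    sent = user_input if opts.no_truncate else username
    if opts.restricted:
        return [target], sent
    # Assumption (not stated on this page): without [restricted] the other configured
    # servers remain available, in list order, should the directed server not answer.
    return [target] + [s for s in servers if s != target], sent
```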

Examples

The following example disables tacacs-server directed-request so that the entire user input is passed to the default TACACS+ server:

no tacacs-server directed-request

tacacs-server host

To specify a TACACS+ host, use the tacacs-server host command in global configuration mode. Use the no form of this command to delete the specified name or address.

tacacs-server host hostname [single-connection] [port integer] [timeout integer] [key string]

no tacacs-server host hostname

Syntax Description

hostname

Name or IP address of the host.

single-connection

(Optional) Specify that the router maintain a single open connection for confirmation from an AAA/TACACS+ server (CiscoSecure Release 1.0.1 or later). This option performs no autodetection and fails if the specified host is not running a CiscoSecure daemon.

port

(Optional) Specify a server port number. This option overrides the default, which is port 49.

integer

(Optional) Port number of the server. Valid port numbers range from 1 to 65535.

timeout

(Optional) Specify a timeout value. This overrides the global timeout value set with the tacacs-server timeout command for this server only.

integer

(Optional) Integer value, in seconds, of the timeout interval.

key

(Optional) Specify an authentication and encryption key. This must match the key used by the TACACS+ daemon. Specifying this key overrides the key set by the global command tacacs-server key for this server only.

string

(Optional) Character string specifying authentication and encryption key.

Defaults

No TACACS+ host is specified.

Command Modes

Global configuration

Command History

Release     Modification
10.0        This command was introduced.

Usage Guidelines

You can use multiple tacacs-server host commands to specify additional hosts. The Cisco IOS software searches for hosts in the order in which you specify them. Use the single-connection, port, timeout, and key options only when running an AAA/TACACS+ server.

Because some of the parameters of the tacacs-server host command override global settings made by the tacacs-server timeout and tacacs-server key commands, you can use this command to enhance security on your network by uniquely configuring individual routers.

Examples

The following example specifies a TACACS+ host named Sea_Change:

tacacs-server host Sea_Change

The following example specifies that, for AAA confirmation, the router consults the TACACS+ server host named Sea_Cure on port number 51. The timeout value for requests on this connection is three seconds; the encryption key is a_secret.

tacacs-server host Sea_Cure single-connection port 51 timeout 3 key a_secret

Related Commands

Command             Description
ppp                 Starts an asynchronous connection using PPP.
slip                Starts a serial connection to a remote host using SLIP.
tacacs-server key   Sets the authentication encryption key used for all TACACS+ communications between the access server and the TACACS+ daemon.

tacacs-server key

To set the authentication encryption key used for all TACACS+ communications between the access server and the TACACS+ daemon, use the tacacs-server key command in global configuration mode. Use the no form of this command to disable the key.

tacacs-server key key

no tacacs-server key [key]

Syntax Description

key

Key used to set authentication and encryption. This key must match the key used on the TACACS+ daemon.

Defaults

No default behavior or values.

Command Modes

Global configuration

Command History

Release     Modification
11.1        This command was introduced.

Usage Guidelines

After enabling AAA with the aaa new-model command, you must set the authentication and encryption key using the tacacs-server key command.

The key entered must match the key used on the TACACS+ daemon. All leading spaces are ignored; spaces within and at the end of the key are not. If you use spaces in your key, do not enclose the key in quotation marks unless the quotation marks themselves are part of the key.
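An added example, not Cisco's code, that applies the rules from the tacacs-server host and tacacs-server key sections above: it reads a configuration fragment, keeps the hosts in the order they were entered (the search order), parses the single-connection, port, timeout and key options, lets a per-host timeout or key override the global commands, and treats a key exactly as described (leading spaces dropped, inner and trailing spaces and quotation marks kept). The sample configuration is constructed from this page's own examples; the IOS default timeout is not stated on this page, so it is left as None.

```python
import re
from dataclasses import dataclass
from typing import Optional

@dataclass
class TacacsHost:
    name: str                      # hostname or IP address from `tacacs-server host`
    port: int = 49                 # default TACACS+ port when [port integer] is absent
    single_connection: bool = False
    timeout: Optional[int] = None  # [timeout integer] for this host only, else the global value
    key: Optional[str] = None      # [key string] for this host only, else `tacacs-server key`

# A key is everything after "key": leading spaces are ignored, spaces inside and at the end
# are kept, and quotation marks are ordinary key characters (this page's rule, not shell quoting).
HOST_RE = re.compile(r"^tacacs-server host (\S+)(.*?)(?:\s+key\s(.*))?$")

def parse_tacacs_config(config: str):
    hosts, global_key, global_timeout = [], None, None  # timeout None: IOS default, unstated here
    for line in config.splitlines():
        line = line.lstrip()  # trailing spaces are kept on purpose: they are part of a key
        if line.startswith("tacacs-server key"):
            global_key = line[len("tacacs-server key"):].lstrip(" ")
        elif line.startswith("tacacs-server timeout "):
            global_timeout = int(line.split()[2])
        elif (m := HOST_RE.match(line)):  # other commands (aaa new-model, ...) are not modeled
            host, opts = TacacsHost(name=m.group(1)), m.group(2).split()
            while opts:
                word = opts.pop(0)
                if word == "single-connection":
                    host.single_connection = True
                elif word in ("port", "timeout"):
                    setattr(host, word, int(opts.pop(0)))
                else:
                    raise ValueError(f"unknown tacacs-server host option {word!r}")
            if m.group(3) is not None:
                host.key = m.group(3).lstrip(" ")
            hosts.append(host)
    for h in hosts:  # per-host values win; the global commands fill whatever the host line left unset
        h.key = global_key if h.key is None else h.key
        h.timeout = global_timeout if h.timeout is None else h.timeout
    return hosts

# Constructed sample built from this page's own examples (Sea_Change, Sea_Cure, "dare to go").
CONFIG = """\
tacacs-server host Sea_Change
tacacs-server host Sea_Cure single-connection port 51 timeout 3 key a_secret
tacacs-server timeout 10
tacacs-server key   dare to go
"""
```

Calling parse_tacacs_config(CONFIG) yields Sea_Change with the global timeout 10 and key "dare to go", and Sea_Cure with its own port 51, timeout 3 and key a_secret.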

Examples

The following example sets the authentication and encryption key to "dare to go":

tacacs-server key dare to go

Related Commands

Command              Description
aaa new-model        Enables the AAA access control model.
tacacs-server host   Specifies a TACACS+ host.


Posted: Wed Sep 13 15:54:22 PDT 2000
Copyright © 1989-2000 Cisco Systems Inc.