OcNOS-DC 6.4.2 : System Management Guide : System Management Command Reference : TACACS+
TACACS+
Terminal Access Controller Access-Control System Plus (TACACS+, usually pronounced like tack-axe) is an access control network protocol for network devices.
The differences between RADIUS and TACACS+ can be summarized as follows:
RADIUS combines authentication and authorization in a user profile, while TACACS+ separates authentication from authorization.
RADIUS encrypts only the password in the access-request packet sent from the client to the server. The remainder of the packet is unencrypted. TACACS+ encrypts the entire body of the packet but leaves a standard TACACS+ header.
RADIUS uses UDP, while TACACS+ uses TCP.
RADIUS is based on an open standard (RFC 2865). TACACS+ is proprietary to Cisco, although it is an open, publicly documented protocol (there is no RFC protocol specification for TACACS+).
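The point about packet protection above is easier to see on the wire. The following is an added example written for this page, not OcNOS code: it frames a TACACS+ packet the way the protocol does (12-byte cleartext header, body XORed with a chained-MD5 pad derived from the session id, shared secret, version and sequence number, the scheme documented in the TACACS+ specification) and shows what an observer on the path can read with and without the key. The packet type constant, the body text and the key are constructed sample values. It is the reason the shared secret and the isolation of the management VRF matter: the header (session id, length, sequence) is always visible, the body is only as protected as the secret, and a packet sent without a secret carries the "unencrypted" flag and a cleartext body.

```python
import hashlib
import struct

# TACACS+ packet header: 12 bytes, always transmitted in the clear.
#   version(1) type(1) seq_no(1) flags(1) session_id(4) length(4)
HEADER_FMT = "!BBBBII"
HEADER_LEN = struct.calcsize(HEADER_FMT)

TAC_PLUS_VERSION = 0xC0            # major version 0xc, minor version 0
TAC_PLUS_AUTHEN = 0x01             # packet type: authentication (sample value)
TAC_PLUS_UNENCRYPTED_FLAG = 0x01   # flag bit: body sent without obfuscation


def keystream(session_id: int, key: bytes, version: int, seq_no: int, length: int) -> bytes:
    """Pad used to obfuscate the body: a chain of MD5 digests over
    session_id || key || version || seq_no, where every block after the
    first also absorbs the previous digest; truncated to the body length."""
    prefix = struct.pack("!I", session_id) + key + bytes([version, seq_no])
    pad, prev = b"", b""
    while len(pad) < length:
        prev = hashlib.md5(prefix + prev).digest()
        pad += prev
    return pad[:length]


def xor_body(body: bytes, session_id: int, key: bytes, version: int, seq_no: int) -> bytes:
    """XOR the body with the pad. Applying it twice restores the body, so the
    same function both obfuscates and de-obfuscates."""
    pad = keystream(session_id, key, version, seq_no, len(body))
    return bytes(b ^ p for b, p in zip(body, pad))


def build_packet(body: bytes, key: bytes, session_id: int, seq_no: int,
                 ptype: int = TAC_PLUS_AUTHEN) -> bytes:
    """Frame a body. With an empty key the body goes out in the clear and the
    UNENCRYPTED flag is set, which is what a missing shared secret looks like."""
    if key:
        flags, payload = 0, xor_body(body, session_id, key, TAC_PLUS_VERSION, seq_no)
    else:
        flags, payload = TAC_PLUS_UNENCRYPTED_FLAG, body
    header = struct.pack(HEADER_FMT, TAC_PLUS_VERSION, ptype, seq_no, flags,
                         session_id, len(body))
    return header + payload


def parse_header(packet: bytes) -> dict:
    """Every field here is readable by anyone on the path, key or no key."""
    version, ptype, seq_no, flags, session_id, length = struct.unpack(
        HEADER_FMT, packet[:HEADER_LEN])
    return {"version": version, "type": ptype, "seq_no": seq_no, "flags": flags,
            "session_id": session_id, "length": length,
            "cleartext_body": bool(flags & TAC_PLUS_UNENCRYPTED_FLAG)}


def decode_body(packet: bytes, key: bytes) -> bytes:
    """Recover the body given the shared secret; a wrong key yields garbage,
    and a packet flagged as unencrypted needs no key at all."""
    h = parse_header(packet)
    body = packet[HEADER_LEN:HEADER_LEN + h["length"]]
    if h["cleartext_body"]:
        return body
    return xor_body(body, h["session_id"], key, h["version"], h["seq_no"])


if __name__ == "__main__":
    # Constructed sample: session 0x01020304, first packet, shared secret "s3cret"
    pkt = build_packet(b"authen-start-body", b"s3cret", 0x01020304, 1)
    print(parse_header(pkt))                 # readable without the key
    print(decode_body(pkt, b"s3cret"))       # b'authen-start-body'
    print(decode_body(pkt, b"wrong-key"))    # unrelated bytes
```

Because the pad is a function of the shared secret alone, a guessed or leaked secret decodes every past and future session, which is why a strong secret and a management-only VRF are the real protection, not the obfuscation itself.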
Note: Only network administrators can execute these commands. For more, see the username command.
Note: The commands below are supported only on the “management” VRF.
This chapter contains these commands:
deny
permit
policy
role
add policy
Use this command to add a policy to a TACACS+ role-based authorization (RBAC) role.
Use the no form of this command to remove a policy from an RBAC role.
Command Syntax
add policy POLICY-NAME
no add policy POLICY-NAME
Parameters
POLICY-NAME
Name of the policy
Default
None
Command Mode
RBAC role mode
Applicability
This command was introduced in OcNOS version 1.3.5.
Examples
(config)#role myRole
(config-role)#default permit-all
(config-role)#add policy myPolicy1
(config-role)#no add policy myPolicy2
clear tacacs-server counters
Use this command to clear the counters for a specified TACACS+ server.
Syntax
clear tacacs-server ((HOSTNAME | X:X::X:X | A.B.C.D)|) counters (vrf (management | all)|)
Parameters
HOSTNAME
The name of the server
X:X::X:X
IPv6 address of the server
A.B.C.D
IPv4 address of the server
vrf
VRF of the server
management
The management VRF
all
All VRFs
Default
NA
Command Mode
Executive mode
Applicability
This command was introduced before OcNOS version 1.3.
Example
#clear tacacs-server 10.1.1.1 counters
 
debug tacacs+
Use this command to display TACACS+ debugging information.
Use the no form of this command to stop displaying TACACS+ debugging information.
Command Syntax
debug tacacs+
no debug tacacs+
Parameters
None
Default
Disabled
Command Mode
Executive mode and configure mode
Applicability
This command was introduced before OcNOS version 1.3.
Examples
#debug tacacs+
default
Use this command to set the default rule for a TACACS+ role-based authorization (RBAC) role.
Use the no parameter with this command to remove the default rule for a TACACS+ role-based authorization (RBAC) role.
Command Syntax
default (permit-all | deny-all)
no default
Parameters
permit-all
Permit all commands
deny-all
Deny all commands
Default
Unless you explicitly give this command, the default rule for a role is deny-all.
Command Mode
RBAC role mode
Applicability
This command was introduced in OcNOS version 1.3.5.
Examples
(config)#role myRole
(config-role)#default permit-all
(config-role)#add policy myPolicy1
(config-role)#add policy myPolicy2
deny
Use this command to add a deny rule to a TACACS+ role-based authorization (RBAC) policy.
Use the no form of this command to remove a deny rule from an RBAC policy.
Command Syntax
deny RULE-STRING (mode MODE-NAME |)
no deny RULE-STRING (mode MODE-NAME |)
Parameters
RULE-STRING
Command string
MODE-NAME
Command prompt string such as “config-router” or “config-if”. Deny access to the command only in this mode.
Default
None
Command Mode
RBAC policy mode
Applicability
This command was introduced in OcNOS version 1.3.5.
Examples
#configure terminal
(config)#policy myPolicy
(config-policy)#deny “ip address” mode config-if
feature dynamic-rbac
Use this command to enable the TACACS+ role-based authorization (RBAC) feature.
Use the no form of this command to disable the RBAC feature.
Command Syntax
feature dynamic-rbac
no feature dynamic-rbac
Parameters
None
Default
By default, the TACACS+ RBAC feature is disabled.
Command Mode
Configure mode
Applicability
This command was introduced in OcNOS version 1.3.5.
Examples
#configure terminal
(config)#feature dynamic-rbac
feature tacacs+
Use this command to enable the TACACS+ feature.
Use the no form of this command to disable the TACACS+ feature.
Command Syntax
feature tacacs+ (vrf management|)
no feature tacacs+ (vrf management|)
Parameters
vrf
Virtual Routing and Forwarding
management
Management VRF
Default
By default, the TACACS+ feature is disabled.
Command Mode
Configure mode
Applicability
This command was introduced before OcNOS version 1.3.
Examples
#configure terminal
(config)#feature tacacs+ vrf management
permit
Use this command to add a permit rule to a TACACS+ role-based authorization (RBAC) policy.
Use the no form of this command to remove a permit rule from an RBAC policy.
Command Syntax
permit RULE-STRING (mode MODE-NAME |)
no permit RULE-STRING (mode MODE-NAME |)
Parameters
RULE-STRING
Command string
MODE-NAME
Command prompt string such as “config-router” or “config-if”. Permit access to the command only in this mode.
Default
None
Command Mode
RBAC policy mode
Applicability
This command was introduced in OcNOS version 1.3.5.
Examples
#configure terminal
(config)#policy myPolicy
(config-policy)#permit “ip address” mode config-if
policy
Use this command to create a TACACS+ role-based authorization (RBAC) policy and enter RBAC policy mode.
Use the no form of this command to remove an RBAC policy.
Command Syntax
policy POLICY-NAME
no policy POLICY-NAME
Parameters
POLICY-NAME
Policy name
Default
None
Command Mode
Configure mode
Applicability
This command was introduced in OcNOS version 1.3.5.
Examples
#configure terminal
(config)#policy myPolicy
(config-policy)#permit “ip address” mode config-if
role
Use this command to create a TACACS+ role-based authorization (RBAC) role and enter RBAC role mode.
Use the no form of this command to remove an RBAC role.
Command Syntax
role ROLE-NAME
no role ROLE-NAME
Parameters
ROLE-NAME
Role name.
You cannot specify one of these roles already defined in OcNOS:
network-admin
network-user
network-operator
network-engineer
For more about these built-in roles, see username.
Default
None
Command Mode
Configure mode
Applicability
This command was introduced in OcNOS version 1.3.5.
Examples
(config)#role myRole
(config-role)#default permit-all
(config-role)#add policy myPolicy1
(config-role)#add policy myPolicy2
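The default, deny, permit, policy and role commands above together define how a command typed by a TACACS+ user is authorized: a role has a default rule (deny-all unless "default permit-all" is given) and a set of attached policies whose permit and deny rules may be limited to one command mode. The following is an added example, not OcNOS code, that models that structure in Python and evaluates commands against it, so a policy set can be reviewed before it is applied. Two things are assumptions because the page does not state them: a RULE-STRING matches a typed command as a whole-word prefix, and an explicit deny takes precedence over a permit when both match. The roles and commands in example_roles() are constructed.

```python
from dataclasses import dataclass, field
from typing import List, Optional


@dataclass
class Rule:
    action: str                  # "permit" or "deny"
    command: str                 # RULE-STRING, e.g. "ip address"
    mode: Optional[str] = None   # MODE-NAME, e.g. "config-if"; None applies in every mode


@dataclass
class Policy:
    name: str
    rules: List[Rule] = field(default_factory=list)


@dataclass
class Role:
    name: str
    default: str = "deny-all"    # per the page: deny-all unless "default permit-all" is given
    policies: List[Policy] = field(default_factory=list)


def rule_matches(rule: Rule, command: str, mode: str) -> bool:
    """Assumed matching: the mode must equal MODE-NAME when one is given, and the
    RULE-STRING must match the typed command as a whole-word prefix."""
    if rule.mode is not None and rule.mode != mode:
        return False
    return command == rule.command or command.startswith(rule.command + " ")


def authorize(role: Role, command: str, mode: str) -> bool:
    """Assumed precedence: any matching deny wins, then any matching permit,
    otherwise the role's default rule decides."""
    matched = [r for p in role.policies for r in p.rules if rule_matches(r, command, mode)]
    if any(r.action == "deny" for r in matched):
        return False
    if any(r.action == "permit" for r in matched):
        return True
    return role.default == "permit-all"


def to_cli(role: Role) -> List[str]:
    """Render the model as the OcNOS commands from this chapter, policies first."""
    lines = []
    for p in role.policies:
        lines.append(f"policy {p.name}")
        for r in p.rules:
            mode = f" mode {r.mode}" if r.mode else ""
            lines.append(f'{r.action} "{r.command}"{mode}')
    lines.append(f"role {role.name}")
    lines.append(f"default {role.default}")
    for p in role.policies:
        lines.append(f"add policy {p.name}")
    return lines


def example_roles():
    """Constructed roles: an operator that is permit-all minus interface
    addressing, and a least-privilege viewer that is deny-all plus two show commands."""
    no_addr = Policy("myPolicy1", [Rule("deny", "ip address", "config-if")])
    operator = Role("myRole", "permit-all", [no_addr])
    views = Policy("viewPolicy", [Rule("permit", "show running-config"),
                                  Rule("permit", "show tacacs-server")])
    viewer = Role("viewer", "deny-all", [views])
    return operator, viewer


if __name__ == "__main__":
    operator, viewer = example_roles()
    print("\n".join(to_cli(operator)))
    print(authorize(operator, "ip address 10.0.0.1/24", "config-if"))      # False
    print(authorize(operator, "ip address 10.0.0.1/24", "config-router"))  # True
    print(authorize(viewer, "configure terminal", "exec"))                 # False
```

The viewer role shows the safer starting point: leave the default at deny-all and permit only the commands the role needs, so a missing rule fails closed instead of open.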
 
show debug tacacs+
Use this command to display whether TACACS+ debugging is enabled.
Command Syntax
show debug tacacs+
Parameters
None
Command Mode
Exec mode
Applicability
This command was introduced before OcNOS version 1.3.
Examples
#show debug tacacs+
TACACS client debugging is on
show rbac-policy
Use this command to display TACACS+ role-based authorization (RBAC) policies.
Command Syntax
show rbac-policy (POLICY-NAME |)
Parameters
POLICY-NAME
Policy name
Default
None
Command Mode
Exec and privileged exec mode
Applicability
This command was introduced in OcNOS version 1.3.5.
Examples
#show rbac-policy myPolicy
----------------------------------------------------------------------
Policy Name : myPolicy
permit "ip address" mode config-if
 
 
 
show rbac-role
Use this command to display information about TACACS+ role-based authorization (RBAC) roles.
Command Syntax
show rbac-role (ROLE-NAME |)
Parameters
ROLE-NAME
Role name
Default
None
Command Mode
Exec and privileged exec mode
Applicability
This command was introduced in OcNOS version 1.3.5.
Examples
#show rbac-role myRole
----------------------------------------------------------------------
Role Name : myRole
Default rule : permit-all
Attached Policies : myPolicy1
: myPolicy2
 
----------------------------------------------------------------------
Table 27-81 explains the output fields.
 
Table 27-81: show rbac-role fields
Entry                Description
Role Name            Role name
Default rule         permit-all or deny-all
Attached Policies    Names of the policies attached to this role
 
 
show running-config tacacs+
Use this command to display TACACS+ settings in the running configuration.
Command Syntax
show running-config tacacs+
Parameters
None
Command Mode
Exec mode
Applicability
This command was introduced before OcNOS version 1.3.
Examples
#show running-config tacacs+
feature tacacs+ vrf management
tacacs-server login host 10.16.19.2 vrf management seq-num 1 key 7 0x9f4a8983e0216052
 
Table 27-82 explains the output fields.
 
Table 27-82: show running-config fields
Entry                 Description
TACACS+ server host   TACACS+ server host name or IP address
Seq-num               Sequence number of the user authentication attempt with the TACACS+ server
VRF Management        The management VRF (Virtual Routing and Forwarding instance) that carries the TACACS+ traffic
 
show tacacs-server
Use this command to display the TACACS+ server configuration.
Command Syntax
show tacacs-server (vrf (management|all)|) ((WORD) | (groups (GROUP|)) | (sorted)|)
Parameters
WORD
DNS host name or IP address
groups
TACACS+ server group
GROUP
Group name; if this parameter is not specified, display all groups
sorted
Sort by TACACS+ server name
vrf
management or all VRFs
Command Mode
Executive mode
Applicability
This command was introduced before OcNOS version 1.3.
Examples
#show tacacs-server
total number of servers:1
 
Tacacs+ Server : 192.168.10.215/49(*)
Sequence Number : 1
Failed Auth Attempts : 0
Success Auth Attempts : 14
Failed Connect Attempts : 0
Last Successful authentication: 2017 December 18, 12:27:13
 
(*) indicates last active.
 
Table 27-83 explains the output fields.
Table 27-83: show tacacs-server output fields
Field                           Description
Sequence Number                 Sequence number of the user authentication attempt with the TACACS+ server.
Failed Auth Attempts            Number of times user authentication failed with the TACACS+ server. Increments for server key mismatches and for password mismatches (wrong password for the user).
Success Auth Attempts           Number of times a user authenticated with the TACACS+ server. Increments for each successful login.
Failed Connect Attempts         Number of failed TCP socket connections to the TACACS+ server. Increments for server connection failures such as the server not being reachable or a server port mismatch.
Last Successful authentication  Timestamp when a user last successfully authenticated with the TACACS+ server.
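The counters above are the device's own record of key mismatches, bad passwords and unreachable servers, so watching them over time is a cheap detection control. The following is an added example, not OcNOS code: it parses the show tacacs-server output format shown above into per-server records and compares two snapshots, reporting increments in the failure counters and a change of the "(*) last active" server. The two snapshots are constructed sample output (the second server and the changed values are invented for the example); the field names and layout follow the example output on this page.

```python
import re
from typing import Dict, List

# Constructed sample: two servers, the first marked last active.
SAMPLE_BEFORE = """total number of servers:2

Tacacs+ Server : 192.168.10.215/49(*)
Sequence Number : 1
Failed Auth Attempts : 0
Success Auth Attempts : 14
Failed Connect Attempts : 0
Last Successful authentication: 2017 December 18, 12:27:13

Tacacs+ Server : 192.168.10.216/49
Sequence Number : 2
Failed Auth Attempts : 0
Success Auth Attempts : 3
Failed Connect Attempts : 0
Last Successful authentication: 2017 December 18, 11:02:40

(*) indicates last active.
"""

# Constructed sample taken later: failures on .215 and a failover to .216.
SAMPLE_AFTER = SAMPLE_BEFORE.replace(
    "192.168.10.215/49(*)", "192.168.10.215/49").replace(
    "192.168.10.216/49", "192.168.10.216/49(*)").replace(
    "Failed Auth Attempts : 0\nSuccess Auth Attempts : 14\nFailed Connect Attempts : 0",
    "Failed Auth Attempts : 6\nSuccess Auth Attempts : 14\nFailed Connect Attempts : 2")

SERVER_RE = re.compile(r"^Tacacs\+ Server\s*:\s*(\S+?)/(\d+)(\(\*\))?\s*$")
COUNTER_FIELDS = ("Failed Auth Attempts", "Success Auth Attempts", "Failed Connect Attempts")


def parse_show_tacacs_server(text: str) -> Dict[str, dict]:
    """Parse the per-server blocks into {host: fields}. Counter fields become
    ints, the port is taken from host/port, and the (*) suffix becomes
    a boolean 'last_active'. Lines before the first server block are ignored."""
    servers: Dict[str, dict] = {}
    current = None
    for raw in text.splitlines():
        line = raw.strip()
        m = SERVER_RE.match(line)
        if m:
            host, port, star = m.groups()
            current = servers.setdefault(host, {"port": int(port), "last_active": star is not None})
            continue
        if current is None or ":" not in line:
            continue
        key, value = (s.strip() for s in line.split(":", 1))   # first colon only: timestamps contain more
        current[key] = int(value) if key in COUNTER_FIELDS else value
    return servers


def compare_snapshots(before: Dict[str, dict], after: Dict[str, dict]) -> List[str]:
    """Report counter increments and a moved last-active marker between two parses."""
    findings: List[str] = []
    for host, now in after.items():
        old = before.get(host, {})
        d_fail = now.get("Failed Auth Attempts", 0) - old.get("Failed Auth Attempts", 0)
        d_conn = now.get("Failed Connect Attempts", 0) - old.get("Failed Connect Attempts", 0)
        if d_fail > 0:
            findings.append(f"{host}: +{d_fail} failed authentications (key mismatch or wrong password)")
        if d_conn > 0:
            findings.append(f"{host}: +{d_conn} failed TCP connects (server unreachable or port mismatch)")
    prev_active = [h for h, s in before.items() if s.get("last_active")]
    now_active = [h for h, s in after.items() if s.get("last_active")]
    if prev_active and now_active and prev_active != now_active:
        findings.append(f"last active server changed {prev_active[0]} -> {now_active[0]}")
    return findings


if __name__ == "__main__":
    before = parse_show_tacacs_server(SAMPLE_BEFORE)
    after = parse_show_tacacs_server(SAMPLE_AFTER)
    for finding in compare_snapshots(before, after):
        print(finding)
```

A run of failed authentications with no successes usually means a key mismatch after a secret rotation, whereas failures mixed with successes point at wrong passwords; a rising Failed Connect count together with a moved last-active marker is the signature of a server outage and failover.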
tacacs-server login host
Use this command to set the TACACS+ server host name or IP address.
Use the no form of this command to remove a TACACS+ server (if only a host name or IP address is specified as the parameter) or to remove all of a TACACS+ server's configuration settings (if any other parameters are also specified).
Command Syntax
tacacs-server login host (HOSTNAME | X:X::X:X | A.B.C.D) (vrf management|) (seq-num <1-8> |) (key ((0 WORD) | (7 WORD) | (WORD))|) (port <1025-65535> |) (timeout <1-60> |)
no tacacs-server login host (HOSTNAME | A.B.C.D | X:X::X:X) (vrf management|)
no tacacs-server login host (HOSTNAME | X:X::X:X | A.B.C.D) (vrf management|) (key ((0 WORD) | (7 WORD) | (WORD))|) (port <1025-65535> |) (timeout <1-60> |)
 
Parameters
HOSTNAME
Host name
X:X::X:X
IPv6 address
A.B.C.D
IPv4 address
vrf
Virtual Routing and Forwarding
management
Management VRF
seq-num
Sequence number / priority index of the TACACS+ server
key
Authentication and encryption key (“shared secret”)
0
Unencrypted (clear text) shared key
WORD
Unencrypted key value; maximum length 63 characters
7
Hidden shared key
WORD
Hidden key value; maximum length 512 characters
WORD
Unencrypted (clear text) shared key value; maximum length 63 characters
port
TACACS+ server port
<1025-65535>
TACACS+ server port number; the default is 49
timeout
TACACS+ server timeout
<1-60>
Timeout value in seconds; default is 5 seconds
 
Default
Authentication is enabled for each configured TACACS+ server. Authorization is also enabled by default. The default server port is 49. The default timeout value is 5 seconds.
There is no command to enable authorization; authorization is enabled by default when remote authentication is enabled with TACACS+.
Command Mode
Configure mode
Applicability
This command was introduced before OcNOS version 1.3.
Examples
#configure terminal
(config)#tacacs-server login host 203.0.113.31 vrf management
 
tacacs-server login key
Use this command to set a global preshared key (“shared secret”), which is a text string shared between the device and the TACACS+ servers.
Use the no form of this command to remove a global preshared key.
Command Syntax
tacacs-server login key ((0 WORD) | (7 WORD) | (WORD)) (vrf management|)
no tacacs-server login key ((0 WORD) | (7 WORD) | (WORD)) (vrf management|)
Parameters
0
Unencrypted (clear text) shared key
WORD
Unencrypted key value; maximum length 63 characters
7
Hidden shared key
WORD
Hidden key value; maximum length 512 characters
WORD
Unencrypted (clear text) shared key value; maximum length 63 characters
vrf
Virtual Routing and Forwarding
management
Management VRF
Default
Disabled
Command Mode
Configure mode
Applicability
This command was introduced before OcNOS version 1.3.
Examples
#configure terminal
(config)#tacacs-server login key 7 jvn05mlQH1 vrf management
 
tacacs-server login timeout
Use this command to set the period to wait for a response from the server before the client declares a timeout failure. The default timeout value is 5 seconds.
You can only give this command when the TACACS+ feature is enabled.
Use the no form of this command to set the timeout value to its default value (5 seconds).
Note: The TELNET client session's default timeout is 60 seconds, so configuring a TACACS+ timeout of 60 seconds affects TELNET client applications: the session expires before the client can fall back to another configured server or group. It is therefore recommended to configure a timeout of 57 seconds or less when using TELNET. This timeout does not affect SSH connections.
Command Syntax
tacacs-server login timeout <1-60> (vrf management|)
no tacacs-server login timeout (vrf management|)
Parameters
<1-60>
Timeout value in seconds
vrf
Virtual Routing and Forwarding
management
Management VRF
Default
Disabled
Command Mode
Configure mode
Applicability
This command was introduced in OcNOS version 1.3.9.
Examples
#configure terminal
(config)#tacacs-server login timeout 35 vrf management