OcNOS-SP : System Management Guide : System Management Command Reference : TACACS+
TACACS+
Terminal Access Controller Access-Control System Plus (TACACS+, usually pronounced like tack-axe) is an access control network protocol for network devices.
The differences between RADIUS and TACACS+ can be summarized as follows:
RADIUS combines authentication and authorization in a user profile, while TACACS+ keeps authentication and authorization as separate operations.
RADIUS encrypts only the password in the access-request packet sent from the client to the server. The remainder of the packet is unencrypted. TACACS+ encrypts the entire body of the packet but leaves a standard TACACS+ header.
RADIUS uses UDP, while TACACS+ uses TCP.
RADIUS is based on an open standard (RFC 2865). TACACS+ is proprietary to Cisco, although it is an open, publicly documented protocol (there is no RFC protocol specification for TACACS+).
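The encryption difference above is illustrated by the following added Python example, which is not from the OcNOS documentation: it builds a TACACS+ packet as RFC 8907 describes, with the 12-byte header (version, type, sequence number, flags, session id, length) sent in the clear and the body XORed with a chained-MD5 pad derived from the shared secret. The body, session id and key values are constructed; a mismatched key on either side produces an unreadable body, which is the condition the server counters later on this page record as a failed authentication attempt.

```python
import hashlib
import struct

# TACACS+ header layout (RFC 8907): version, type, seq_no, flags, session_id, length
HEADER_FMT = ">BBBBII"
HEADER_LEN = struct.calcsize(HEADER_FMT)  # 12 bytes, always sent in the clear
TAC_PLUS_VERSION = 0xC0                   # major version 0xC, minor version 0
TAC_PLUS_AUTHEN = 0x01                    # packet type: authentication
TAC_PLUS_UNENCRYPTED_FLAG = 0x01          # body sent without obfuscation

def pad_stream(session_id: int, key: bytes, version: int, seq_no: int, length: int) -> bytes:
    """Chained-MD5 pseudo-pad: MD5(session_id|key|version|seq_no[|previous digest])."""
    prefix = struct.pack(">I", session_id) + key + bytes([version, seq_no])
    pad, prev = b"", b""
    while len(pad) < length:
        prev = hashlib.md5(prefix + prev).digest()
        pad += prev
    return pad[:length]

def build_packet(body: bytes, key: bytes, session_id: int, seq_no: int = 1,
                 pkt_type: int = TAC_PLUS_AUTHEN) -> bytes:
    """Header in the clear; body XORed with the pad derived from the shared secret."""
    header = struct.pack(HEADER_FMT, TAC_PLUS_VERSION, pkt_type, seq_no, 0,
                         session_id, len(body))
    pad = pad_stream(session_id, key, TAC_PLUS_VERSION, seq_no, len(body))
    return header + bytes(b ^ p for b, p in zip(body, pad))

def parse_header(packet: bytes) -> dict:
    """Every header field is readable by anyone on the path; no key is required."""
    fields = struct.unpack(HEADER_FMT, packet[:HEADER_LEN])
    names = ("version", "type", "seq_no", "flags", "session_id", "length")
    return dict(zip(names, fields))

def recover_body(packet: bytes, key: bytes) -> bytes:
    """Undo the obfuscation; with a mismatched key the result is unreadable."""
    hdr = parse_header(packet)
    body = packet[HEADER_LEN:HEADER_LEN + hdr["length"]]
    if hdr["flags"] & TAC_PLUS_UNENCRYPTED_FLAG:
        return body
    pad = pad_stream(hdr["session_id"], key, hdr["version"], hdr["seq_no"], hdr["length"])
    return bytes(b ^ p for b, p in zip(body, pad))

if __name__ == "__main__":
    # Constructed sample: a 23-byte authentication body and a constructed shared secret
    pkt = build_packet(b"constructed authen body", b"constructed-secret", 0x1A2B3C4D)
    print(parse_header(pkt))                          # readable without the key
    print(recover_body(pkt, b"constructed-secret"))   # b'constructed authen body'
    print(recover_body(pkt, b"wrong-secret") == b"constructed authen body")  # False
```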
Note: Only network administrators can execute these commands. For more, see the username command.
Note: The commands below are supported only on the “management” VRF.
This chapter contains these commands:
clear tacacs-server counters
debug tacacs+
feature tacacs+
show debug tacacs+
show running-config tacacs+
show tacacs-server
tacacs-server login host
tacacs-server login key
tacacs-server login timeout
clear tacacs-server counters
Use this command to clear the counter on a specified TACACS server.
Command Syntax
clear tacacs-server ((HOSTNAME | X:X::X:X | A.B.C.D)|) counters (vrf (management | all)|)
Parameters
HOSTNAME
The name of the server
X:X::X:X
IPv6 address of the server
A.B.C.D
IPv4 address of the server
vrf
VRF of the server
management
The management VRF
all
All VRFs
Default
NA
Command Mode
Executive mode
Applicability
This command was introduced before OcNOS version 1.3.
Examples
#clear tacacs-server 10.1.1.1 counters
debug tacacs+
Use this command to display TACACS+ debugging information.
Use the no form of this command to stop displaying TACACS+ debugging information.
Command Syntax
debug tacacs+
no debug tacacs+
Parameters
None
Default
Disabled.
Command Mode
Executive mode and configure mode.
Applicability
This command was introduced before OcNOS version 1.3.
Examples
#debug tacacs+
feature tacacs+
Use this command to enable the TACACS+ feature.
Use the no form of this command to disable the TACACS+ feature.
Command Syntax
feature tacacs+ (vrf management|)
no feature tacacs+ (vrf management|)
Parameters
vrf
Virtual Routing and Forwarding
management
Management VRF
Default
By default, feature tacacs+ is disabled.
Command Mode
Configure mode
Applicability
This command was introduced before OcNOS version 1.3.
Examples
#configure terminal
(config)#feature tacacs+ vrf management
show debug tacacs+
Use this command to display whether TACACS+ debugging is enabled.
Command Syntax
show debug tacacs+
Parameters
None
Command Mode
Exec mode
Applicability
This command was introduced before OcNOS version 1.3.
Examples
#show debug tacacs+
TACACS client debugging is on
 
show running-config tacacs+
Use this command to display TACACS+ settings in the running configuration.
Command Syntax
show running-config tacacs+
Parameters
None
Command Mode
Exec mode
Applicability
This command was introduced before OcNOS version 1.3.
Examples
#show running-config tacacs+
feature tacacs+ vrf management
tacacs-server login host 10.16.19.2 vrf management seq-num 1 key 7 0x9f4a8983e0216052
 
Table 15-27 explains the output fields.
 
Table 15-27: show running-config fields
Entry
Description
TACACS server host
TACACS+ server DNS name or IP address.
Seq-num
Sequence number of the user authentication attempt with the TACACS+ server.
VRF Management
The management VRF (Virtual Routing and Forwarding) that carries the management traffic.
 
show tacacs-server
Use this command to display the TACACS+ server configuration.
Command Syntax
show tacacs-server (vrf (management|all)|) ((WORD) | (groups (GROUP|)) | (sorted) |)
Parameters
WORD
DNS host name or IP address
groups
TACACS+ server group
GROUP
Group name; if this parameter is not specified, display all groups
sorted
Sort by TACACS+ server name
vrf
management or all VRFs
Command Mode
Executive mode
Applicability
This command was introduced before OcNOS version 1.3.
Examples
#show tacacs-server
total number of servers:1
 
Tacacs+ Server : 192.168.10.215/49(*)
Sequence Number : 1
Failed Auth Attempts : 0
Success Auth Attempts : 14
Failed Connect Attempts : 0
Last Successful authentication: 2017 December 18, 12:27:13
 
(*) indicates last active.
 
Table 15-28 explains the output fields.
Table 15-28: show tacacs-server output fields
Field
Description
Sequence Number
Sequence number of user authentication attempt with the TACACS+ server.
Failed Auth Attempts
Number of times user authentication failed with the TACACS+ server.
Increments on server key mismatches and on wrong passwords for the user.
Success Auth Attempts
Number of times user authenticated with TACACS+ server.
Increments for each successful login.
Failed Connect Attempts
Number of failed TCP socket connections to the TACACS+ server.
Increments for connection failures such as the server being unreachable or a server port mismatch.
Last Successful authentication
Timestamp when user successfully authenticated with the TACACS+ server.
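As an added example that is not part of the OcNOS documentation, the following Python parses the show tacacs-server output format shown above and maps each non-zero counter to the causes Table 15-28 lists for it, so the command output can be used as a health check from a monitoring job. The two-server sample output is constructed, and the "never" value for a server with no successful authentication is an assumption about the output rather than something the page shows.

```python
import re

# Constructed sample modelled on the show tacacs-server output above (two servers)
SAMPLE_OUTPUT = """total number of servers:2

Tacacs+ Server : 192.168.10.215/49(*)
Sequence Number : 1
Failed Auth Attempts : 0
Success Auth Attempts : 14
Failed Connect Attempts : 0
Last Successful authentication: 2017 December 18, 12:27:13

Tacacs+ Server : 192.168.10.216/49
Sequence Number : 2
Failed Auth Attempts : 7
Success Auth Attempts : 0
Failed Connect Attempts : 3
Last Successful authentication: never
"""

SERVER_RE = re.compile(r"Tacacs\+ Server\s*:\s*(\S+?)/(\d+)(\(\*\))?")
COUNTER_RE = re.compile(r"(Sequence Number|Failed Auth Attempts|Success Auth Attempts|"
                        r"Failed Connect Attempts)\s*:\s*(\d+)")

def parse_show_tacacs_server(text: str) -> list:
    """Return one dict per server block: host, port, last_active and its counters."""
    servers = []
    for line in text.splitlines():
        m = SERVER_RE.match(line)
        if m:
            servers.append({"host": m.group(1), "port": int(m.group(2)),
                            "last_active": m.group(3) is not None})
        elif servers and (m := COUNTER_RE.match(line)):
            servers[-1][m.group(1)] = int(m.group(2))
    return servers

def diagnose(server: dict) -> list:
    """Map non-zero counters to the causes the field table above lists for them."""
    findings = []
    if server.get("Failed Connect Attempts", 0):
        findings.append("TCP connect failures: server unreachable or port mismatch")
    failed, ok = server.get("Failed Auth Attempts", 0), server.get("Success Auth Attempts", 0)
    if failed and not ok:
        # heuristic: failures with no successes at all point at a shared-key mismatch
        findings.append("auth failures with no successes: check the shared key")
    elif failed:
        findings.append("auth failures alongside successes: likely wrong user passwords")
    return findings
```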
tacacs-server login host
Use this command to set the TACACS+ server host name or IP address.
Use the no form of this command to remove a TACACS+ server (if only a host name or IP address is specified as the parameter) or to remove all of a TACACS+ server's configuration settings (if any other parameters are also specified).
Command Syntax
tacacs-server login host (HOSTNAME | X:X::X:X | A.B.C.D) (vrf management|) (seq-num <1-8> |) (key ((0 WORD) | (7 WORD) | (WORD))|) (port <1025-65535> |) (timeout <1-60> |)
no tacacs-server login host (HOSTNAME | A.B.C.D | X:X::X:X) (vrf management|)
no tacacs-server login host (HOSTNAME | X:X::X:X | A.B.C.D) (vrf management|) (key ((0 WORD) | (7 WORD) | (WORD))|) (port <1025-65535> |) (timeout <1-60> |)
 
Parameters
HOSTNAME
Host name
X:X::X:X
IPv6 address
A.B.C.D
IPv4 address
vrf
Virtual Routing and Forwarding
management
Management VRF
seq-num
Sequence Number / Priority index for tacacs-servers
key
Authentication and encryption key (“shared secret”)
0
Unencrypted (clear text) shared key
WORD
Unencrypted key value; maximum length 63 characters
7
Hidden shared key
WORD
Hidden key value; maximum length 512 characters
WORD
Unencrypted (clear text) shared key value; maximum length 63 characters
port
TACACS+ server port
<1025-65535>
TACACS+ server port number; the default is 49
timeout
TACACS+ server timeout
<1-60>
Timeout value in seconds; default is 5 seconds
 
Default
Authentication is enabled for each configured TACACS+ server. Authorization is also enabled by default. The default server port is 49. The default timeout value is 5 seconds.
There is no command to enable authorization; it is enabled by default when remote authentication with TACACS+ is enabled.
Command Mode
Configure mode
Applicability
This command was introduced before OcNOS version 1.3.
Examples
#configure terminal
(config)#tacacs-server login host 203.0.113.31 vrf management
 
tacacs-server login key
Use this command to set a global preshared key (“shared secret”), a text string shared between the device and the TACACS+ servers.
Use the no form of this command to remove a global preshared key.
Command Syntax
tacacs-server login key ((0 WORD) | (7 WORD) | (WORD)) (vrf management|)
no tacacs-server login key ((0 WORD) | (7 WORD) | (WORD)) (vrf management|)
Parameters
0
Unencrypted (clear text) shared key
WORD
Unencrypted key value; maximum length 63 characters
7
Hidden shared key
WORD
Hidden key value; maximum length 512 characters
WORD
Unencrypted (clear text) shared key value; maximum length 63 characters
vrf
Virtual Routing and Forwarding
management
Management VRF
Default
Disabled
Command Mode
Configure mode
Applicability
This command was introduced before OcNOS version 1.3.
Examples
#configure terminal
(config)#tacacs-server login key 7 jvn05mlQH1 vrf management
 
tacacs-server login timeout
Use this command to set the period to wait for a response from the server before the client declares a timeout failure. The default timeout value is 5 seconds.
You can only give this command when the TACACS+ feature is enabled.
Use the no form of this command to set the timeout value to its default value (5 seconds).
Note: The TELNET client session's default timeout is 60 seconds, so configuring a TACACS+ timeout of 60 seconds affects TELNET client applications: the client cannot fall back to another configured server or group before its own session times out. It is therefore recommended to configure a timeout of 57 seconds or less when using TELNET. This timeout does not affect SSH connections.
Command Syntax
tacacs-server login timeout <1-60> (vrf management|)
no tacacs-server login timeout (vrf management|)
Parameters
<1-60>
Timeout value in seconds
vrf
Virtual Routing and Forwarding
management
Management VRF
Default
Disabled
Command Mode
Configure mode
Applicability
This command was introduced in OcNOS version 1.3.9.
Examples
#configure terminal
(config)#tacacs-server login timeout 35 vrf management