Configuring Cisco Secure ACS and TACACS+

Basic Cisco Secure ACS configuration for TACACS+ support is performed using the Interface Configuration button on the ACS HTML interface. The interface settings enable you to display or hide TACACS+ administrative and accounting options. You can simplify the HTML interface by hiding the features you don’t use. Figure 4-13 shows configuring TACACS+ options and features.

The TACACS+ section includes three areas:

TACACS+ Services Settings: This section lists the most commonly used TACACS+ services and protocols. Select each TACACS+ service to appear as a configurable option on either the User Setup page or the Group Setup page.

New Services: Specify any services or protocols unique to your network configuration.

Advanced Configuration Options: Advanced TACACS+ features.

To configure the user interface for TACACS+ options, follow these steps:

  1. Click the Interface Configuration button.

  2. Click TACACS+. The TACACS+ Interface Configuration section appears.

  3. In the TACACS+ Services table, select the check box for each TACACS+ service you want displayed on the applicable setup page.

  4. To add new services and protocols, follow these steps:

    1. In the New Services section of the TACACS+ Services table, type in the Service and Protocol to add.

    2. Use the appropriate check box to select those to be displayed for configuration either under User Setup or Group Setup, or both.

  5. In the Advanced Configuration Options section, select the check boxes of the display options you want to enable.

  6. When you finish setting TACACS+ interface display options, click Submit. The selections made in this procedure determine what TACACS+ options Cisco Secure ACS displays in other sections of the HTML interface.

Configure NAS to TACACS+ Server Communication

Chapter 3 looked at the various commands to implement AAA features on the NAS. This chapter reviews the basic commands to allow the AAA client running on a NAS to locate and communicate with a Cisco Secure ACS TACACS+ server.

To define one or more TACACS servers, use the tacacs-server host global configuration command. Use the no form of this command to delete the specified server. The syntax is

Rtr1(config)#tacacs-server host {hostname | ip address} [single-connection] [port port#]
[timeout seconds] [key string]
Rtr1(config)#no tacacs-server host hostname


hostname: Name of the TACACS+ server.

ip address: IP address of the TACACS+ server.

single-connection: (Optional) Specify that the router maintain a single open connection for confirmation from the AAA/TACACS+ server. This command contains no autodetect feature and fails if the host isn’t running a CiscoSecure daemon.

port: (Optional) Overrides the default, which is port 49.

port#: (Optional) Port number of the server (range 1 to 65535).

timeout: (Optional) Overrides the global timeout value set with the global tacacs-server timeout command for this server only.

seconds: (Optional) New timeout interval in seconds.

key: (Optional) Specify an authentication and encryption key. This must match the key used by the TACACS+ daemon. This key overrides the key set by the global command tacacs-server key for this server only.

string: (Optional) Character string to use as the authentication and encryption key.

Multiple tacacs-server host commands can be used to specify additional host servers. The Cisco IOS software searches for hosts in the order in which they’re specified. Use the single-connection, port, timeout, and key options only when running an AAA/TACACS+ server.

Because some of the parameters of the tacacs-server host command override global settings made by the tacacs-server timeout and tacacs-server key commands, this command can be used to enhance security on a network by uniquely configuring individual TACACS+ connections.

The following AAA example specifies that the router first try the CiscoSecure TACACS+ host If is unavailable, then use tac-serv1.

Rtr1(config)#aaa new-model 
Rtr1(config)#tacacs-server host
Rtr1(config)#tacacs-server host tac-serv1

The next AAA example specifies that the router consult the CiscoSecure TACACS+ host named on port number 51. The timeout value for requests on this connection is three seconds. The encryption key is a_secret.

Rtr1(config)#aaa new-model 
Rtr1(config)#tacacs-server host single-connection port 51 
    timeout 3 key a_secret

Define TACACS+ Server Key Option

The authentication and encryption key must be set using the tacacs-server key global configuration command. Use the no form of this command to disable the key.

Rtr1(config)#tacacs-server key key
Rtr1(config)#no tacacs-server key [key]


key: A character entry; this key must match the key used on the TACACS+ daemon. Any leading spaces are ignored, but spaces within and at the end of the key are not ignored. Don’t enclose the key in quotation marks unless those quotation marks are part of the key.

The following example shows an AAA TACACS+ implementation with the authentication and encryption key set to seattle19:

Rtr1(config)#aaa new-model 
Rtr1(config)#tacacs-server host
Rtr1(config)#tacacs-server key seattle19
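
The rules above can be checked against a saved configuration: per-host port, timeout, and key override the global tacacs-server timeout and tacacs-server key settings, hosts are searched in the order specified, and leading spaces in a key are ignored while trailing spaces and quotation marks count. The following Python script is an added example, not code from the original text or from Cisco. The 192.0.2.x addresses and the sample configuration are constructed, and it assumes the key is the last option on a tacacs-server host line.

```python
DEFAULT_PORT = 49  # default TACACS+ port, as stated in the text
# Constructed sample config: addresses are documentation-range placeholders.
SAMPLE = (
    "tacacs-server host 192.0.2.10 single-connection port 51 timeout 3 key a_secret\n"
    "tacacs-server host tac-serv1\n"
    'tacacs-server host 192.0.2.12 key "seattle19" \n'  # quotes + trailing space
    "tacacs-server timeout 10\n"
    "tacacs-server key   seattle19\n"
)

def parse_key(raw):
    # Leading spaces are ignored; embedded/trailing spaces and quotes are kept.
    return raw.lstrip(" ")

def effective_servers(config_text):
    """Return servers in search order with per-host overrides resolved."""
    g_key, g_timeout, hosts = None, None, []
    for line in config_text.splitlines():
        line = line.lstrip(" ")
        if line.startswith("tacacs-server key "):
            g_key = parse_key(line[len("tacacs-server key "):])
        elif line.startswith("tacacs-server timeout "):
            g_timeout = int(line.split()[2])
        elif line.startswith("tacacs-server host "):
            # Assumption: key is the last option, so the rest of the line is the key.
            opts, sep, key = line[len("tacacs-server host "):].partition(" key ")
            tok = opts.split()
            h = {"host": tok[0], "port": DEFAULT_PORT, "timeout": None,
                 "key": parse_key(key) if sep else None}
            for name in ("port", "timeout"):
                if name in tok[1:]:
                    h[name] = int(tok[tok.index(name, 1) + 1])
            hosts.append(h)
    for h in hosts:  # globals apply only where the host line set nothing
        h["key_source"] = "global" if h["key"] is None else "host"
        h["key"] = g_key if h["key"] is None else h["key"]
        h["timeout"] = g_timeout if h["timeout"] is None else h["timeout"]
    return hosts

def audit(servers):  # flag the key forms the text warns about
    findings = []
    for s in servers:
        if s["key"] is None:
            findings.append((s["host"], "no key"))
        elif s["key"].endswith(" "):
            findings.append((s["host"], "trailing space is part of key"))
        if s["key"] and '"' in s["key"]:
            findings.append((s["host"], "quotation marks are part of key"))
    return findings
```

The key_source field shows which servers still rely on the shared global key rather than a key of their own.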
