Configuring TACACS+ Individually

17 Mar

Configuring TACACS+ Individually
The second method used to enable TACACS+ allows a finer granularity of control in specifying features on a per−security−server basis. This method is generally used in environments that use multiple TACACS+ servers, and each server is configured to use separate values. Use the following steps to enable this method of TACACS+ configuration:

1.Use the aaa new−model global configuration command to enable AAA. This command establishes a new AAA configuration. The command must be configured if you plan to support the TACACS+ protocol.

2.Use the following command to specify the IP address of one or more TACACS+ servers:

tacacs−server host hostname <single−connection> <port integer>
<timeout <integer> <key string>

The network access server searches for the hosts in the order specified; this feature allows you to set up a list of preferred servers.

The optional single−connection argument specifies that the network access server should maintain a single connection to the TACACS+ server as opposed to having the network access server open and close a TCP connection to the daemon process on the TACACS+ server each time it needs to communicate with the server. This allows the daemon process on the TACACS+ server to handle a higher number of TACACS+ operations. The default TCP port the network access server uses to communicate with the TACACS+ server may be changed using the portinteger argument. If this argument is not specified, the default TCP port 49 is used. The timeout integer argument allows the network access server to specify the period of time it will wait for a response from the TACACS+ server daemon before it times out and declares an error; the default is set to 5 seconds. The key string argument allows for specification of an encryption key for encrypting and decrypting all traffic between the network access server and the TACACS+ daemon. The key string configured on the network access server must match the key string configured on the TACACS+ server or all communication between the devices will fail.

As mentioned, there are two different methods used to enable the TACACS+ process on a Cisco router. The Cisco IOS allows you to configure many values at a global level, which affects all other related values configured on the router. The method detailed in this section allows you to enhance security on your network by uniquely configuring individual TACACS+ connections for multiple servers and applying separate values for each server. Use the preceding configuration in instances in which your network has many independent TACACS+ servers and each server has different values configured.

Note Some of the parameters of the tacacs−server host command override other globally configured TACACS+ commands.

Figure 2.9 shows another TACACS+ server added to the local network. The new TACACS+ server has an IP address of This server is configured to use a different key value and timeout value than the server located at IP address

config t
aaa new−model
tacacs−server host single−connection key 1Cisco9
tacacs−server host single−connection timeout 15 –
key 2Systems8

Figure 2.9: Multiple TACACS+ servers.
This configuration names two TACACS+ servers: and TACACS+ server is configured as it was in the global configuration; only the single−connection option has been added to the configuration. However, the server has been added to the network and the values that the network access server needs to have configured are different for this server. Notice the timeout value—the network access waits for a response from the security server according to the timeout value, which has been changed from the default value of 5 seconds to a value of 15 seconds. The encryption key and authentication that is used to communicate with this server has been changed as well. Issuing the show running−config command allows you to view the results of the configuration:

Seminole#show running−config
hostname Seminole
aaa new−model
tacacs−server host single−connection key 1Cisco9
tacacs−server host single−connection timeout –
15 key 2Systems8

After you verify that the configuration changes are correct, the next command you should issue is the show tacacs command. The output of this command verifies that the network access server and the TACACS+ server are communicating properly. Here is the output of the sh tacacs command:

Server: opens=127 closes=126 aborts=24 errors=1
packets in=1083 packets out=1233 expected replies=0
connection 623F8098 state=ESTAB

Server: opens=1 closes=0 aborts=0 errors=0
packets in=14 packets out=14 expected replies=0
connection 623FFC28 state=CLOSEWAIT

Random Posts

No comments yet

Leave a Reply

You must be logged in to post a comment.