Cisco Systems: TACACS+ authentication

TACACS+ brief introduction

1. Utilizes TCP 49.

2. Encrypts the entire packet.

3. Separates authentication, authorization and accounting.

Setting up Cisco ACS
The task here is to create a user group, user account and setup the network configuration to get it started.

Click on Network Configuration, under AAA Clients click Add Entry

The AAA Client IP address is actually the authenticator’s address which is the Cisco ASA I am using for this lab. The Cisco ASA is the authenticator that actually sends out authentication request to the supplicant on behalf of Cisco ACS. The shared secret is the secret between ACS and Cisco ASA.

After finished just click Submit+Apply.

There is a default group 0 which you can modify the settings, the Cisco ACS I am using is version 4.2 which is outdated and could not support the Cisco ASA software, it supports IOS though.

Click on Group setup and jump to TACACS+

The newer version of ACS 5.2 should be able to configure the authorization for Cisco ASA command sets.

Then you can add a user and attach the user to the group.


I actually did not check on the separate checkbox and only supply the Cisco Secure PAP password.

Cisco ASA

ciscoasa(config)# aaa-server group1 protocol tacacs+
ciscoasa(config-aaa-server-group)# accounting-mode single
ciscoasa(config-aaa-server-group)# max-failed-attempts 5
ciscoasa(config-aaa-server-group)# reactivation-mode depletion
ciscoasa(config-aaa-server-group)# exit
ciscoasa(config)# aaa-server group1 (management) host timeout 15
ciscoasa(config-aaa-server-host)# key cisco
ciscoasa(config-aaa-server-host)# end
ciscoasa# wr
Building configuration...
Cryptochecksum: e4bbb77c 4eaaed40 50da38c5 f127760f

4260 bytes copied in 1.130 secs (4260 bytes/sec)
This is the result after the CLI commands. Configuring ASA with ASDM is much easier.
This is the result after the CLI commands. Configuring ASA with ASDM is much easier.

Test AAA server before applying

ciscoasa# test aaa-server authentication group1 host
Username: cyruslab
Password: *********
INFO: Attempting Authentication test to IP address <> (timeout: 17 seconds)
INFO: Authentication Successful

Apply the AAA group
I will test on the SSH authentication.

ciscoasa(config)# aaa authentication ssh console group1

ciscoasa(config)# wr
Building configuration...
Cryptochecksum: 419e8752 acf0a186 909b7a66 bba70548

4299 bytes copied in 1.130 secs (4299 bytes/sec)
The result after the command lines.
The result after the command lines.

Test the ssh

Authentication is successful.
Authentication is successful.

This test only tests the authentication. There are authorization and accounting which can be applied as well, however Cisco ACS 4.2 could not support the authorization of Cisco ASA software. An evaluation is available to download from the forum I checked, I downloaded the 90 days eval license however I could not locate the Cisco Secure Access Control Server 5.2 to be downloaded.


Leave a Reply

Fill in your details below or click an icon to log in: Logo

You are commenting using your account. Log Out /  Change )

Facebook photo

You are commenting using your Facebook account. Log Out /  Change )

Connecting to %s