Cisco TACACS+ Configs for ACS (Nexus, ASR_IOS-XE, IOS, ASA, Wireless)

Below are some examples pulled from a working configuration. Enjoy!

#NEXUS

tacacs-server key 7 {SHARED SECRET}
tacacs-server timeout 6
tacacs-server host 172.16.1.101
tacacs-server host 172.16.2.101

aaa group server tacacs+ TACACS
aaa authentication login default group TACACS local
aaa authorization config-commands default group TACACS local
aaa authorization commands default group TACACS local
aaa accounting default group TACACS local

ip tacacs source-interface vlan96
aaa group server tacacs+ TACACS
 server 172.16.1.101
 server 172.16.2.101
 source-interface Vlan96

#ASR_IOS-XE

tacacs server ACS_TPA
 address ipv4 172.16.1.101
 key {SHARED SECRET}

tacacs server ACS_DR
 address ipv4 172.16.2.101
 key {SHARED SECRET}

aaa group server tacacs+ TAC_PLUS
 server name ACS_TPA
 server name ACS_DR
 ip vrf forwarding Mgmt-intf

aaa new-model
aaa authentication login default group TAC_PLUS local enable
aaa authentication enable default group TAC_PLUS enable
aaa authorization exec default group TAC_PLUS if-authenticated
aaa authorization commands 5 default group TAC_PLUS if-authenticated
aaa authorization commands 15 default group TAC_PLUS if-authenticated
aaa accounting exec default start-stop group TAC_PLUS
aaa accounting commands 5 default start-stop group TAC_PLUS
aaa accounting commands 15 default start-stop group TAC_PLUS
aaa session-id common

ip tacacs source-interface g0/0

#IOS (ROUTERS/SWITCHES)

aaa new-model
aaa authentication login default group tacacs+ local enable
aaa authentication enable default group tacacs+ enable
aaa authorization exec default group tacacs+ if-authenticated
aaa authorization commands 5 default group tacacs+ if-authenticated
aaa authorization commands 15 default group tacacs+ if-authenticated
aaa accounting exec default start-stop group tacacs+
aaa accounting commands 5 default start-stop group tacacs+
aaa accounting commands 15 default start-stop group tacacs+
aaa session-id common

tacacs-server host 172.16.1.101
tacacs-server host 172.16.2.101
tacacs-server timeout 6
tacacs-server directed-request
tacacs-server key 7 {SHARED SECRET}

ip tacacs source-interface Vlan96
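An added audit script (not from the original post) that runs the checks a reviewer would want against the classic-IOS snippet above: a local fallback listed after the TACACS+ group, at least two servers, start-stop accounting for privilege-15 commands, and a key that is not stored in clear text. The sample config is constructed from the snippet above, with the shared secret left as the page's placeholder.

```python
import re

# Constructed sample: the IOS router/switch snippet from this page, with the
# shared secret left as the page's {SHARED SECRET} placeholder.
IOS_SAMPLE = """\
aaa new-model
aaa authentication login default group tacacs+ local enable
aaa authentication enable default group tacacs+ enable
aaa authorization exec default group tacacs+ if-authenticated
aaa authorization commands 15 default group tacacs+ if-authenticated
aaa accounting exec default start-stop group tacacs+
aaa accounting commands 15 default start-stop group tacacs+
tacacs-server host 172.16.1.101
tacacs-server host 172.16.2.101
tacacs-server timeout 6
tacacs-server key 7 {SHARED SECRET}
ip tacacs source-interface Vlan96
"""


def audit_ios_tacacs(config: str) -> list[str]:
    """Return a list of findings for a classic-IOS TACACS+ AAA config (empty = all checks passed)."""
    lines = [ln.strip() for ln in config.splitlines() if ln.strip()]
    findings = []
    if "aaa new-model" not in lines:
        findings.append("aaa new-model missing: AAA method lists are not in effect")
    login = [ln for ln in lines if ln.startswith("aaa authentication login default ")]
    if not login:
        findings.append("no default login authentication method list")
    else:
        words = login[0].split()
        if "local" not in words:
            findings.append("login list has no 'local' fallback: lockout if every TACACS+ server is unreachable")
        elif "group" in words and words.index("local") < words.index("group"):
            findings.append("'local' precedes 'group': local database is consulted before TACACS+")
    # Classic 'tacacs-server host' entries and IOS-XE style named 'tacacs server' blocks both count.
    hosts = [ln for ln in lines if re.match(r"tacacs-server host \S+", ln) or ln.startswith("tacacs server ")]
    if len(hosts) < 2:
        findings.append(f"only {len(hosts)} TACACS+ server(s) defined: no redundancy")
    if not any(ln.startswith("aaa accounting commands 15 default start-stop") for ln in lines):
        findings.append("no start-stop accounting for privilege-15 commands")
    for ln in lines:
        m = re.match(r"tacacs-server key (\S+)", ln)
        # A stored key reads 'key 7 <hex>' or 'key 6 <ciphertext>'; anything else is clear text.
        if m and m.group(1) not in ("6", "7"):
            findings.append("tacacs-server key stored in clear text (no type 6/7 encoding)")
    return findings


if __name__ == "__main__":
    for finding in audit_ios_tacacs(IOS_SAMPLE) or ["no findings"]:
        print(finding)
```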

#ASA

aaa-server ACS protocol tacacs+
aaa-server ACS (inside) host 172.16.1.101 key {SHARED SECRET}
aaa-server ACS (inside) host 172.16.2.101 key {SHARED SECRET}
aaa authentication ssh console ACS LOCAL
aaa authentication enable console ACS LOCAL
aaa authentication http console ACS LOCAL
aaa authorization exec authentication-server

#WIRELESS

config tacacs acct add 1 172.16.1.101 49 ascii {SHARED SECRET}
config tacacs acct add 2 172.16.2.101 49 ascii {SHARED SECRET}
config tacacs auth add 1 172.16.1.101 49 ascii {SHARED SECRET}
config tacacs auth add 2 172.16.2.101 49 ascii {SHARED SECRET}
config tacacs athr add 1 172.16.1.101 49 ascii {SHARED SECRET}
config tacacs athr add 2 172.16.2.101 49 ascii {SHARED SECRET}
config aaa auth mgmt tacacs local