TACACS+ authentication setup

To test the TACACS+ service before fully implementing it. Depending on the process and parameter settings you use to set up and test TACACS+ authentication in your network, you could accidentally lock all users, including yourself, out of access to a switch. While recovery is simple, it can pose an inconvenience that can be avoided. To prevent an unintentional lockout on the switch, use a procedure that configures and tests TACACS+ protection for one access type (for example, Telnet access), while keeping the other access type (console, in this case) open in case the Telnet access fails due to a configuration problem.


If a complete access lockout occurs on the switch as a result of a TACACS+ configuration, see "Troubleshooting TACACS+ Operation" in the Management and Configuration Guide for your switch.

  1. Familiarize yourself with the requirements for configuring your TACACS+ server application to respond to requests from the switch (see Access Security Guide for more information). To know if you have to configure an encryption key, see Encryption options in the switch.
  2. Determine the following:
    1. The IP addresses of the TACACS+ servers you want the switch to use for authentication. If you will use more than one server, determine which server is your first-choice for authentication services.
    2. The encryption key, if any, for allowing the switch to communicate with the server.
    3. The number of log-in attempts you allow before closing a log-in session. The default is 3.
    4. The period you want the switch to wait for a reply to an authentication request before trying another server.
    5. The user name/password pairs you want the TACACS+ server to use for controlling access to the switch.
    6. The privilege level you want for each user name/password pair administered by the TACACS+ server for controlling access to the switch.
    7. The user name/password pairs you want to use for local authentication (one pair each for operator and manager levels).
  3. Plan and enter the TACACS+ server configuration needed to support TACACS+ operation for Telnet access (login and enable) to the switch. This includes the user name/password sets for logging in at the operator (read-only) privilege level and the sets for logging in at the manager (read/write) privilege level.

    When a TACACS+ server authenticates an access request from a switch, it includes a privilege level code for the switch to use in determining which privilege level to grant to the terminal requesting access. The switch interprets a privilege level code of "15" as authorization for the manager (read/write) privilege level access. Privilege level codes of 14 and lower result in operator (read-only) access.

  4. If you are a first-time user of the TACACS+ service, it is recommended that you configure only the minimum feature set required by the TACACS+ application to provide service in your network environment. After a successful deployment of minimum feature set, configure for additional features.
  5. Ensure that the switch has the correct local user name and password for manager access. (If the switch cannot find any designated TACACS+ servers, the local manager and operator user name/password pairs are always used as the secondary access control method.)

    Ensure that the switch has a local manager password. Otherwise, if authentication through a TACACS+ server fails for any reason, unauthorized users can access through the console port, Telnet, SSH, or REST.

  6. Using a terminal device connected to the switch console port, configure the switch for TACACS+ authentication only for Telnet login access and Telnet enable access. At this stage, do not configure TACACS+ authentication for console access to the switch, as you may need to use the console for access if the configuration for the Telnet method needs debugging.
  7. Ensure that the switch is configured to operate on your network and can communicate with your first-choice TACACS+ server. At a minimum, this requires IP addressing and a successful ping test from the switch to the server.
  8. On a remote terminal device, use Telnet to attempt to access the switch. If the attempt fails, use the console access to check the TACACS+ configuration on the switch. If you make changes in the switch configuration, check Telnet access again. If Telnet access still fails, check the configuration in your TACACS+ server application for mis-configurations or missing data which could affect the server's interoperation with the switch.
  9. After your testing shows that Telnet access using the TACACS+ server is working properly, configure your TACACS+ server application for console access. Then test the console access. If access problems occur, check for and correct any problems in the switch configuration, and then test console access again. If problems persist, check your TACACS+ server application for mis-configurations or missing data which could affect the console access.
  10. When you are confident that TACACS+ access through both Telnet and the switch console operates properly, use the write memory command to save the switch running-config file to flash.