https://community.cisco.com/t5/network-security/tacacs-configuration-question/m-p/4418441#M1081557 <P><a href="https://community.cisco.com/t5/user/viewprofilepage/user-id/282485">@david</a>&nbsp;</P> <P>Yes, it looks ok, check out <A href="https://community.cisco.com/t5/security-documents/cisco-ise-device-administration-prescriptive-deployment-guide/ta-p/3738365#toc-hId-1371716353" target="_self">this guide</A> and compare to cisco's recommended switch configuration for TACACS+.</P> <P>&nbsp;</P> <P>If you are connect to a vty session, apply the commands and the rules are not setup on the TACACS+ server you could lock yourself out. I normally apply the config to all but the vty line you are connected to, then connect another session which should prompt for tacacs+ credentials. If that fails you still have access on the original session.</P> Tue, 15 Jun 2021 13:14:04 GMT Rob Ingram 2021-06-15T13:14:04Z https://community.cisco.com/t5/network-security/tacacs-configuration-question/m-p/4418437#M1081555 <DIV class="_2FCtq-QzlfuN-SwVMUZMM3 _2v9pwVh0VUYrmhoMv1tHPm t3_o0cmoy"><DIV class="y8HYJ-y_lTUHkQIc1mdCq _2INHSNB8V5eaWp4P0rY_mE"><DIV class="_2SdHzo12ISmrC8H86TgSCp _29WrubtjAcKqzJSPdQqQ4h "><H1><FONT face="arial,helvetica,sans-serif" size="4"><SPAN>Is there anything wrong (or missing) with the sample TACACS config below? And does it matter what order the commands are entered? In config docs, I've seen so many variations of tacacs config that it's making my head spin so I'm trying to make sense of it and standardize. Thanks!</SPAN></FONT></H1></DIV></DIV></DIV><DIV class="_3xX726aBn29LDbsDtzr_6E _1Ap4F5maDtT1E1YuCiaO0r D3IL3FD0RFy_mkKLPwL4"><DIV class="_292iotee39Lmt0MkQZ2hPV RichTextJSON-root"><P class="_1qeIAgB0cPwnLhDF9XSiJM">aaa new-model</P><P class="_1qeIAgB0cPwnLhDF9XSiJM">aaa session-id common</P><P class="_1qeIAgB0cPwnLhDF9XSiJM">aaa group server tacacs+ tacacs_123</P><P class="_1qeIAgB0cPwnLhDF9XSiJM">server name ise-tacacs_01</P><P class="_1qeIAgB0cPwnLhDF9XSiJM">server name ise-tacacs_02</P><P class="_1qeIAgB0cPwnLhDF9XSiJM">!</P><P class="_1qeIAgB0cPwnLhDF9XSiJM">tacacs server ise-tacacs_01</P><P class="_1qeIAgB0cPwnLhDF9XSiJM">address ipv4<SPAN>&nbsp;</SPAN><A href="https://10.1.1.101/" target="_blank" rel="noopener nofollow ugc">10.1.1.101</A></P><P class="_1qeIAgB0cPwnLhDF9XSiJM">key &lt;tacacs key&gt;</P><P class="_1qeIAgB0cPwnLhDF9XSiJM">timeout 5</P><P class="_1qeIAgB0cPwnLhDF9XSiJM">!</P><P class="_1qeIAgB0cPwnLhDF9XSiJM">tacacs server ise-tacacs_02</P><P class="_1qeIAgB0cPwnLhDF9XSiJM">address ipv4<SPAN>&nbsp;</SPAN><A href="https://10.1.1.102/" target="_blank" rel="noopener nofollow ugc">10.1.1.102</A></P><P class="_1qeIAgB0cPwnLhDF9XSiJM">key &lt;tacacs key&gt;</P><P class="_1qeIAgB0cPwnLhDF9XSiJM">timeout 5</P><P class="_1qeIAgB0cPwnLhDF9XSiJM">!</P><P class="_1qeIAgB0cPwnLhDF9XSiJM">tacacs-server timeout 5</P><P class="_1qeIAgB0cPwnLhDF9XSiJM">tacacs-server directed-request</P><P class="_1qeIAgB0cPwnLhDF9XSiJM">ip tacacs source-interface Loopback0</P><P class="_1qeIAgB0cPwnLhDF9XSiJM">!</P><P class="_1qeIAgB0cPwnLhDF9XSiJM">aaa authentication login vty group tacacs_123 local</P><P class="_1qeIAgB0cPwnLhDF9XSiJM">aaa authentication login conaux local</P><P class="_1qeIAgB0cPwnLhDF9XSiJM">aaa authentication enable default group tacacs_123 enable</P><P class="_1qeIAgB0cPwnLhDF9XSiJM">aaa authorization config-commands</P><P class="_1qeIAgB0cPwnLhDF9XSiJM">aaa authorization commands 1 default group tacacs_123 local</P><P class="_1qeIAgB0cPwnLhDF9XSiJM">aaa authorization commands 1 conaux local</P><P class="_1qeIAgB0cPwnLhDF9XSiJM">aaa authorization commands 15 default group tacacs_123 local</P><P class="_1qeIAgB0cPwnLhDF9XSiJM">aaa authorization commands 15 conaux local</P><P class="_1qeIAgB0cPwnLhDF9XSiJM">aaa accounting commands 15 default start-stop group tacacs_123</P><P class="_1qeIAgB0cPwnLhDF9XSiJM">aaa accounting connection default start-stop group tacacs_123</P></DIV></DIV> Tue, 15 Jun 2021 12:50:13 GMT https://community.cisco.com/t5/network-security/tacacs-configuration-question/m-p/4418437#M1081555 david 2021-06-15T12:50:13Z https://community.cisco.com/t5/network-security/tacacs-configuration-question/m-p/4418441#M1081557 <P><a href="https://community.cisco.com/t5/user/viewprofilepage/user-id/282485">@david</a>&nbsp;</P> <P>Yes, it looks ok, check out <A href="https://community.cisco.com/t5/security-documents/cisco-ise-device-administration-prescriptive-deployment-guide/ta-p/3738365#toc-hId-1371716353" target="_self">this guide</A> and compare to cisco's recommended switch configuration for TACACS+.</P> <P>&nbsp;</P> <P>If you are connect to a vty session, apply the commands and the rules are not setup on the TACACS+ server you could lock yourself out. I normally apply the config to all but the vty line you are connected to, then connect another session which should prompt for tacacs+ credentials. If that fails you still have access on the original session.</P> Tue, 15 Jun 2021 13:14:04 GMT https://community.cisco.com/t5/network-security/tacacs-configuration-question/m-p/4418441#M1081557 Rob Ingram 2021-06-15T13:14:04Z https://community.cisco.com/t5/network-security/tacacs-configuration-question/m-p/4419085#M1081579 <P>hi,</P><P>that's the traditional/legacy way of configuring TACACS.</P><P>are you asking AAA for a router, switch or ASA?</P><P>the new AAA config structure changed in a router/switch starting IOS-XE 16.12.2 wherein TACACS server, key, source interface and VRF are all configured under AAA group server.</P><P>&nbsp;</P> Wed, 16 Jun 2021 14:24:53 GMT https://community.cisco.com/t5/network-security/tacacs-configuration-question/m-p/4419085#M1081579 johnlloyd_13 2021-06-16T14:24:53Z