11-23-2025 07:34 PM
Hi,
I wonder how exactly the source-interface plays a role in processing TACACS authentication on a Cisco networking device.
For example, I currently use a 9300 and I set the TACACS source interface to one that is currently shut down by the admin, yet users can authenticate through TACACS.
Would you be able to explain how this works?
11-23-2025 08:07 PM - edited 11-23-2025 08:12 PM
Hi @goosamsf,
You can apply the 'ip tacacs source-interface' command inside the AAA server-group configuration or globally, for example:
Server-group:
aaa group server tacacs+ tacacs-server-group
 server-private 10.255.255.255
 ip tacacs source-interface Loopback80
Global:
configure terminal
ip tacacs source-interface Loopback80
If specified within the server-group, it will take precedence over the global command FOR that particular server-group (you may have multiple server-groups configured).
If the interface specified within the 'ip tacacs source-interface' is down or does not have an IP address assigned, the device will use the outgoing interface chosen by the routing table for the destination. For example, if the TACACS server's IP address is 10.255.255.255 and the outgoing interface (associated with the next-hop) to reach 10.255.255.255 is via GigabitEthernet0/0/0, it will use the IP address assigned to GigabitEthernet0/0/0.
So, there are cases where not specifying the source interface will work, because the default interface that is chosen may have an IP address that is reachable and authorised by the TACACS server.
11-24-2025 12:41 AM
I would add to the excellent explanation provided by @Royalty that you may need to take into account the vrf keyword if you use a source interface that is not in the default vrf. For instance, many switches have an "out of band" management interface in the Mgmt-vrf.
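As an added example (not code from this thread or from Cisco), the following Python script resolves the effective 'ip tacacs source-interface' for each TACACS+ server group in a running-config the way the answers above describe it: a source-interface set inside the server-group wins over the global one, and an interface that is shut down or has no address means the switch sources from the routed egress interface instead. It also flags the VRF situation from the last reply (group or source-interface VRF not matching the interface's VRF). The config text, interface names, VRF name and addresses are constructed for illustration; the parser only understands the handful of commands it needs.

```python
"""Resolve the effective 'ip tacacs source-interface' per TACACS+ server group in a
Cisco IOS/IOS-XE config and flag: interface shut down, no IP address, or not in the
group's VRF.  Added example; the config text below is constructed for illustration."""
import re
from dataclasses import dataclass
from typing import Optional

SAMPLE_CONFIG = """\
aaa group server tacacs+ tacacs-server-group
 server-private 10.255.255.255
 ip tacacs source-interface Loopback80
!
aaa group server tacacs+ oob-group
 server-private 192.0.2.10
 ip vrf forwarding Mgmt-vrf
!
ip tacacs source-interface Loopback81
interface Loopback80
 ip address 10.80.0.1 255.255.255.255
 shutdown
interface Loopback81
 ip address 10.81.0.1 255.255.255.255
"""

@dataclass
class Interface:
    name: str
    ip: Optional[str] = None
    vrf: Optional[str] = None       # None = global routing table
    shutdown: bool = False

@dataclass
class ServerGroup:
    name: str
    source: Optional[tuple] = None  # (interface, vrf) set inside the group
    vrf: Optional[str] = None       # 'ip vrf forwarding' inside the group

SRC_RE = re.compile(r"^ip tacacs source-interface (\S+)(?: vrf (\S+))?$")
VRF_CMDS = ("vrf forwarding ", "ip vrf forwarding ")
FALLBACK = "; source address falls back to the routed egress interface"

def parse_config(text):
    interfaces, groups, global_src, current = {}, {}, None, None
    for raw in text.splitlines():
        line = raw.rstrip()
        if not line or line.startswith("!"):
            current = None
            continue
        if not line.startswith(" "):            # top-level command
            words, current = line.split(), None
            if words[0] == "interface":
                current = interfaces.setdefault(words[1], Interface(words[1]))
            elif line.startswith("aaa group server tacacs+ "):
                current = groups.setdefault(words[4], ServerGroup(words[4]))
            elif m := SRC_RE.match(line):
                global_src = (m.group(1), m.group(2))
            continue
        cmd = line.strip()                      # sub-mode command
        if isinstance(current, Interface):
            if cmd.startswith("ip address "):
                current.ip = cmd.split()[2]
            elif cmd == "shutdown":
                current.shutdown = True
            elif cmd.startswith(VRF_CMDS):
                current.vrf = cmd.split()[-1]
        elif isinstance(current, ServerGroup):
            if m := SRC_RE.match(cmd):
                current.source = (m.group(1), m.group(2))
            elif cmd.startswith(VRF_CMDS):
                current.vrf = cmd.split()[-1]
    return interfaces, groups, global_src

def audit(text):
    """Per group: group-level source wins over global; returns {group: {interface, origin, problems}}."""
    interfaces, groups, global_src = parse_config(text)
    findings = {}
    for g in groups.values():
        src, origin = (g.source, "group") if g.source else (global_src, "global")
        if src is None:
            findings[g.name] = {"interface": None, "origin": "none",
                                "problems": ["no source-interface configured" + FALLBACK]}
            continue
        ifname, src_vrf = src
        problems = []
        # An interface missing from the config is treated like one without an address.
        intf = interfaces.get(ifname) or Interface(ifname)
        if intf.shutdown:
            problems.append(f"{ifname} is administratively down" + FALLBACK)
        if intf.ip is None:
            problems.append(f"{ifname} has no IP address" + FALLBACK)
        group_vrf = src_vrf or g.vrf            # VRF the TACACS+ packets are sent in
        if intf.vrf != group_vrf:
            problems.append(f"{ifname} is in VRF {intf.vrf or 'default'} but the "
                            f"group uses VRF {group_vrf or 'default'}")
        findings[g.name] = {"interface": ifname, "origin": origin, "problems": problems}
    return findings

if __name__ == "__main__":
    for name, f in audit(SAMPLE_CONFIG).items():
        print(name, f["interface"], f["origin"], *f["problems"], sep="\n  ")
```

Run against the constructed config, tacacs-server-group resolves to its own Loopback80 and is flagged because that loopback is shut down (the situation in the original question), while oob-group inherits the global Loopback81 and is flagged because the loopback sits in the default VRF while the group forwards in Mgmt-vrf. Feed it the output of 'show running-config' from a real box to check which address your TACACS server will actually see.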