Buy or Renew
Buy or Renew
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
151
Views
1
Helpful
6
Replies

TLS 1.3 for tacacs and http service

ammahend
VIP Alumni
VIP Alumni

‎11-26-2025 08:31 PM - edited ‎11-26-2025 08:33 PM

testing tls1.3 for http and tacacs services on 9300-48U with 17.15.3

http is fine but I don't see tls option under tacacs server config

switch(config-server-tacacs)#t?
timeout

any advice is appreciated, I have my root and signed certificate associated with trustpoint, but not able to map the trustpoint with tacacs service. 

for http, I have no issues

switch(config-server-tacacs)#do sh run | sec http
ip http tls-version TLSv1.3
ip http secure-trustpoint my-switch-trustpoint

-hope this helps-
Labels:
0 Helpful
6 Replies 6

pieterh
VIP
VIP

‎11-27-2025 04:53 AM

why look on the tacacs+ client / switch? -> set minimum version on the TACACS+ server to TLS1.3

ammahend
VIP Alumni
VIP Alumni
In response to pieterh

‎11-27-2025 08:06 AM - edited ‎11-27-2025 08:07 AM

 

server side is configured already, client side config below is what I am not able to configure 

https://www.cisco.com/c/en/us/support/docs/security-vpn/terminal-access-controller-access-control-system-tacacs-/225097-configure-tacacs-over-tls-1-3-on-an.html#toc-hId-93095770

-hope this helps-
0 Helpful

Mark Elsen
Hall of Fame
Hall of Fame
In response to ammahend

‎11-27-2025 08:16 AM

 

  - @ammahend          If the server offers TLS 1.3 only  , then the client can do nothing else

  M.



-- Let everything happen to you  
       Beauty and terror
      Just keep going    
       No feeling is final
Reiner Maria Rilke (1899)
0 Helpful

pieterh
VIP
VIP

‎11-27-2025 08:37 AM

the http tls-version command and certificate is for incoming requests to the web-interface of the device
this configures the web-management interface to use TLSV1.3
and has nothing to do with outgoing connection to the TACACS+ server.
-> you must do similar configuration on the TACACS+ server itself

0 Helpful

ammahend
VIP Alumni
VIP Alumni
In response to pieterh

‎11-27-2025 11:25 AM - edited ‎11-27-2025 12:10 PM

Please see my question and link I shared, I already said https is working fine. 

my question was about associating trustpoint with tacacs server but I don’t see any tls command under tacacs server config (like shown in the url I shared), suppose to be supported from 17.15.x 

-hope this helps-
0 Helpful

rschlayer
Level 4
Level 4
In response to ammahend

‎11-27-2025 12:04 PM - edited ‎11-27-2025 12:06 PM

@ammahend You should have these commands available, indeed from 17.15.X:

Step 1. Create TACACSS server and AAA groups, associate the client (router) trustpoint.

tacacs server svs_tacacs
 address ipv4 10.225.253.209
 single-connection
 tls port 6049
 tls idle-timeout 60
 tls connection-timeout 60
 tls trustpoint client svs_cat9k
 tls ip tacacs source-interface GigabitEthernet0/0
 tls ip vrf forwarding Mgmt-vrf
!
aaa group server tacacs+ svs_tls
 server name svs_tacacs
 ip vrf forwarding Mgmt-vrf
!
tacacs-server directed-request

Taken from here: https://www.cisco.com/c/en/us/support/docs/security-vpn/terminal-access-controller-access-control-system-tacacs-/225097-configure-tacacs-over-tls-1-3-on-an.html#toc-hId-1369066302

0 Helpful
Customers Also Viewed These Support Documents