Installing and configuring Tacacs server on Windows Server 2012 and CISCO router

Posted: July 24, 2015 in CISCO

Terminal Access Controller Access-Control System (TACACS, usually pronounced like tack-axe)  is a security application that provides centralized validation of users attempting to gain access to a router or network access server. TACACS allows a remote access server to communicate with an authentication server in order to determine if the user has access to the network.

TACACS+, administered through the AAA security services, provides following services:

Authentication—Prompts user for username and password in order to allow access to the router

Authorization—Provides fine-grained control what user can/can’t perorm during the session, including but not limited to setting autocommands, access control,etc.We can also restrict user to what commands he may execute with the TACACS+ authorization feature.

Accounting-Audit user activity.Accounting records include user identities, start and stop times, executed commands,number of packets, and number of bytes.

 I used free TACACS+ server

Topology used in this example:


I installed TACACS+ server on Windows server 2012 with IP address

During installation you are asked for secret,we will change it a little bit later


When installation is done,we must first remove read-only atributes from config files,otherwise,we won’t be able to edit it!

From powershell prompt type:

Set-ItemProperty "C:\ProgramData\\config\authentication.xml" -name isreadonly $false
Set-ItemProperty "C:\ProgramData\\config\clients.xml" -name isreadonly $false
Set-ItemProperty "C:\ProgramData\\config\authorization.xml" -name isreadonly $false
Set-ItemProperty "C:\ProgramData\\config\tacplus.xml" -name isreadonly $false



Integrating TACACS server with Active Directory


We will create AD user and allow him access to CISCO router


First,create security group in which our user will be stored:


new-adgroup -name "tacacs" -groupscope "Global" -Groupcategory "Security"

Create user named domain_user:


new-aduser -name "domain_user" -userpincipalname "" -samaccountname "domain_user" -accountpassword (convertto-secure string "Zemun2013" -asplaintxt -force) -changepasswordatlogon $false  -enabled $true

Add newly created user in Local Admin group,(this is very important!!!),and to tacacs AD group:


Add-ADGroupMember Administrators domain_user
Add-ADGroupMember tacacs domain_user


First,obtain data for user from AD (bolded will be used in authentication.xml):


PS C:\Users\Administrator> Get-ADUser -Identity "domain_user"  -Properties memberof | select *

DistinguishedName  : CN=domain_user,CN=Users,DC=bigfirm,DC=biz
Enabled            : True
GivenName          : domain_user
MemberOf           : {CN=tacacs,CN=Users,DC=bigfirm,DC=biz, CN=Administrators,CN=Builtin,DC=bigfirm,DC=biz}
Name               : domain_user
ObjectClass        : user
ObjectGUID         : 4ff83aff-0e83-4032-8c59-e82f2f5fc488
SamAccountName     : domain_user
SID                : S-1-5-21-2862681942-1448928181-3724733179-1105
Surname            :
UserPrincipalName  :
PropertyNames      : {DistinguishedName, Enabled, GivenName, MemberOf...}
AddedProperties    : {}
RemovedProperties  : {}
ModifiedProperties : {}
PropertyCount      : 11



Create encrypted password:

C:\Program Files (x86)\>tacdes.exe Zemun2013
Encrypted Zemun2013 is uTWkimSCBH1j8ZJB/5LPKA==


Now edit C:\ProgramData\\config\authentication.xml file:



<!--This is an example is of a Windows Active Directory group.
This group will authenticate using a Windows Domain Controller.
LDAPUserDirectorySubtree is the distinguished name of the subtree that contains all users.
The LDAPGroupName should point to the name of the AD group.
LDAPAccessUserName and LDAPAccessUserPassword are optional elements and should be specified if the active directory server
does not allow anonymous access to the active directory for authentication.
This username must have read/write access to Active Directory.

To see the user directory subtree name, you can execute the following dsquery command on windows server:
Note: The command DSQUERY is only available on Windows Server.
C:\>dsquery user -samid USERNAME

To see the list of AD groups the user belongs to, use:
C:\>dsquery user -samid USERNAME | dsget user -memberof -expand
You can use the complete DN of the group or just the AD name of the group in the LDAPGroupName configuration parameter.

<LDAPAccessUserPassword ClearText="" DES="uTWkimSCBH1j8ZJB/5LPKA=="></LDAPAccessUserPassword>

<LDAPServer></LDAPServer> is IP address of Domain controller on which Tacacs server is installed,port 389 (the best practice is to install Tacacs server on domain member server,but for demonstration purpose this will be just fine),so Tacacs can query
AD for specific user
<LDAPUserDirectorySubtree>CN=Users,DC=bigfirm,DC=biz</LDAPUserDirectorySubtree> distinguished name of the subtree that contains domain_user acount.
<LDAPGroupName>tacacs</LDAPGroupName> -AD group we’ve just created and put domain_user in
<LDAPAccessUserName>domain_user</LDAPAccessUserName> the name of the AD user which will have access to router

is encrypted password created by tacdes tool

If you wish to change shared secret set during install,edit C:\ProgramData\\config\clients.xml file:

The INTERNAL Group is added by default. This group will
enable all non-routeable IP addresses to be TACACS+
clients without having to explicitly define them.
This is useful in an internal NAT or lab network.-->
<ClientGroup Name="INTERNAL">
<Secret ClearText="sharedsecret" DES=""> </Secret>


In this section you can also define network range for clients which can “negotiate” with Tacacs server using defined secret


To configure port and IP address on which Tacacs server will listen on,we need to edit C:\ProgramData\\config\tacplus.xml file.

Here we can  set logging (name, location, logging level, and rollover settings for the logs.Available logging levels: Alert, Critical, Error, Warning, Notice, Information, and Debug. Debug generates the most information, and Alert generates the least amount of info.
RolloverDays specifies how many days to keep logs before starting a new log. RolloverMB specifies the maximum size the log file can get before rolling over, and DeleteDays specifies how many days to keep files before automatically deleting them. ).Syslog  is used if you need to log to an external Syslog server.


<!– Version 1.2 –><!– This is the global configuration file for the TACACS+ Server

<DisabledPrompt>This account has been disabled</DisabledPrompt>
<PasswordPrompt>Password: </PasswordPrompt>
<UserNamePrompt>Username: </UserNamePrompt>
<ExpiredPasswordPrompt>The password for this account has expired</ExpiredPasswordPrompt>
<IncorrectPasswordPrompt>Incorrect Password</IncorrectPasswordPrompt>
<IncorrectUserOrPasswordPrompt>Invalid username or incorrect password</IncorrectUserOrPasswordPrompt><SocketTimeoutSecs>30</SocketTimeoutSecs>
<AccountingLog RolloverDays=”30″ RolloverMB=”10″ DeleteDays=”90″ LoggingLevel=”Information”>  </AccountingLog>
<DebugLog RolloverDays=”30″ RolloverMB=”10″ DeleteDays=”90″ LoggingLevel=”Debug”>  </DebugLog>
<SystemLog RolloverDays=”30″ RolloverMB=”10″ DeleteDays=”90″ LoggingLevel=”Information”>  </SystemLog>
<!– <Syslog Host=”″ Port=”514″ MaxLength=”1000″ Facility=”Local6″> </Syslog> -><AccountLockoutTries>6</AccountLockoutTries>


It’s now time to check config files for typo or syntax errors using tacverify tools (C:\Program Files (x86)\ folder if you installed on X64 OS version):



Restart service:

net stop && net start
The service was stopped successfully.
The service is starting.
The service was started successfully.


Open port 49 in Windows firewall:

netsh advfirewall firewall add rule name="Open port 49" dir=in action=allow protocol=tcp localport=49

From Tacacs server,test access:


C:\Program Files (x86)\>tactest.exe -k sharedsecret -u domain_user -s -p Zemun2013

Total Commands  .....................  1
Successes  ..........................  1
Failures  ...........................  0
No Results  .........................  0
Time Taken for commands  ............  0.132 secs
Avg Possible Transactions/Second  ...  7
Network Time per command  ...........  0.076 secs
Total Network time  .................  0.076 secs
<87> 2015-07-24 00:29:12 Sent Transactions/Second  ...........  6.3


 Setting Authorization


To determine level of access we need to edit  C:\ProgramData\\config\authorization.xml file.

For users in AD group tacacs (domain_user), we’ll set privilege level 7 and allow him to run telnet,show and enable commands and deny others:

<?xml version=”1.0″ encoding=”utf-8″?>
<!– Version 1.2 –>
<Authorizations xmlns:xsi=”; xmlns:xsd=””&gt;
<!–This entry will only be processed in the times given below–>
<!–This authorization section applies to the following user groups. In case of conflicting authorization entries for the same group, the entry which appears first in the file is used.–>
<UserGroup>Network Engineering</UserGroup>
<!–This authorization section applies to the following client groups. In case of conflicting authorization entries for the same client group, the entry which appears first in the file is used.–>
<!–If no client groups are specified then the settings are applied to the specified usergroups irrespective of the clients they come from–>



<Permit>.*show.*</Permit> <!–This will allow all show commands –>

<!– <Service>
<Set>protocol=ip </Set> –>
<!–these groups can run IP over PPP only if they use one of the following mandatory addresses. If they supply no address, the first one here will be mandated–>
<!–<Set>addr=</Set>–> <!–mandatory argument–>
<!–Their  mandatory input access list number is 5–>
<!–We will suggest an output access list of 10 but the NAS may choose to ignore or override it–>
<!–These are examples of vendor specific attributes(VSAs)–>
<!– </Service> –>

<!–No client group provided so this authorization section applies to the above user groups from all the clients –>

<!–this group is allowed to telnet everywhere except from addresses beginning with 161.–>
<Set>priv-lvl=7</Set> <!–Set a privilege of 7 –>
  <Permit>telnet .*</Permit>  <!–Allows telnet –>
                                   <Permit>.*show.*</Permit> <!–Allows ‘show’ commands –>
                                   <Permit>enable</Permit>   <!–Allows ‘enable’ command –>
                                   <Deny>.*</Deny>                <!–All other commands are prohibited —>


<!– The DEFAULT Authorization Profile is added by default with the Server
installation and is used to enable ALL Users full access to ALL Clients.
This group should be removed or commented out before deploying the Server
in a production environment.

<Permit>.*show.*</Permit> <!–This will allow all show commands –>
<Deny>.*</Deny>           <!–This will deny all other commands –>



Restart again service



 Configuring CISCO Router


First create local user in case if Tacacs server is unavailable,enter in config mode (config t):

username admin privilege 15 secret cisco

Enable AAA (Authorization,Authentication,Accounting)

aaa new-model


Now configure router that,for authentication,first check Tacacs server for credentials,if Tacacs is unvailable then search local database (user admin).so we need to create AAA Method list.The method list defines the types of authentication to be performed and the sequence in which they will be performed (Tacacs server and local database in our example)


aaa authentication login default group tacacs+ local

For  (AAA) to determine if a user can access the privileged command level (enable command),we need to use the aaa authentication enable default command

aaa authentication enable default group tacacs+ enable

As in previous example,router will first contact Tacacs server,if it’s unavailable,then use local database:

aaa authorization exec default group tacacs+ local

Because in this example we will implement AAA in console level,we need to configure console to use AAA authorization

aaa authorization console

Allows user to start a CLI session (a command shell). Without it, command prompt isn’t available:

aaa authorization exec default group tacacs+ local


Runs authorization for all commands at the privilege level 1 and 15

aaa authorization commands 1 default group tacacs+ local
aaa authorization commands 15 default group tacacs+ local

Configures accounting for EXEC shell session:

aaa accounting exec default start-stop group tacacs+

Set tatacas server and key.

tacacs-server host !Our tacacs server
tacacs-server key sharedsecret !(We set a key in clients.xml file)



Before testing enable debuging for authentication and authorization

debug aaa accounting
debug aaa authorization
debug tacacs+

Log off from router and try to log on as domain_user:


We can see that credentials for domain_users are accepted and that privilege level 7 was set:


You wan’t be able to execute commands not allowed in authorization.xml file:

R1#config t
% Invalid input detected at '^' marker.






  1. BMWfan says:


    nice Tutorial. What i should know is what i have to do to login on our Switch and ASA in enable mode (autoenable).

    Best Regards



  2. Wougy says:

    I made the same configuration like this tuto, but all think are working very find when I’m doing test with domain user.
    C:\Program Files (x86)\>tactest -s TacasServerIP -k Brigittetacas -u domainuser1 -p domainuser1pass
    Performing LoginASCII with reine,Kbrigitte@1,True
    Trying to open connection to TacasServerIP:49

    Received Body:
    Authentication AuthReply:
    Command Pass status = True, Message=,

    Total Commands ………………… 1
    Successes …………………….. 1
    Failures ……………………… 0
    No Results ……………………. 0
    Time Taken for commands ………… 2,312 secs
    Avg Possible Transactions/Second … 0
    Network Time per command ……….. 1,256 secs
    Total Network time …………….. 1,256 secs
    Sent Transactions/Second ……….. 0,4

    C:\Program Files (x86)\>

    But when I test on the router I have the error: “No authoritative response from any server”
    Router# test aaa group tacacs+ domainuser1 domainuser1pass legacy
    Attempting authentication test to server-group tacacs+ using tacacs+
    No authoritative response from any server

    The debug on the router give this details:
    *Feb 18 16:54:12.199: AAA/BIND(00000004): Bind i/f
    *Feb 18 16:54:12.199: AAA/ACCT/EVENT/(00000004): CALL START
    *Feb 18 16:54:12.199: Getting session id for NET(00000004) : db=673EB7E0
    *Feb 18 16:54:12.199: AAA/ACCT(00000000): add node, session 14
    *Feb 18 16:54:12.199: AAA/ACCT/NET(00000004): add, count 1
    *Feb 18 16:54:12.199: Getting session id for NONE(00000004) : db=673EB7E0
    *Feb 18 16:54:12.199: TPLUS: Queuing AAA Authentication request 4 for processing
    *Feb 18 16:54:12.199: TPLUS: processing authentication start request id 4
    *Feb 18 16:54:12.199: TPLUS: Authentication start packet created for 4()
    *Feb 18 16:54:12.199: TPLUS: Using server TacasServerIP
    *Feb 18 16:54:12.199: TPLUS(00000004)/0/NB_WAIT/671868BC: Started 5 sec timeout
    *Feb 18 16:54:12.347: TPLUS(00000004)/0/NB_WAIT: socket event 2
    *Feb 18 16:54:12.347: TPLUS(00000004)/0/NB_WAIT: wrote entire 37 bytes request
    *Feb 18 16:54:12.347: TPLUS(00000004)/0/READ: socket event 1
    *Feb 18 16:54:12.351: TPLUS(00000004)/0/READ: Would block while reading
    *Feb 18 16:54:17.199: TPLUS(00000004)/0/READ/671868BC: timed out
    *Feb 18 16:54:17.199: TPLUS: Authentication start packet created for 4()
    *Feb 18 16:54:17.199: TPLUS(00000004)/0/READ/671868BC: timed out, clean up
    *Feb 18 16:54:17.199: TPLUS(00000004)/0/671868BC: Processing the reply packet
    *Feb 18 16:54:25.779: TPLUS: Queuing AAA Authentication request 4 for processing
    *Feb 18 16:54:25.783: TPLUS: processing authentication start request id 4
    *Feb 18 16:54:25.787: TPLUS: Authentication start packet created for 4()
    *Feb 18 16:54:25.787: TPLUS: Using server TacasServerIP
    *Feb 18 16:54:25.795: TPLUS(00000004)/0/NB_WAIT/65CBCC04: Started 5 sec timeout
    *Feb 18 16:54:25.895: TPLUS(00000004)/0/NB_WAIT: socket event 2
    *Feb 18 16:54:25.899: TPLUS(00000004)/0/NB_WAIT: wrote entire 37 bytes request
    *Feb 18 16:54:25.899: TPLUS(00000004)/0/READ: socket event 1
    *Feb 18 16:54:25.903: TPLUS(00000004)/0/READ: Would block while reading
    *Feb 18 16:54:30.795: TPLUS(00000004)/0/READ/65CBCC04: timed out
    *Feb 18 16:54:30.795: TPLUS: Authentication start packet created for 4()
    *Feb 18 16:54:30.799: TPLUS(00000004)/0/READ/65CBCC04: timed out, clean up
    *Feb 18 16:54:30.799: TPLUS(00000004)/0/65CBCC04: Processing the reply packet

    Someone can help me please for troubleshooting this uses.


  3. Theofilos says:

    Great post. Thanks for sharing


  4. ip login says:

    Hello! Do you use Twitter? I’d like to follow you if that would
    be ok. I’m undoubtedly enjoying your blog and look forward
    to new updates.


  5. I like the valuable information you provide in your articles.
    I’ll bookmark your weblog and check again here regularly.
    I am quite certain I will learn many new stuff right here!
    Best of luck for the next!


  6. AcitoC says:

    I am having a problem with encrypting the password and getting the encrypted plaintext such as “Encrypted Zemun2013 is uTWkimSCBH1j8ZJB/5LPKA==”

    How can I do this? Thanks


    • mcscotty says:

      There’s a flaw in the sample code in the original article for using the tacdec program. The article lists the command to run as “tacdesmun2013” when you should run “tacdes.exe Zemun2013” instead. Try it, and you should get the appropriate DES response.

      Liked by 1 person

  7. nanpan says:

    hi , I am having problem in login with AD user credentials . I have checked the with local user created in the machine running working perpectly but domain user not allowed .I am getting error “users not belong to the specified group”. Please anyone help.


Leave a Reply

Fill in your details below or click an icon to log in: Logo

You are commenting using your account. Log Out /  Change )

Twitter picture

You are commenting using your Twitter account. Log Out /  Change )

Facebook photo

You are commenting using your Facebook account. Log Out /  Change )

Connecting to %s