TACACS+ Configuration Example

The following command enables the TACACS+ client on this device:

System(rw)->set tacacs enable

The following commands configure and verify two TACACS+ servers for this device at indexes 1 and 2. Index 1 has an IP address of 10.10.10.20 on port 49 with a secret of mysecret1. Index 2 has an IP address of 10.10.10.30 on port 49 with a secret of mysecret2. The server timeout value remains at the default of 10 seconds.

System(rw)->set tacacs server 1 10.10.10.20 49 mysecret1
System(rw)->set tacacs server 2 10.10.10.30 49 mysecret2
System(rw)->show tacacs server all
 TACACS+ Server  IP Address       Port   Timeout  Status
 --------------  ---------------  -----  -------  -------
 1               10.10.10.20      49     10       Active
 2               10.10.10.30      49     10       Active
System(rw)->

The following commands enable and verify session authorization for the exec service:

System(rw)->set tacacs session authorization service exec
System(rw)->show tacacs session authorization
 TACACS+ service:                      exec
 TACACS+ session authorization A-V pairs:
         access level attribute                         value
         read-only   'priv-lvl'                         '0'
         read-write  'priv-lvl'                         '1'
         super-user  'priv-lvl'                         '15'
System(rw)->

The following commands enable and verify session accounting, then enable both accounting and authorization on a per-command basis, for this device:

System(rw)->set tacacs session accounting enable
System(rw)->show tacacs session accounting
 TACACS+ session accounting state:     enabled
System(rw)->set tacacs command accounting enable
System(rw)->set tacacs command authorization enable
System(rw)->

The following command enables the TCP single connection feature for this device:

System(rw)->set tacacs singleconnect
System(rw)->
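
The show output in this example can serve as a baseline for a configuration drift check. The Python below is an added example, not part of the original documentation or any vendor tooling: it parses captured output of the show commands above and reports deviations in the server list, the priv-lvl mapping and the session accounting state. The function names, the baseline constants and the drifted sample are assumptions made for the illustration.

```python
# Expected state, taken from the configuration example on this page.
BASELINE_SERVERS = {1: ("10.10.10.20", "49"), 2: ("10.10.10.30", "49")}
BASELINE_LEVELS = {"read-only": "0", "read-write": "1", "super-user": "15"}

def parse(text):
    """Extract server rows, priv-lvl mappings and accounting state from show output."""
    servers, levels, accounting = {}, {}, None
    for line in text.splitlines():
        parts = line.split()
        if len(parts) == 5 and parts[0].isdigit():          # server table row
            servers[int(parts[0])] = (parts[1], parts[2], parts[4])
        elif len(parts) == 3 and parts[1] == "'priv-lvl'":  # A-V pair row
            levels[parts[0]] = parts[2].strip("'")
        elif "session accounting state:" in line:
            accounting = parts[-1]
    return servers, levels, accounting

def audit(text):
    """Return a list of deviations from the baseline; an empty list means no drift."""
    servers, levels, accounting = parse(text)
    findings = []
    for idx, (ip, port) in sorted(BASELINE_SERVERS.items()):
        got = servers.get(idx)
        if got != (ip, port, "Active"):
            findings.append(f"server {idx}: expected {ip}:{port} Active, got {got}")
    for idx in sorted(set(servers) - set(BASELINE_SERVERS)):
        findings.append(f"unexpected server {idx} at {servers[idx][0]}")
    for level, want in BASELINE_LEVELS.items():
        if levels.get(level) != want:
            findings.append(f"{level} priv-lvl is {levels.get(level)!r}, expected {want!r}")
    if accounting != "enabled":
        findings.append("session accounting not confirmed enabled")
    return findings

# Output lines as shown on this page.
PAGE_OUTPUT = """\
 TACACS+ Server  IP Address       Port   Timeout  Status
 --------------  ---------------  -----  -------  -------
 1               10.10.10.20      49     10       Active
 2               10.10.10.30      49     10       Active
         read-only   'priv-lvl'                         '0'
         read-write  'priv-lvl'                         '1'
         super-user  'priv-lvl'                         '15'
 TACACS+ session accounting state:     enabled
"""
# Constructed drift: server 2 row dropped, read-write mapped to priv-lvl 15.
DRIFTED = "\n".join(l for l in PAGE_OUTPUT.splitlines()
                    if "10.10.10.30" not in l).replace("'1'", "'15'")
```

Calling audit(PAGE_OUTPUT) returns an empty list, while audit(DRIFTED) reports the missing second server and the read-write level mapped to priv-lvl 15.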