TACACS.net Server: Cisco IOS and NX-OS Configurations for TACACS+ AAA

“TACACS+ is an Authentication, Authorization, and Accounting (AAA) protocol originally developed for the U.S. Department of Defense for authentication to network devices such as routers, switches, and firewalls. Unlike RADIUS, it separates the Authentication and Authorization functionalities, which makes it more flexible for administrative access. The current version of the protocol standard was developed by Cisco Systems.”

That gives you a good idea of what TACACS+ is used for. TACACS.net is a freeware application that turns any Windows Server installation into a TACACS+ server. I found that it made the most sense to place the TACACS+ server on the Domain Controller, since directory lookups are then local and fastest, but if your security model requires the roles to be separated, stay in compliance and spin up another Windows server for the TACACS+ role.

Below is the configuration for using a TACACS.net server with Cisco MDS series fabric switches and Cisco Nexus 7000 switches. Both the Nexus and the MDS run the same NX-OS operating system at the core, but they are defined as separate client groups in the TACACS.net server (each with its own pre-shared key, as in the examples below). These have been tested and verified working! Enjoy!

Configuration files for TACACS.net

  • tacplus.xml
  • authentication.xml
  • authorization.xml
  • clients.xml

Download the configuration bundle: TACACS+ Configuration Bundle

Cisco Nexus 7K/5K & MDS 9124/9148 Configuration

ip domain-name northwind.lan
ip name-server 10.10.10.1 10.10.10.2
feature tacacs+
! Global pre-shared key; it must match the key of the TACACS.net client group for the SAN switches.
tacacs-server key mds_preshared_key
tacacs-server host tacacs-server-1.northwind.lan
tacacs-server host tacacs-server-2.northwind.lan
aaa group server tacacs+ san_admin
server tacacs-server-1.northwind.lan
server tacacs-server-2.northwind.lan
! If the servers are reachable only through mgmt0, add "use-vrf management" inside this group.
exit
! TACACS+ first, local accounts only when no server answers.
aaa authentication login default group san_admin local
! Added here: send session accounting to the same group (the original post only configured accounting on IOS).
aaa accounting default group san_admin

NOTE: The Nexus 7000 and the MDS series switches both run NX-OS, so the commands above are the same for the MDS series as for the Nexus product lines. The SAN-OS-era `tacacs+ enable` command is superseded by `feature tacacs+` on NX-OS, so it is not needed here. If you have an MDS switch still running SAN-OS, the commands above will not work.

Cisco IOS Configuration

ip domain-name northwind.lan
ip name-server 10.10.10.1
ip name-server 10.10.10.2
aaa new-model
! Legacy per-host syntax; IOS 15.x and IOS-XE deprecate it in favour of "tacacs server NAME" blocks.
tacacs-server host tacacs-server-1.northwind.lan key ios_preshared_key
tacacs-server host tacacs-server-2.northwind.lan key ios_preshared_key
! Server group referenced by the method lists below. The original post did not define it;
! membership is assumed to be the two hosts above (use their IP addresses if your release rejects hostnames here).
aaa group server tacacs+ network_admins
 server tacacs-server-1.northwind.lan
 server tacacs-server-2.northwind.lan
aaa authentication login default group network_admins local
aaa authentication enable default group network_admins enable
! Added: exec authorization is what applies the privilege level the TACACS+ server returns at login.
aaa authorization exec default group network_admins local
aaa authorization config-commands
! "none" as the fallback means command authorization fails open when no server answers; change it to "local" if that is not acceptable.
aaa authorization commands 0 default group network_admins none
aaa authorization commands 1 default group network_admins none
aaa authorization commands 15 default group network_admins none
aaa accounting exec default start-stop group network_admins
aaa accounting commands 15 default start-stop group network_admins
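Both configurations hand the switch a pre-shared key (`mds_preshared_key`, `ios_preshared_key`). It is worth seeing what that key actually does on the wire, because TACACS+ does not encrypt in the usual sense: the packet body is XORed with an MD5 keystream derived from the session id, the key, the version byte and the sequence number (RFC 8907, section 4.5), and a header flag can switch the obfuscation off entirely. The following Python is an added example, not code from the original post or from TACACS.net. It frames an authentication START packet for a PAP login, obfuscates it, and then shows what a capture of TCP/49 reveals with the right key, with a wrong key, and with the unencrypted flag set. The key, session id, username, port and password are constructed for the example.

```python
"""TACACS+ (RFC 8907) framing and body obfuscation, to show what the
pre-shared key in the switch configs actually protects.  Added example;
the key, session id and user fields below are constructed, not captured."""
import hashlib
import struct

# Header: version, type, seq_no, flags, session_id, body length (12 bytes, network order).
HEADER = struct.Struct("!BBBBII")
VERSION_PAP = 0xC1               # major 0xC, minor 1 (PAP/CHAP logins use minor version 1)
TAC_PLUS_AUTHEN = 0x01
TAC_PLUS_UNENCRYPTED_FLAG = 0x01
TAC_PLUS_AUTHEN_LOGIN = 0x01
TAC_PLUS_AUTHEN_TYPE_PAP = 0x02
TAC_PLUS_AUTHEN_SVC_LOGIN = 0x01
AUTHEN_START = struct.Struct("!BBBBBBBB")  # action, priv_lvl, authen_type, service, 4 lengths


def keystream(session_id, key, version, seq_no, length):
    """pseudo_pad = MD5_1 || MD5_2 || ... where MD5_1 = MD5(session_id || key || version || seq_no)
    and MD5_n = MD5(session_id || key || version || seq_no || MD5_{n-1})."""
    prefix = struct.pack("!I", session_id) + key + bytes([version, seq_no])
    pad, block = b"", b""
    while len(pad) < length:
        block = hashlib.md5(prefix + block).digest()
        pad += block
    return pad[:length]


def xor_body(body, session_id, key, version, seq_no):
    """Obfuscate or de-obfuscate: a plain XOR, so the function is its own inverse."""
    pad = keystream(session_id, key, version, seq_no, len(body))
    return bytes(a ^ b for a, b in zip(body, pad))


def build_packet(ptype, seq_no, session_id, body, key, version=VERSION_PAP, unencrypted=False):
    """Frame a body; unencrypted=True sets TAC_PLUS_UNENCRYPTED_FLAG and sends it in clear."""
    flags = TAC_PLUS_UNENCRYPTED_FLAG if unencrypted else 0
    wire = body if unencrypted else xor_body(body, session_id, key, version, seq_no)
    return HEADER.pack(version, ptype, seq_no, flags, session_id, len(body)) + wire


def parse_packet(packet, key):
    """Split header from body and undo the obfuscation with the given key."""
    version, ptype, seq_no, flags, session_id, length = HEADER.unpack_from(packet)
    wire = packet[HEADER.size:HEADER.size + length]
    if len(wire) != length:
        raise ValueError("truncated TACACS+ packet")
    body = wire if flags & TAC_PLUS_UNENCRYPTED_FLAG else xor_body(wire, session_id, key, version, seq_no)
    return {"version": version, "type": ptype, "seq_no": seq_no, "flags": flags,
            "session_id": session_id, "body": body}


def build_authen_start(user, port, rem_addr, password, priv_lvl=1):
    """Authentication START for a PAP login: the password travels in the data field."""
    fields = [s.encode() for s in (user, port, rem_addr, password)]
    if any(len(f) > 255 for f in fields):
        raise ValueError("START fields are limited to 255 bytes")
    return AUTHEN_START.pack(TAC_PLUS_AUTHEN_LOGIN, priv_lvl, TAC_PLUS_AUTHEN_TYPE_PAP,
                             TAC_PLUS_AUTHEN_SVC_LOGIN, *map(len, fields)) + b"".join(fields)


def parse_authen_start(body):
    """Inverse of build_authen_start; rejects bodies whose lengths do not add up."""
    action, priv_lvl, authen_type, service, *lens = AUTHEN_START.unpack_from(body)
    if len(body) != AUTHEN_START.size + sum(lens):
        raise ValueError("START body length mismatch (wrong key?)")
    parsed = {"action": action, "priv_lvl": priv_lvl, "authen_type": authen_type, "service": service}
    off = AUTHEN_START.size
    for name, n in zip(("user", "port", "rem_addr", "data"), lens):
        parsed[name] = body[off:off + n]
        off += n
    return parsed


def demo():
    """Round-trip a START packet and show what a capture leaks with and without the key."""
    key = b"ios_preshared_key"      # same string as the IOS config above (constructed example)
    session_id = 0x1A2B3C4D         # constructed; real clients choose this at random
    body = build_authen_start("jsmith", "tty1", "10.10.10.55", "hunter2")
    pkt = build_packet(TAC_PLUS_AUTHEN, 1, session_id, body, key)
    clear_pkt = build_packet(TAC_PLUS_AUTHEN, 1, session_id, body, key, unencrypted=True)
    return {
        "with_key": parse_authen_start(parse_packet(pkt, key)["body"]),
        "password_visible_obfuscated": b"hunter2" in pkt,
        "password_visible_unencrypted": b"hunter2" in clear_pkt,
        "wrong_key_body": parse_packet(pkt, b"wrong-key")["body"],
    }


if __name__ == "__main__":
    for name, value in demo().items():
        print(name, value)
```

The practical consequences for the configs above: the key is the only thing standing between a packet capture of TCP/49 and every administrator password, so make it long and random (not a word like the placeholders), keep a different key per client group as the post already does for MDS and IOS, keep the traffic on a management network, and configure the server to reject packets that carry the unencrypted flag.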
