How to Configure TACACS+ Server in Cisco Packet Tracer

Securing access to network devices is critical in real-world deployments. Only authenticated users should be able to connect to and configure these devices, whether remotely through Telnet or SSH or locally through a console connection.
One way to secure access to devices such as routers or switches is to use the device's local database, where usernames and passwords are authenticated on the device itself.
A more robust alternative is an AAA server. AAA, which stands for authentication, authorization, and accounting, can use either RADIUS or TACACS+ as the authentication method. With either method, a dedicated server holds the credentials of the users authorized to access network devices. When a PC attempts to access a router or switch, it must supply a username and password, which the device forwards to the server for verification, in this case over TACACS+.
The process of securing network access can be broken down into three key components: authentication, authorization, and accounting. Authentication entails verifying the identity of the connecting user by requesting credentials. Authorization dictates the actions permissible for authenticated users on network devices. Accounting involves tracking and logging user activities for auditing and billing purposes.
In this blog post, I will show you how to configure a TACACS+ server using a sample network topology. If you would like to learn RADIUS server configuration, we have a separate post on how to configure a RADIUS server in Packet Tracer.

Network Topology

The network topology depicted in the image below comprises a router, a TACACS+ server, a switch, and two PCs. Our objective in this demonstration is to enable TACACS+ AAA services on the TACACS+ Server, configure access authentication between the router and the TACACS+ server, and create users for both PC1 and PC2 on the TACACS+ server. PC1 will utilize a console connection to access Router1, while PC2 will use Telnet.

Network topology for TACACS+ server configuration

How to Configure TACACS+ Server in Cisco Packet Tracer

Here are the steps to configure TACACS+ Server in Cisco Packet Tracer using the network topology shown above.

Step 1: Enable TACACS+ AAA Services on the TACACS Server

Click on the TACACS+ server and navigate to Services > AAA to enable the AAA service. Select TACACS+ as the authentication protocol, then set the required parameters, such as the radius port and the secret key.

Configuring TACACS+ Server

The IP address entered in the client IP field is the address of the router whose access is being secured. The secret key acts as a shared passphrase that authenticates the exchange between the router and the server. The radius port field specifies the port on which TACACS+ authentication requests and responses are exchanged.

Step 2: Create Users on the TACACS Server

In the network topology, we have two users that are trying to gain access to the router: PC1 and PC2. PC1 will connect using a console connection, and PC2 will connect using Telnet. We need two users, one for PC1 and the other for PC2.

Creating users on the TACACS+ server

Step 3: Configure the interfaces of the router

Assign the IP address to the router interface as labelled in the network topology:

R1(config)#interface gigabitEthernet0/1
R1(config-if)#ip address 192.168.12.1 255.255.255.0
R1(config-if)#no shutdown
R1(config-if)#exit

Step 4: Configure Local Authentication on the Router

R1(config)#aaa new-model
R1(config)#aaa authentication login default local
R1(config)#username admin privilege 15 password cisco
R1(config)#enable secret cisco

Here is a brief description of each of the above commands.

  1. aaa new-model: This command enables AAA services on the router.
  2. aaa authentication login default local: This command specifies that for login authentication, the router should use the local username database.
  3. username admin privilege 15 password cisco: This command creates a local username called “admin” with privilege level 15 (the highest privilege level, equivalent to “enable” mode) and assigns the password “cisco” to this username. This username/password pair will be used for authentication if the aaa authentication login default command is configured to use local authentication.
  4. enable secret cisco: This command sets the enable secret password to “cisco.” This password is used to protect privileged mode access (enable mode). When users try to enter enable mode, they will be prompted to enter this password.

Step 5: Enable TACACS-based authentication on the router

R1(config)#aaa authentication login TACACS+ group tacacs+
R1(config)#tacacs-server host 192.168.12.254 key 123456

Here is a brief description of the above commands:

  1. R1(config)#aaa authentication login TACACS+ group tacacs+:
    • It specifies that TACACS+ (Terminal Access Controller Access Control System Plus) is the authentication method to be used.
    • The keyword “group” indicates that a group of TACACS+ servers will be used for authentication.
    • The term “tacacs+” refers to the server group containing the TACACS+ servers defined in the configuration (here with tacacs-server host).
  2. R1(config)#tacacs-server host 192.168.12.254 key 123456:
    • This command is configuring the router (R1) to use a TACACS+ server for authentication.
    • It specifies the IP address of the TACACS+ server (192.168.12.254) to which authentication requests will be sent.
    • The “key” parameter specifies the shared secret key (123456) used for encrypting communication between the router and the TACACS+ server.

Step 6: Apply authentication settings to console & VTY lines

R1(config)#line console 0
R1(config-line)#login authentication default
R1(config-line)#exit

R1(config)#line vty 0 4
R1(config-line)#login authentication TACACS+
R1(config-line)#exit

Here is a brief explanation of each of the above commands;

  1. line console 0: This command enters configuration mode for the console line.
  2. login authentication default: This command specifies that authentication for the console line should use the default method configured earlier, which is local authentication.
  3. line vty 0 4: This command enters configuration mode for the VTY lines (Telnet or SSH connections).
  4. login authentication TACACS+: This command specifies that authentication for the VTY lines should use the TACACS+ method configured earlier.
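Steps 5 and 6 together decide which credentials work on which line, and it is easy to lose track of that once a configuration grows. The following Python script is an added example, not part of the original post, that audits an IOS-style configuration for exactly the points covered above: whether aaa new-model is on, which login method list each line uses, whether a list that points at a server group has any TACACS+ server defined, and whether such a list has a fallback method. The sample configuration is constructed to mirror the commands on this page, and the parser only understands the legacy tacacs-server host form used here.

```python
import re

# Constructed running-config excerpt that mirrors the router commands on this page.
SAMPLE_CONFIG = """\
aaa new-model
aaa authentication login default local
aaa authentication login TACACS+ group tacacs+
username admin privilege 15 password cisco
enable secret cisco
tacacs-server host 192.168.12.254 key 123456
line console 0
 login authentication default
line vty 0 4
 login authentication TACACS+
"""


def parse_aaa(config: str) -> dict:
    """Collect login method lists, line-to-list bindings and TACACS+ servers.

    Only the legacy `tacacs-server host` form used on this page is recognised.
    """
    lists, bindings, servers = {}, {}, []
    new_model = False
    current_line = None
    for raw in config.splitlines():
        if not raw.strip():
            continue
        indented = raw.startswith(" ")
        text = raw.strip()
        if not indented:
            current_line = None  # a top-level command leaves the line sub-mode
        if text == "aaa new-model":
            new_model = True
        elif m := re.match(r"aaa authentication login (\S+) (.+)$", text):
            lists[m.group(1)] = m.group(2).split()
        elif m := re.match(r"tacacs-server host (\S+)", text):
            servers.append(m.group(1))
        elif m := re.match(r"line (.+)$", text):
            current_line = m.group(1)
        elif indented and current_line and (m := re.match(r"login authentication (\S+)", text)):
            bindings[current_line] = m.group(1)
    return {"new_model": new_model, "lists": lists, "bindings": bindings, "servers": servers}


def audit(config: str) -> list:
    """Return findings about the login method lists; an empty list means nothing was flagged."""
    info = parse_aaa(config)
    findings = []
    if not info["new_model"]:
        findings.append("aaa new-model is missing, so the method lists are not in effect")
    for line, list_name in info["bindings"].items():
        methods = info["lists"].get(list_name)
        if methods is None:
            findings.append(f"line {line}: login list {list_name} is not defined")
            continue
        remote = "group" in methods  # any server group is a remote method
        if remote and not info["servers"]:
            findings.append(f"line {line}: list {list_name} uses a server group but no tacacs-server host is configured")
        if remote and "local" not in methods and "enable" not in methods:
            findings.append(
                f"line {line}: list {list_name} ({' '.join(methods)}) has no fallback method; "
                "if the TACACS+ server is unreachable, nobody can log in on this line"
            )
    return findings


if __name__ == "__main__":
    for finding in audit(SAMPLE_CONFIG) or ["no findings"]:
        print(finding)
```

Run against the page's configuration, the script reports one finding: line vty 0 4 uses the TACACS+ list, which contains only group tacacs+. IOS moves on to the next method in a list only when the current method returns an error (for example, the server does not answer), not when it rejects the credentials, so appending local to that list keeps the behaviour shown in the test section for PC2 while preventing a lockout of the VTY lines if the server goes down. The console line already uses local authentication only, which is why PC1 can still log in as admin even when the TACACS+ server is unavailable.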

Step 7: Testing the Configuration

We can test the configuration by trying to access the router from both PC1 and PC2. We will use a console connection on PC1 and a telnet connection on PC2.

On PC1:

Connect to R1 through the console. You will be asked for a username and password before you can access the router.

Console to R1

User Access Verification

Username: admin
Password: cisco
R1>enable
Password: cisco
R1#

User Access Verification

Username: user1
Password: cisco
% Login invalid

Username: user2
Password: cisco
% Login invalid

On PC2:

When you connect to the router, you will be asked for a password and username before you can access the router configuration terminal.

C:\>telnet 192.168.12.1
Trying 192.168.12.1 ...Open


User Access Verification

Username: admin
Password: cisco
% Login invalid

Username: user1
Password: cisco
R1>enable
Password: cisco
R1#

Username: user2
Password: cisco
R1>enable
Password: cisco
