
tacacs

system tacacs—Configure the properties of a TACACS+ server that is used in conjunction with AAA to authorize and authenticate users who attempt to access Viptela devices.

vManage Feature Template

For all Viptela devices:

Configuration ► Templates ► AAA

Command Hierarchy

system
  tacacs
    authentication password-authentication
    server ip-address
      auth-port port-number
      priority number
      secret-key password
      source-interface interface-name
      vpn vpn-id
    timeout seconds

Options

Address of TACACS+ Server
server ip-address
IP address of a TACACS+ server host in the local network. You can configure up to 8 TACACS+ servers.

Authentication Key
secret-key password
Key to use for authentication and encryption between the Viptela device and the TACACS+ server. You can type the key as a text string from 1 to 32 characters long, which is immediately encrypted, or you can type an AES 128-bit encrypted key. The key must match the encryption key used on the TACACS+ server.

Destination Port for Authentication Requests
auth-port port-number
UDP destination port to use for authentication requests to the TACACS+ server. If the server is not used for authentication, configure the port number to be 0. If you do not configure a port number, the default TACACS+ authentication port, 49, is used.

Interface To Use To Reach Server
source-interface interface-name
Interface on the local device to use to reach the TACACS+ server.

Password Authentication
authentication authentication-type
Set the type of authentication to use for the server password. The default authentication type is PAP. You can change it to ASCII.

Server Priority
priority number
Set the priority of a TACACS+ server, as a means of choosing or load balancing among multiple TACACS+ servers. A server with a lower priority number is given priority over one with a higher number.
Range: 0 through 7
Default: 0

Time to Wait for Replies from Server
timeout seconds
Configure the interval, in seconds, that the Viptela device waits to receive a reply from the TACACS+ server before retransmitting a request.
Range: 1 through 1000
Default: 5 seconds

VPN where Server Is Located
vpn vpn-id
VPN in which the TACACS+ server is located or through which the server can be reached. If you configure multiple TACACS+ servers, they must all be in the same VPN.
Range: 0 through 65530
Default: VPN 0

Operational Commands

show running-config system tacacs

Example

Configure TACACS+:

vEdge(config)# system tacacs 
vEdge(config-tacacs)# server 1.2.3.4 secret-key $4$aCGzJg5k6M8zj4BgLEFXKw==
vEdge(config-server-1.2.3.4)# exit
vEdge(config-tacacs)# exit
vEdge(config-system)# aaa auth-order local tacacs
vEdge(config-aaa)# exit
vm5(config-system)# show configuration 
system
 aaa
  auth-order local tacacs
 !
 tacacs
  server 1.2.3.4
   secret-key $4$aCGzJg5k6M8zj4BgLEFXKw==
   vpn 1
  exit
 !
!
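The options above spell out the constraints a valid system tacacs block has to satisfy (at most 8 servers, every server in the same VPN, priority 0 through 7, timeout 1 through 1000, vpn-id 0 through 65530, a secret-key of 1 to 32 characters when typed in clear text). The following Python script is an added example, not part of this documentation or of the Viptela software: it parses show configuration output in the indentation-based format shown in the example above and reports any setting that violates those constraints, which is a useful pre-commit check before a template is pushed to many devices. The sample configuration is constructed (the page's 1.2.3.4 entry plus a deliberately broken second server); the assumption that a key stored as $4$... is the device's encrypted form, and so is not held to the 32-character limit, is the script's own.

```python
"""Lint a Viptela 'system tacacs' block against the documented constraints (added example)."""
import ipaddress

# Constraints from the option descriptions for `system tacacs`.
MAX_SERVERS = 8
PRIORITY_RANGE = (0, 7)
TIMEOUT_RANGE = (1, 1000)
VPN_RANGE = (0, 65530)
DEFAULT_VPN = 0
AUTH_TYPES = {"pap", "ascii"}

# Constructed sample: the page's example server plus a second server that has no
# secret-key, an out-of-range priority and sits in a different VPN.
SAMPLE_CONFIG = """\
system
 aaa
  auth-order local tacacs
 !
 tacacs
  timeout 5
  server 1.2.3.4
   secret-key $4$aCGzJg5k6M8zj4BgLEFXKw==
   priority 0
   vpn 1
  exit
  server 10.0.0.5
   auth-port 49
   priority 9
   vpn 0
  exit
 !
!
"""


def parse_tacacs(text):
    """Extract the tacacs block from show-configuration output.

    Nesting is given by indentation; '!' and 'exit' lines only close blocks.
    Returns {'servers': [{'address': ..., <attr>: <value>, ...}], <setting>: <value>, ...}.
    """
    tacacs = {"servers": []}
    tacacs_indent = None
    server = None
    server_indent = None
    for raw in text.splitlines():
        if not raw.strip() or raw.strip() in ("!", "exit"):
            continue
        indent = len(raw) - len(raw.lstrip())
        words = raw.split()
        if tacacs_indent is None:
            if words == ["tacacs"]:
                tacacs_indent = indent
            continue
        if indent <= tacacs_indent:  # dedented out of the tacacs block
            break
        if server is not None and indent > server_indent:
            server[words[0]] = " ".join(words[1:])  # attribute inside a server entry
            continue
        server = None
        if words[0] == "server" and len(words) == 2:
            server = {"address": words[1]}
            server_indent = indent
            tacacs["servers"].append(server)
        else:
            tacacs[words[0]] = " ".join(words[1:])  # tacacs-level setting (timeout, authentication)
    return tacacs


def _in_range(value, lo, hi):
    """True if value parses as an integer within [lo, hi]."""
    try:
        return lo <= int(value) <= hi
    except ValueError:
        return False


def lint_tacacs(tacacs):
    """Return a list of findings; an empty list means every documented constraint holds."""
    findings = []
    servers = tacacs["servers"]
    if len(servers) > MAX_SERVERS:
        findings.append(f"{len(servers)} servers configured; at most {MAX_SERVERS} are supported")
    if "timeout" in tacacs and not _in_range(tacacs["timeout"], *TIMEOUT_RANGE):
        findings.append(f"timeout {tacacs['timeout']} outside range {TIMEOUT_RANGE}")
    if "authentication" in tacacs and tacacs["authentication"] not in AUTH_TYPES:
        findings.append(f"authentication {tacacs['authentication']} is not pap or ascii")
    vpns = set()
    for s in servers:
        addr = s["address"]
        try:
            ipaddress.ip_address(addr)
        except ValueError:
            findings.append(f"server {addr}: not a valid IP address")
        if "secret-key" not in s:
            findings.append(f"server {addr}: no secret-key configured")
        elif not s["secret-key"].startswith("$4$") and not 1 <= len(s["secret-key"]) <= 32:
            # Assumption: '$4$...' is the stored encrypted form seen in the page's example,
            # so only a clear-text key is held to the documented 1-32 character limit.
            findings.append(f"server {addr}: clear-text secret-key must be 1 to 32 characters")
        if "priority" in s and not _in_range(s["priority"], *PRIORITY_RANGE):
            findings.append(f"server {addr}: priority {s['priority']} outside range {PRIORITY_RANGE}")
        if "auth-port" in s and not _in_range(s["auth-port"], 0, 65535):
            findings.append(f"server {addr}: auth-port {s['auth-port']} is not a valid port number")
        vpn = s.get("vpn", str(DEFAULT_VPN))  # unset vpn means the default, VPN 0
        if not _in_range(vpn, *VPN_RANGE):
            findings.append(f"server {addr}: vpn {vpn} outside range {VPN_RANGE}")
        vpns.add(vpn)
    if len(vpns) > 1:
        findings.append(f"servers span VPNs {sorted(vpns)}; all TACACS+ servers must be in the same VPN")
    return findings


if __name__ == "__main__":
    for finding in lint_tacacs(parse_tacacs(SAMPLE_CONFIG)) or ["no findings"]:
        print(finding)
```

Run against the constructed sample, the linter reports three findings: the second server has no secret-key, its priority 9 is outside 0 through 7, and the two servers sit in VPN 1 and VPN 0 while the documentation requires all TACACS+ servers to share one VPN. A server entry without a vpn line is treated as VPN 0, matching the documented default, which is exactly the case that silently breaks reachability when the other servers live in a service VPN.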

Release Information

Command introduced in Viptela Software Release 14.2.
source-interface command added in Release 14.3.
secret-key command added and key command deprecated in Release 15.3.8.
authentication and priority commands added in Release 16.2.2.

Additional Information

See the Configuring User Access and Authentication article for your software release.
Related commands:
aaa
admin-auth-order
auth-fallback
auth-order
radius
