tacacs server [name]
Defines a TACACS+ server with a name and enters TACACS server configuration mode to set parameters like key, timeout, and port for AAA authentication.
When to Use This Command
- Configuring a primary TACACS+ server for network device authentication in a corporate network.
- Adding a backup TACACS+ server for redundancy when the primary server is unreachable.
- Setting up TACACS+ for centralized authentication, authorization, and accounting (AAA) on Cisco routers and switches.
- Configuring multiple TACACS+ servers with different keys for different administrative domains.
Command Examples
Basic TACACS+ Server Configuration
tacacs server TACACS-SERVER-1
address ipv4 192.168.1.100
key cisco123
timeout 10
single-connection
exit

Router(config)# tacacs server TACACS-SERVER-1
Router(config-server-tacacs)# address ipv4 192.168.1.100
Router(config-server-tacacs)# key cisco123
Router(config-server-tacacs)# timeout 10
Router(config-server-tacacs)# single-connection
Router(config-server-tacacs)# exit
Router(config)#
The command enters TACACS server configuration mode for the server named 'TACACS-SERVER-1'. 'address ipv4' sets the server IP to 192.168.1.100. 'key' sets the shared secret to 'cisco123'. 'timeout' sets the wait time to 10 seconds before the server is considered unreachable. 'single-connection' enables a persistent TCP connection for performance. 'exit' returns to global configuration mode.
Configuring a Backup TACACS+ Server
tacacs server TACACS-BACKUP
address ipv4 10.0.0.1
key backupkey456
port 49
timeout 5
exit

Router(config)# tacacs server TACACS-BACKUP
Router(config-server-tacacs)# address ipv4 10.0.0.1
Router(config-server-tacacs)# key backupkey456
Router(config-server-tacacs)# port 49
Router(config-server-tacacs)# timeout 5
Router(config-server-tacacs)# exit
Router(config)#
Defines a backup TACACS+ server at 10.0.0.1 with key 'backupkey456'. 'port 49' explicitly sets the TACACS+ port (default is 49). 'timeout 5' sets a shorter timeout for faster failover. This server will be used if the primary is unreachable.
Understanding the Output
The 'tacacs server [name]' command does not produce direct output; it enters a configuration submode. The output shown is the change in the CLI prompt, which indicates that you are in TACACS server configuration mode. The key fields to verify are the server IP address (must be reachable), the shared secret key (must match the server), the timeout (should be adequate for network latency), and the port (default 49; change it only if the server uses a non-standard port). Use 'show tacacs' to verify the server status and statistics.
CCNA Exam Tips
CCNA exam tip: Remember that 'tacacs server' is used for TACACS+ (not RADIUS). TACACS+ uses TCP port 49 by default and encrypts the entire body of the packet.
CCNA exam tip: The 'single-connection' command is optional but improves performance by reusing a single TCP connection; know that it is a TACACS+-specific feature.
CCNA exam tip: You must configure a TACACS+ server group (e.g., 'aaa group server tacacs+') and apply it under 'aaa authentication login' to use the defined servers.
CCNA exam tip: The key must be identical on both the Cisco device and the TACACS+ server; a mismatch causes authentication failures.
Common Mistakes
Mistake 1: Forgetting to configure the key on both the device and the TACACS+ server, causing authentication to fail.
Mistake 2: Using the wrong IP address or port; verify connectivity with 'test aaa' or 'debug tacacs'.
Mistake 3: Not creating a server group and applying it to AAA authentication; the server definition alone does not enable TACACS+ authentication.
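The mistakes above can be checked offline against a saved running-config. The following audit script is an added example, not part of the original page or any Cisco tooling; the group name TAC-GROUP and the sample configuration are constructed, and it assumes the usual running-config layout where sub-commands are indented under their parent line.

```python
import re

# Constructed running-config excerpt (sample input, not from the page).
# TACACS-BACKUP has no key and was never added to the server group.
SAMPLE_CONFIG = """\
aaa new-model
aaa group server tacacs+ TAC-GROUP
 server name TACACS-SERVER-1
aaa authentication login default group TAC-GROUP local
tacacs server TACACS-SERVER-1
 address ipv4 192.168.1.100
 key cisco123
tacacs server TACACS-BACKUP
 address ipv4 10.0.0.1
"""

def audit_tacacs(config):
    """Return findings for TACACS+ servers that are defined but not usable for login."""
    servers, groups, current = {}, {}, None
    lines = config.splitlines()
    for line in lines:
        if line[:1].isspace():                  # sub-command of the current block
            if current is not None:
                current.append(line.strip())
            continue
        m = re.match(r"(tacacs server|aaa group server tacacs\+) (\S+)\s*$", line)
        table = servers if m and m.group(1) == "tacacs server" else groups
        current = table.setdefault(m.group(2), []) if m else None
    findings = []
    if "aaa new-model" not in (l.strip() for l in lines):
        findings.append("aaa new-model is not enabled")
    login = [l for l in lines if l.startswith("aaa authentication login ")]
    used_groups = {g for l in login for g in re.findall(r"\bgroup (\S+)", l)}
    grouped = {s.split()[-1] for g, cmds in groups.items() if g in used_groups
               for s in cmds if s.startswith("server name ")}
    if "tacacs+" in used_groups:                # built-in group: every defined server
        grouped |= set(servers)
    for name, cmds in servers.items():
        for needed in ("address", "key"):
            if not any(c.startswith(needed + " ") for c in cmds):
                findings.append(f"{name}: no {needed} configured")
        if name not in grouped:
            findings.append(f"{name}: not in any server group used by aaa authentication login")
    for g in groups:
        if g not in used_groups:
            findings.append(f"group {g}: not referenced by aaa authentication login")
    return findings

if __name__ == "__main__":
    print("\n".join(audit_tacacs(SAMPLE_CONFIG)))
```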
Related Commands
aaa authentication login default group radius local
Configures AAA authentication for login using a RADIUS server group as the primary method, falling back to local authentication if the RADIUS server is unreachable.
aaa new-model
Enables AAA (Authentication, Authorization, and Accounting) security services on a Cisco device, required before configuring any AAA commands.