AAA · TACACS Config

key [shared-secret]

Configures the shared secret key used for TACACS+ authentication between the Cisco device and the TACACS+ server.

Syntax · TACACS Config
key [shared-secret]

When to Use This Command

  • Setting up TACACS+ authentication for administrative access to network devices.
  • Configuring a shared secret for a new TACACS+ server added to the network.
  • Updating the shared secret when rotating keys for security compliance.
  • Troubleshooting TACACS+ authentication failures due to key mismatch.

Command Examples

Configure TACACS+ shared secret key

key Cisco123

No output is displayed upon successful configuration. The command sets the shared secret to 'Cisco123' for the TACACS+ server.

Verify TACACS+ key configuration

show running-config | section tacacs
tacacs server TACACS_SERVER
 address ipv4 192.168.1.100
 key Cisco123

The output shows the TACACS+ server configuration with the key 'Cisco123' under the server definition. The key is displayed in plaintext if encryption is not enabled.

Understanding the Output

The 'key' command itself produces no output. To verify the configured key, use 'show running-config | section tacacs' or 'show tacacs'. The key appears in plaintext unless 'service password-encryption' is enabled, in which case it shows as encrypted (e.g., 'key 7 0822455D0A16'). The leading 7 marks Cisco type 7 encoding, which is reversible obfuscation rather than strong encryption, so a configuration file that contains it should still be handled as sensitive. Ensure the key matches exactly on both the device and the TACACS+ server; mismatched keys cause authentication failures. A missing or incorrect key results in 'Authentication failed' messages in the logs.

CCNA Exam Tips

1. CCNA exam tip: The 'key' command is configured under 'tacacs server' configuration mode, not global config.

2. CCNA exam tip: The shared secret must match exactly on both the router and the TACACS+ server; case-sensitive.

3. CCNA exam tip: Use 'show tacacs' to verify the server status and key encryption.

4. CCNA exam tip: Remember that 'service password-encryption' encrypts the key in the running config but does not affect authentication.

Common Mistakes

Mistake 1: Configuring the key under global config mode instead of TACACS server config mode — results in 'Invalid input detected' error.

Mistake 2: Typing the key with leading/trailing spaces — causes authentication failure due to mismatch.

Mistake 3: Forgetting to apply 'service password-encryption' — the key is stored in plaintext in the config.
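
An added example, not part of the original page or any Cisco tooling: a small Python audit that reads saved running-config text, finds each 'tacacs server' block, and flags the key-storage, missing-key and trailing-space problems described above. The sample config, the extra server names (TACACS_BACKUP, TACACS_LAB, TACACS_DR) and the function names are constructed for illustration.

```python
import re

SAMPLE_CONFIG = (  # constructed excerpt; names, addresses and keys are made up
    "tacacs server TACACS_SERVER\n"
    " address ipv4 192.168.1.100\n"
    " key Cisco123\n!\n"
    "tacacs server TACACS_BACKUP\n"
    " address ipv4 192.168.1.101\n"
    " key 7 0822455D0A16\n!\n"
    "tacacs server TACACS_LAB\n"
    " address ipv4 192.168.1.102\n!\n"
    "tacacs server TACACS_DR\n"
    " address ipv4 192.168.1.103\n"
    " key Cisco123 \n!\n"  # note the trailing space after the key
)

SERVER_RE = re.compile(r"^tacacs server (\S+)\s*$")
KEY_RE = re.compile(r"^\s+key (?:(\d) )?(.+)$")  # optional digit = encoding type

def classify(key_type, secret):
    """Map one 'key' line to a list of findings."""
    if key_type == "7":
        return ["key stored as type 7 (reversible)"]
    if key_type not in (None, "0"):
        return [f"key stored as type {key_type}"]
    issues = ["key stored in plaintext"]
    if secret != secret.rstrip():
        issues.append("trailing whitespace in key")
    return issues

def audit_tacacs_keys(config_text):
    """Return {server_name: [findings]} for every 'tacacs server' block."""
    findings, current = {}, None
    for line in config_text.splitlines():
        server = SERVER_RE.match(line)
        if server:
            current = server.group(1)
            findings[current] = ["no key configured"]  # replaced once a key is seen
        elif current and line[:1].isspace():
            key = KEY_RE.match(line)
            if key:
                findings[current] = classify(*key.groups())
        else:
            current = None  # any unindented line closes the block
    return findings

if __name__ == "__main__":
    for name, issues in audit_tacacs_keys(SAMPLE_CONFIG).items():
        print(f"{name}: {', '.join(issues)}")
```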
