Imagine your network is a building with a single key that opens every door. That's local authentication on Cisco devices—convenient but a security nightmare. AAA with TACACS+ gives you a central guard who checks IDs, logs every entry, and can revoke access instantly. For the CCNA 200-301 exam (objective 5.3), you must know how to configure AAA on Cisco IOS devices using TACACS+ for authentication, authorization, and accounting. This lab walks you through a real-world deployment that secures device administration.
Think of your network as a high-end hotel. Without AAA, each room (router, switch) has its own lock with a physical key. If a guest (admin) loses a key or checks out, you must change every lock. That's local authentication—unmanageable at scale. Now consider a hotel with a central key card system. The front desk (TACACS+ server) issues a card encoded with the guest's room number, floor access, and checkout time. When the guest swipes the card at an elevator (router), the elevator sends the card's ID to the front desk. The desk checks: Is this card valid? What floors can this guest access? Should I log this entry? The elevator doesn't store any guest data—it just asks and obeys. If a guest overstays, the front desk deactivates the card; no need to change elevator locks.
In networking, AAA with TACACS+ separates authentication (who you are), authorization (what you can do), and accounting (what you did). TACACS+ encrypts the entire packet body, including the username and password; only the 12-byte header travels in cleartext. RADIUS, by contrast, encrypts only the password. That, together with its per-command authorization, makes TACACS+ the preferred protocol for device administration (router/switch login). The hotel analogy holds: the elevator (network device) trusts the front desk (TACACS+ server) to make access decisions, logs every floor change, and can restrict which buttons work for each guest.
AAA stands for Authentication, Authorization, and Accounting—a framework for controlling access to network resources. TACACS+ (Terminal Access Controller Access-Control System Plus) is a Cisco-proprietary protocol that provides separate AAA services. Unlike RADIUS (IETF standard), TACACS+ uses TCP port 49, encrypts the entire payload, and separates each A in AAA, allowing different servers for authentication, authorization, and accounting. On the CCNA exam, you must configure a Cisco router or switch to use a TACACS+ server for administrative access (SSH or console). The exam tests your ability to define a TACACS+ server, create a method list, and apply it to login.
How TACACS+ Works Step by Step
The admin initiates an SSH session to the router. The router sees that login authentication is configured to use a TACACS+ method list.
The router sends a TACACS+ authentication START packet to the server (the address configured under tacacs server). For an SSH session the username is already known, so START carries it; for a console login the router may send START without a username.
The server replies with a GETPASS packet (or GETUSER first, if it still needs the username). The router displays the prompt and collects the password.
The router sends a CONTINUE packet with the password. The server checks credentials and sends a PASS or FAIL response.
If authentication passes, the router may send an Authorization REQUEST packet to determine privilege level or command access. The server responds with PASS or FAIL, optionally including a privilege level.
When the session begins the router sends an accounting START record, and when it ends a STOP record, so the server has both the login time and the session duration.
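The exchange above, and the claim that TACACS+ hides everything except the header, are easiest to see by building a packet. The following Python is an added example for this lab, not code from the page or from Cisco IOS. It assembles an authentication START packet for the constructed username admin, port tty1, remote address 10.1.1.50 and session ID 0x12345678, applies the MD5 pseudo-pad XOR from RFC 8907 section 4.5 (the mechanism the exam calls "encryption") with the shared key Cisco123, and checks what a sniffer would see: the header in the clear, the username unreadable, and the body recoverable only with the exact key (a key differing only in case yields garbage, which is why the lab stresses that the key is case-sensitive).

```python
"""TACACS+ authentication START packet with RFC 8907 body obfuscation.
Added example for this lab; not code from the page or from Cisco IOS.
Username, port, remote address, session ID and keys are constructed."""
import hashlib
import struct

TAC_PLUS_MAJOR_VER = 0xC           # major version 12
TAC_PLUS_MINOR_VER_DEFAULT = 0x0
TAC_PLUS_AUTHEN = 0x01             # header type: authentication
TAC_PLUS_UNENCRYPTED_FLAG = 0x01   # header flag: body sent in cleartext

TAC_PLUS_AUTHEN_LOGIN = 0x01       # START action
TAC_PLUS_AUTHEN_TYPE_ASCII = 0x01  # interactive username/password
TAC_PLUS_AUTHEN_SVC_LOGIN = 0x01   # service: login


def pseudo_pad(session_id, key, version, seq_no, length):
    """pad = MD5_1 || MD5_2 || ... truncated to `length`, where
    MD5_1 = MD5(session_id || key || version || seq_no) and
    MD5_n = MD5(session_id || key || version || seq_no || MD5_{n-1})."""
    prefix = struct.pack("!I", session_id) + key + bytes([version, seq_no])
    pad, prev = b"", b""
    while len(pad) < length:
        prev = hashlib.md5(prefix + prev).digest()
        pad += prev
    return pad[:length]


def obfuscate(body, session_id, key, version, seq_no):
    """XOR the body with the pseudo-pad; applying it twice restores the body."""
    pad = pseudo_pad(session_id, key, version, seq_no, len(body))
    return bytes(b ^ p for b, p in zip(body, pad))


def build_authen_start(username, port, rem_addr, priv_lvl=1):
    """Authentication START body: 8 fixed bytes, then the variable fields.
    For an ASCII login the data field is empty; the password follows in CONTINUE."""
    user, port_b, rem, data = username.encode(), port.encode(), rem_addr.encode(), b""
    fixed = struct.pack("!8B", TAC_PLUS_AUTHEN_LOGIN, priv_lvl,
                        TAC_PLUS_AUTHEN_TYPE_ASCII, TAC_PLUS_AUTHEN_SVC_LOGIN,
                        len(user), len(port_b), len(rem), len(data))
    return fixed + user + port_b + rem + data


def build_packet(body, session_id, key, seq_no=1, encrypt=True):
    """12-byte cleartext header followed by the (obfuscated) body."""
    version = (TAC_PLUS_MAJOR_VER << 4) | TAC_PLUS_MINOR_VER_DEFAULT  # 0xC0
    flags = 0 if encrypt else TAC_PLUS_UNENCRYPTED_FLAG
    payload = obfuscate(body, session_id, key, version, seq_no) if encrypt else body
    header = struct.pack("!BBBBII", version, TAC_PLUS_AUTHEN, seq_no, flags,
                         session_id, len(body))
    return header + payload


def parse_packet(packet, key):
    """What the receiver does: read the header, then de-obfuscate with its own key."""
    version, ptype, seq_no, flags, session_id, length = struct.unpack("!BBBBII", packet[:12])
    body = packet[12:12 + length]
    if not flags & TAC_PLUS_UNENCRYPTED_FLAG:
        body = obfuscate(body, session_id, key, version, seq_no)
    return {"version": version, "type": ptype, "seq_no": seq_no,
            "session_id": session_id, "body": body}


def demo(key=b"Cisco123", wrong_key=b"cisco123"):
    """Show what is and is not readable on the wire (all values constructed)."""
    body = build_authen_start("admin", "tty1", "10.1.1.50")
    session_id = 0x12345678  # IOS chooses a random 32-bit value per session
    wire = build_packet(body, session_id, key)
    return {
        "header_hex": wire[:12].hex(),
        "username_visible_on_wire": b"admin" in wire,
        "username_visible_unencrypted": b"admin" in build_packet(body, session_id, key, encrypt=False),
        "decoded_with_right_key": parse_packet(wire, key)["body"] == body,
        "decoded_with_wrong_key": parse_packet(wire, wrong_key)["body"] == body,
    }


if __name__ == "__main__":
    for name, value in demo().items():
        print(f"{name}: {value}")
```

Two points worth noticing when you run it: the header (version 0xC0, type, sequence number, flags, session ID, length) is exactly what `show tacacs` and `debug tacacs` talk about, and it is readable by anyone on the path; and the "encryption" is a keyed MD5 stream, so it protects credentials from casual capture but offers no integrity check, which is one reason the TACACS+ path between device and server should itself be on a protected management network.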
Key States, Timers, and Defaults
Default timeout: The router waits 5 seconds for a TACACS+ server response. Configurable with timeout under tacacs server.
Default port: TCP 49.
Key: A shared secret (case-sensitive) must match on both router and server. Configured with key under tacacs server.
Method list order: Within group tacacs+, the router tries the servers in the order they were defined. If a server does not answer before the timeout, it tries the next one. Only when no server responds at all does the router move on to the next method in the list (e.g., local). A server that answers with FAIL (wrong credentials) ends the attempt; the next method is not consulted.
IOS CLI Verification Commands
show tacacs
Example output (abbreviated; exact field names vary by IOS release):
```
TACACS+ Server: 10.1.1.100/49
Socket opens: 5
Socket closes: 5
Aborted opens: 0
Packets received: 10
Packets sent: 10
Packet timeouts: 0
Connection failures: 0
Authentication successes: 3
Authentication failures: 1
Authorization successes: 2
Authorization failures: 0
Accounting successes: 3
Accounting failures: 0
```
debug tacacs
Use with caution in production. Shows each TACACS+ packet exchanged.
show running-config | section aaa
Displays all AAA configuration.
How TACACS+ Interacts with Related Protocols
TACACS+ is used alongside SSH for secure device administration. It can also be used for dial-up (PPP) but that's legacy. On the exam, remember that TACACS+ is Cisco-proprietary and recommended for device admin; RADIUS is open standard and used for network access (e.g., 802.1X wireless). Both can coexist. TACACS+ supports command authorization (per-command permissions), which RADIUS does not.
Configure TACACS+ Server
Define the TACACS+ server with its IP address and shared key. The key must match the server's configuration exactly (it is case-sensitive). Use the `tacacs server` command in global configuration mode.
```
R1(config)# tacacs server TACACS-SERVER
R1(config-server-tacacs)# address ipv4 10.1.1.100
R1(config-server-tacacs)# key Cisco123
R1(config-server-tacacs)# exit
```
The server is now known to the router. You can optionally set a timeout or port, but the defaults (5 seconds, TCP 49) are fine for the lab. Note that the key appears in the running-config in cleartext, or as a reversible type 7 string if `service password-encryption` is enabled, so treat configuration backups as sensitive.
Create Authentication Method List
Define a method list for login authentication that first tries TACACS+, then falls back to local. This ensures you can still access the device if the TACACS+ server is unreachable.
```
R1(config)# aaa new-model
R1(config)# aaa authentication login TACACS-LOGIN group tacacs+ local
```
`aaa new-model` enables the AAA system. The method list `TACACS-LOGIN` specifies: first try all configured TACACS+ servers (group tacacs+), then the local usernames stored on the router. One caution: as soon as `aaa new-model` is entered, every line that has no method list applied authenticates against the local username database, so make sure at least one local user with a secret exists (the `username` command) before you enable it.
Apply Method List to Lines
Apply the method list to the console, VTY (SSH), and optionally AUX lines. For the exam, focus on VTY lines for remote access.
```
R1(config)# line vty 0 4
R1(config-line)# login authentication TACACS-LOGIN
R1(config-line)# exit
R1(config)# line console 0
R1(config-line)# login authentication TACACS-LOGIN
R1(config-line)# exit
```
Now any SSH or console login will use the TACACS+ server first. Confirm with `show running-config | section line` that every line you expect to be covered carries the list; many platforms have more VTY lines than 0 to 4 (for example `line vty 5 15`), and any line without the list keeps the default method.
Configure Authorization (Optional)
Authorization controls what an authenticated user can do. For the exam, you may need to configure exec authorization (shell access) or command authorization. Here we set exec authorization to use TACACS+ with local fallback.
```
R1(config)# aaa authorization exec TACACS-AUTHZ group tacacs+ local
R1(config)# line vty 0 4
R1(config-line)# authorization exec TACACS-AUTHZ
R1(config-line)# exit
```
If the TACACS+ server returns a privilege level, the user's shell starts at that level. Otherwise the privilege level of the local username is used.
Configure Accounting (Optional)
Accounting logs user activity. For the exam, you may need to enable accounting for exec sessions (start/stop) and commands.
```
R1(config)# aaa accounting exec TACACS-ACCT start-stop group tacacs+
R1(config)# aaa accounting commands 15 TACACS-CMD start-stop group tacacs+
R1(config)# line vty 0 4
R1(config-line)# accounting exec TACACS-ACCT
R1(config-line)# accounting commands 15 TACACS-CMD
R1(config-line)# exit
```
`start-stop` sends a start record when the session begins and a stop record when it ends. `commands 15` logs every command executed at privilege level 15 only; add a separate `aaa accounting commands 1 ...` statement if you also want user-mode commands recorded.
Verify Configuration
Test the configuration by SSHing to the router. Use `debug tacacs` to see the exchange, then `show tacacs` to check the counters. Illustrative output:
```
R1# debug tacacs
R1#
*Mar 1 00:05:23.123: TACACS+: Opening TCP connection to 10.1.1.100/49
*Mar 1 00:05:23.456: TACACS+: Received authentication response: PASS
R1# undebug all
R1# show tacacs
```
If authentication fails, check the key and server reachability with `ping 10.1.1.100`. You can also exercise the server without opening a new session: `test aaa group tacacs+ USERNAME PASSWORD new-code` sends a real authentication request and reports the result. Keep the console session that made the change open until a fresh SSH login succeeds, so a mistake does not lock you out.
In a large enterprise with hundreds of routers and switches, managing local usernames on each device is impossible. AAA with TACACS+ centralizes administration. A common deployment uses a pair of Cisco ISE (Identity Services Engine) or ACS servers as TACACS+ servers. Network engineers configure all network devices to point to these servers with the same shared key. When a new network admin joins, the security team creates an account on ISE, assigns a privilege level (e.g., 15 for full access, 7 for read-only), and sets command authorization rules (e.g., allow 'show' commands, deny 'configure'). The admin can then SSH to any device and get consistent permissions. If the admin leaves, the account is disabled on ISE, instantly revoking access everywhere.
Another scenario: a managed service provider (MSP) uses TACACS+ to grant customers access to their own devices but restrict them from other customers' devices. The TACACS+ server uses the requesting device's address (the source of the TACACS+ request) or the username to decide which devices that user may manage.
Performance considerations: TACACS+ servers must be highly available. Use two servers with different IPs; configure both on the router. The router will try the first; if it times out (default 5 seconds), it tries the second. This can cause login delays if the first server is slow. Adjust the timeout with timeout 2 under the server configuration to fail over faster.
Misconfiguration nightmare: If you configure aaa new-model and then apply a method list that only uses TACACS+ without a local fallback, and the TACACS+ server is unreachable, you will lock yourself out of the device. Always include local as a fallback, and make sure a local username with a secret actually exists: entering aaa new-model immediately switches every line without an applied method list to local authentication, so a device with no username configured can lock you out before TACACS+ is even involved. Keep the console session that made the change open until a fresh login succeeds. Also, ensure the shared key matches exactly; it is case-sensitive. A common mistake is a typo in the key, which makes every exchange fail even though the server is reachable; debug tacacs then shows the TCP connection opening but no PASS.
The CCNA 200-301 exam tests objective 5.3: Configure and verify AAA with TACACS+. Expect scenario-based questions where you must choose the correct configuration commands or identify why a login fails. The exam focuses on authentication method lists, not deep authorization or accounting. Key points:
Command sequence: You must know that aaa new-model is required before any AAA commands. Then tacacs server defines the server, aaa authentication login creates the method list, and login authentication applies it to lines.
Common wrong answers: Candidates often forget aaa new-model or apply the method list globally instead of to lines. Another trap: using radius instead of tacacs+ in the method list. Also, mixing up group tacacs+ (which uses all configured TACACS+ servers) with a specific server name.
Specific values: The default timeout is 5 seconds, default port is TCP 49. The key is configured with key under the server. The method list order matters: group tacacs+ local tries TACACS+ first, then local. If the order is reversed, local is tried first, which defeats the purpose.
Calculation traps: None for AAA, but be aware of the order of operations: first authentication, then authorization, then accounting. The exam may ask which step fails if the server is down.
Decision rule: For scenario questions asking why a user cannot log in despite correct credentials, check: Is aaa new-model enabled? Is the method list applied to the correct line? Is the TACACS+ server reachable? Is the key correct? Is there a local fallback? Eliminate answers that suggest RADIUS or local authentication without TACACS+.
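The decision rule above, and the lockout scenario in the misconfiguration note, can be turned into an automated check over a running-config. The following Python is an added example for this lab, not code from the page or from any Cisco tool: it parses the AAA-relevant parts of an IOS configuration (global commands, `line` blocks and `tacacs server` blocks) and flags the mistakes this page lists, namely missing aaa new-model, a login list with no local fallback, local placed before the server, a list referenced on a line but never defined, a line with no list applied and no default list, a server block without a key or address, and local fallback with no username to fall back to. GOOD_CONFIG is the lab's authentication configuration in the recommended order (local user first, then aaa new-model); BAD_CONFIG is a constructed config that contains one of each mistake. The username hash in the sample is a placeholder, and the checker assumes servers are defined with the `tacacs server NAME` syntax used in this lab.

```python
"""Audit a Cisco IOS running-config for the AAA/TACACS+ mistakes this lab warns
about. Added example, not code from the page or from any Cisco tool; GOOD_CONFIG
and BAD_CONFIG are constructed samples and the username hash is a placeholder."""
import re

GOOD_CONFIG = """\
username admin privilege 15 secret 9 $9$placeholder-hash
aaa new-model
aaa authentication login TACACS-LOGIN group tacacs+ local
tacacs server TACACS-SERVER
 address ipv4 10.1.1.100
 key Cisco123
line con 0
 login authentication TACACS-LOGIN
line vty 0 4
 login authentication TACACS-LOGIN
 transport input ssh
"""

BAD_CONFIG = """\
aaa new-model
aaa authentication login TACACS-ONLY group tacacs+
aaa authentication login BACKWARDS local group tacacs+
tacacs server TACACS-SERVER
 address ipv4 10.1.1.100
line vty 0 4
 login authentication TYPO-LIST
line vty 5 15
"""


def parse_config(text):
    """Return (global commands, line blocks, tacacs server blocks);
    IOS indents the sub-commands of a block by one space."""
    glob, lines, servers, block = [], {}, {}, None
    for raw in text.splitlines():
        if not raw.strip() or raw.lstrip().startswith("!"):
            continue
        if raw.startswith(" "):
            if block is not None:
                block[0][block[1]].append(raw.strip())
            continue
        cmd = raw.strip()
        for pattern, container in ((r"line (.+)$", lines), (r"tacacs server (\S+)$", servers)):
            m = re.match(pattern, cmd)
            if m:
                container[m.group(1)] = []
                block = (container, m.group(1))
                break
        else:
            block = None
            glob.append(cmd)
    return glob, lines, servers


def method_tokens(spec):
    """'group tacacs+ local' -> ['group tacacs+', 'local']"""
    toks, out, i = spec.split(), [], 0
    while i < len(toks):
        if toks[i] == "group" and i + 1 < len(toks):
            out.append("group " + toks[i + 1])
            i += 2
        else:
            out.append(toks[i])
            i += 1
    return out


def audit(text):
    """Findings as 'CODE: explanation'; an empty list means nothing was flagged."""
    glob, lines, servers = parse_config(text)
    findings = []
    if any(c.startswith("aaa ") for c in glob) and "aaa new-model" not in glob:
        findings.append("NO-NEW-MODEL: aaa commands present but aaa new-model is not")
    login_lists = {}
    for c in glob:
        m = re.match(r"aaa authentication login (\S+) (.+)$", c)
        if m:
            login_lists[m.group(1)] = method_tokens(m.group(2))
    uses_group = uses_local = False
    for name, methods in login_lists.items():
        groups = [i for i, mth in enumerate(methods) if mth.startswith("group ")]
        locals_ = [i for i, mth in enumerate(methods) if mth == "local"]
        uses_group, uses_local = uses_group or bool(groups), uses_local or bool(locals_)
        if groups and not locals_:
            findings.append(f"NO-LOCAL-FALLBACK: list {name} has no local method, lockout if the server is down")
        elif groups and locals_ and locals_[0] < groups[0]:
            findings.append(f"LOCAL-FIRST: list {name} consults local before TACACS+, bypassing the server")
    if uses_local and not any(c.startswith("username ") for c in glob):
        findings.append("NO-USERNAME: local is a method but no username is configured")
    if uses_group and not servers:
        findings.append("NO-SERVER: a server group is referenced but no tacacs server is defined")
    for name, sub in servers.items():
        if not any(s.startswith("address ipv") for s in sub):
            findings.append(f"SERVER-NO-ADDRESS: tacacs server {name} has no address")
        if not any(s.startswith("key ") for s in sub):
            findings.append(f"SERVER-NO-KEY: tacacs server {name} has no shared key")
    for lname, sub in lines.items():
        applied = [s.split()[-1] for s in sub if s.startswith("login authentication ")]
        if not applied and "default" not in login_lists:
            findings.append(f"LINE-NO-LIST: line {lname} has no list applied and no default list, local only")
        elif applied and applied[0] not in login_lists:
            findings.append(f"UNDEFINED-LIST: line {lname} references undefined list {applied[0]}")
    return findings


if __name__ == "__main__":
    for label, cfg in (("good", GOOD_CONFIG), ("bad", BAD_CONFIG)):
        print(f"{label}: {audit(cfg) or ['clean']}")
```

Feed it the output of `show running-config` (the checker ignores `!` separators and blank lines) before you close the console session: a clean result means the checklist questions above all have the right answer on paper, which leaves reachability and the shared key as the only things a failed login can still be blamed on.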
AAA stands for Authentication, Authorization, Accounting; TACACS+ is Cisco-proprietary, uses TCP 49, and encrypts the entire packet body (only the header is cleartext).
Always enable 'aaa new-model' before any AAA commands.
Define TACACS+ server with 'tacacs server SERVER-NAME', then 'address ipv4 x.x.x.x' and 'key SECRET'.
Create authentication method list: 'aaa authentication login LIST-NAME group tacacs+ local'.
Apply method list to lines: 'line vty 0 4' then 'login authentication LIST-NAME'.
Include local fallback to prevent lockout if TACACS+ server is unreachable.
Verify with 'show tacacs' and 'debug tacacs'.
These come up on the exam all the time. Here's how to tell them apart.
TACACS+
Cisco proprietary, TCP port 49
Encrypts the entire packet body (username, password, other fields); only the header is cleartext
Separates authentication, authorization, accounting (each can use different servers)
Supports command-level authorization
Used primarily for device administration (router/switch login)
RADIUS
IETF standard, UDP ports 1812/1813 (older deployments use 1645/1646)
Encrypts only password in Access-Request packet
Combines authentication and authorization in Access-Accept packet
Does not support command-level authorization (only network access)
Used primarily for network access (wireless, VPN, 802.1X)
Mistake
TACACS+ uses UDP port 1812.
Correct
TACACS+ uses TCP port 49. RADIUS uses UDP 1812/1813. TACACS+ uses TCP for reliability.
Candidates confuse TACACS+ with RADIUS because both are AAA protocols.
Mistake
AAA configuration is applied globally and affects all lines automatically.
Correct
AAA method lists must be explicitly applied to each line (console, VTY, AUX) using 'login authentication'.
Cisco IOS defaults do not automatically apply AAA; you must bind the method list to lines.
Mistake
The 'group tacacs+' keyword refers to a specific server named 'tacacs+'.
Correct
'group tacacs+' is a built-in group that includes all servers defined with 'tacacs server' commands.
The word 'group' misleads candidates into thinking it's a named group, but it's a reserved keyword.
Mistake
You can skip 'aaa new-model' if you only use TACACS+ for authentication.
Correct
'aaa new-model' is mandatory to enable the AAA system; without it, the 'aaa authentication', 'aaa authorization' and 'aaa accounting' commands are not accepted.
Some think AAA is optional for TACACS+, but it is the framework that makes TACACS+ work.
What is the difference between TACACS+ and RADIUS?
TACACS+ is a Cisco-proprietary protocol that uses TCP port 49 and encrypts the entire packet body. It separates authentication, authorization, and accounting, allowing different servers for each. It supports command-level authorization, making it ideal for device administration. RADIUS is an IETF standard that uses UDP ports 1812/1813 and only encrypts the password. It combines authentication and authorization in one packet and is used for network access (e.g., wireless, VPN). For the CCNA exam, remember that TACACS+ is for device admin, RADIUS for network access.
Is 'aaa new-model' required?
Yes. 'aaa new-model' enables the AAA security system on the Cisco IOS device. Until it is entered, the router does not accept the 'aaa authentication', 'aaa authorization' and 'aaa accounting' commands. Always start with 'aaa new-model', but create a local username first: the command immediately switches lines without an applied method list to local authentication.
What happens if the TACACS+ server is unreachable and there is no local fallback?
You will be locked out of the device. The router will try the TACACS+ server, wait for the timeout (default 5 seconds), and because there is no further method, authentication fails. To prevent this, always include 'local' as a fallback in your method list: 'aaa authentication login LIST group tacacs+ local'. If the server is unreachable, the router uses local usernames. Note that the fallback happens only when the server does not respond; a server that is reachable and rejects the credentials returns FAIL, and the router does not then try local.
How do I verify that TACACS+ authentication is working?
Use 'show tacacs' to see statistics (successes, failures, timeouts). Use 'debug tacacs' to see real-time packet exchanges. Also, attempt an SSH login and check the debug output. If authentication succeeds, you'll see 'PASS' in the debug. If it fails, check the key and server reachability.
Can I configure multiple TACACS+ servers?
Yes. Define multiple servers with 'tacacs server' commands. The router will try them in the order they were configured. If the first server times out, it tries the next. 'group tacacs+' refers to all configured servers. The exam expects you to know that the order matters.
What is the default TACACS+ timeout, and can I change it?
The default timeout is 5 seconds. You can change it with the 'timeout' command under the 'tacacs server' configuration. For example, 'timeout 2' sets a 2-second timeout. This is useful if you want faster failover to a backup server.
Does TACACS+ encrypt the whole packet?
Yes, apart from the header. TACACS+ encrypts the entire body of the packet, including the username, password, and any other fields. Only the TACACS+ header is not encrypted. This is in contrast to RADIUS, which only encrypts the password. This makes TACACS+ more secure for device administration.