These are my notes about configuring and testing a quick implementation of a free Tacacs+ software. The software runs on Windows.

Tacacs+ is used by network devices to authenticate users. Each user that logs on to a network device is checked against the Tacacs+ server database, before a decision is made. The decision can be something like:

  • the user is authenticated but will have limited access to the network device,
  • the user is authenticated and will have full rights on the network device,
  • the user is not authorized to access the network device and is kicked off.

Installation and configuration

Download the software from the official website:

Install the software. At some point, the system asks you to configure a shared secret. This key will be used for communications between Tacacs+ clients and the Tacacs+ server.

Configuring Tacacs+ authentication

The configuration files are in the following path (Windows 7): C:\documents and settings\all users\application data\\config
To test the Tacacs+ server, un-comment the Users section, under the UserGroup section.

You can use “tacacsverify” to check whether the modifications you made to the various files are valid.

You can change the IP address of the server to something that can be put on a network, instead of You do that in the “tacplus.xml” file.


Define the shared secret at installation time. This shared key will be used by Tacacs+ clients when authenticating against the server, and even when we want to test Tacacs+ locally. You can change it later in the “clients.xml” file.

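
What the shared secret does on the wire, as an added example (not from the original notes or from the server software): per RFC 8907, each TACACS+ packet body is XORed with an MD5-derived pad built from the session id, the secret, the version and the sequence number, while the 12-byte header stays in clear. The secret, session id and body below are constructed sample values.

```python
import hashlib
import struct

HEADER = struct.Struct("!BBBBII")  # version, type, seq_no, flags, session_id, length
FLAG_UNENCRYPTED = 0x01            # TAC_PLUS_UNENCRYPTED_FLAG: body sent in clear


def pseudo_pad(secret: bytes, session_id: int, version: int, seq_no: int, length: int) -> bytes:
    """MD5 chain from RFC 8907 section 4.5, truncated to the body length."""
    seed = struct.pack("!I", session_id) + secret + bytes([version, seq_no])
    pad, block = b"", b""
    while len(pad) < length:
        block = hashlib.md5(seed + block).digest()  # MD5_n = MD5(seed + MD5_{n-1})
        pad += block
    return pad[:length]


def obfuscate(secret: bytes, session_id: int, version: int, seq_no: int, body: bytes) -> bytes:
    """XOR the body with the pad; calling it again with the same inputs reverses it."""
    pad = pseudo_pad(secret, session_id, version, seq_no, len(body))
    return bytes(b ^ p for b, p in zip(body, pad))


def build_packet(secret, session_id, seq_no, body, version=0xC0, ptype=0x01):
    """12-byte cleartext header followed by the obfuscated body."""
    header = HEADER.pack(version, ptype, seq_no, 0, session_id, len(body))
    return header + obfuscate(secret, session_id, version, seq_no, body)


def read_packet(secret, packet):
    """Return (header fields, body) as a receiver holding `secret` would see them."""
    version, ptype, seq_no, flags, session_id, length = HEADER.unpack(packet[:12])
    body = packet[12:12 + length]
    if not flags & FLAG_UNENCRYPTED:
        body = obfuscate(secret, session_id, version, seq_no, body)
    return (version, ptype, seq_no, flags, session_id), body


# Constructed sample values, not taken from the page or any real deployment.
SAMPLE_BODY = b"user1 login attempt (constructed body, not a real AUTHEN START)"
PACKET = build_packet(b"lab-shared-secret", 0x1A2B3C4D, 1, SAMPLE_BODY)

if __name__ == "__main__":
    print("matching secret :", read_packet(b"lab-shared-secret", PACKET)[1])
    print("wrong secret    :", read_packet(b"typo-secret", PACKET)[1])
    print("header in clear :", PACKET[:12].hex())
```

A receiver with a different secret gets an unreadable body, and nothing in the packet authenticates it. RFC 8907 describes this scheme as obfuscation, so the secret should be long and random and TACACS+ traffic kept on a management network.
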
There is a default user account you can use to test that Tacacs+ is working:
user name: user1
user password: somepassword


To test Tacacs+, use the command “tactest” with its parameters. Take a look at the example below.

[Screenshots: example “tactest” run]

Configuring Tacacs+ authorization

Authorization defines which levels of access the client is allowed to get. Authorization is configured in the authorization.xml file. If you want to skip all the authorization stuff and just allow “full access” to your authenticated clients, simply change the name of the “authentication.xml” file.
In my case, I went a little further and put the Deny section as a comment.


Did you know that you can configure TACACS+ on Linux too?


Keyboard Banger

Keyboard Banger is a network engineer from Africa. He has been working in network support and administration since 2008. He started writing study notes about certification exams and technology topics a couple of years ago. When he's not writing articles, he can be found wandering on technical forums.

1 Comment

neil · 02/01/2019 at 17:55

am learning the authorization part in more detail.
however you say this: If you want to skip all the authorization stuff and just allow “full access” to your authenticated clients, simply change the name of “authentication.xml” file. – Surely authentication & authorization are different?
