New Style TACACS+ Configuration on Cisco IOS

If you’ve configured TACACS+ on a Cisco IOS device within the last few years you’ve probably run into this message:

This cli will be deprecated soon. Use new server cli.

Apparently, Cisco’s idea of soon and mine are pretty far apart because this message has been popping up for several years now and they’ve yet to actually deprecate anything.

Rather than continuing to gamble, I recommend switching to the new configuration now, which also comes with the added benefit of being able to specify IPv4 and IPv6 addresses for your TACACS+ servers.

Old TACACS+ IOS Configuration

In case you need a refresher, the old configuration command looked like this:

NPGswitch(config)#tacacs-server host 10.2.0.6
This cli will be deprecated soon. Use new server cli

Which resulted in a config like this:

aaa group server tacacs+ default
!
tacacs-server host 10.2.0.6
tacacs-server key mys3cr3t!

If you googled the CLI warning message and landed here, it’s because Cisco still hasn’t documented what you’re actually supposed to use now in an easy-to-find, easy-to-understand way.

Fortunately, it’s super easy.

New TACACS+ IOS Configuration

Here is what you would use instead of the above configuration command:

NPGSwitch(config)#aaa group server tacacs+ default
NPGSwitch(config-sg-tacacs+)#server name TAC
NPGSwitch(config-sg-tacacs+)#exit
NPGSwitch(config)#tacacs server TAC
NPGSwitch(config-server-tacacs)#address ipv4 10.2.0.6
NPGSwitch(config-server-tacacs)#key mys3cr3t!

Which results in a config like this:

aaa group server tacacs+ default
server name TAC
!
tacacs server TAC
address ipv4 10.2.0.6
key mys3cr3t!

Essentially, you now name the TACACS+ server, set its IP address and shared secret under that name, and then reference the name in the AAA server group.

Specifying Multiple TACACS+ Servers

If you want to configure multiple TACACS+ servers using the new syntax, name each server, configure its IP address and key under that name, and list every name in the server group, like so:

aaa group server tacacs+ default
server name TAC1
server name TAC2
!
tacacs server TAC1
address ipv4 10.2.0.6
key mys3cr3t!
!
tacacs server TAC2
address ipv4 10.2.0.7
key mys3cr3t2!

Tips When Reconfiguring TACACS+ Lines

It’s worth noting that if you have an IOS switch or router that is already configured using the old TACACS+ syntax, you’ll need to remove the following line before entering the new syntax:

tacacs-server host x.x.x.x

If you do not remove this line, the device will not save the IP address when you try to add it under the tacacs server line. It will appear to accept the command, but if you do a show run you’ll notice the IP is missing, and you won’t be able to authenticate.
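To make the migration described in the last two sections repeatable across a fleet, here is a small Python helper, added as an example and not part of the original post or of any Cisco tooling. It audits a running-config for the deprecated tacacs-server host lines, extracts each host and its key (using the global tacacs-server key when a host has none), and emits the equivalent new-style configuration, with the "no tacacs-server host" removals placed first so the address is actually saved. The sample config, the server names (TAC, TAC1, TAC2, following the post's convention) and the one-space submode indentation are constructed assumptions; support for the per-host "key" form of the old command and for "address ipv6" in the new form is based on IOS syntax the post itself does not show.

```python
import ipaddress
import re
from typing import List, Optional, Tuple

# Constructed sample running-config fragment still using the deprecated syntax.
# Addresses and keys are made up; the second host carries its own key.
OLD_STYLE_CONFIG = """\
aaa new-model
aaa group server tacacs+ default
!
tacacs-server host 10.2.0.6
tacacs-server host 10.2.0.7 key mys3cr3t2!
tacacs-server key mys3cr3t!
"""

# Old-style host line, optionally followed by a per-host key (assumed IOS form).
HOST_RE = re.compile(r"^tacacs-server host (\S+)(?: key (\S+))?$", re.M)
# Old-style global key shared by every host that has no key of its own.
GLOBAL_KEY_RE = re.compile(r"^tacacs-server key (\S+)$", re.M)


def find_deprecated_lines(config: str) -> List[str]:
    """Return every 'tacacs-server host' line, i.e. the lines that trigger the warning."""
    return [ln.strip() for ln in config.splitlines()
            if ln.strip().startswith("tacacs-server host ")]


def parse_old_tacacs(config: str) -> Tuple[List[Tuple[str, Optional[str]]], Optional[str]]:
    """Extract (host, per_host_key_or_None) pairs and the global key, if any."""
    servers = [(m.group(1), m.group(2)) for m in HOST_RE.finditer(config)]
    gk = GLOBAL_KEY_RE.search(config)
    return servers, (gk.group(1) if gk else None)


def build_new_style(servers: List[Tuple[str, Optional[str]]],
                    global_key: Optional[str], prefix: str = "TAC") -> str:
    """Emit removal lines followed by the new 'tacacs server <name>' configuration."""
    if not servers:
        raise ValueError("no tacacs-server host lines found; nothing to migrate")
    # One server keeps the bare name; several get a numeric suffix (TAC1, TAC2, ...).
    names = [prefix] if len(servers) == 1 else [f"{prefix}{i}" for i in range(1, len(servers) + 1)]
    out = []
    # Remove the old host lines first; otherwise IOS silently drops the new address.
    for host, _ in servers:
        out.append(f"no tacacs-server host {host}")
    out.append("aaa group server tacacs+ default")
    for name in names:
        out.append(f" server name {name}")
    for name, (host, key) in zip(names, servers):
        out.append("!")
        out.append(f"tacacs server {name}")
        try:
            family = "ipv6" if ipaddress.ip_address(host).version == 6 else "ipv4"
        except ValueError:
            family = "ipv4"  # assumption: a hostname goes under 'address ipv4 <name>'
        out.append(f" address {family} {host}")
        secret = key or global_key
        if secret is None:
            raise ValueError(f"no key available for {host}; refusing to emit a server without one")
        out.append(f" key {secret}")
    return "\n".join(out)


def migrate(config: str) -> str:
    """Convenience wrapper: old-style running-config in, new-style config block out."""
    servers, global_key = parse_old_tacacs(config)
    return build_new_style(servers, global_key)


if __name__ == "__main__":
    print("Deprecated lines:", find_deprecated_lines(OLD_STYLE_CONFIG))
    print(migrate(OLD_STYLE_CONFIG))
```

Feed it the output of show running-config and paste the result into configuration mode from a console or local-account session, as the post advises; the removal lines come first precisely because of the missing-IP behaviour described above.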

As a general best practice I recommend reconfiguring your TACACS lines while logged into the device with a local account or through the console so you don’t get authorization or authentication errors halfway through.

If you really want to be safe you can use the configuration archive and rollback feature of IOS to allow config changes to revert should you accidentally lock yourself out.

Related: Cisco Configuration Archive & Rollback: The Undo Button

As I mentioned earlier, I think they changed this to allow specifying IPv4 or IPv6 addresses for your TACACS+ hosts. It also makes managing multiple TACACS+ servers within the config easier.

Even if you have no need to do this at least you’ll stop receiving the deprecated warning.
