Summary: Step-by-step instructions for configuring TACACS+ authentication, authorisation, and accounting (AAA) on a Cisco IOS-XE switch, enabling centralised access control via a TACACS+ server such as Cisco ISE or the open-source tac_plus daemon.
TACACS+ (Terminal Access Controller Access-Control System Plus) is a Cisco-developed AAA protocol, now documented in RFC 8907, that separates authentication, authorisation, and accounting into distinct functions. It runs over TCP port 49 and obfuscates the entire packet body, so usernames, commands and accounting records are not visible in a capture, whereas RADIUS hides only the password attribute. That obfuscation is an MD5-derived keystream XORed with the body under the shared secret, not modern encryption: anyone who holds the key and can capture the session recovers everything, and the header (session id, sequence number, packet type) is always in clear text. Treat the shared secret as a credential, and keep the switch-to-server path on a management network or VRF.
On IOS-XE switches, TACACS+ is the recommended protocol for centralised management access control: every login is validated against a central identity server, each command can be authorised individually, and every session and command is recorded for audit.
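The packet format behind those claims, as an added example written for this page (it is not Cisco's, ISE's or tac_plus's code): it builds an ASCII login exchange per RFC 8907, obfuscates each body with the MD5 pseudo-pad, and decodes it with the right secret and with a wrong one. The secret, session id, username, password and port strings are constructed values for the demo.

```python
"""Added example (not from the page or Cisco): what a TACACS+ exchange looks
like on the wire, built from RFC 8907. The header is cleartext; the body is
XORed with an MD5 keystream derived from the shared secret, session_id,
version and seq_no (RFC 8907 section 4.5). The four-packet ASCII login,
the session_id and the secret used below are constructed for the demo."""
import hashlib
import struct

HEADER_FMT = "!BBBBII"   # version, type, seq_no, flags, session_id, body length
HEADER_LEN = struct.calcsize(HEADER_FMT)
VERSION = 0xC0           # major 0xC, minor 0 (ASCII login)
TYPE_AUTHEN = 0x01
FLAG_UNENCRYPTED = 0x01  # set only when a server is deliberately run with no key

AUTHEN_LOGIN, AUTHEN_TYPE_ASCII, AUTHEN_SVC_LOGIN = 0x01, 0x01, 0x01
STATUS_PASS, STATUS_GETPASS = 0x01, 0x05


def pseudo_pad(session_id, key, version, seq_no, length):
    """MD5_1 = MD5(session_id|key|version|seq_no); MD5_n = MD5(...|MD5_n-1)."""
    base = struct.pack("!I", session_id) + key + bytes([version, seq_no])
    pad, prev = b"", b""
    while len(pad) < length:
        prev = hashlib.md5(base + prev).digest()
        pad += prev
    return pad[:length]


def obfuscate(body, session_id, key, version, seq_no):
    """XOR the body with the pseudo-pad; calling it again reverses it."""
    pad = pseudo_pad(session_id, key, version, seq_no, len(body))
    return bytes(b ^ p for b, p in zip(body, pad))


def encode_packet(ptype, seq_no, session_id, key, body):
    header = struct.pack(HEADER_FMT, VERSION, ptype, seq_no, 0, session_id, len(body))
    return header + obfuscate(body, session_id, key, VERSION, seq_no)


def decode_packet(packet, key):
    """The header needs no key; the body does unless the unencrypted flag is set."""
    version, ptype, seq_no, flags, session_id, length = struct.unpack(
        HEADER_FMT, packet[:HEADER_LEN])
    body = packet[HEADER_LEN:HEADER_LEN + length]
    if len(body) != length:
        raise ValueError("truncated packet")
    if not flags & FLAG_UNENCRYPTED:
        body = obfuscate(body, session_id, key, version, seq_no)
    return {"type": ptype, "seq_no": seq_no, "session_id": session_id, "body": body}


def authen_start(user, port="tty1", rem_addr="192.0.2.10", priv_lvl=1):
    """START body (RFC 8907 5.1): eight fixed bytes, then user, port, rem_addr, data."""
    u, p, r = user.encode(), port.encode(), rem_addr.encode()
    fixed = struct.pack("!8B", AUTHEN_LOGIN, priv_lvl, AUTHEN_TYPE_ASCII,
                        AUTHEN_SVC_LOGIN, len(u), len(p), len(r), 0)
    return fixed + u + p + r


def authen_reply(status, server_msg=b""):
    """REPLY body (RFC 8907 5.2): status, flags, server_msg_len, data_len, server_msg."""
    return struct.pack("!BBHH", status, 0, len(server_msg), 0) + server_msg


def authen_continue(user_msg):
    """CONTINUE body (RFC 8907 5.3): user_msg_len, data_len, flags, user_msg."""
    return struct.pack("!HHB", len(user_msg), 0, 0) + user_msg


def parse_authen_start(body):
    action, priv_lvl, authen_type, service, ul, pl, rl, _dl = struct.unpack("!8B", body[:8])
    user, rest = body[8:8 + ul], body[8 + ul:]
    port, rest = rest[:pl], rest[pl:]
    rem_addr = rest[:rl]
    return {"action": action, "priv_lvl": priv_lvl, "authen_type": authen_type,
            "service": service, "user": user.decode(errors="replace"),
            "port": port.decode(errors="replace"),
            "rem_addr": rem_addr.decode(errors="replace")}


def sample_session(key, session_id=0x1A2B3C4D):
    """Constructed ASCII login: START -> GETPASS -> CONTINUE(password) -> PASS."""
    return [
        encode_packet(TYPE_AUTHEN, 1, session_id, key, authen_start("netops")),
        encode_packet(TYPE_AUTHEN, 2, session_id, key, authen_reply(STATUS_GETPASS, b"Password: ")),
        encode_packet(TYPE_AUTHEN, 3, session_id, key, authen_continue(b"hunter2")),
        encode_packet(TYPE_AUTHEN, 4, session_id, key, authen_reply(STATUS_PASS)),
    ]


if __name__ == "__main__":
    secret = b"<shared-secret-key>"
    pkts = sample_session(secret)
    print(parse_authen_start(decode_packet(pkts[0], secret)["body"]))
    # With the secret, the password in the CONTINUE packet is recovered offline:
    print(decode_packet(pkts[2], secret)["body"][5:])
    # Without it, only the header (type, seq_no, session_id) is readable:
    print(decode_packet(pkts[2], b"wrong")["body"][5:])
```

Compare the two decodes of the CONTINUE packet: with the configured secret the password comes back; with any other secret the body is noise, which is exactly what the server sees when the shared keys differ (the "login rejected despite correct credentials" row in the troubleshooting table). Because the keystream depends only on the cleartext header fields and the static secret, there is no forward secrecy: a leaked key unlocks every capture ever made under it.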
The switch forwards each login to a TACACS+ server (Cisco ISE, or the open-source tac_plus) that validates the credentials and enforces policy. The local keyword is normally added as a fallback: placing local at the end of a method list lets you still log in with locally defined accounts if every TACACS+ server is unreachable. Note that the fallback is used only when a server errors or times out; a server that actively rejects the login ends the attempt, and local is not consulted.
Admin Workstation
│
│ SSH / Telnet
▼
┌─────────────────────┐ ┌──────────────────────┐
│ IOS-XE Switch │─TCP 49─▶│ TACACS+ Server │
│ │◀────────│ (e.g. Cisco ISE) │
│ AAA method list │ │ │
│ checks server │ │ - Validates creds │
│ group first, │ │ - Returns priv level│
│ then local fallback│ │ - Logs accounting │
└─────────────────────┘ └──────────────────────┘
When a user connects to the switch via SSH, the login method list tries the TACACS+ server group first; the server validates the credentials, returns the privilege level, and records accounting. Only if every server in the group is unreachable does the switch fall back to the local database. The configuration below builds that up step by step.
! Platform: IOS-XE
! AAA must be enabled before any AAA commands take effect.
! WARNING: enabling this on a live switch can lock you out if not done carefully.
aaa new-model
⚠️ Do This First in a Maintenance Window
Enabling aaa new-model immediately activates AAA on every line, including the console. If the TACACS+ server is unreachable and no local fallback user exists, you can lose access to the device. Create the local fallback user before enabling AAA, keep a second SSH session (or the console) open while you make the change, and do not save the configuration until a fresh login has succeeded.
! Platform: IOS-XE
! Create a local admin account as a fallback in case the TACACS+ server is down.
! Use secret (stored as a hash), never password (stored reversibly or in clear).
username localadmin privilege 15 secret <strong-password>
! Platform: IOS-XE
! Define each TACACS+ server with a name, IP address, and shared secret key.
! Repeat this block for each server (primary, secondary, etc.)
tacacs server TACACS-PRIMARY
address ipv4 192.168.1.100
key <shared-secret-key>
timeout 5
tacacs server TACACS-SECONDARY
address ipv4 192.168.1.101
key <shared-secret-key>
timeout 5
! Platform: IOS-XE
! Group the servers so they can be referenced together in method lists.
aaa group server tacacs+ TACACS-SERVERS
server name TACACS-PRIMARY
server name TACACS-SECONDARY
! Platform: IOS-XE
! Apply TACACS+ authentication for login, with local as fallback.
aaa authentication login default group TACACS-SERVERS local
aaa authentication enable default group TACACS-SERVERS enable
! Platform: IOS-XE
! Authorise exec shell access and optionally command-level authorisation.
! Exec authorisation (assigns privilege level from TACACS+ server)
aaa authorization exec default group TACACS-SERVERS local if-authenticated
! Command authorisation (optional — checks every command against TACACS+ server)
aaa authorization commands 15 default group TACACS-SERVERS local if-authenticated
⚠️ Command Authorisation
Enabling aaa authorization commands means every command at that privilege level is sent to the TACACS+ server for a decision before it runs. The local and if-authenticated methods after the server group are what keep an established session usable if the server becomes unreachable mid-session; with only the server group in the list you would be left at a prompt that accepts nothing. Test both the normal path and the server-down path in a lab before deploying to production.
! Platform: IOS-XE
! Log exec sessions and commands to the TACACS+ server for auditing.
aaa accounting exec default start-stop group TACACS-SERVERS
aaa accounting commands 15 default start-stop group TACACS-SERVERS
! Platform: IOS-XE
! VTY lines use the default list (TACACS+ first, then local). Give the console its own
! local-only list so that a TACACS+ outage or a bad shared key can never lock you out of it.
aaa authentication login CONSOLE local
line vty 0 15
login authentication default
transport input ssh
line con 0
login authentication CONSOLE
! ============================================================
! TACACS+ Configuration — Cisco IOS-XE
! ============================================================
! Step 1: Enable AAA
aaa new-model
! Step 2: Local fallback user
username localadmin privilege 15 secret <strong-password>
! Step 3: Define TACACS+ servers
tacacs server TACACS-PRIMARY
address ipv4 192.168.1.100
key <shared-secret-key>
timeout 5
tacacs server TACACS-SECONDARY
address ipv4 192.168.1.101
key <shared-secret-key>
timeout 5
! Step 4: Server group
aaa group server tacacs+ TACACS-SERVERS
server name TACACS-PRIMARY
server name TACACS-SECONDARY
! Step 5: Authentication
aaa authentication login default group TACACS-SERVERS local
aaa authentication enable default group TACACS-SERVERS enable
! Step 6: Authorisation
aaa authorization exec default group TACACS-SERVERS local if-authenticated
aaa authorization commands 15 default group TACACS-SERVERS local if-authenticated
! Step 7: Accounting
aaa accounting exec default start-stop group TACACS-SERVERS
aaa accounting commands 15 default start-stop group TACACS-SERVERS
! Step 8: VTY and console lines (console gets a local-only list)
aaa authentication login CONSOLE local
line vty 0 15
login authentication default
transport input ssh
line con 0
login authentication CONSOLE
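A pre-flight check for the lockout risks this procedure warns about, as an added example written for this page (not Cisco's tooling): it parses IOS-style configuration text in show running-config layout and reports method lists with no local fallback, a console line that is not local-first, TACACS+ server blocks with no key, and VTY lines that still accept Telnet. The two sample configurations embedded at the bottom are constructed, one that passes and one with the mistakes the warnings above describe.

```python
"""Added example (not from the page or Cisco): lint an IOS-style config for the
lockout risks this procedure warns about. Expects show running-config layout
(sub-commands indented one space). The sample configs below are constructed."""
import re

LOCAL_FIRST = ("local", "local-case", "none")

def parse_config(text):
    """Return (top-level lines, {top-level line: [its indented sub-commands]})."""
    top, blocks, current = [], {}, None
    for raw in text.splitlines():
        if not raw.strip() or raw.lstrip().startswith("!"):
            continue
        if raw[0] in " \t" and current is not None:
            blocks[current].append(raw.strip())
            continue
        current = raw.strip()
        top.append(current)
        blocks.setdefault(current, [])
    return top, blocks

def parse_methods(tokens):
    """['group', 'TACACS-SERVERS', 'local'] -> ['group TACACS-SERVERS', 'local']."""
    out, i = [], 0
    while i < len(tokens):
        if tokens[i] == "group" and i + 1 < len(tokens):
            out.append(f"group {tokens[i + 1]}")
            i += 2
        else:
            out.append(tokens[i])
            i += 1
    return out

def lint_aaa(text):
    """Return a list of findings; an empty list means every check passed."""
    top, blocks = parse_config(text)
    findings, login_lists = [], {}
    if "aaa new-model" not in top:
        findings.append("aaa new-model missing: the method lists never take effect")
    if not any(re.match(r"username \S+ privilege 15 secret ", l) for l in top):
        findings.append("no privilege-15 local user: nothing to fall back to if TACACS+ is down")
    for l in top:
        if m := re.match(r"aaa authentication login (\S+) (.+)", l):
            login_lists[m[1]] = parse_methods(m[2].split())
        elif m := re.match(r"aaa authorization (exec|commands \d+) (\S+) (.+)", l):
            meths = parse_methods(m[3].split())
            if not any(x in ("local", "if-authenticated", "none") for x in meths):
                findings.append(f"authorization {m[1]} list {m[2]} has no fallback: {meths}")
    for name, meths in login_lists.items():
        if not any(x in ("local", "local-case") for x in meths):
            findings.append(f"login list {name} has no local fallback: {meths}")
    for hdr, subs in blocks.items():
        if hdr.startswith("tacacs server ") and not any(s.startswith("key ") for s in subs):
            findings.append(f"{hdr} has no key configured")
        if not hdr.startswith("line "):
            continue
        # Under aaa new-model, a line with no 'login authentication' uses the default list.
        lst = next((s.split()[2] for s in subs if s.startswith("login authentication ")), "default")
        meths = login_lists.get(lst, [])
        if hdr.startswith("line con") and (not meths or meths[0] not in LOCAL_FIRST):
            findings.append(f"{hdr} uses list {lst} {meths}: console should be local-first")
        if hdr.startswith("line vty"):
            transport = next((s.split()[2:] for s in subs if s.startswith("transport input ")), [])
            if transport != ["ssh"]:
                findings.append(f"{hdr} transport input {transport or 'unset'}: restrict to ssh")
    return findings

SAFE_CONFIG = """\
aaa new-model
username localadmin privilege 15 secret <strong-password>
tacacs server TACACS-PRIMARY
 address ipv4 192.168.1.100
 key <shared-secret-key>
aaa group server tacacs+ TACACS-SERVERS
 server name TACACS-PRIMARY
aaa authentication login default group TACACS-SERVERS local
aaa authentication login CONSOLE local
aaa authorization exec default group TACACS-SERVERS local if-authenticated
aaa authorization commands 15 default group TACACS-SERVERS local if-authenticated
line con 0
 login authentication CONSOLE
line vty 0 15
 login authentication default
 transport input ssh
"""
RISKY_CONFIG = """\
aaa new-model
tacacs server TACACS-PRIMARY
 address ipv4 192.168.1.100
aaa group server tacacs+ TACACS-SERVERS
 server name TACACS-PRIMARY
aaa authentication login default group TACACS-SERVERS
aaa authorization commands 15 default group TACACS-SERVERS
line con 0
line vty 0 15
 transport input telnet ssh
"""

if __name__ == "__main__":
    print("\n".join(lint_aaa(RISKY_CONFIG)) or "ok")
```

Feed it the output of show running-config (or the candidate config before you paste it in) and fix every finding before touching aaa new-model on a production switch. The console check is deliberately strict: a console line that inherits the default list is flagged even though login would still fall through to local when the server is down, because a server that rejects the login (for example after a key mismatch) does not fall through.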
| Symptom | Likely Cause | Fix |
|---|---|---|
| Login rejected despite correct credentials | Shared secret mismatch between switch and server (the server de-obfuscates the request into garbage and rejects it); a rejection does not trigger the local fallback | Verify the key on both the switch (tacacs server) and the TACACS+ server; retype it rather than comparing by eye, and watch for trailing spaces |
| TACACS+ server unreachable | Firewall or ACL blocking TCP 49, wrong IP, or requests leaving from an interface address the server does not know as a client | Check reachability with ping and test aaa group from the switch; verify ACLs allow TCP 49; pin the source address with ip tacacs source-interface if the server expects a specific client IP |
| Locked out after enabling AAA | No local fallback user, console using a TACACS+-first list, or the server rejecting the login | Use console access with local credentials; ensure local is in the method lists and the console has its own local-first list |
| User gets privilege level 1 instead of 15 | TACACS+ server not returning a privilege level, or exec authorisation not configured | Check the server's shell profile sets priv-lvl = 15 for the user/group; confirm aaa authorization exec default is applied |
| Commands not authorised | Command authorisation enabled but the server's command set denies them | Review the TACACS+ command sets; use debug aaa authorization to see what the switch sends and the server answers; remove aaa authorization commands only as a last resort |
| No accounting records appearing | Accounting not configured, or server rejecting records | Verify the aaa accounting lines; check the TACACS+ server logs for errors |
! Check that a server answers and accepts a known account. The username and
! password are positional arguments; run this BEFORE changing the method lists.
test aaa group TACACS-SERVERS <testuser> <testpass> new-code
! Per-server state and counters: up/dead, timeouts, failed transactions
show aaa servers
! TACACS+ socket and request statistics
show tacacs
! Who is logged in through AAA right now
show aaa sessions
! Debug TACACS+ (use with caution in production, and turn it off afterwards)
debug tacacs
debug aaa authentication
debug aaa authorization
undebug all