How to Configure TACACS+ Server for Windows

In my last post I showed you how to enable AAA on a router. In this post we will configure the TACACS+ server, using the free tacacs+ server for Windows. First download the server from here.

  1. Unzip the folder to C:\tacacs.
  2. Edit the “tac.cfg” file.

    The first section is where we define the encryption key. This is the same shared secret that we configured on the Cisco router and switch.

    # Encryption key is the same key you configure in your router

    # ENCRYPTION KEY:

    key = cisco123

    The second section is where we define the file name for accounting. It is only used if we have enabled accounting on the switches and routers.

    # You will want to log access to a file. Set that file here

    # Remember to rotate the log, it will grow over time.

    # write accounting to:

    accounting file = accounting.log

    The third section is the Users section. Here we define the user names and the group each user belongs to. In the sample file a few users and groups have been created. User “Tom” is a member of the “Itnetwork” group, and user “Backup-user” is a member of the “Show” group.

    ###############Users#####################
    #########################################

    ### without "login = " need to authenticate through radius or local:

    user = tom { member = itnetwork }
    user = dick { member = itnetwork }

    The fourth section is the Groups section. Here we define the group and where the password file for that group is kept. In this example we are using a file called “passwords.db” that contains the passwords for the group “Itnetwork”.

    In this section we also define the privilege level and the commands that members of this group are allowed to execute.

    ################################
    ##########Groups#################
    ################################

    group = itnetwork {
    # IT-Network Engineers
    login = file passwords.db
    }

    Once you have edited the tac.cfg file and created the users and groups, save it.

  3. Now we will create a password for each user. For this we first use the “generate_passwd.exe” file to generate the encrypted password. Let’s say for user “Dick” we want to assign the password “welcome123!”. From the command prompt run generate_passwd.exe and key in the password to be encrypted, as shown in Fig1.

    Fig1

    Copy the encrypted password.

    Now edit the “passwords.db” file (the file named on the “login = file” line of tac.cfg). For the user “Dick” paste the encrypted password between the first “:” and the trailing “:::::”, see below.

    dick:MqrgSjhD2.R5o:::::

  4. The final step is to run the tacacs+ server. Run it from the command prompt:
    tac_plus.exe -C tac.cfg
  5. To stop the TACACS+ server, kill it from the Task Manager.
  6. And finally, do remember to read the readme.txt file.
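As an added example (not part of the original post, and not code from the tac_plus distribution), the script below parses a tac.cfg written in the style of the excerpts in steps 2 and 3 together with the password file it references, and cross-checks them for the mistakes that most often leave a device with no working or an unintentionally weak login: a short shared key, no accounting file, a user in a group that has no “login = file” line, a user with no entry in the password file, an empty password field, a plaintext password pasted where the hash should go, and stale accounts present only in the password file. SAMPLE_TAC_CFG, SAMPLE_PASSWORDS_DB, parse_tac_cfg, parse_passwords_db, audit and audit_sample are names chosen here; the sample files are constructed for the example; the parser assumes the one-line “user = name { member = group }” form and the “group = name { … login = file X … }” form shown above and does not cover the rest of the tac_plus grammar.

```python
import re

# Constructed sample tac.cfg, modelled on the excerpts quoted in the post
# (not a file from the tac_plus distribution).
SAMPLE_TAC_CFG = """\
# Encryption key is the same key you configure in your router
key = cisco123
# write accounting to:
accounting file = accounting.log
user = tom { member = itnetwork }
user = dick { member = itnetwork }
user = backup-user { member = show }
group = itnetwork {
    # IT-Network Engineers
    login = file passwords.db
}
group = show {
    login = file passwords.db
}
"""

# Constructed sample password file in the user:hash::::: layout from the post.
# dick has a hash of the shape generate_passwd.exe produces, tom's line holds a
# plaintext password pasted by mistake, and backup-user has an empty field.
SAMPLE_PASSWORDS_DB = """\
dick:MqrgSjhD2.R5o:::::
tom:welcome123!:::::
backup-user::::::
"""

# Traditional crypt(3) output: 2 salt characters + 11 hash characters from [./0-9A-Za-z].
CRYPT_HASH_RE = re.compile(r"^[./0-9A-Za-z]{13}$")


def parse_tac_cfg(text):
    """Extract key, accounting file, user->group and group->login file from tac.cfg.

    Assumes the one-line 'user = name { member = group }' form and the
    'group = name { ... login = file X ... }' form shown in the post.
    """
    cfg = {"key": None, "accounting_file": None, "users": {}, "groups": {}}
    current_group = None
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()  # drop comments and surrounding whitespace
        if not line:
            continue
        if current_group is not None:  # inside a 'group = name { ... }' block
            if line == "}":
                current_group = None
            elif m := re.match(r"login\s*=\s*file\s+(\S+)$", line):
                cfg["groups"][current_group]["login_file"] = m.group(1)
            continue
        if m := re.match(r"key\s*=\s*(\S+)$", line):
            cfg["key"] = m.group(1)
        elif m := re.match(r"accounting\s+file\s*=\s*(\S+)$", line):
            cfg["accounting_file"] = m.group(1)
        elif m := re.match(r"user\s*=\s*(\S+)\s*\{\s*member\s*=\s*(\S+)\s*\}$", line):
            cfg["users"][m.group(1)] = m.group(2)
        elif m := re.match(r"group\s*=\s*(\S+)\s*\{$", line):
            current_group = m.group(1)
            cfg["groups"][current_group] = {"login_file": None}
    return cfg


def parse_passwords_db(text):
    """Return {user: password_field} from a passwd-style file (7 colon-separated fields)."""
    entries = {}
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        fields = line.split(":")
        if len(fields) != 7:
            raise ValueError(f"line {lineno}: expected 7 colon-separated fields, got {len(fields)}")
        entries[fields[0]] = fields[1]
    return entries


def audit(cfg, passwords):
    """Cross-check tac.cfg against its password file and return a list of findings."""
    findings = []
    if not cfg["key"] or len(cfg["key"]) < 16:
        findings.append("weak-key: shared secret missing or shorter than 16 characters")
    if not cfg["accounting_file"]:
        findings.append("no-accounting: 'accounting file' not set, command accounting is lost")
    for user, group in sorted(cfg["users"].items()):
        g = cfg["groups"].get(group)
        if g is None:
            findings.append(f"{user}: member of undefined group '{group}'")
        elif g["login_file"] is None:
            findings.append(f"{user}: group '{group}' has no 'login = file' line")
        elif user not in passwords:
            findings.append(f"{user}: no entry in {g['login_file']}")
        elif passwords[user] == "":
            findings.append(f"{user}: empty password field")
        elif not CRYPT_HASH_RE.match(passwords[user]):
            findings.append(f"{user}: password field is not a 13-character crypt hash (plaintext pasted?)")
    for user in sorted(set(passwords) - set(cfg["users"])):
        findings.append(f"{user}: in password file but has no 'user =' line in tac.cfg (stale account)")
    return findings


def audit_sample():
    """Run the audit over the constructed samples (the inline text stands in for passwords.db)."""
    return audit(parse_tac_cfg(SAMPLE_TAC_CFG), parse_passwords_db(SAMPLE_PASSWORDS_DB))


if __name__ == "__main__":
    for finding in audit_sample():
        print(finding)
```

Run against real files, replace the two inline samples with the contents of tac.cfg and of whichever file the “login = file” line names, so that a mismatch between the name in the config and the file on disk shows up as a "no entry" finding for every user. The 13-character value shown in the post has the shape of a traditional DES crypt(3) hash; if that is what generate_passwd.exe produces, only the first eight characters of a password are significant, which is worth knowing when choosing passwords for the accounts in this file.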