Installation & Setup of Free Tacacs+ server in Linux
(Tested via GNS3 & VirtualBox by
Software Used:
-use 3700 IOS as Router & DHCP
-use Ethernet switch to connect hosts
-use VirtualBox guest running on Ubuntu Linux server 12.04.2 LTS
1. Log in as root and install the dependencies: TCP wrappers and the compilation tools, e.g. gcc, bison, flex, make
If you’re not sure whether these packages are installed, you can use the command:
dpkg -s [packagename]
root@freelinux:~# dpkg -s gcc bison flex
Package `gcc' is not installed and no info is available.
Package `bison' is not installed and no info is available.
Package `flex' is not installed and no info is available.
To install:
root@freelinux:~# apt-get install gcc make flex \
bison libwrap0-dev
2. Download the tacacs+ package on It’s good to read additional information or changes on
Latest version as of this writing is tacacs+-F4.0.4.26
root@freelinux:~# wget \
3. Uncompress the tarball file
root@ubuntu:~# tar zxvf tacacs+-F4.0.4.26.tar.gz
4. Build
Check the INSTALL file first to see the installation guide
root@ubuntu:~/tacacs+-F4.0.4.26# less INSTALL
root@ubuntu:~/tacacs+-F4.0.4.26# ./configure
If you missed installing those dependencies, you will receive a message like this:
configure: error: Could not find libwrap. You must first install tcp_wrappers.
So to resolve this, install the necessary packages.
# apt-get install libwrap0-dev
Libraries have been installed in:
If you ever happen to want to link against installed libraries
in a given directory, LIBDIR, you must either use libtool, and
specify the full pathname of the library, or use the `-LLIBDIR'
flag during linking and do at least one of the following:
- add LIBDIR to the `LD_LIBRARY_PATH' environment variable
during execution
- add LIBDIR to the `LD_RUN_PATH' environment variable
during linking
- use the `-Wl,-rpath -Wl,LIBDIR' linker flag
- have your system administrator add LIBDIR to `/etc/'
See any operating system documentation about shared libraries for
more information, such as the ld(1) and manual pages.
1. After extracting the files, default directory would be /usr/local/bin/
root@ubuntu:~/tacacs+-F4.0.4.26# ls /usr/local/bin/tac*
/usr/local/bin/tac_plus /usr/local/bin/tac_pwd
2. Read the manual page for the following:
$man tac_plus
$man tac_pwd
So basically,
tac_plus – tacacs plus daemon
tac_pwd – generate DES or MD5 encryption of a password
3. Use tac_pwd to encrypt the clear-text passwords so that they are not stored in plain text in the config file
We want to use “password” as the login password for the username freelinux and “enablepass” to enter privileged mode
root@freelinux:/etc/tacacs# /usr/local/bin/tac_pwd
Password to be encrypted: password
root@freelinux:/etc/tacacs# /usr/local/bin/tac_pwd
Password to be encrypted: enablepass
4. Set up the config files
a. Create the tacacs directory under /etc
5. Create the tac_plus.conf file
tac_plus.conf setup:
i. set the key
#tacacs key
key = "tackey"
ii. set the user accounts
#user details
user = freelinux {
    default service = permit
    member = admingroup
    login = des VUjB99kC2IGws
}
iii. set the group details
#group details
# admin group
group = admingroup {
    default service = permit
    service = exec {
        priv-lvl = 15
    }
}
iv. set enable password
#Enable password setup for users:
user = $enable$ {
    login = des HD.Hw0OHKmO/c
}
Note: This is how it looks like, get it here
v. set the location of the accounting file
accounting file = /var/log/tacacs/tac_plus.log
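6. Change the permissions so that only root can read the config file, which holds the shared key and the password hashes
# chmod 600 /etc/tacacs/tac_plus.conf
Note: If along the way you encounter an error such as the one below, you need to create the necessary links using ldconfig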
tac_plus: error while loading shared libraries:
cannot open shared object file: No such file or directory
# vi /etc/
add /usr/local/lib under /etc/
7. Run the tacacs service
root@freelinux:/etc/tacacs# /etc/init.d/tac_plus start
Starting Tacacs+ server: tac_plus.
this tac_plus file,
#!/bin/sh
### BEGIN INIT INFO
# Provides: tac-plus
# Required-Start: $network
# Required-Stop:
# Default-Start: 2 3 4 5
# Default-Stop: S 0 1 6
# Short-Description: Start tac-plus server.
# Description: Run the tac-plus server listening for
#  AAA (access, accounting and authorization requests)
#  from routers or RAS (remote access servers) via
#  the tacacs+ protocol
### END INIT INFO

# Binary location and name as installed in the earlier steps
DAEMON=/usr/local/bin/tac_plus
NAME=tac_plus
DESC="Tacacs+ server"
OTHER_OPTS="-d 256" # Default, if no /etc/default/tac-plus available
CONFIG_FILE="/etc/tacacs/tac_plus.conf" # Default, if no /etc/default/tac-plus available

test -f $DAEMON || exit 0

# Optional overrides for OTHER_OPTS and CONFIG_FILE
if [ -r /etc/default/tac_plus ] ; then
    . /etc/default/tac_plus
fi

# -C selects the configuration file; OTHER_OPTS carries the debug level
DAEMON_OPTS="-C $CONFIG_FILE $OTHER_OPTS"

# Assumes the daemon writes its pid to /var/run/$NAME.pid
case "$1" in
  start)
    echo -n "Starting $DESC: "
    start-stop-daemon --start --quiet --pidfile /var/run/$NAME.pid --exec $DAEMON -- $DAEMON_OPTS
    echo "$NAME."
    ;;
  stop)
    echo -n "Stopping $DESC: "
    start-stop-daemon --stop --quiet --pidfile /var/run/$NAME.pid --exec $DAEMON
    echo "$NAME."
    ;;
  *)
    echo "Usage: $0 {start|stop}" >&2
    exit 1
    ;;
esac

exit 0
8. Check that the process is running and listening on TCP port 49
root@freelinux:/etc/tacacs# netstat -na | grep 49
tcp 0 0* LISTEN
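The checks below audit the tac_plus.conf built in steps 5 and 6: file mode, shared key length, password storage scheme, block braces and the accounting file line. This is an added example, not part of the original tutorial or the tac_plus project; the finding names and the 16-character key threshold are assumptions.

```python
import os
import re
import stat
# Constructed sample modelled on the tutorial's config; the last block lacks its "}".
SAMPLE_CONF = '''\
key = "tackey"
accounting file = /var/log/tacacs/tac_plus.log
user = freelinux {
    default service = permit
    member = admingroup
    login = des VUjB99kC2IGws
}
user = $enable$ {
    login = des HD.Hw0OHKmO/c
'''
MIN_KEY_LEN = 16  # assumed local policy, not a tac_plus requirement

def audit_conf_text(text):
    """Return sorted finding codes for the content of a tac_plus.conf."""
    findings = set()
    # Ignore full-line comments before looking at directives.
    body = "\n".join(l for l in text.splitlines() if not l.lstrip().startswith("#"))
    if body.count("{") != body.count("}"):
        findings.add("unbalanced-braces")
    key = re.search(r'^[ \t]*key[ \t]*=[ \t]*"?([^"\n]*)"?', body, re.M)
    if key is None:
        findings.add("no-shared-key")
    elif len(key.group(1)) < MIN_KEY_LEN:
        findings.add("short-shared-key")
    for scheme in re.findall(r'^[ \t]*login[ \t]*=[ \t]*(\w+)', body, re.M):
        if scheme == "cleartext":
            findings.add("cleartext-password")
        elif scheme == "des":
            # Traditional DES crypt uses only the first 8 password characters.
            findings.add("des-crypt-hash")
    if not re.search(r'^[ \t]*accounting file[ \t]*=', body, re.M):
        findings.add("no-accounting-file")
    return sorted(findings)

def audit_conf_file(path):
    """Audit content and file mode (the tutorial sets the file to 600)."""
    with open(path) as fh:
        findings = set(audit_conf_text(fh.read()))
    if stat.S_IMODE(os.stat(path).st_mode) & 0o077:
        findings.add("group-or-other-access")
    return sorted(findings)

if __name__ == "__main__":
    print(audit_conf_text(SAMPLE_CONF))
```

Run audit_conf_file("/etc/tacacs/tac_plus.conf") as root on the server to include the permission check from step 6.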
Sample Cisco configuration
Configuring Cisco:
Cisco#conf t
Cisco(config)#service password-encryption
Cisco(config)#tacacs-server host
Cisco(config)#tacacs-server directed-request
Cisco(config)#tacacs-server key tackey
Cisco(config)#aaa new-model
Cisco(config)#aaa authentication login default group tacacs+ local
Cisco(config)#aaa authentication enable default group tacacs+ enable
Cisco(config)#aaa authorization commands 1 default group tacacs+ local
Cisco(config)#aaa authorization commands 15 default group tacacs+ local
Cisco(config)#aaa accounting commands 0 default start-stop group tacacs+
Cisco(config)#aaa accounting commands 1 default start-stop group tacacs+
Cisco(config)#aaa accounting commands 7 default start-stop group tacacs+
Cisco(config)#aaa accounting commands 15 default start-stop group tacacs+
Cisco(config)#aaa accounting network 15 start-stop group tacacs+
Cisco(config)#aaa accounting connection 15 start-stop group tacacs+
I will not go deeper into client configuration, as it differs between devices and software from different vendors. What is shown here is just the basic TACACS+ configuration that is proven to work. Go and explore the more advanced TACACS+ configuration further. Enjoy!