Skip to content
Network as Code

TACACS Server

Configures TACACS+ (Terminal Access Controller Access-Control System Plus) server settings for centralized authentication, authorization, and accounting (AAA). Supports global and per-host settings including timeout, holddown time, DSCP marking, encryption keys, and single connection mode.

Diagram

Section titled “Diagram”
Diagram

Classes

Section titled “Classes”

configuration (iosxr.devices)

Section titled “configuration (iosxr.devices)”
NameTypeConstraintMandatoryDefault Value
tacacs_serverClass[tacacs_server]No

tacacs_server (iosxr.devices.configuration)

Section titled “tacacs_server (iosxr.devices.configuration)”
NameTypeConstraintMandatoryDefault Value
holddown_timeIntegermin: 0, max: 1200No
hostsList[hosts]No
ipv4_dscpStringNo
ipv6_dscpStringNo
key_type_6StringNo
key_type_7StringNo
timeoutIntegermin: 1, max: 1000No

hosts (iosxr.devices.configuration.tacacs_server)

Section titled “hosts (iosxr.devices.configuration.tacacs_server)”
NameTypeConstraintMandatoryDefault Value
addressStringYes
holddown_timeIntegermin: 0, max: 1200No
key_type_6StringNo
key_type_7StringNo
portIntegermin: 1, max: 65535No
single_connectionBooleantrue, falseNo
single_connection_idle_timeoutIntegermin: 500, max: 7200No
timeoutIntegermin: 1, max: 1000No

Sample Configuration:

Section titled “Sample Configuration:”
tacacs-server host 9.0.1.68 port 49
 key 7 0235347225301B204F4F0A0A
 timeout 10
 holddown-time 300
 single-connection
 idle-timeout 1000
!
tacacs-server key 7 0235347225301B204F4F0A0A
tacacs-server timeout 5
tacacs-server holddown-time 600
tacacs-server ipv4 dscp cs6
tacacs-server ipv6 dscp cs7

Example YAML Code:

Section titled “Example YAML Code:”

Example-1: Configure basic TACACS server with global settings.

iosxr:
  devices:
    - name: router-1
      host: 10.10.10.1:57400
      configuration:
        tacacs_server:
          key_type_7: "0235347225301B204F4F0A0A"
          timeout: 5
          holddown_time: 600
          ipv4_dscp: "cs6"

Example-2: Configure TACACS server with multiple hosts.

iosxr:
  devices:
    - name: router-1
      host: 10.10.10.1:57400
      configuration:
        tacacs_server:
          key_type_7: "0235347225301B204F4F0A0A"
          timeout: 5
          hosts:
            - address: "9.0.1.68"
              port: 49
              timeout: 10
            - address: "9.0.1.69"
              port: 49
              timeout: 15

Example-3: Configure TACACS server with single connection mode.

iosxr:
  devices:
    - name: router-1
      host: 10.10.10.1:57400
      configuration:
        tacacs_server:
          timeout: 5
          hosts:
            - address: "9.0.1.68"
              port: 49
              key_type_7: "0235347225301B204F4F0A0A"
              single_connection: true
              single_connection_idle_timeout: 1000