
System Management · Version 26.2

TACACS+ Server

Display and configure the external TACACS+ authentication server, service attributes, and default local group mapping.

UI Path: System Settings > TACACS+ Server
ID: config_system_auth_tacacs

Workflow
  1. Open System Settings and choose TACACS+ Server.
  2. Review the TACACS+ server address, port, shared key, service, group attribute, and default user group.
  3. Enter optional one-time test credentials when validating the server settings.
  4. Apply the workflow and verify the result with show system auth tacacs.

Overview

Use TACACS+ Server to configure an external TACACS+ authentication server for user sign-in. The TACACS+ settings define the server address, authentication port, shared key, requested service, group attribute, and local user group fallback.

The same settings are available from the CLI through:

config system auth tacacs
show system auth tacacs

Typical Uses

Use this topic when the appliance should authenticate users through TACACS+ and then map them into local authorization groups.

Typical examples:

Show TACACS+ settings: show system auth tacacs
Display from config:   config system auth tacacs
Enable TACACS+:
  config system auth tacacs enable true name corp_tacacs ip 10.0.0.40 port 49 key tacacs_secret service visibility_service gid_attr groupid default_group administrator
Disable TACACS+:
  config system auth tacacs enable false

Prerequisites

  • Confirm that you have administrator permission to change authentication settings.
  • Record the current settings with show system auth tacacs.
  • Confirm the TACACS+ server address, port, shared key, requested service, and group attribute name.
  • Create or verify the local default user group before assigning it.
  • Keep at least one local administrator account available in case the external server is unreachable.
  • Treat the TACACS+ shared key and test password as sensitive.
  • Use quotes for values that contain spaces.

Workflow

  1. Open System Settings.
  2. Choose TACACS+ Server.
  3. Review Enable TACACS+ Authorization, server connection settings, shared key, service, group attribute, and default group mapping.
  4. Enter optional one-time test credentials when needed.
  5. Apply the workflow.
  6. Verify the saved settings in the web view or with show system auth tacacs.

Expected Behavior

The workflow displays the current TACACS+ settings and applies the selected changes to the saved authentication configuration.

When Enable TACACS+ Authorization is disabled, the configuration is retained but the server is not used for authentication. When enabled, TACACS+ authentication depends on the configured server being reachable and accepting the shared key.

Username for Test and Password for Test User are one-time workflow inputs. They are cleared after the workflow completes and are not saved in the TACACS+ configuration.

In The Web UI

Review TACACS+ Settings

  1. Open System Settings.
  2. Choose TACACS+ Server.
  3. Review server name, IP address, port, shared key, service, group attribute, and default user group.
  4. Apply no changes if you only need to inspect the current settings.

Configure TACACS+ Authentication

  1. Set Enable TACACS+ Authorization.
  2. Enter Server Name.
  3. Enter Server IP Address.
  4. Set TACACS+ Auth. Service Port.
  5. Enter Key to TACACS+ Server.
  6. Set Service.
  7. Set Attr. Name for User Group ID.
  8. Select Default User Group.
  9. Enter optional one-time test credentials.
  10. Apply the workflow.

Check From The CLI

Use either command below to display the current TACACS+ settings:

config system auth tacacs
show system auth tacacs

The config form without additional fields is display-only. It does not modify the configuration.

CLI Help Reference

Display the TACACS+ fields:

config system auth tacacs ?

Expected fields:

<Enter>       - Display current settings
enable        - Enable to use TACACS+ server to authenticate user
name          - Server name
ip            - Server IP address
port          - TACACS+ authentication service port
key           - Key used to communicate to TACACS+ Service
service       - Requested Service
gid_attr      - Attribute name for User Group ID
default_group - Default user group name if Group ID is not found
test_username - Username for testing, one time usage only, not saved
test_password - Password for the test user

Change From The CLI

Enable TACACS+ with a shared key and default group:

config system auth tacacs enable true name corp_tacacs ip 10.0.0.40 port 49 key tacacs_secret service visibility_service gid_attr groupid default_group administrator

Change only the group attribute:

config system auth tacacs gid_attr groupid

Disable TACACS+ authentication while retaining the saved server settings:

config system auth tacacs enable false

Field Reference

CLI Field     | UI Field                         | Type Or Values            | Notes
--------------|----------------------------------|---------------------------|------
enable        | Enable TACACS+ Authorization     | Boolean                   | Enables or disables TACACS+ authentication.
name          | Server Name                      | String                    | Operator-facing name for the TACACS+ server.
ip            | Server IP Address                | IP address or host string | TACACS+ server address.
port          | TACACS+ Auth. Service Port       | Integer from 1 to 65536   | Common TACACS+ authentication port is 49.
key           | Key to TACACS+ Server            | String                    | Shared secret used with the TACACS+ server.
service       | Service                          | String                    | Requested TACACS+ service value.
gid_attr      | Attr. Name for User Group ID     | String                    | TACACS+ attribute used to map users to groups.
default_group | Default User Group               | Existing local user group | Local authorization group used when group mapping is absent.
test_username | Username for Test (Empty to skip) | String                   | One-time workflow input; not saved.
test_password | Password for Test User           | Password string           | One-time workflow input; not saved.

Confirmation And Rollback

Applying the workflow saves the TACACS+ configuration. To roll back, reapply the previous values recorded from show system auth tacacs.

If TACACS+ authentication prevents expected sign-in, use a local administrator account and disable TACACS+ with:

config system auth tacacs enable false

Notes

  • TACACS+ authentication controls identity verification. Local user groups still control authorization.
  • protocol and test_group are backend or workflow-only fields and are intentionally hidden from CLI help.
  • Test credentials are one-time values and are cleared after the workflow.
  • Keep the shared key out of logs, support tickets, and shared terminal output.
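
The Python sketch below is an added example, not part of the product or its documentation. It parses a config system auth tacacs command line using the field names from the CLI help above, masks key and test_password so the line can be pasted into a ticket or log, and flags settings to re-check before applying. The privileged-group list, the finding texts, and the function names are assumptions.

```python
import shlex

PREFIX = ["config", "system", "auth", "tacacs"]
# Field names from the page's CLI help reference.
FIELDS = {"enable", "name", "ip", "port", "key", "service", "gid_attr",
          "default_group", "test_username", "test_password"}
SENSITIVE = {"key", "test_password"}
DOC_EXAMPLE_KEY = "tacacs_secret"      # sample key used in this page's examples
PRIVILEGED_GROUPS = {"administrator"}  # assumption: adjust to your local groups

def parse(line):
    """Split the command into {field: value}; errors never echo tokens."""
    tokens = shlex.split(line)  # honours quotes around values with spaces
    if tokens[:4] != PREFIX:
        raise ValueError("not a 'config system auth tacacs' command")
    args = tokens[4:]
    if len(args) % 2:
        raise ValueError("odd token count: a field is missing its value")
    fields = dict(zip(args[0::2], args[1::2]))
    if set(fields) - FIELDS:
        raise ValueError("unknown field name present")
    return fields

def redact(line):
    """Rebuild the command with key and test_password masked."""
    parts = list(PREFIX)
    for name, value in parse(line).items():
        if name in SENSITIVE:
            value = "<redacted>"
        elif " " in value:
            value = '"%s"' % value  # re-quote values that contain spaces
        parts += [name, value]
    return " ".join(parts)

def review(line):
    """Return findings to resolve before the command is applied."""
    f, findings = parse(line), []
    if f.get("key") == DOC_EXAMPLE_KEY:
        findings.append("key is the documentation sample value")
    if f.get("default_group") in PRIVILEGED_GROUPS:
        findings.append("users with no gid_attr value fall back to a privileged group")
    if "test_password" in f:
        findings.append("test_password typed on the command line; clear shared output")
    return findings

if __name__ == "__main__":
    cmd = ("config system auth tacacs enable true name corp_tacacs ip 10.0.0.40 "
           "port 49 key tacacs_secret default_group administrator")
    print(redact(cmd))
    print(review(cmd))
```

Run redact on any command before it goes into a change record; review only inspects the fields present on that one line, not the saved configuration.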

Troubleshooting

TACACS+ Users Cannot Sign In

Verify enable, ip, port, key, and service. Confirm the appliance can reach the TACACS+ server and that the shared key matches the server configuration.

Users Sign In But Have The Wrong Access

Review gid_attr and Default User Group. Confirm the TACACS+ server returns the expected group attribute and that the target local user group has the intended workflow access.

The TACACS+ Command Is Not Listed

Use config system auth ? and look for tacacs. The command path is config system auth tacacs.

  • Use User Groups to configure authorization for TACACS+ users.
  • Use User Management to keep a local administrator account available.
  • Use Password and Login Rules for local password and login lockout policy.