TACACS+

Terminal Access Controller Access-Control System Plus (TACACS+) is an authentication protocol that

  • allows a remote access server to forward a user's login password to an authentication server, which determines whether access to a given system is allowed, and
  • provides authorization and accounting services.

For more information, refer to the sections that cover configuring TACACS+ on SONiC at https://github.com/sonic-net/sonic-utilities/blob/master/doc/Command-Reference.md#aaa--tacacs.

Show current TACACS+ Settings

This command shows the current global settings for TACACS+.

admin@sonic:~$ show tacacs 
TACPLUS global auth_type pap (default)
TACPLUS global timeout 5 (default)
TACPLUS global passkey <EMPTY_STRING> (default)

Add TACACS+ Server

Use the config tacacs add command to add a new TACACS+ server on the router.

admin@sonic:~$ sudo config tacacs add -h
Usage: config tacacs add [OPTIONS] <ip_address>

  Specify a TACACS+ server

Options:
  -t, --timeout INTEGER           Transmission timeout interval, default 5
  -k, --key TEXT                  Shared secret
  -a, --auth_type [chap|pap|mschap|login]
                                  Authentication type, default pap
  -o, --port INTEGER RANGE        TCP port range is 1 to 65535, default 49
  -p, --pri INTEGER RANGE         Priority, default 1
  -m, --use-mgmt-vrf              Management vrf, default is no vrf
  -?, -h, --help                  Show this message and exit.

Delete TACACS+ server

Use the config tacacs delete command to delete a previously configured TACACS+ server.

Usage:

admin@sonic:~$ sudo config tacacs delete -h
Usage: config tacacs delete [OPTIONS] <ip_address>

  Delete a TACACS+ server

Options:
  -?, -h, --help  Show this message and exit.

Modify global TACACS+ settings

Use the config tacacs authtype command to modify the global authtype.

admin@sonic:~$ sudo config tacacs authtype -h
Usage: config tacacs authtype [OPTIONS] <type>

  Specify TACACS+ server global auth_type [chap | pap | mschap | login]

Options:
  -h, -?, --help  Show this message and exit.

Use the config tacacs passkey command to modify the global passkey.

admin@sonic:~$ sudo config tacacs passkey -h
Usage: config tacacs passkey [OPTIONS] <secret_string>

  Specify TACACS+ server global passkey <STRING>

Options:
  -h, -?, --help  Show this message and exit.

Use the config tacacs timeout command to modify the global timeout.

admin@sonic:~$ sudo config tacacs timeout -h
Usage: config tacacs timeout [OPTIONS] <time_second>

  Specify TACACS+ server global timeout <0 - 60>

Options:
  -h, -?, --help  Show this message and exit.

Use the config tacacs default command to reset the global value for authtype/passkey/timeout to the default value.

admin@sonic:~$ config tacacs default (authtype | passkey | timeout)
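A small audit script that parses the `show tacacs` output shown above and flags global settings that should not be left at their defaults before TACACS+ login is relied on. This is an added example, not code from sonic-utilities; the sample output is constructed from the format on this page, and the value ranges it checks (auth types chap/pap/mschap/login, timeout 0-60) are the ones documented for the config tacacs commands.

```python
import re

# Constructed sample in the `show tacacs` output format shown on this page
# (not captured from a live switch).
SAMPLE_SHOW_TACACS = """\
TACPLUS global auth_type pap (default)
TACPLUS global timeout 5 (default)
TACPLUS global passkey <EMPTY_STRING> (default)
"""

# "TACPLUS global <setting> <value>" with an optional trailing "(default)" marker
LINE_RE = re.compile(r"^TACPLUS global (\S+) (.+?)(?: \((default)\))?$")

VALID_AUTH_TYPES = ("chap", "pap", "mschap", "login")  # from `config tacacs authtype`
TIMEOUT_RANGE = (0, 60)                                 # from `config tacacs timeout`


def parse_show_tacacs(text):
    """Map each global setting to (value, is_default) from `show tacacs` output."""
    settings = {}
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            name, value, default = m.groups()
            settings[name] = (value, default is not None)
    return settings


def audit_tacacs(settings):
    """Return findings a reviewer would raise before relying on TACACS+ for login."""
    findings = []
    passkey, _ = settings.get("passkey", ("<EMPTY_STRING>", True))
    if passkey == "<EMPTY_STRING>":
        findings.append("passkey: no global shared secret; set one with "
                        "'config tacacs passkey' or per server with 'config tacacs add -k'")
    timeout, _ = settings.get("timeout", ("5", True))
    lo, hi = TIMEOUT_RANGE
    if not timeout.isdigit() or not lo <= int(timeout) <= hi:
        findings.append(f"timeout: '{timeout}' is outside the documented range {lo}-{hi}")
    auth_type, is_default = settings.get("auth_type", ("pap", True))
    if auth_type not in VALID_AUTH_TYPES:
        findings.append(f"auth_type: '{auth_type}' is not one of {VALID_AUTH_TYPES}")
    elif is_default:
        findings.append("auth_type: still at the default (pap); confirm it matches the server")
    return findings


if __name__ == "__main__":
    for finding in audit_tacacs(parse_show_tacacs(SAMPLE_SHOW_TACACS)):
        print("FINDING", finding)
```

On a switch, feed it `show tacacs` output directly (for example via `show tacacs | python3 audit.py` with a stdin reader added) and treat any passkey finding as blocking.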