Command tacacs-server directed-request

Created by Deepak Sharma in Articles 17 Dec 2023
I find that people are often confused by the command “tacacs-server directed-request” on Cisco IOS routers. Let's start with a brief introduction to TACACS.

What is TACACS?

TACACS (Terminal Access Controller Access-Control System) is a network authentication protocol that is used to provide centralized authentication, authorization, and accounting (AAA) services for network devices.

A TACACS server runs the TACACS+ protocol, which follows the AAA model: it authenticates, authorizes, and accounts for every user who tries to access a network device such as a router, switch, or firewall. The TACACS server holds a database of user information; when a user tries to access a network device, the server verifies the user's credentials (username and password) and grants or denies access based on the user's authorization level.

TACACS+ is an enhanced version of TACACS that provides more security features, such as encryption and improved authentication. TACACS+ is widely used in enterprise networks to provide centralized AAA services, enabling administrators to manage and monitor access to network devices from a single location.

Configure TACACS Server IPs

Now let's look at how the command “tacacs-server directed-request” behaves. Suppose we have two TACACS servers configured on a router (there may be more in the configuration order list):

tacacs-server host 10.0.0.1
tacacs-server host 172.16.0.1

The router will use the IP address that appears first in the configuration. In this case it will use 10.0.0.1: the router creates a session with that TACACS server and the user is authenticated. If the first TACACS IP is not reachable, the router will use the next TACACS IP in the configuration order list for authentication.

The use case of the command “tacacs-server directed-request” is that it allows a user to specify a particular TACACS IP address for authentication instead of using the first TACACS IP address in the configuration order list. This applies to authorization and accounting as well as authentication.

Now suppose we also have the “tacacs-server directed-request” command configured along with the two TACACS servers, where one is the company's TACACS server and the other is managed by its service provider.

Configure "tacacs-server directed-request" Command

tacacs-server directed-request
tacacs-server host 10.0.0.1
tacacs-server host 172.16.0.1

Login Using Service Provider TACACS

In this case company users will be able to log in as usual, but the service provider needs to log in to the device as:

[Service_Provider_Machine]$ telnet router_ip
Username: xyz@172.16.0.1    // xyz is the username for authentication with the TACACS server 172.16.0.1
Password:
Router>
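To make the two behaviours concrete, here is a small model of the server selection described above: without directed-request the router walks the configured list in order and fails over to the next server when one is unreachable; with directed-request a login of the form user@host goes only to the named server. This is an added example, not code from the article or from Cisco; the server IPs are the article's, while the handling of a directed request that names an unconfigured or unreachable server is an assumption stated in the comments.

```python
# Added example (not from the article or Cisco): a small model of how an IOS
# router chooses a TACACS+ server for a login, with and without
# "tacacs-server directed-request". Server IPs are the article's; the
# handling of an unknown or unreachable directed server is an assumption
# stated in the comments, not behaviour taken from the page.
from dataclasses import dataclass
from typing import Optional


@dataclass
class TacacsConfig:
    # Servers in the order of the "tacacs-server host" lines, which is the
    # order the router tries them in.
    servers: list
    directed_request: bool = False


def parse_login_name(login: str) -> tuple:
    """Split 'user@host' into (user, host); host is None if no '@' is present.
    rpartition keeps any '@' that is part of the username itself intact."""
    user, sep, host = login.rpartition("@")
    if not sep:
        return login, None
    return user, host


def candidate_servers(cfg: TacacsConfig, login: str) -> tuple:
    """Return (servers to try, in order; username that is sent to the server)."""
    user, host = parse_login_name(login)
    if not cfg.directed_request or host is None:
        # Without directed-request the '@host' suffix has no meaning: the whole
        # string is the username and servers are tried in configuration order.
        return list(cfg.servers), login
    if host not in cfg.servers:
        # Assumption: a directed request naming a server that is not in the
        # configured list is refused outright rather than quietly redirected.
        return [], user
    # Directed request: only the named server is used and the suffix is
    # stripped, so 172.16.0.1 sees a login for "xyz", not "xyz@172.16.0.1".
    return [host], user


def pick_server(cfg: TacacsConfig, login: str, reachable: set) -> Optional[tuple]:
    """Walk the candidate list and return (server, username) for the first
    reachable server, or None if every candidate is unreachable or refused.
    Assumption: a directed login does not fall back to the other servers."""
    servers, user = candidate_servers(cfg, login)
    for server in servers:
        if server in reachable:
            return server, user
    return None


if __name__ == "__main__":
    plain = TacacsConfig(["10.0.0.1", "172.16.0.1"])
    directed = TacacsConfig(["10.0.0.1", "172.16.0.1"], directed_request=True)
    # Constructed scenario: only the provider's server is reachable right now.
    up = {"172.16.0.1"}
    print(pick_server(plain, "alice", up))              # ('172.16.0.1', 'alice')
    print(pick_server(directed, "xyz@172.16.0.1", up))  # ('172.16.0.1', 'xyz')
    print(pick_server(directed, "xyz@192.0.2.9", up))   # None
```

The point to take from the model is that once directed-request is enabled, the person logging in, not the administrator, decides which of the configured servers authenticates the session. Every server in the list therefore has to be trusted to the same degree, and the list itself is the only thing limiting where a directed request can go.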

I hope this helps you understand the command “tacacs-server directed-request” on Cisco routers.


Deepak Sharma, CCIE#37340
