Overview
TACACS+ and RADIUS are both AAA protocols, but they solve different problems. TACACS+ (TCP port 49) is designed for device administration — controlling who can log into routers, switches, and firewalls, what commands they can run, and recording a complete audit trail of every action. RADIUS (UDP 1812/1813) is designed for endpoint authentication — 802.1X wired/wireless access, VPN user login, and network access control.
Without centralized AAA, every network device maintains local user accounts. A team of ten engineers means ten sets of credentials on hundreds of devices. Password rotation becomes a manual crawl through every CLI session, terminated employees retain access until someone remembers to remove them, and there is no centralized audit trail to satisfy a compliance audit. A single Cisco ISE deployment eliminates all of that.
Cisco ISE supports both protocols simultaneously: TACACS+ for device administration and RADIUS for endpoint/user network access. The device admin license (separate from the base NAC license) is required to enable TACACS+ on ISE.
| Feature | TACACS+ | RADIUS |
|---|---|---|
| Transport | TCP port 49 | UDP 1812 (auth) / 1813 (acct) |
| Packet Encryption | Full packet body encrypted | Password field only |
| AAA Separation | Authentication, Authorization, Accounting fully separate | Authentication and Authorization combined |
| Command Authorization | Yes — per-command granular control | No native support |
| Primary Use Case | Network device administration (SSH/Telnet login) | Endpoint / user network access, VPN |
| Origin | Cisco proprietary (extended from original TACACS) | IETF RFC 2865 / RFC 2866 |
| Attribute Flexibility | Vendor-specific shell attributes | Extensive VSA ecosystem across vendors |
| Failover Behavior | TCP — fast failure detection on connection drop | UDP — relies on retransmit timers |
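As an added illustration of the "Packet Encryption" row (example code written for this page, not Cisco's or ISE's), the block below builds a TACACS+ header and an AUTHOR REQUEST body and applies the body obfuscation defined in RFC 8907 section 4.5: an MD5 pseudo-pad derived from the session id, the shared key, the version byte and the sequence number, XORed over the body. The same XOR decodes, and decoding with the wrong key yields an unparseable body, which is how a shared-key mismatch surfaces on the PSN. The session id, username, port and command values are constructed.

```python
# Added example: TACACS+ header layout and body obfuscation per RFC 8907 section 4.5.
# All values are constructed for illustration; this is not Cisco's or ISE's code.
import hashlib
import struct

TAC_PLUS_VERSION = (0xC << 4) | 0x0        # major 12, minor 0 -> version byte 0xC0
TAC_PLUS_AUTHEN, TAC_PLUS_AUTHOR, TAC_PLUS_ACCT = 0x01, 0x02, 0x03
TAC_PLUS_UNENCRYPTED_FLAG = 0x01           # body sent in clear; never set in production
TAC_PLUS_SINGLE_CONNECT_FLAG = 0x04        # IOS "single-connection": multiplex over one TCP session
HEADER_FMT = "!BBBBII"                     # version, type, seq_no, flags, session_id, length
HEADER_LEN = struct.calcsize(HEADER_FMT)   # 12 bytes


def pseudo_pad(session_id, key, version, seq_no, length):
    """MD5 chain seeded by session id, shared key, version and seq_no (RFC 8907 section 4.5)."""
    seed = struct.pack("!I", session_id) + key + bytes([version, seq_no])
    pad, prev = b"", b""
    while len(pad) < length:
        prev = hashlib.md5(seed + prev).digest()   # pad_n = MD5(seed + pad_{n-1}); pad_1 uses seed alone
        pad += prev
    return pad[:length]


def obfuscate(body, session_id, key, version, seq_no):
    """XOR with the pseudo-pad; XOR is its own inverse, so one function encodes and decodes."""
    pad = pseudo_pad(session_id, key, version, seq_no, len(body))
    return bytes(b ^ p for b, p in zip(body, pad))


def author_request_body(user, port, rem_addr, priv_lvl, args):
    """AUTHOR REQUEST body (RFC 8907 section 6.1): carries the cmd= and cmd-arg= pairs ISE evaluates."""
    ub, pb, rb = user.encode(), port.encode(), rem_addr.encode()
    ab = [a.encode() for a in args]
    # authen_method=TACACSPLUS (0x06), priv_lvl, authen_type=ASCII (0x01), authen_service=LOGIN (0x01)
    fixed = struct.pack("!8B", 0x06, priv_lvl, 0x01, 0x01, len(ub), len(pb), len(rb), len(ab))
    return fixed + bytes(len(a) for a in ab) + ub + pb + rb + b"".join(ab)


def build_packet(pkt_type, seq_no, session_id, body, key, single_connect=True):
    flags = TAC_PLUS_SINGLE_CONNECT_FLAG if single_connect else 0
    header = struct.pack(HEADER_FMT, TAC_PLUS_VERSION, pkt_type, seq_no, flags, session_id, len(body))
    return header + obfuscate(body, session_id, key, TAC_PLUS_VERSION, seq_no)


def parse_packet(raw, key):
    """Return (header fields, decoded body). With the wrong key the body decodes to garbage."""
    version, pkt_type, seq_no, flags, session_id, length = struct.unpack(HEADER_FMT, raw[:HEADER_LEN])
    body = raw[HEADER_LEN:HEADER_LEN + length]
    if not flags & TAC_PLUS_UNENCRYPTED_FLAG:
        body = obfuscate(body, session_id, key, version, seq_no)
    header = {"version": version, "type": pkt_type, "seq_no": seq_no, "flags": flags,
              "session_id": session_id, "length": length}
    return header, body


def demo():
    """Round-trip one authorization request: correct key restores the body, a wrong key does not."""
    key = b"SharedSecret-ISE-Primary-2026"   # the page's shared key, reused as a constructed value
    body = author_request_body("jsmith", "tty2", "10.20.30.40", 1,
                               ["service=shell", "cmd=show", "cmd-arg=running-config"])
    raw = build_packet(TAC_PLUS_AUTHOR, 1, 0x1234ABCD, body, key)
    header, with_right_key = parse_packet(raw, key)
    _, with_wrong_key = parse_packet(raw, b"WrongKey")
    return header, with_right_key == body, with_wrong_key == body


if __name__ == "__main__":
    print(demo())   # (header dict, True, False)
```

The pad is keyed only by MD5 and the shared secret, so the "full body encrypted" property is as strong as the secret's length and randomness; that is the reason to treat the TACACS+ key with the same care as any other long-lived credential.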
AAA Framework
AAA is a three-component security model. Each component is independent in TACACS+, which is one of its key architectural advantages over RADIUS for device administration.
Authentication — Who are you? The first gate. A user presents a username and password (or OTP token for MFA) when opening an SSH session to a router. ISE validates the credential against Active Directory, an internal identity store, or a token server. Authentication either succeeds — proceed to authorization — or fails, terminating the session and logging the event.
Authorization — What can you do? After successful authentication, ISE returns a shell profile defining the user's privilege level (1–15 on Cisco IOS). A helpdesk engineer might receive privilege 5 — enough to run show commands and verify connectivity. A network administrator receives privilege 15 — full configuration access. Command authorization takes this further: every command the user types is sent to ISE for per-command permit/deny evaluation before IOS executes it. This is the feature that RADIUS simply cannot replicate.
Accounting — What did you do?
Every exec session start/stop and every authorized command is logged to ISE with timestamp, username, source IP of the device, and the exact command string. This is the audit trail that satisfies PCI-DSS Requirement 10, SOX IT controls, and internal change management reviews. Without accounting, there is no record of who ran no ip route 0.0.0.0 at 2 AM on the core router.
Diagram 1 — TACACS+ AAA Request Flow
Cisco ISE TACACS+ Deployment Architecture
ISE is a distributed system with distinct node personas. Understanding the roles is critical for sizing and HA planning.
PAN — Policy Administration Node
The management plane. All configuration changes, policy edits, and GUI access happen here. Only one active PAN exists at a time; a secondary PAN can be promoted if the primary fails. Configuration changes replicate from PAN to all PSNs automatically.
MNT — Monitoring and Troubleshooting Node
Collects all RADIUS and TACACS+ accounting records. Hosts the Live Logs and reporting dashboards. Can be co-located with PAN on small deployments but should be separated in enterprise environments where log volume is high.
PSN — Policy Service Node
The data plane. PSNs process actual authentication and authorization requests at line rate. Multiple PSNs provide load distribution and geographic redundancy. Network devices always point to PSN IPs — never the PAN directly. PSNs are stateless; any PSN can handle any request.
For small deployments (under ~1,000 devices), all three personas run on a single physical or virtual appliance. Enterprise deployments separate the personas across dedicated hardware and deploy multiple PSNs per region for redundancy and latency reduction.
The Device Administration license must be activated separately from the base NAC license. Without it, ISE silently ignores all inbound TACACS+ connections — a common deployment gotcha.
Diagram 2 — ISE HA Deployment with Network Device Redundancy
Cisco IOS / IOS-XE AAA Configuration
The following sequence must be applied in order. The most important rule: create the local fallback account before enabling aaa new-model. The moment aaa new-model is entered, IOS no longer uses the login local line configuration — if no AAA authentication method is defined and ISE is unreachable, you are locked out.
! ═══════════════════════════════════════════════════════════════════════
! Step 0 — Create local fallback BEFORE enabling AAA (critical order!)
! ═══════════════════════════════════════════════════════════════════════
Router(config)# username netadmin privilege 15 secret Str0ngL0calPass!
! This account activates only when ISE is unreachable
! ═══════════════════════════════════════════════════════════════════════
! Step 1 — Enable AAA globally
! ═══════════════════════════════════════════════════════════════════════
Router(config)# aaa new-model
! ═══════════════════════════════════════════════════════════════════════
! Step 2 — Define ISE TACACS+ servers
! ═══════════════════════════════════════════════════════════════════════
Router(config)# tacacs server ISE-PRIMARY
Router(config-server-tacacs)# address ipv4 10.0.0.10
Router(config-server-tacacs)# key 0 SharedSecret-ISE-Primary-2026
Router(config-server-tacacs)# timeout 5
Router(config-server-tacacs)# single-connection
Router(config)# tacacs server ISE-SECONDARY
Router(config-server-tacacs)# address ipv4 10.0.0.11
Router(config-server-tacacs)# key 0 SharedSecret-ISE-Primary-2026
Router(config-server-tacacs)# timeout 5
Router(config-server-tacacs)# single-connection
! single-connection reuses one TCP session per server (more efficient)
! Use same shared key on ISE network device entry — must match exactly
! ═══════════════════════════════════════════════════════════════════════
! Step 3 — Create server group
! ═══════════════════════════════════════════════════════════════════════
Router(config)# aaa group server tacacs+ TACACS-GROUP
Router(config-sg-tacacs+)# server-name ISE-PRIMARY
Router(config-sg-tacacs+)# server-name ISE-SECONDARY
Router(config-sg-tacacs+)# ip tacacs source-interface Loopback0
! source-interface MUST match the IP configured in ISE network device entry
! Loopback0 is preferred — stable under interface flaps
! ═══════════════════════════════════════════════════════════════════════
! Step 4 — Authentication policy (fallback to local if ISE unreachable)
! ═══════════════════════════════════════════════════════════════════════
Router(config)# aaa authentication login default group TACACS-GROUP local
! "local" at end = use local accounts only if ALL ISE servers timeout
! Never use "none" — that allows login with no password if ISE is down
! ═══════════════════════════════════════════════════════════════════════
! Step 5 — Exec authorization (sets privilege level from ISE shell profile)
! ═══════════════════════════════════════════════════════════════════════
Router(config)# aaa authorization exec default group TACACS-GROUP local if-authenticated
! "if-authenticated" = if ISE is down but local auth succeeded, grant exec
! Without this, local fallback user gets no exec shell (locked out anyway)
! ═══════════════════════════════════════════════════════════════════════
! Step 6 — Command authorization (per-command ISE check)
! ═══════════════════════════════════════════════════════════════════════
Router(config)# aaa authorization commands 1 default group TACACS-GROUP local if-authenticated
Router(config)# aaa authorization commands 5 default group TACACS-GROUP local if-authenticated
Router(config)# aaa authorization commands 15 default group TACACS-GROUP local if-authenticated
! Every command typed triggers a TACACS+ Authorization request to ISE
! ISE evaluates Command Set — returns Permit or Deny before IOS executes
! ═══════════════════════════════════════════════════════════════════════
! Step 7 — Exec accounting (log session open/close)
! ═══════════════════════════════════════════════════════════════════════
Router(config)# aaa accounting exec default start-stop group TACACS-GROUP
! start-stop = record at session open AND close (duration, bytes)
! ═══════════════════════════════════════════════════════════════════════
! Step 8 — Command accounting (log every command with timestamp)
! ═══════════════════════════════════════════════════════════════════════
Router(config)# aaa accounting commands 1 default start-stop group TACACS-GROUP
Router(config)# aaa accounting commands 15 default start-stop group TACACS-GROUP
! This is what produces the full audit trail in ISE Live Logs
! ═══════════════════════════════════════════════════════════════════════
! Step 9 — Apply to VTY lines
! ═══════════════════════════════════════════════════════════════════════
Router(config)# line vty 0 15
Router(config-line)# login authentication default
Router(config-line)# authorization exec default
Router(config-line)# transport input ssh
Router(config-line)# exec-timeout 15 0
! transport input ssh — disable Telnet, SSH only
! exec-timeout 15 0 — auto-logout after 15 minutes idle
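A check a practitioner would want after the nine steps above: a script that audits a saved running-config excerpt for the end state those steps produce. This is an added example written for this page, not Cisco's code, and both config texts it runs over are constructed. It flags a missing local fallback account, a login method list that does not end in local or that contains none, missing command authorization or accounting at level 15, a missing TACACS+ source interface, and VTY lines that still accept Telnet or have the idle timeout disabled.

```python
# Added example: audit an IOS/IOS-XE running-config excerpt against the AAA rollout above.
# Constructed config text; not Cisco's code.
import re

# Lines the rollout must leave in the running-config (regex per finding name).
REQUIRED = {
    "AAA_NEW_MODEL": r"^aaa new-model$",
    "LOCAL_FALLBACK_USER": r"^username \S+ privilege 15 secret ",
    "LOGIN_FALLS_TO_LOCAL": r"^aaa authentication login default group \S+ local$",
    "EXEC_AUTHZ": r"^aaa authorization exec default group \S+ local",
    "CMD_AUTHZ_15": r"^aaa authorization commands 15 default group \S+",
    "EXEC_ACCT_START_STOP": r"^aaa accounting exec default start-stop group \S+",
    "CMD_ACCT_15": r"^aaa accounting commands 15 default start-stop group \S+",
    "TACACS_SOURCE_INTERFACE": r"^\s*ip tacacs source-interface \S+",
}


def vty_section(lines):
    """Indented lines under the first 'line vty' block of a running-config."""
    block, inside = [], False
    for line in lines:
        if line.startswith("line vty"):
            inside = True
            continue
        if inside and line.startswith(" "):
            block.append(line.strip())
        elif inside:
            break
    return block


def audit_aaa_config(config_text):
    """Return a list of finding codes; an empty list means the excerpt passes every check."""
    lines = [l.rstrip() for l in config_text.splitlines()]
    findings = []
    for name, pattern in REQUIRED.items():
        if not any(re.match(pattern, l) for l in lines):
            findings.append("MISSING:" + name)
    # "none" in a login or authorization list means password-less access whenever ISE is down
    if any(re.match(r"^aaa (authentication|authorization) .*\bnone\b", l) for l in lines):
        findings.append("NONE_METHOD_IN_LIST")
    vty = vty_section(lines)
    if not vty:
        findings.append("MISSING:VTY_SECTION")
        return findings
    if "transport input ssh" not in vty:
        findings.append("VTY_NOT_SSH_ONLY")
    # IOS hides the default 10-minute exec-timeout, so only an explicit "0 0" (disabled) is flagged
    for v in vty:
        parts = v.split()
        if parts[0] == "exec-timeout" and all(p == "0" for p in parts[1:]):
            findings.append("VTY_IDLE_TIMEOUT_DISABLED")
    return findings


# Constructed excerpt that matches the rollout above (secret hash redacted).
GOOD_CONFIG = """\
aaa new-model
!
aaa authentication login default group TACACS-GROUP local
aaa authorization exec default group TACACS-GROUP local if-authenticated
aaa authorization commands 1 default group TACACS-GROUP local if-authenticated
aaa authorization commands 15 default group TACACS-GROUP local if-authenticated
aaa accounting exec default start-stop group TACACS-GROUP
aaa accounting commands 1 default start-stop group TACACS-GROUP
aaa accounting commands 15 default start-stop group TACACS-GROUP
!
username netadmin privilege 15 secret 9 $9$REDACTED
!
aaa group server tacacs+ TACACS-GROUP
 server name ISE-PRIMARY
 server name ISE-SECONDARY
 ip tacacs source-interface Loopback0
!
line vty 0 15
 exec-timeout 15 0
 authorization exec default
 login authentication default
 transport input ssh
!
end
"""

# Constructed excerpt with the mistakes the text warns about.
BAD_CONFIG = """\
aaa new-model
aaa authentication login default group TACACS-GROUP none
aaa authorization exec default group TACACS-GROUP none
aaa accounting exec default start-stop group TACACS-GROUP
!
aaa group server tacacs+ TACACS-GROUP
 server name ISE-PRIMARY
!
line vty 0 4
 exec-timeout 0 0
 transport input telnet ssh
!
end
"""

if __name__ == "__main__":
    print("good:", audit_aaa_config(GOOD_CONFIG))
    print("bad:", audit_aaa_config(BAD_CONFIG))
```

The typing order the text insists on (local user before aaa new-model) cannot be verified from a saved config, where aaa new-model always prints first; the script instead checks that the end state contains the fallback account. Run it over a `show running-config | section aaa|username|line vty` capture from each device as part of a change review.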
NX-OS differences — Nexus platforms use slightly different syntax. NX-OS uses role-based access (network-admin, network-operator) rather than IOS privilege levels 1–15. ISE returns the NX-OS role via a cisco-av-pair attribute:
! ── NX-OS TACACS+ configuration ──────────────────────────────────────────────
N9K(config)# feature tacacs+
N9K(config)# tacacs-server host 10.0.0.10 key 0 SharedSecret-ISE-Primary-2026 timeout 5
N9K(config)# tacacs-server host 10.0.0.11 key 0 SharedSecret-ISE-Primary-2026 timeout 5
N9K(config)# aaa group server tacacs+ TACACS-GROUP
N9K(config-tacacs+)# server 10.0.0.10
N9K(config-tacacs+)# server 10.0.0.11
N9K(config-tacacs+)# source-interface mgmt0
N9K(config-tacacs+)# use-vrf management
! mgmt0 lives in the management VRF; without use-vrf the requests never leave the switch
N9K(config)# aaa authentication login default group TACACS-GROUP local
! NX-OS has no "aaa authorization exec": the role is applied from the shell:roles av-pair returned at login
N9K(config)# aaa authorization commands default group TACACS-GROUP local
! optional per-command authorization against ISE Command Sets, as on IOS
N9K(config)# aaa accounting default group TACACS-GROUP
! NX-OS has a single accounting method list; it records session start/stop and every command
!
! ISE Shell Profile for NX-OS — Custom Attributes tab:
! Attribute: cisco-av-pair
! Value: shell:roles="network-admin vdc-admin"
!
! For read-only NX-OS access:
! Value: shell:roles="network-operator"
Privilege Levels and Command Sets
Cisco IOS supports privilege levels 0–15. Level 1 is the default unprivileged (user EXEC) mode and level 15 is full privileged (enable) mode. Levels 2–14 are configurable. In a TACACS+ deployment, ISE returns the privilege level in the authorization response, and command sets define granular per-command access independent of privilege level.
| Privilege Level | Intended Role | Example Commands Permitted | ISE Command Set |
|---|---|---|---|
| 1 | Helpdesk / Read-only | show version, show interfaces, show ip interface brief, ping, exit | HelpDesk-Commands |
| 5 | NOC Engineer | All Priv1 + show running-config, show ip route, show log, show cdp neighbors, traceroute | NOC-Commands |
| 10 | Network Engineer | All Priv5 + clear counters, interface shutdown/no shutdown, debug ip packet, ip route add/remove | NetEng-Commands |
| 15 | Network Administrator | All commands — configure terminal, reload, write memory, copy run start, no commands | NetAdmin-Commands (Permit All) |
In ISE, Command Sets are configured under Work Centers → Device Administration → Policy Elements → Results → TACACS → Command Sets. Each entry is a line with: Command (exact match or regex prefix), Arguments (regex), and Action (Permit/Deny).
ISE Command Set: HelpDesk-Commands
Grants read-only access: show commands, ping, and basic navigation only. In each row, Command is the first word the user types (the cmd= attribute in the TACACS+ request) and Arguments is a regex matched against the rest of the line (cmd-arg=); a multi-word command such as clear counters is therefore entered as Command clear with Arguments counters.*.

| Command | Arguments | Action |
|---|---|---|
| show | .* | Permit |
| ping | .* | Permit |
| exit | .* | Permit |
| logout | .* | Permit |
| enable | .* | Deny (explicit deny for clarity) |
| configure | .* | Deny |

Permit Unmatched Commands = UNCHECKED (deny everything not listed above)

ISE Command Set: NOC-Commands

| Command | Arguments | Action |
|---|---|---|
| show | .* | Permit |
| ping | .* | Permit |
| traceroute | .* | Permit |
| clear | counters.* | Permit |
| clear | ip bgp .* soft | Permit |
| clear | arp-cache | Permit |
| configure | .* | Deny (config mode blocked) |
| reload | .* | Deny |
| write | .* | Deny |
| debug | .* | Deny (debug can impact CPU) |

ISE Command Set: NetAdmin-Commands
Permit Unmatched Commands = CHECKED (allow everything). No deny entries are needed: full administrative access, equivalent to privilege 15 with no command filtering.
ISE TACACS+ Policy Configuration — Step by Step
The ISE navigation path for device administration is entirely separate from the endpoint NAC configuration. Look for Work Centers → Device Administration in the top navigation bar — this section only appears when the Device Admin license is activated.
Step 1 — Network Device Groups
Organize managed devices into a logical hierarchy. The default groups are by device type (Router, Switch, Firewall) and by location. These groups become conditions in policy sets, allowing different authorization rules per device type. A helpdesk engineer may have read-only access to switches but no access to firewalls at all.
Path: Work Centers → Device Administration → Network Resources → Network Device Groups
Step 2 — Add Network Devices
Each managed device needs an entry with its IP address and shared TACACS+ key. This key must match exactly what is configured on the device (key 0 in IOS). Use the device type group to classify it.
Path: Work Centers → Device Administration → Network Resources → Network Devices → Add
Step 3 — Create TACACS+ Shell Profiles
Shell profiles define the privilege level and any custom AV-pairs returned after successful authorization.
Path: Work Centers → Device Administration → Policy Elements → Results → TACACS → TACACS Profiles
Each profile is named on the General tab; the privilege levels are set on the Common Tasks tab:

| Profile | Default Privilege | Maximum Privilege |
|---|---|---|
| NetAdmin-Profile | 15 | 15 |
| NOC-Profile | 5 | 5 |
| HelpDesk-Profile | 1 | 5 |

For NX-OS targets, the role is carried on the Custom Attributes tab instead of a privilege level:
cisco-av-pair = shell:roles="network-admin" (full admin)
cisco-av-pair = shell:roles="network-operator" (read-only)
Step 4 — Configure Policy Sets
A Policy Set is a named container with: an entry condition (matches this type of device/request), Authentication Rules (which identity source to query), and Authorization Rules (AD group → Shell Profile + Command Set).
| Policy Set Name | Entry Condition | AD Group Matched | Shell Profile | Command Set |
|---|---|---|---|---|
| All-Network-Devices | Device Type = Network Device | CN=Network-Admins,OU=Groups,DC=corp | NetAdmin-Profile | NetAdmin-Commands |
| All-Network-Devices | Device Type = Network Device | CN=NOC-Engineers,OU=Groups,DC=corp | NOC-Profile | NOC-Commands |
| All-Network-Devices | Device Type = Network Device | CN=HelpDesk,OU=Groups,DC=corp | HelpDesk-Profile | HelpDesk-Commands |
| Firewall-Devices | Device Type = Firewall | CN=FW-Admins,OU=Groups,DC=corp | NetAdmin-Profile | NetAdmin-Commands |
| Default | (catch-all) | Any / No match | — (deny) | — (deny all) |
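Added example (not ISE's code): a small model of how the Command Sets from the previous section and the authorization rules of the All-Network-Devices policy set above combine into a per-command decision. The rule tables are transcribed from this page; first-match ordering, anchored regex matching of the Arguments field, and Permit Unmatched Commands being unchecked for NOC-Commands are assumptions of this model rather than documented ISE behaviour.

```python
# Added example: model of ISE Command Set evaluation plus the AD-group -> profile/command-set
# mapping of the All-Network-Devices policy set. Not ISE's code; see the lead-in for assumptions.
import re
from dataclasses import dataclass, field


@dataclass(frozen=True)
class Rule:
    command: str     # first word of the command line (cmd=), exact case-insensitive match
    arguments: str   # regex over the remainder of the line (cmd-arg=), anchored (assumption)
    action: str      # "Permit" or "Deny"


@dataclass
class CommandSet:
    name: str
    rules: list = field(default_factory=list)
    permit_unmatched: bool = False   # the "Permit Unmatched Commands" checkbox

    def evaluate(self, cmdline):
        """Return (action, reason) for one command line; first matching rule wins (assumption)."""
        parts = cmdline.strip().split(None, 1)
        if not parts:
            return "Deny", "empty command"
        cmd, args = parts[0].lower(), (parts[1] if len(parts) > 1 else "")
        for rule in self.rules:
            if rule.command.lower() == cmd and re.fullmatch(rule.arguments, args):
                return rule.action, "rule '%s %s'" % (rule.command, rule.arguments)
        if self.permit_unmatched:
            return "Permit", "Permit Unmatched Commands is checked"
        return "Deny", "no rule matched and Permit Unmatched Commands is unchecked"


COMMAND_SETS = {
    "HelpDesk-Commands": CommandSet("HelpDesk-Commands", [
        Rule("show", ".*", "Permit"), Rule("ping", ".*", "Permit"),
        Rule("exit", ".*", "Permit"), Rule("logout", ".*", "Permit"),
        Rule("enable", ".*", "Deny"), Rule("configure", ".*", "Deny"),
    ]),
    "NOC-Commands": CommandSet("NOC-Commands", [
        Rule("show", ".*", "Permit"), Rule("ping", ".*", "Permit"),
        Rule("traceroute", ".*", "Permit"),
        Rule("clear", "counters.*", "Permit"),
        Rule("clear", "ip bgp .* soft", "Permit"),
        Rule("clear", "arp-cache", "Permit"),
        Rule("configure", ".*", "Deny"), Rule("reload", ".*", "Deny"),
        Rule("write", ".*", "Deny"), Rule("debug", ".*", "Deny"),
    ]),
    "NetAdmin-Commands": CommandSet("NetAdmin-Commands", permit_unmatched=True),
}

# Authorization rules of the All-Network-Devices policy set, top to bottom:
# AD group (CN only) -> (shell profile, command set). No match falls to the Default rule (deny).
AUTHZ_RULES = [
    ("Network-Admins", "NetAdmin-Profile", "NetAdmin-Commands"),
    ("NOC-Engineers", "NOC-Profile", "NOC-Commands"),
    ("HelpDesk", "HelpDesk-Profile", "HelpDesk-Commands"),
]


def authorize(ad_groups, cmdline):
    """Pick the first policy-set rule matching the user's AD groups, then evaluate the command."""
    for group, profile, cmdset in AUTHZ_RULES:
        if group in ad_groups:
            action, reason = COMMAND_SETS[cmdset].evaluate(cmdline)
            return {"profile": profile, "command_set": cmdset, "action": action, "reason": reason}
    return {"profile": None, "command_set": None, "action": "Deny",
            "reason": "Default rule: no AD group matched"}


if __name__ == "__main__":
    for groups, cmd in [({"HelpDesk"}, "show running-config"), ({"HelpDesk"}, "configure terminal"),
                        ({"NOC-Engineers"}, "clear ip bgp 10.0.0.1 soft"), ({"NOC-Engineers"}, "reload"),
                        ({"Network-Admins"}, "reload"), ({"Contractors"}, "show version")]:
        print(sorted(groups), repr(cmd), "->", authorize(groups, cmd))
```

Because the rules are ordered, a user in both Network-Admins and HelpDesk receives NetAdmin-Profile; keep the most privileged group highest only if that is the intended outcome of nested group membership. Feeding the model the same commands you later run through Execute Network Device Command in ISE is a cheap way to catch a regex that is looser than intended before the set goes live.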
Step 5 — Validate Before Enforcing
ISE includes a built-in test tool for checking policy decisions before commands are run on live devices:
Path: Work Centers → Device Administration → Troubleshoot → Execute Network Device Command
Enter a simulated username, device IP, and command. ISE processes it through the policy engine and returns the decision — Permit or Deny — with the exact rule that matched and the reason.
Accounting and Audit
TACACS+ accounting is what transforms ISE from an access gate into a compliance asset. The accounting records are stored on the ISE MNT node and are also forwardable to external SIEM systems.
What is logged in each accounting record:
| Record Type | Fields Captured |
|---|---|
| Session Start (Exec) | Timestamp, username, NAS IP (device), NAS port, source IP (engineer's workstation), terminal line |
| Session Stop (Exec) | All start fields + elapsed time, logout reason (user exit, timeout, admin disconnect) |
| Command (Priv 1) | Timestamp, username, NAS IP, exact command string, privilege level, permit/deny decision |
| Command (Priv 15) | Same as above — every configure terminal, interface change, routing update, write memory is captured |
Accessing logs: Navigate to Operations → TACACS → Live Logs. Filter by username, NAS IP (device), time range, or command text. Each record is expandable to show all attributes. The search is real-time against the MNT database.
SIEM forwarding
Path: Administration → System → Logging → Remote Logging Targets → Add
Configure the SIEM's syslog receiver IP, port (UDP 514 or TCP 6514 with TLS), and select the log categories to forward. The TACACS Accounting category produces the command records; TACACS Authentication produces login events.
PCI-DSS Requirement 10 compliance mapping:
| PCI-DSS Requirement | Requirement Text (abbreviated) | How TACACS+ Accounting Satisfies It |
|---|---|---|
| 10.2.1 | Log all individual user access to cardholder data system components | aaa accounting exec: every SSH session to in-scope devices is logged with username and timestamp |
| 10.2.2 | Log all actions taken by root/admin with elevated privileges | aaa accounting commands 15: every privilege-15 command is logged with the exact command string |
| 10.3 | Protect audit trails from modification and unauthorized access | ISE MNT is a separate node; forward to immutable SIEM storage. Admins cannot edit accounting records. |
| 10.5 | Retain audit log history for at least 12 months | Configure SIEM retention policy. ISE MNT storage is limited; SIEM is the long-term store. |
| 10.6 | Review logs of in-scope system components daily | SIEM alerting on anomalous commands (e.g., "reload," "no ip route") triggers automated review. |
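Added example of the automated review in the 10.6 row, written for this page (not ISE's export format or code): parse forwarded command-accounting records and raise alerts for high-risk commands and for privilege-15 changes made outside a change window. The record layout and every sample line are constructed; a real ISE syslog export carries the same fields (timestamp, username, NAS IP, privilege level, command string) in its own layout, so RECORD_RE is the one place to adapt.

```python
# Added example: detection logic over TACACS+ command-accounting records at the SIEM.
# Record format and sample lines are constructed for this example; not ISE's export format.
import re
from datetime import datetime, time

SAMPLE_RECORDS = """\
2026-03-02T09:12:04 user=jsmith nas=10.1.1.1 priv=1 cmd=show ip interface brief
2026-03-02T09:13:10 user=aroy nas=10.1.1.1 priv=15 cmd=configure terminal
2026-03-02T09:13:15 user=aroy nas=10.1.1.1 priv=15 cmd=interface GigabitEthernet0/1
2026-03-03T02:07:41 user=aroy nas=10.1.1.2 priv=15 cmd=no ip route 0.0.0.0 0.0.0.0 10.1.1.254
2026-03-03T02:08:02 user=aroy nas=10.1.1.2 priv=15 cmd=reload
2026-03-03T02:09:30 user=aroy nas=10.1.1.2 priv=15 cmd=show ip route
2026-03-03T11:20:00 user=tmoore nas=10.1.1.3 priv=15 cmd=username tmp-admin privilege 15 secret <redacted>
2026-03-03T11:21:05 user=tmoore nas=10.1.1.3 priv=15 cmd=no aaa new-model
"""

RECORD_RE = re.compile(
    r"^(?P<ts>\S+) user=(?P<user>\S+) nas=(?P<nas>\S+) priv=(?P<priv>\d+) cmd=(?P<cmd>.*)$")

# Command patterns that warrant review whenever they occur, in or out of hours.
HIGH_RISK = [
    ("RELOAD", re.compile(r"^reload\b")),
    ("DEFAULT_ROUTE_REMOVED", re.compile(r"^no ip route 0\.0\.0\.0\b")),
    ("LOCAL_PRIV15_ACCOUNT_CREATED", re.compile(r"^username \S+ privilege 15\b")),
    ("AAA_DISABLED", re.compile(r"^no aaa new-model\b")),
    ("CONFIG_ERASED", re.compile(r"^(write erase|erase startup-config)\b")),
]
CHANGE_WINDOW = (time(8, 0), time(18, 0))   # privilege-15 changes are expected inside this window


def parse_records(text):
    """Turn exported lines into dicts; lines that do not match the layout are skipped."""
    records = []
    for line in text.splitlines():
        m = RECORD_RE.match(line)
        if m:
            r = m.groupdict()
            r["ts"] = datetime.fromisoformat(r["ts"])
            r["priv"] = int(r["priv"])
            records.append(r)
    return records


def analyze(records):
    """Return one alert dict per (record, rule) hit; a record can raise more than one alert."""
    alerts = []
    for r in records:
        for name, pattern in HIGH_RISK:
            if pattern.search(r["cmd"]):
                alerts.append({"rule": name, **r})
        in_window = CHANGE_WINDOW[0] <= r["ts"].time() <= CHANGE_WINDOW[1]
        if r["priv"] == 15 and not in_window and not r["cmd"].startswith("show"):
            alerts.append({"rule": "AFTER_HOURS_PRIV15_CHANGE", **r})
    return alerts


def summarize(alerts):
    """Alert count per rule: the starting point for the daily review PCI-DSS 10.6 asks for."""
    counts = {}
    for a in alerts:
        counts[a["rule"]] = counts.get(a["rule"], 0) + 1
    return counts


if __name__ == "__main__":
    found = analyze(parse_records(SAMPLE_RECORDS))
    for a in found:
        print(a["ts"].isoformat(), a["rule"], a["user"], a["nas"], a["cmd"])
    print(summarize(found))
```

The after-hours rule deliberately ignores show commands so that a 2 AM investigation does not page anyone, while the configuration change that followed it does. Each alert carries the NAS IP and the exact command string from the record, which is what the reviewer needs to tie it back to a change ticket or open an incident.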
Troubleshooting
TACACS+ failures fall into four categories: connectivity, key mismatch, policy misconfiguration, and fallback-to-local edge cases. Work through them in that order.
Phase 1 — Verify TCP connectivity to ISE on port 49:
Router# telnet 10.0.0.10 49
! Trying 10.0.0.10, 49 ... Open → ISE is reachable, port is listening
! Connection refused → ISE up, but PSN persona not enabled
! Timeout (no response) → ACL blocking, route missing, ISE down
Router# show tacacs
! Server: 10.0.0.10/49 Opens: 47 Closes: 47 Aborts: 0 Errors: 0
! Failed Connects: 0 — good; if non-zero, TCP not reaching ISE
! Unexp Closes: 3 — ISE closing connection (key mismatch or policy)
! Requests sent: 94 — total auth/authz/acct exchanges
Phase 2 — Test authentication directly from the device:
Router# test aaa group TACACS-GROUP jsmith MyPassword123 new-code
! Attempting authentication test to server-group TACACS-GROUP using tacacs+
! User successfully authenticated → key OK, ISE policy matches, AD lookup OK
! User rejected → wrong password OR ISE policy denying
! No server available → connectivity or timeout issue
!
! After running this test, check ISE Operations → TACACS → Live Logs
! The test generates a real authentication event — failure reason is shown
Phase 3 — Enable debug for packet-level visibility:
Router# debug tacacs
Router# debug tacacs authentication
Router# debug tacacs authorization
Router# debug aaa authentication
Router# debug aaa authorization
Router# debug aaa accounting
!
! Key patterns to look for in debug output:
! TACACS+: Opening TCP/IP connection to 10.0.0.10/49 ← attempting connect
! TACACS+: Closing TCP/IP connection to 10.0.0.10/49 ← done or failed
! AAA/AUTHEN: status = PASS ← auth success
! AAA/AUTHEN: status = FAIL ← wrong creds or key
! AAA/AUTHOR: status = PASS_ADD ← command authorized
! AAA/AUTHOR: status = FAIL ← command set denying
!
Router# undebug all
! Always clear debug after testing — debug on production IOS impacts CPU
Common failure scenarios and resolution:
| Symptom | Root Cause | Resolution |
|---|---|---|
| Login rejected despite correct AD password | Shared key mismatch between device and ISE network device entry | Re-enter key: use `key 0` (plaintext) in IOS to verify exact string, then reconfigure ISE network device entry. Keys are case-sensitive and whitespace-sensitive. |
| Login succeeds but all commands denied | Command authorization failing — no command set matched or command set has no Permit entries | Check ISE Live Logs for the authorization failure reason. Verify the AD group is returning correctly (check shell profile assignment). Test with "Permit Unmatched Commands" enabled temporarily to isolate. |
| Falls through to local account on every login | ISE unreachable — source-interface IP not matching ISE device entry, or management VRF not configured | Verify `show tacacs` shows no failed connects. Check that Loopback0 IP is the IP entered in ISE. If management VRF: `ip vrf forwarding MGMT` on Loopback0 and add `vrf MGMT` to the tacacs group. |
| Intermittent authentication failures under load | single-connection mode causing issues when many sessions open rapidly | Remove `single-connection` from tacacs server config. Per-request connections are less efficient but more reliable under concurrent load. |
| Accounting records not appearing in ISE Live Logs | Accounting not configured, or ISE MNT node is down | Verify `aaa accounting` lines in running config. Check Operations → Troubleshoot → Diagnostic Tools → ISE Node Status in ISE GUI. |
| NX-OS login succeeds but no admin access | ISE not returning cisco-av-pair with NX-OS role | Add Custom Attribute to TACACS Profile: `cisco-av-pair = shell:roles="network-admin"`. Verify with `show user-account` on NX-OS after login. |
Summary
Deploying TACACS+ with Cisco ISE converts network device access from a distributed, unauditable collection of local accounts into a centrally-managed, policy-driven, fully-audited system. The critical design decisions are: correct server group with loopback source-interface for stability, graceful local fallback with a strong break-glass account, granular command sets mapped to AD groups, and accounting enabled for both exec sessions and commands at all privilege levels. The compliance dividend — a complete, searchable audit trail of every command run on every device, by every engineer — pays for the deployment many times over at the first PCI or SOX audit review.