---
title: "Method: TACACS+"
slug: "method-tacacs"
updated: 2026-05-14T12:10:11Z
published: 2026-05-14T12:10:11Z
---


# Method: TACACS+

## **Overview**

TACACS+ (Terminal Access Controller Access-Control System Plus) is a protocol that provides authentication, authorization, and accounting (AAA) services. The following diagram shows a Nodegrid Serial Console Plus (NSCP) and an Ubuntu server running a TACACS+ server.

![](https://cdn.document360.io/763c5fb1-b9af-4ccd-9ad6-cf28ae4cd5a3/Images/Documentation/tacacs.png)

| Step | Description |
| --- | --- |
| (1) and (4) | Endpoint accessing the Nodegrid device using HTTPS. |
| (2) and (3) | Nodegrid sends the login request to the TACACS+ server for authentication. The TACACS+ server evaluates the request, determines whether to grant access to the Nodegrid, and assigns the appropriate privilege level. |

An example TACACS+ configuration on the Ubuntu server is shown below:

```plaintext
# Shared secret; must match the secret configured on the Nodegrid device
key = test

accounting file = /var/log/tac.acct

group = nadmin {
    service = raccess {
        priv-lvl = 15
    }
}

# Referenced by "member = tadmin" below
group = tadmin {
    service = raccess {
        priv-lvl = 15
    }
}

group = read {
    service = raccess {
        priv-lvl = 1
    }
}

# group_name names the Nodegrid group this user is assigned to
user = nadmin {
    service = raccess {
        group_name = "admin"
    }
}

user = user1 {
    login = cleartext hello
    member = tadmin
}

user = user2 {
    login = cleartext user2
    member = read
}

user = guest {
    default service = permit
    login = des guE/.mlvd58eU
}
```

The three user groups defined are:

- nadmin, which will be assigned to the Nodegrid user group admin
- tadmin, with privilege 15 and user: user1
- read, with privilege 1 and user: user2

> [!NOTE]
> - Check the syntax of the TACACS+ configuration by using the command `sudo service tacacs_plus check`.
> - Check the status of the TACACS+ server by using the command `systemctl status tacacs_plus` (the status should be shown in green, in state "active").
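
To complement the syntax check, the following added example (not part of the original page and not a tac_plus or Nodegrid tool) is a small Python linter that reports a short shared key, cleartext or DES login entries, `default service = permit`, and `member` lines that name an undefined group. The sample configuration is constructed, and the 16-character minimum (`MIN_KEY_LEN`) is an assumed policy value.

```python
import re

# Constructed, trimmed sample modelled on the configuration above (not a real deployment).
SAMPLE = """\
key = test
group = read {
    service = raccess {
        priv-lvl = 1
    }
}
user = user1 {
    login = cleartext hello
    member = tadmin
}
user = guest {
    default service = permit
    login = des guE/.mlvd58eU
}
"""

MIN_KEY_LEN = 16  # assumed local policy threshold, not a tac_plus requirement


def lint_tac_plus(text):
    """Return a sorted list of (line_no, finding) for risky tac_plus settings."""
    findings, groups, members = [], set(), []
    for no, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()  # re.match anchors at the start, so '#' comments never match
        if m := re.match(r"key\s*=\s*(\S+)", line):
            if len(m.group(1).strip('"')) < MIN_KEY_LEN:
                findings.append((no, "shared key shorter than policy minimum"))
        elif m := re.match(r"group\s*=\s*([^\s{]+)", line):
            groups.add(m.group(1))
        elif m := re.match(r"member\s*=\s*(\S+)", line):
            members.append((no, m.group(1)))
        elif m := re.match(r"login\s*=\s*(cleartext|des)\b", line):
            findings.append((no, f"{m.group(1)} login credential in config"))
        elif re.match(r"default\s+service\s*=\s*permit", line):
            findings.append((no, "default service = permit"))
    # member lines that name a group with no matching "group =" block
    findings += [(no, f"member of undefined group '{g}'")
                 for no, g in members if g not in groups]
    return sorted(findings)


if __name__ == "__main__":
    for no, finding in lint_tac_plus(SAMPLE):
        print(f"line {no}: {finding}")
```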

## Nodegrid Configuration

### **Web UI:**

1. Log in to the Nodegrid Web UI.
2. Navigate to *Security :: Authentication :: Servers* and select the Method as **TACACS+**.
3. Enter **Accounting Server**.

> [!NOTE]
> The accounting server is optional. If no accounting server is available, the setting can be left blank.

![](https://cdn.document360.io/763c5fb1-b9af-4ccd-9ad6-cf28ae4cd5a3/Images/Documentation/tacacs(1).png)

> [!NOTE]
> The fields Remote Server and Accounting Server correspond to the IP address of the Ubuntu server. The Service, "raccess", has to match the TACACS+ server.

4. Select the **Authorize users authenticated with ssh public key** checkbox.
5. Enter **TACACS+ Port** (default: 49).
6. On the **Service** drop-down, select one (PPP, Shell, raccess) (default: raccess).
7. Enter and confirm the secret shared with the TACACS+ server.
8. Enter **Timeout** (default: 2).
9. Enter **Retries** (default: 2).
10. On the **TACACS+ Version** drop-down, select the appropriate TACACS+ Version.
11. Enter **Enforce Source IP** for AAA authentication (available in v5.8+).
12. Select the **Enable User-Level attribute of Shell and raccess services association to local authorization group** checkbox (this expands the dialog with 15 User Levels). As the dialog instructs, “Enter local authorization group name for each User Level.” ![](https://cdn.document360.io/763c5fb1-b9af-4ccd-9ad6-cf28ae4cd5a3/Images/Documentation/tacacs-user-level.png)

> [!NOTE]
> In this example:
>
> - the TACACS+ group "tadmin" (privilege 15) is mapped to the local Nodegrid admin group "admin".
> - the TACACS+ group "read" (privilege 1) is mapped to the local Nodegrid user group "Operator".

The user added to the TACACS+ server as user1 will be able to log in, as shown in the following figure.

![](https://cdn.document360.io/763c5fb1-b9af-4ccd-9ad6-cf28ae4cd5a3/Images/Documentation/user1.jpg)

### CLI Configuration

1. Log in as admin in the CLI and type the following commands:

```plaintext
[admin@nodegrid /]# add settings/authentication/servers/
[admin@nodegrid {servers}]# set fallback_if_denied_access=yes
[admin@nodegrid {servers}]# set method=tacacs+
[admin@nodegrid {servers}]# set remote_server=10.10.10.13
[admin@nodegrid {servers}]# set tacacs_plus_accounting_server=10.10.10.13
[admin@nodegrid {servers}]# set tacacs_plus_secret=secretkey
[admin@nodegrid {servers}]# set tacacs_plus_service=raccess
[admin@nodegrid {servers}]# set tacacs_plus_retries=2
[admin@nodegrid {servers}]# set tacacs_plus_timeout=2
[admin@nodegrid {servers}]# set tacacs_plus_version=v1
[admin@nodegrid {servers}]# set tacacs_plus_enable_user-level=yes
[admin@nodegrid {servers}]# set tacacs_plus_user_level_1=Operator
[admin@nodegrid {servers}]# set tacacs_plus_user_level_15=admin
```
2. Type the `show` command to confirm your configuration.

```plaintext
[admin@nodegrid {servers}]# show
```
3. Save the configuration.

```plaintext
[admin@nodegrid {servers}]# commit
```
4. Type the `set` command and press the Tab key twice to view all the available configuration options.

```plaintext
[admin@nodegrid {servers}]# set
```

The TACACS+ server is now added to Nodegrid.

> [!NOTE]
> - The default authentication service is raccess (can be changed as needed).
> - The default value for retries and timeout is 2 (can be changed as needed).
> - The default port is 49.

## Group level to be used in Nodegrid OS

In the Web UI and TACACS+, specify the group level to be used in the Nodegrid OS. You can configure your TACACS+ server to map two separate groups, each with the same privilege level, to two different groups on the Nodegrid OS.

1. Go to *Security :: Authentication :: Servers :: 1.*
2. Uncheck **Enable User-Level attribute of Shell and raccess services association to local authorization group**. ![](https://cdn.document360.io/763c5fb1-b9af-4ccd-9ad6-cf28ae4cd5a3/Images/Documentation/uncheck-user-level.png)
3. On the TACACS+ server, add the attribute group_name in the groups:
4. Go to *Security :: Authorization :: Network_Admin :: Remote Groups* and, in the Nodegrid groups, add these groups under Remote Group.
