Cisco Tacacs+ server configuration on Windows

In this post we will describe the configuration of TACACS+ server to run on windows environment. We will use Cisco’s original free TACACS+ server for windows with 4.0.4 version of tac_plus.

NOTE: None of the TACACS+ code available  for Windows here comes with any warranty or support.

The following step by step configuration is.

1. First download the Cisco Tacacs+ server for Windows from here

2. Unzip the contents of the file to a directory of your choice

Unzip the folder to C:tacacs.

3. Edit the tac.cfg configuration file or create a new one. To edit/create the configuration file use UNIX file friendly editor. NOTE: Use EditPlus for editing tac.cfg instead of notepad or WordPad.

For Tacacs+ server configuration assistance click here

Edit the tac.cfg file.

First we define the encryption key and it should same as what we configured on the Cisco routers and switches.

# Below Encryption key and key on Routers should be same.

# Encryption key

key = securepassword

b) we define the file name for accounting log. It will work if we configured AAA accounting on switches and routers.

# You will want to log access to a file. Set that file here

# Remember to rotate the log, it will grow over time.

# write accounting to:

accounting file = accounting.log

c) Third, we define how to configure the users and groups. We can create individual users, each user may belong to a group (Note: But only one group) and each group may belong to one other group.

In below sample file two users (Jack & Tom) and two groups (itadmin & itstaff) has been created as fallows

User jack is not a member of any group. Tom is a member of group itadmin and group itadmin turn a member of group itstaff.

user = Jack {

# User Jack is not a member of any group

# and has nothing else configured as yet


user = Tom {

# Tom is a member of group itadmin

member = itadmin


group = itadmin {

# group itadmin is a member of group itstaff

member = itstaff


group = itstaff {

# group itstaff is not a member of any group


d) Here we define how to configure passwords for groups and users. In above example user Jack is not a member of any group, Tom is member of group itadmin and group itadmin is member of group itstaff. Now we are using individual password jack123 for user Jack and file passwords.db for group. The file passwords.db contains passwords all users in the group itstaff and itadmin.

user = Jack {

# User Jack is not a member of any group

# Assign login password

login = des xSHT91D6AQvxQ


group = itstaff {

# group itadmin is a member of group itstaff

# group itstaff is not a member of any group

# group users use password database file for login

login = file passwords.db


Also in this section we define the privilege level and the commands that can be executed by the member of this group.Once you have edited tac.cfg file and create the user and group. Save it


4. Now we will generate the encrypted passwords for individual user and user in groups by using file generate_passwd.exe. We assigned the passwords jack123 for user Jack and password tom123 for user Tom. From the command prompt run generate_passwd.exe, enter normal password and we will get in encrypted format.

Tacacs+ Password Generate

Tacacs+ Password Generate








Now edit the password.db file. For the user tom copy and paste the encrypted password between : & :: like below.

Tom: IeKrLje1Ow2Vo:::::

5. We define how to run the tacacs+ server. Go to the command prompt and run as below.

C:tacacs>tac_plus.exe -C tac.cfg

6. To stop the tacacs + server, go to the Task Manager and click end process.

Filed Under: Tacacs+/Radius


About the Author:

RSSComments (0)

Trackback URL

Leave a Reply

If you want a picture to show with your comment, go get a Gravatar.