Configuring TACACS+ Authentication on Cisco Viptela vEdge/cEdge devices

Today I am going to talk about TACACS+ authentication as configured on Cisco Viptela vEdge/cEdge devices. In an earlier article we covered RADIUS authentication on vEdges/cEdges.

Configure TACACS+ Authentication
When configuring a TACACS+ server, we need to supply parameters such as its IP address and a shared password, or key. The key can be specified either as a clear-text string up to 32 characters long or as an AES 128-bit encrypted key.


Fig 1.1- TACACS Authentication on vManage

The local device passes the key to the TACACS+ server. The password must match the one used on the server. To configure more than one TACACS+ server, include the server and secret-key commands for each server.

By default, the Viptela device uses port 49 to connect to the TACACS+ server. To change this, use the auth-port command. If the TACACS+ server is reachable via a specific interface, configure that interface with the source-interface command.

If the TACACS+ server is located in a different VPN from the Viptela device, configure the server's VPN number so that the Viptela device can locate it. If you configure multiple TACACS+ servers, they must all be in the same VPN.

vEdge_NDNA(config)# system tacacs
vEdge_NDNA(config-tacacs)# server ip-address
vEdge_NDNA(config-server)# secret-key password
vEdge_NDNA(config-server)# priority number
vEdge_NDNA(config-server)# auth-port port-number
vEdge_NDNA(config-server)# source-interface interface-name
vEdge_NDNA(config-server)# vpn vpn-id

By default, PAP is used as the password authentication type for all TACACS+ servers. To change the authentication type to ASCII:

vEdge_NDNA(config-tacacs)# authentication ascii

When waiting for a reply from the TACACS+ server, a Viptela device waits 5 seconds before retransmitting its request. To change this time interval, use the timeout command, setting a value from 1 to 1000 seconds:

vEdge_NDNA(config-tacacs)# timeout seconds
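Putting the commands above together with concrete values (an added example, not from the original article): two TACACS+ servers, both in the management VPN 512 and reached through the same source interface, the second one listening on a non-default port, with ASCII authentication and a 10-second timeout. The server addresses, shared key, interface name eth0 and port 4949 are invented for illustration.

```text
vEdge_NDNA# config
vEdge_NDNA(config)# system tacacs
vEdge_NDNA(config-tacacs)# server 10.10.1.50
vEdge_NDNA(config-server)# secret-key T4c4cs-Lab-Key-01
vEdge_NDNA(config-server)# priority 0
vEdge_NDNA(config-server)# source-interface eth0
vEdge_NDNA(config-server)# vpn 512
vEdge_NDNA(config-server)# exit
vEdge_NDNA(config-tacacs)# server 10.10.1.51
vEdge_NDNA(config-server)# secret-key T4c4cs-Lab-Key-01
vEdge_NDNA(config-server)# priority 1
vEdge_NDNA(config-server)# auth-port 4949
vEdge_NDNA(config-server)# source-interface eth0
vEdge_NDNA(config-server)# vpn 512
vEdge_NDNA(config-server)# exit
vEdge_NDNA(config-tacacs)# authentication ascii
vEdge_NDNA(config-tacacs)# timeout 10
vEdge_NDNA(config-tacacs)# commit and-quit
vEdge_NDNA# show running-config system tacacs
```

The first server keeps the default port 49 while the second overrides it, and the two servers are given different priorities so the device has a deterministic order in which to try them; since every server must sit in the same VPN, confirm that both addresses are reachable from VPN 512 before committing.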