Command tacacs-server directed-request

Created by Deepak Sharma in Articles 15 Jul 2024

I find that people are often confused by the “tacacs-server directed-request” command on Cisco IOS routers. Even in Cisco security certification courses and live training, such commands are ignored. Let's start with a brief introduction to TACACS.


What is TACACS?

TACACS stands for Terminal Access Controller Access-Control System. It is a network authentication protocol used to provide centralized authentication, authorization, and accounting (AAA) services for network devices.

A TACACS server runs the TACACS+ protocol, which works on the AAA model: it is used to authenticate, authorize, and account for all users who try to access network devices such as routers, switches, and firewalls. The Cisco Identity Services Engine (ISE) can act as a TACACS server, as can open source Linux platforms. Please refer to the other blog for details of the TACACS topics in the ISE course.

If you are interested in learning Cisco ISE with an expert instructor in live sessions, including how TACACS is configured on it along with many more scenarios, feel free to contact our learning advisors for more information.



The TACACS server has a database in which user information is stored. When a user tries to access a network device, the server verifies the user's credentials (username and password) and grants or denies access based on the user's authorization level.

TACACS+ is an enhanced version of TACACS, supported by Cisco ISE, that provides more security features such as encryption and improved authentication. TACACS+ is widely used in enterprise networks to provide centralized AAA services, enabling administrators to manage and monitor access to network devices from a single location.


Configure TACACS Servers on Cisco Router

Now let's look at how the “tacacs-server directed-request” command behaves. Suppose two TACACS servers are configured on a Cisco router (there may be more in the configuration order list).


tacacs-server host 10.0.0.1

tacacs-server host 172.16.0.1


The router uses the IP address that appears first in the configuration. In this case it uses 10.0.0.1: the router creates a session with that TACACS server and the user is authenticated.

If the first TACACS IP is not reachable, the router uses the next TACACS IP in the configuration order list for authentication.

The “tacacs-server directed-request” command allows a user to specify a particular TACACS IP address for authentication instead of the first TACACS IP address that appears in the configuration order list.

This applies to authorization and accounting as well as authentication.


Configure "tacacs-server directed-request" Command

Now suppose the “tacacs-server directed-request” command is configured along with two TACACS servers: one is the company's own TACACS server and the other is managed by its service provider.


tacacs-server directed-request

tacacs-server host 10.0.0.1

tacacs-server host 172.16.0.1


Login Using Service Provider TACACS

In this case company users can log in as usual, but the service provider needs to connect to the device as follows:

[Service_Provider_Machine]$ telnet router_ip

Username: xyz@172.16.0.1    //xyz is username for authentication with tacacs ip 172.16.0.1

Password:

Router>
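
The selection behaviour described above can be modelled in a few lines, which helps when reviewing which TACACS server a given login string reaches on a device. This is an added example, not part of the original article or any Cisco code: parse_config and select_server are hypothetical names, the configuration text is a constructed sample, and the handling of an unconfigured or unreachable directed host is an assumption of the model.

```python
import re

# Constructed sample, matching the article's two-server configuration.
SAMPLE_CONFIG = """\
tacacs-server directed-request
tacacs-server host 10.0.0.1
tacacs-server host 172.16.0.1
"""

def parse_config(text):
    """Return (directed_request_enabled, servers in configuration order)."""
    directed, servers = False, []
    for line in text.splitlines():
        line = line.strip()
        if line == "tacacs-server directed-request":
            directed = True
        m = re.match(r"tacacs-server host (\S+)", line)
        if m:
            servers.append(m.group(1))
    return directed, servers

def select_server(login, directed, servers, unreachable=()):
    """Return (username sent, server used); server is None if none applies."""
    if directed and "@" in login:
        user, host = login.rsplit("@", 1)
        # Assumption: a directed host that is not configured, or is down,
        # means rejection; there is no fallback to the other servers.
        if host in servers and host not in unreachable:
            return user, host
        return user, None
    # Default behaviour: first reachable server in configuration order.
    for server in servers:
        if server not in unreachable:
            return login, server
    return login, None

if __name__ == "__main__":
    directed, servers = parse_config(SAMPLE_CONFIG)
    for login in ("alice", "xyz@172.16.0.1", "xyz@192.0.2.9"):
        print(login, "->", select_server(login, directed, servers))
```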

I hope this helps you understand the “tacacs-server directed-request” command on Cisco routers, along with the basics of what TACACS is.


Deepak Sharma, CCIE#37340

