How to install TACACS+ on Linux CentOS

This topic is to discuss the following lesson:

No package tac_plus available. (Centos 6.4)
Funny, since I can see via web that it’s there.

Hmm are you sure it’s using the Nux repository? you can always just grab the RPM and install it manually…

Same here. “No package tac_plus available”. I can also see it in the list. Cannot install it manually, as there are too many dependencies (which is why we use yum. haha)

I, too, am using Centos 6.4. If I do just a yum list, it does not show it.

[root@logger ~]# yum list --enablerepo=nux-misc | grep nux-miscanything-sync-daemon.noarch 3.11-3.el6.nux nux-misc
chronicle.noarch 4.6-1.el6.nux nux-misc
clamassassin.noarch 1.2.4-1.el6.nux nux-misc
cobbler.noarch 2.2.1-2.el6.nux nux-misc
cobbler-web.noarch 2.2.1-2.el6.nux nux-misc
dkimproxy.noarch 1.4.1-1.el6.nux nux-misc
fuse-s3fs.noarch 0.9-2.el6.nux nux-misc
koan.noarch 2.2.1-2.el6.nux nux-misc
megactl.i686 0.4.1-1.el6.nux nux-misc
megactl-debuginfo.i686 0.4.1-1.el6.nux nux-misc
openresolv.noarch 3.4.1-2.el6.nux nux-misc
perl-Apache-RPC.noarch 0.69-2.el6.nux nux-misc
perl-RPC-XML.noarch 0.69-2.el6.nux nux-misc
perl-XML-RSSLite.noarch 0.15-1.el6.rf nux-misc
pssh.noarch 2.3.1-4.el6.nux nux-misc
z-push.noarch 1.5.6-1.el6.nux nux-misc
zarafa-z-push.noarch 1.5.6-1.el6.nux nux-misc

Are you sure the nux repository is enabled? You can see at the following URL that it has the tacacs package:

Hey ,
Great post. I got this working.

Although i few problems and questions

First, whenever i put default service = permit and privilege command in the config i cannot get the damon to start it fails.
Second, if i use just login with PAM i get to the user level > but i need exec level access to provide. How can i go about doing that.



Don’t forget to configure your firewall to allow TCP port 49 for tac_plus.

Dear Sir,

The firewall you are saying here is the Linux firewall or the Network firewall.
I will use it on the LAN network

I am having same issue. I am authenticating with file. but cant go to conf t. mode. Any help ???
Authentication working but not the autherizaton

It could be both, most linux servers use iptables as the firewall so that’s something to consider at least.

Nice post…

But, I’m having some troubles, when I try to authenticate with a user (i.e. ntorres), got this message:

Enter your Unix username and password, Username: ntorres

% Authentication failed

Enter your Unix username and password, Username:

Is there any log where I can see??

You can check the /var/log folder on the Linux server for debug messages there, you might have to check the config file to see which log file it uses. On the router you can use the debug aaa commands to see what is going on.

Great post and very helpful. Thanks, I have successfully implemented Tacacs+ server. The routers are working well but I am having problem with firewall command authorization. It seems no matter it wants to give me the privilege level more than 1 :slight_smile:

Hi Rene,
Is GUI available post configuration?
To debug or add users can be helpful.

I used CentOS 6.5, TACACS + is running, but in /var/log/tac_plus.acct log file is still empty
had setting /etc/tac_plus.conf
accounting file = /var/log/tac_plus.acct

I’m not sure, I have only used the CLI version myself.


Any Idea how to enforce password changing at first logon using tacacs+ PAM authentication ?

I am able to login using the Tacacs+ Pam authentication successfully.

Is there a way to make it work for ipv6 ? I’ve tried all possibilities with no luck !!! hope you have experimented it before !

I took a quick look and it seems it’s possible but I never tried it myself before…

i have configure the Tacacs sucessfully and is working but there are a few things i need to know:

First, my cisco device is using the local user on the cisco device for authentication and i dont know why,

second how can I check the authentication logs and the configuration logs?

Hi Russet,

The default log files on Centos are probably in the /var/log folder.

Is your router able to reach the Tacacs server? Try a debug AAA authentication on the router. It should give you some useful information why it doesn’t use the server for authentication.