tacacs-plus

A tacacs-plus clients list declares which network infrastructure devices (routers, switches, firewalls, WLAN controllers, etc.) are permitted to send TACACS+ authentication, authorization, and accounting requests to this server.

If a device’s source address does not match any configured client inside a tacacs-plus list referenced by a running TACACS+ server, its requests are silently ignored (good for security; avoids oracle responses).

Syntax

clients {
    tacacs-plus "NETWORK_DEVICES" {
        client "core-switch-1" {
            source {
                ip 10.10.1.10;          # single host
            }
            secret "SuperSecretKey!";
            timeout 60;
            pre-policy {
                # Optional: logging, attribute normalization
            }
            post-policy {
                # Optional: audit logging
            }
        }

        client "access-switches" {
            source {
                ip 10.20.0.0/16;        # CIDR range
            }
            secret "AnotherSecret";
        }
    }
}

Elements

Item                            | Required                   | Description
tacacs-plus "LIST_NAME" { ... } | Yes (≥1 if using TACACS+)  | Declares a list containing one or more client blocks
client "NAME" { ... }           | Yes (≥1 per list)          | Defines a single TACACS+ client device (or device group alias)
source { ip ...; }              | Yes                        | One or more ip entries: single IP or CIDR (v4 or v6)
secret "STRING";                | Yes                        | Shared secret used to encrypt and authenticate TACACS+ packets
timeout <seconds>;              | No                         | Per-client request processing timeout override
pre-policy { ... }              | No                         | Pipeline executed before normal AAA handling
post-policy { ... }             | No                         | Pipeline executed after AAA handling completes
statistics { ... }              | No (if supported)          | Per-client statistics configuration (same semantics as global)

(Per‑client statistics and other advanced directives should only be added if supported in the current parser version; omit if not recognized.)

Source Block

Multiple ip statements are allowed:

source {
    ip 10.10.1.10;
    ip 10.10.2.0/24;
    ip 2001:db8:1234::/48;
}

The order of ip entries does not affect the result: evaluation stops at the first entry that matches the source address, but since every entry in a source block belongs to the same client, which entry matched carries no meaning.

Secrets

  • Must be identical on both the device and server.
  • Use long, random strings (≥16 chars, mix of upper/lower/digits/symbols).
  • Rotate periodically and immediately on personnel changes or compromise suspicions.
  • Avoid reusing the same secret across disjoint trust zones.
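As an added illustration (not code from this page or from the server's own implementation), the following Python models the source matching described in Source Block together with the guidance in Secrets: it resolves a request's source address to a client (None where the server would silently ignore the request), flags clients whose source ranges overlap, and checks secrets against the rules above. The client data is constructed for the example; the rules are applied as written, with "reuse" approximated as the same secret on more than one client.

```python
import ipaddress

# Constructed sample client list, not the page's example. "lab" deliberately
# overlaps "edge" and reuses core's secret so the checks below have findings.
CLIENTS = {
    "core": {"source": ["10.1.0.10", "10.1.0.11", "2001:db8:1234::/48"], "secret": "Xk9#qLm2$Vp7!wRz"},
    "edge": {"source": ["10.2.0.0/16"], "secret": "EdgeDeviceSecret!"},
    "lab":  {"source": ["10.2.5.0/24"], "secret": "Xk9#qLm2$Vp7!wRz"},
}

def parse_source(entry):
    # "ip 10.10.1.10;" denotes a single host (/32 or /128); "ip 10.20.0.0/16;" a range.
    return ipaddress.ip_network(entry, strict=False)

def resolve_client(clients, src_addr):
    """Name of the first client whose source covers src_addr, or None.
    None models what the page describes: no match, so the request is silently ignored."""
    addr = ipaddress.ip_address(src_addr)
    for name, c in clients.items():
        # Membership is False across IP versions, so v4 addresses never match v6 entries.
        if any(addr in parse_source(s) for s in c["source"]):
            return name
    return None

def overlapping_sources(clients):
    """Client pairs whose sources overlap. With overlap, which secret applies to a
    request depends on declaration order, which the page says carries no meaning."""
    found, names = [], list(clients)
    for i, a in enumerate(names):
        for b in names[i + 1:]:
            for sa in clients[a]["source"]:
                for sb in clients[b]["source"]:
                    na, nb = parse_source(sa), parse_source(sb)
                    if na.version == nb.version and na.overlaps(nb):
                        found.append((a, sa, b, sb))
    return found

def secret_findings(clients):
    """Apply the Secrets guidance: >=16 chars, all four character classes, no reuse."""
    findings, seen = [], {}
    for name, c in clients.items():
        s = c["secret"]
        classes = (any(ch.isupper() for ch in s), any(ch.islower() for ch in s),
                   any(ch.isdigit() for ch in s), any(not ch.isalnum() for ch in s))
        if len(s) < 16 or not all(classes):
            findings.append((name, "secret too short or missing a character class"))
        if s in seen:
            findings.append((name, f"secret reused from client {seen[s]}"))
        seen.setdefault(s, name)
    return findings
```

Running `overlapping_sources` and `secret_findings` against a proposed client list before deploying it catches the ambiguity and weak-secret cases before a device ever sends a request.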

Timeouts

If omitted, the global or server default applies. Too small a timeout leads to spurious device authentication failures under transient load; too large delays operational feedback. Typical values: 30–60 seconds.

pre-policy / post-policy

These optional pipelines let you insert early or late logic specific to that client:

Use Case                     | Stage       | Example
Device classification tags   | pre-policy  | Set internal attributes before main handler selection
Rate limiting / early reject | pre-policy  | Reject abusive sources fast
Command audit enrichment     | post-policy | Log final authorization decision with device name
Metrics tagging              | post-policy | Add structured log fields

Ensure side effects are minimal and fast; long blocking operations in pre-policy will inflate perceived AAA latency on the device.

Example With Two Device Groups

clients {
    tacacs-plus "NETWORK_DEVICES" {
        client "core" {
            source { ip 10.1.0.10; ip 10.1.0.11; }
            secret "CoreSecret2024!";
            pre-policy {
                # e.g. tag user requests
                # debug "Core device TACACS+ request";
            }
        }
        client "edge" {
            source { ip 10.2.0.0/16; }
            secret "EdgeDeviceSecret!";
            timeout 45;
        }
    }
}