| More

Installation & Setup of Free Tacacs+ server in Linux
(Tested via GNS3 & VirtualBox)

Software Used:

-use 3700 IOS as Router & DHCP
-use Ethernet switch to connect hosts
-use VirtualBox guest running on Ubuntu Linux server 12.04.2 LTS



1.Login as root and install dependencies such as tcp wrappers and compilation tools e.g. gcc, bison, flex, make

If you’re not sure if these packages are installed, you can use the command:

dpkg -s [packagename]


root@freelinux:~# dpkg -s gcc bison flex

Package `gcc’ is not installed and no info is available.

Package `bison’ is not installed and no info is available.

Package `flex’ is not installed and no info is available.

To install:

root@freelinux:~# apt-get install gcc make flex \
 bison libwrap0-dev

2. Download the tacacs+ package on ftp://ftp.shrubbery.net/pub/tac_plus/. It’s good to read additional information or changes on http://shrubbery.net/tac_plus/.

Latest version as of this writing is tacacs+-F4.0.4.26

root@freelinux:~# wget \

3. uncompress the tarball file

root@ubuntu:~# tar zxvf tacacs+-F4.0.4.26.tar.gz

4. Build
check the INSTALL file first to see the installation guide

root@ubuntu:~/tacacs+-F4.0.4.26# less INSTALL
root@ubuntu:~/tacacs+-F4.0.4.26# ./configure

If you missed installing those dependecies, you will receive messages something like this:

configure: error: Could not find libwrap. You must first install tcp_wrappers.

So to resolve this, install the necessary packages.

# apt-get install libwrap0-dev

Libraries have been installed in:

If you ever happen to want to link against installed libraries
in a given directory, LIBDIR, you must either use libtool, and
specify the full pathname of the library, or use the `-LLIBDIR’
flag during linking and do at least one of the following:
– add LIBDIR to the `LD_LIBRARY_PATH’ environment variable
during execution
– add LIBDIR to the `LD_RUN_PATH’ environment variable
during linking
– use the `-Wl,-rpath -Wl,LIBDIR’ linker flag
– have your system administrator add LIBDIR to `/etc/ld.so.conf’

See any operating system documentation about shared libraries for
more information, such as the ld(1) and ld.so(8) manual pages.


1. After extracting the files, default directory would be /usr/local/bin/

root@ubuntu:~/tacacs+-F4.0.4.26# ls /usr/local/bin/tac*
/usr/local/bin/tac_plus /usr/local/bin/tac_pwd

2. Read the manual page for the following:

$man tac_plus
$man tac_pwd

So basically,
tac_plus – tacacs plus daemon
tac_pwd – generate DES or MD5 encryption of a password

3. use tac_pwd to encrypt clear text passwords to make it more secure
We want to use “password” to login the username freelinux and “enablepass” to go privilege mode

root@freelinux:/etc/tacacs# /usr/local/bin/tac_pwd
Password to be encrypted: password


root@freelinux:/etc/tacacs# /usr/local/bin/tac_pwd
Password to be encrypted: enablepass

4. Setup config files

a.create tacacs directory under /etc

5. create the tac_plus.conf file

tac_plus.conf setup:
i. set the key

#tacacs key
key = "tackey"

ii. set the user accounts

#user details
#admin freelinuxtutorials@gmail.com
user = freelinux {
default service = permit
member = admingroup
login = des VUjB99kC2IGws

iii. set the group details

#group details
# admin group
group = admingroup {
default service = permit
service = exec {
priv-lvl = 15

iv. set enable password

#Enable password setup for users:
user = $enable$ {
login = des HD.Hw0OHKmO/c
Note: This is how it looks like, get it here
v. set the location of the accounting file
accounting file = /var/log/tacacs/tac_plus.log

6. change permission

#chmod 600 /etc/tacacs/tac_plus.conf

Note: If along the way, if you encoutered such as below, then you need to create necessary links using ldconfig

tac_plus: error while loading shared libraries: libtacacs.so.1:
cannot open shared object file: No such file or directory

# vi /etc/ld.so.conf

add /usr/local/lib under /etc/ld.so.conf


7. Run the tacacs service

root@freelinux:/etc/tacacs# /etc/init.d/tac_plus start
Starting Tacacs+ server: tac_plus.

this tac_plus file, contents can be downloaded here

8. check if process running

root@freelinux:/etc/tacacs# netstat -na | grep 49
tcp 0 0* LISTEN

Sample Cisco configuration

Configuring Cisco:

Cisco#conf t
Cisco#service password-encryption
Cisco#tacacs-server host
Cisco#tacacs-server directed-request
Cisco#tacacs-server key tackey

Cisco#aaa new-model
Cisco#aaa authentication login default group tacacs+ local
Cisco#aaa authentication enable default group tacacs+ enable
Cisco#aaa authorization commands 1 default group tacacs+ local
Cisco#aaa authorization commands 15 default group tacacs+ local
Cisco#aaa accounting commands 0 default start-stop group tacacs+
Cisco#aaa accounting commands 1 default start-stop group tacacs+
Cisco#aaa accounting commands 7 default start-stop group tacacs+
Cisco#aaa accounting commands 15 default start-stop group tacacs+
Cisco#aaa accounting network 15 start-stop group tacacs+
Cisco#aaa accounting connection 15 start-stop group tacacs+

I will not go deeper into client configuration as it differs on devices and softwares by different vendors. Anyway, what has shown here is just the basic tacacs config that is proven working. Go try explore further the advance tacacs configuration. Enjoy!

14 Responses to “Installation and Setup of Free Tacacs+ server in Linux”

  1. Jasper

    on June 10 2014

    This tutorial imho would be very useful, if only the link to http://ftp.shrubbery.net would work. When I google tac_plus, every site references the shrubbery.net ftp site; however, it does not work. At best I get a time out.

  2. Free Linux Tutorials

    on July 7 2014

    You can try downloading the tac_plus tarball file using FTP client if does not work using your browser.
    Latest version as of this moment is tacacs+-F5.0.0a1.tar.gz


  3. hassan

    on August 4 2014

    ftp link not working

  4. Installation Setup of Free Tacacs+ server in Linux | Free Linux Tutorials | Mazurland

    on October 10 2014

    […] via Installation Setup of Free Tacacs+ server in Linux | Free Linux Tutorials. […]

  5. Jockerpec

    on February 24 2016

    There might be realized an authentication delegated on another server tacacs if a user was not finding in the list.

  6. Alexey

    on May 24 2016

    Hi, There,
    I found interesting project – tacacsGUI. It is self-hosted front-end UI for tac_plus configuration. My installation was easy, try it. Plus it has some advantages like Backup Maker for auto backup, Subnet searcher for subnets collection etc. Good luck!

  7. 91Latoya

    on November 29 2016

    Hello admin !! I read your blog everyday and i must say you have very interesting content here.
    Your website deserves to go viral. You need initial traffic only.

    How to go viral fast? Search for: forbesden’s tools

  8. accounting ladies tee

    on April 4 2017

    Mingle this shirt (Abercrombie & Fitch Flip Flops )and puff ensemble with a bleak course, someone,
    shoes, and a palm and. The Jordan Brazil Pack will drop June 21 for a suggested retail price of $500.
    So, it was on to the thrift shops where I did find a decent pair of new shorts just
    in my size only when I got home it turned out they were my size in youth, not adult,
    even though they were in the adult section.

  9. Antonello

    on April 21 2017


    I’m having problems in setting up a banner, i tried may configurations :

    host = *.*.*.* {
    # welcome banner = “\nTACACS+ Login\n”
    # prompt = “TACACS+ Login: ”
    with no success

    Any hints?

    Thanks a lot


  10. Free Linux Tutorials

    on April 30 2017

    can elaborate what are u trying to achieve? can share your aaa configuration on the client device?

  11. Antonello

    on May 2 2017


    Our problem is to configure a banner that can be displayed when connecting to cisco routers or switches.

    When i tried to set the banner with the following options in tacacs configuration file :

    “host = *.*.*.* {
    welcome banner = “\nTACACS+ Login\n”



    host = *.*.*.* {

    # prompt = “TACACS+ Login: ”

    tacacs daemon refuses to start .

    I was looking for a valid configuration , that’s it


  12. Bis Ass

    on August 28 2018

    What a data of un-ambiguity and preserveness of precious knowledge on the topic of unexpected emotions.

  13. sabarish

    on May 6 2019

    thanks for the info..
    am using tac_plus F4.0.4.26, is this version ipv6 supported??
    after enabling the version it is listening only for ipv4 address with port no 49..

    please suggest

  14. dhana

    on August 21 2019


    I installed tacacs+ on Linux server. and I am getting rejected logs when test user logged into Palo alto firewall. can you please what should I do to get proper logs? thanks in advance

Comment RSS · TrackBack URI

Leave a comment

Name: (Required)

E-mail: (Required)




About FLT

This site is dedicated to everyone who likes to learn and explore the beautiful world of Linux. If you have comments and suggestions, please feel free to email at freelinuxtutorials@gmail.com. I am happy to serve and share things esp. that is free and enjoyable as Linux.