Finally, Cisco’s original TACACS+ server compiled to run under Windows! This is the original 4.0.4 version of tac_plus.
Please NOTE: None of the TACACS code available here comes with any warranty or support.
Description:
tac_plus.F4.0.4.alpha.tar.Z
Developer’s kit source code for Cisco’s Unix Tacacs+ daemon. This is alpha test software and is unsupported. For a supported product, see Cisco’s CiscoSecure product line.
This package was created using the original file described above which contains Cisco source code.
Installation:
Unzip the contents of the file to a directory of your choice.
Configuration:
Edit the included tac.cfg config file or create a new one from scratch. *Note* Be sure to edit/create the configuration file in an editor that preserves UNIX (LF) line endings. If the file is edited and saved in something like Notepad, a CRLF sequence gets put at the end of each line, which the server can’t read.
For configuration file assistance, see the following URL:
http://www.stben.net/tacacs/users_guide.html
Running the Tacacs+ Server:
tac_plus.exe -C tac.cfg
Stopping the Tacacs+ Server:
Bring up the task manager (Control-Alt-Delete), go to the Processes tab,
right click on tac_plus.exe and select End Process.
Download:









May 6th, 2008 at 9:41 pm
Hi, thanks for this software, it is really very good tool.
I have two questions:
1) Could you have the guide to install tac_plus as service in Windows? It is easier to start/stop when needed.
2) If I change something in the cfg file, do I need to stop and start again the tac_plus? Or is there any way to change without restarting tac_plus?
Many thanks,
Cassio
July 18th, 2008 at 6:35 am
I used the procedure for setting a program as a service in windows. Works for me, TACACS+ working as a service set to auto start server 2003.
http://kb.globalscape.com/article.aspx?id=10264&cNode=7M6R0D substitute tac_plus for cute ftp in doc.
August 12th, 2008 at 3:41 am
Hi,
I had tried this original TACACS and it is working fine under W2K3 SP2; this original TACACS version does not have the “acl” function. The TACACS+ with “acl” function is available in TACACS for Linux version F4.0.4.15.
TACACS+ F4.0.4.15 for Linux can be downloaded on ftp://ftp.shrubbery.net/pub/tac_plus/tacacs+-F4.0.4.15.tar.gz
Would anyone help to compile it so it can run under Windows?
Regards
Tomas T
August 14th, 2008 at 9:29 pm
Hi Tomas,
I have spent a few hours trying to compile the newer version with no luck yet. My current problem is with the Unix crypt, which is used to store passwords as hashes in the database. I haven’t given up, stay tuned.
Scott
September 3rd, 2008 at 6:14 am
Hello,
I’ve set up Tac_Plus on a Windows 2003 server, which is receiving and sending (checked with wireshark) accounting packets (without encryption for testing), but the daemon doesn’t write anything in the configured accounting file.
Is this feature supported under Windows 2003?
Regards.
September 5th, 2008 at 9:58 am
Hello,
I’ve just downloaded tacacs and I’m having some trouble installing it. When I run tac_plus.exe -C tac.cfg I get the following error…
Warning, not running as uid 0
Tac_plus is usually run as root.
Help!?
Thanks
September 11th, 2008 at 2:18 pm
Hi,
I’m getting the same error.
Help Please !!!!
September 23rd, 2008 at 6:09 am
not working ,
C:\tacacs>tac_plus.exe -C tac.cfg
Warning, not running as uid 0
Tac_plus is usually run as root
September 23rd, 2008 at 8:56 am
Everyone who is getting this message:
C:\tacacs>tac_plus.exe -C tac.cfg
Warning, not running as uid 0
Tac_plus is usually run as root
This is a normal condition – the server is running at this point. To verify, bring up task manager and search for tac_plus.exe in the processes list.
For more information, please refer to the readme file contained inside the zip file.
October 9th, 2008 at 1:36 pm
Hi.
I’m having troubles getting up the server.
I configured a network test but I can’t establish a connection between the server and the Cisco. I’m using WinXP.
I used Wireshark to view the in/out packets on my PC, but I only catch the input packets received from the router and no answer from the application.
Anyone have some ideas???
October 9th, 2008 at 2:47 pm
I think I have the server side running, but when I try to use a tac client (tacc) to authenticate, I’m getting ‘Login incorrect’. Does anyone know a good way to try and track down why? I can post configs if that helps.
October 9th, 2008 at 4:50 pm
I think I’ve got it. The tacc program was asking for ‘pap’, but I only had ‘login’ defined. I defined ‘global’ instead and it all works.
October 16th, 2008 at 3:01 am
I am using this compilation for my home lab and whenever I try to configure the $enab15$ user, the tacacs+ exe fails to start. Even if I remove the line of code I cannot get it to run and have to unzip the files again and away it goes?
Any ideas?
October 22nd, 2008 at 9:00 am
Hello all,
First, thanks to Scott for making this software available!
Just have a quick question if somebody can help me out. I’m running Cisco gear here. When a user telnets in to one of my devices, I’d like to be able to specify privilege level 15 on a per user basis without that particular user having to actually type the “enable” command and enter the password. Basically, they log in and they’re at the # prompt. I can easily add “privilege level 15” to all of the telnet lines on the router itself, but I’d rather not do that as it gives all users who telnet in level 15 access. Is there a way to do that with tac_plus?
Thanks!
Chad
October 23rd, 2008 at 7:36 am
I think I figured it out. First, I needed this line in my router config:
aaa authorization exec default group tacacs+ local
Then, for each user (or you could specify a group I guess to differentiate between admins and others) in the tac.cfg file, in addition to basic user setup with a password, I added this:
service = exec {
priv-lvl = 15
}
Now, when I log in, I get put directly into enable mode with level 15 access.
October 24th, 2008 at 9:32 am
Could someone share a sample of the tac.cfg file?
I want to integrate with Cisco.
My biggest question is password implementation: do you have it in clear text? How do I encrypt? In ASA/PIX it’s password5 encr, in IOS it’s password7.
Any help and example appreciated.
Thank You
November 3rd, 2008 at 10:13 am
TACACS+ is working great so far. We have two types of users. Think of them as admins and helpdesk users. The admins of course will have full command access. The helpdesk users we would like to limit to certain show commands, which I have working fine. But we would also like to allow the helpdesk users to go into conf t mode and only change the vlan on switch ports. Haven’t been able to figure that out. Any thoughts?
November 5th, 2008 at 9:29 pm
This is how you would allow a user to only change the assigned vlan on a switch port:
November 13th, 2008 at 12:40 am
In the config below, I can use “switchport mode trunk” in the interface. How do I deny this command?
Thanks
Joe
user = helpdesk {
login = cleartext passwd
cmd = configure {
permit "terminal"
}
cmd = interface { permit .* }
cmd = switchport {
permit "access vlan"
}
}
November 17th, 2008 at 2:49 pm
The above did not work for me. It limits the user to conf t, but after that I can do anything I want. I can’t even get the user to be denied going into interface mode.
cmd = configure {
permit terminal
}
cmd = interface {
deny .*
}
cmd = switchport {
permit access
}
November 24th, 2008 at 11:19 am
I’m having the same issue… I can limit a user to “conf t” but once in configure mode, they can set anything. How do you limit once within configure mode?
November 26th, 2008 at 7:20 am
I figured out the problem. The TACACS+ config is correct, it’s the IOS config that is missing something. Check to make sure you have “aaa authorization config-commands”.
Thanks to John for helping me figure that out!
November 29th, 2008 at 11:48 pm
First, Thank you for this wonderful tool, I am pursuing my CCNP and this is helping me learn AAA.
Second, not sure if anyone else ran into an issue trying to get it to run as a service in Win2k3. I followed the directions from the link provided by Richard, and I managed to get srvany to start without an issue, but tac_plus.exe refused to start. After reading through the documentation on srvany.exe I managed to get it to work by specifying the AppParameters and the AppDirectory. So, my registry looks like this after I exported it:
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Cisco TACACS+ Server\Parameters]
"Application"="C:\\tacacs\\tac_plus.exe"
"AppParameters"="-C tac.cfg"
"AppDirectory"="C:\\tacacs\\"
Now it starts up flawlessly, just thought I’d share in the hopes of saving someone else a few hours of frustration.
Thank you again for this tool!
December 16th, 2008 at 2:44 pm
When I start this as a service it fails to fulfill authentication requests. It works just fine when I run it straight from command line. Anyone have any issues running this as a service?
January 23rd, 2009 at 2:35 pm
Does any DOD agency or Military base use this product and if yes I just need the name of the base or agency etc…
Thanks,
D
January 23rd, 2009 at 3:24 pm
Quite frankly, I’m surprised anyone would use this particular program in a production environment. As far as I’m concerned, it was being offered for people to play with TACACS+ and learn how to configure devices for authenticating via TACACS+. It’s funny you ask about this specific scenario, as someone who works with DoD networks myself – I’m confident you should rule this program out as an option
January 23rd, 2009 at 3:34 pm
Scott thanks for the quick reply…
We are very small group with a small network… Just seems more prudent than paying for Cisco ACS.
January 23rd, 2009 at 5:34 pm
I certainly see where you are coming from. The main reason I would steer away from this version is because it is compiled against the original source, which has known security issues. Newer, patched versions of the source have been released by others; however, they include a crypt function that I have not been able to compile successfully under Windows. If you are comfortable with Unix/Linux, I wouldn’t hesitate to put the most current version of the TACACS+ server in production, since it will run on Unix variants without any issues.
January 26th, 2009 at 6:28 pm
I am trying to run on Win2k3; however, I get:
Warning, not running as uid 0
Tac_plus is usually run as root
for user on line 5 keyword
Checked the processes, and tac_plus.exe is not running
Any thoughts?
January 27th, 2009 at 8:52 am
It looks like it could be configuration file issue. Try starting it with the original config file to make sure the tac_plus.exe process will run and then try making incremental changes to the .cfg file.
January 27th, 2009 at 3:44 pm
It does not work with the original .cfg file either. However, if I remove the ‘user’ configuration information it loads fine…
February 2nd, 2009 at 10:52 pm
Teaser: I have finally gotten a much newer version of the TACACS+ source code compiled. As soon as I can get some basic testing done – I will release in a separate post.
March 12th, 2009 at 7:21 am
Reply to Scott Pilkinton; it has been a month, where is your upload already…
March 31st, 2009 at 2:58 pm
Is the newly compiled version available yet?
April 6th, 2009 at 1:40 pm
Hi.
I am running tac_plus.exe in Windows XP machine, after modifying the tac.cfg file with notepad and this is the output
C:\tacacs>tac_plus -C tac.cfg
Warning, not running as uid 0
Tac_plus is usually run as root
for user on line 5 keyword
I believe it is a syntax matter but I can find it.
Help please.
April 9th, 2009 at 10:09 am
Is it working with Juniper?
May 13th, 2009 at 1:50 am
Scott, I think there is a massive gap in the market between this original version and the full commercial TACACS server versions.
I would be more than happy to pay for such a simple, easy to use and effective tool. It just needs a little bit of tarting up, and maybe a GUI, and I will be your first customer.
thanks for sharing this and any news of an updated version.
Richard
May 19th, 2009 at 6:50 pm
For those having the line 5 issue, the format of the config file must be a UNIX formatting, so no CRLFs (Carriage Return, Line Feeds) must be in the file. I use a third party application to edit the file. It runs fine afterward.
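The line-ending check described in the post and in the comment above, as an added example that is not part of the original post or the tac_plus package. It reports which lines of a config file carry CRLF or lone CR endings and rewrites the file with LF only, keeping a backup; the function names and the sample config are constructed for illustration.

```python
import shutil
import sys
from pathlib import Path

def scan_line_endings(data: bytes):
    """Return (counts, offenders): counts per ending style and the
    1-based numbers of lines that do not end in a bare LF."""
    counts = {"LF": 0, "CRLF": 0, "CR": 0}
    offenders = []
    line_no, i, n = 1, 0, len(data)
    while i < n:
        if data[i] == 0x0D:                      # carriage return
            if i + 1 < n and data[i + 1] == 0x0A:
                counts["CRLF"] += 1
                i += 1                           # skip the LF of the pair
            else:
                counts["CR"] += 1
            offenders.append(line_no)
            line_no += 1
        elif data[i] == 0x0A:                    # bare line feed
            counts["LF"] += 1
            line_no += 1
        i += 1
    return counts, offenders

def to_unix(data: bytes) -> bytes:
    """Convert CRLF and lone CR to LF without touching any other byte."""
    return data.replace(b"\r\n", b"\n").replace(b"\r", b"\n")

def fix_file(path: str) -> list:
    """Rewrite path with LF endings, keeping a .bak copy; return offending lines."""
    p = Path(path)
    raw = p.read_bytes()        # bytes mode: Python does no newline translation
    _, offenders = scan_line_endings(raw)
    if offenders:
        shutil.copy2(p, p.with_name(p.name + ".bak"))
        p.write_bytes(to_unix(raw))
    return offenders

# Constructed sample: a user block starting on line 5 that was saved with CRLF.
SAMPLE = (b"key = mykey!\n# comment\n\n\n"
          b"user = lily {\r\nlogin = cleartext lily\r\n}\r\n")

if __name__ == "__main__":
    if len(sys.argv) > 1:
        print("lines rewritten:", fix_file(sys.argv[1]))
    else:
        print(scan_line_endings(SAMPLE))
```

Run it as `python check_cfg.py tac.cfg` (the script name is arbitrary) before starting tac_plus.exe.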
May 27th, 2009 at 11:09 am
Dear Author,
You are simply great.
Thanks,
GK
May 27th, 2009 at 11:13 am
Dear Author,
I am using your tacacs tool with one of my switch which is not cisco.
I have given permission for the user to execute all show commands.
But after authentication I am unable to run any show commands.
user = lily {
login = cleartext lily
cmd = show {
permit .*
}
}
Kindly advise.
September 3rd, 2009 at 11:53 pm
Hi, I’m a telecommunication student in Asia. I’m interested in your software. I have some problems using it.
I am running tac_plus.exe in Windows XP machine, after modifying the tac.cfg file with notepad and this is the output
C:\tacacs>tac_plus -C tac.cfg
Warning, not running as uid 0
Tac_plus is usually run as root
Best regards.
October 1st, 2009 at 10:10 am
When using accounting, there needs to be an entry in the tac.cfg file with:
accounting file =
is this simply a file name, or a full path? Does the file need to exist prior? Thanks!
January 1st, 2010 at 8:18 pm
Hello,
Does anyone know of any good TACACS+ server configuration guides / cookbooks etc? I haven’t been able to find much configuration support anywhere online. There must be an extensive command / option list somewhere. One of the very few references I’ve been able to find is http://www.stben.net/tacacs/users_guide.html, which I believe was referenced on this webpage.
Thanks,
Joe
March 24th, 2010 at 9:44 am
How Can I configure in the tac.cfg file that user X can perform all commands ( not specific command).
May 22nd, 2010 at 3:53 pm
I want each user to be in privilege 15 and at the # prompt. What does the file need to look like?
June 2nd, 2010 at 6:32 am
great software!
I use notepad++ to edit the tac.cfg file.
http://notepad-plus.sourceforge.net/uk/download.php
Encountered an issue when not using the default aaa authentication list. Unable to let a user log in on the vty with priv 15 (without keying in the enable password) if using a customized name. Below is my Cisco router config and the tac.cfg config.
=============
== tac.cfg ==
=============
# CONFIGURE ENCRYPTION KEY
key = mykey!
# Configure User
user = kiansim {
login = cleartext "testing1234"
service = exec {
priv-lvl = 15
}
}
# End file
================================================
== ROUTER CONFIG UNABLE TO LOGIN WITH PRIV 15 ==
================================================
aaa authentication login VTY_0-4 group tacacs+ local enable
aaa authorization exec VTY_0-4 group tacacs+ local if-authenticated
line vty 0 4
authorization exec VTY_0-4
login authentication VTY_0-4
================================================
==============================================
== ROUTER CONFIG ABLE TO LOGIN WITH PRIV 15 ==
==============================================
aaa authentication login default group tacacs+ local enable
aaa authorization exec default group tacacs+ local if-authenticated
line vty 0 4
login authentication default
authorization exec default
================================================
June 4th, 2010 at 3:53 pm
Hello. I just installed a tacacs+ server on Ubuntu and I would like to test it without using the configuration of a Cisco router. Do you think that’s possible? I followed the steps from http://www.debian-administration.org/article/Network_Administration__Installation_of_Tacacs_Rancid_Cvsweb. I’m also interested in testing it on Windows too if it’s possible without the router’s config. Thank you.
June 6th, 2010 at 10:42 pm
Yes, you can test this without a Cisco router. The router is the TACACS client, so all you would need is a client that will run on your Ubuntu machine.
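A router-less test client of the kind described in the reply above, as an added example that is not part of the original thread or of tac_plus. It sends a single PAP login using the TACACS+ packet layout from RFC 8907 and reports the server's status; the function names, the `test` port string, the 127.0.0.1 addresses and the lab user and key are assumptions.

```python
import hashlib
import os
import socket
import struct

VERSION_PAP = 0xC1        # major version 0xC, minor version 1 (used for PAP)
TYPE_AUTHEN = 0x01        # packet type: authentication
FLAG_UNENCRYPTED = 0x01   # header flag: body is sent in the clear
STATUS = {1: "PASS", 2: "FAIL", 7: "ERROR"}

def obfuscate(body, key, session_id, version, seq):
    """XOR body with the MD5-chained pseudo-pad; calling it again reverses it."""
    seed = struct.pack("!I", session_id) + key + bytes([version, seq])
    pad, block = b"", b""
    while len(pad) < len(body):
        block = hashlib.md5(seed + block).digest()
        pad += block
    return bytes(a ^ b for a, b in zip(body, pad))

def build_pap_start(user, password, key, session_id):
    """Authentication START: action=LOGIN, priv_lvl=1, type=PAP, service=LOGIN."""
    u, pw = user.encode(), password.encode()
    port, rem = b"test", b"127.0.0.1"      # assumed port name / remote address
    body = bytes([1, 1, 2, 1, len(u), len(port), len(rem), len(pw)])
    body += u + port + rem + pw
    header = struct.pack("!BBBBII", VERSION_PAP, TYPE_AUTHEN, 1, 0,
                         session_id, len(body))
    return header + obfuscate(body, key, session_id, VERSION_PAP, 1)

def parse_reply(packet, key):
    """Decode an authentication REPLY and return its status as text."""
    version, _, seq, flags, session_id, length = struct.unpack("!BBBBII", packet[:12])
    body = packet[12:12 + length]
    if not flags & FLAG_UNENCRYPTED:
        body = obfuscate(body, key, session_id, version, seq)
    return STATUS.get(body[0], "status %d" % body[0])

def probe(host, user, password, key, port=49):
    """Send one PAP login to a TACACS+ server and return its answer."""
    session_id = struct.unpack("!I", os.urandom(4))[0]
    with socket.create_connection((host, port), timeout=5) as sock:
        sock.sendall(build_pap_start(user, password, key, session_id))
        stream = sock.makefile("rb")
        header = stream.read(12)
        length = struct.unpack("!I", header[8:12])[0]
        return parse_reply(header + stream.read(length), key)

if __name__ == "__main__":
    # Assumed lab values: local server, user and key as in a test tac.cfg.
    print(probe("127.0.0.1", "lily", "lily", b"mykey!"))
```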
June 30th, 2010 at 12:04 pm
[...] The TACACS+ Windows executable can be downloaded from here. [...]