Proxying TACACS

Sep 2nd, 2008

I have a centralised ACS server running TACACS.

I want to set up a proxy server in a customer network, so their routers request TACACS authentication from this server.

However, I don't want any username/group details on this server, I want it to forward the request to our central ACS.

Do I need a full ACS application to do this on the customer server, or is there a cheap/free TACACS server that will just act as a proxy?

I've dug through the configs for the free Cisco TAC+ daemon, but it doesn't appear to do this...

Thanks in advance


Jagdeep Gambhir Tue, 09/02/2008 - 05:29

Hi Neil,

Yes, we need to use a full TACACS server to achieve it. Had this been RADIUS we would have used some free RADIUS, but with TACACS there is no option for cheap/free TACACS.



Do rate helpful posts

craig.eyre Tue, 09/02/2008 - 08:13

Hi JG,

I'm looking at doing this with RADIUS and was wondering if you have any links or docs on how this is done. E.g. free RADIUS at the external site and then ACS in our internal network doing the authentication process.

Thanks for any help.


cisco24x7 Tue, 09/02/2008 - 08:26


I beg to differ with JG. I think it can be done. Here is what I would do:

1- configure a Freeware TACACS at the customer site. This should run on a Linux platform.

2- setup the Linux box to do "port-forwarding" on tcp port 49 to your ACS Server,

3- setup your ACS server to accept connections from the customer's network devices.

In this scenario, the linux Freeware tacacs server will serve like a "pass-through" or "proxy" the connection to your ACS server.

That being said, I've never tried it on ACS Server but I've tried it on Linux Freeware tacacs server where both my "pass-through" tacacs server and central tacacs server are running Freeware tacacs+ server.
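
The TCP port 49 pass-through described in the post above, sketched as an added example that is not part of the original thread and is not code from any TACACS+ daemon. It assumes a userspace relay in place of kernel port-forwarding; the names `parse_header`, `pump`, `handle` and `serve` are hypothetical, and the 12-byte header layout is the one in RFC 8907.

```python
import socket, struct, threading
from contextlib import suppress

TYPES = {1: "authentication", 2: "authorization", 3: "accounting"}

def parse_header(data):
    """Decode the 12-byte cleartext TACACS+ header (RFC 8907)."""
    if len(data) < 12:
        raise ValueError("short TACACS+ header")
    ver, ptype, seq, flags, session, length = struct.unpack("!BBBBII", data[:12])
    if ver >> 4 != 0xC:
        raise ValueError("not a TACACS+ packet")
    return {"type": TYPES.get(ptype, "unknown"), "seq": seq,
            "unencrypted": bool(flags & 0x01), "session": session, "length": length}

def pump(src, dst, label, log):
    """Copy bytes one way, logging the header at the start of the stream."""
    first = True
    with suppress(OSError):
        while chunk := src.recv(4096):
            if first:  # simplification: assumes the header arrives in one read
                first = False
                try:
                    log.append((label, parse_header(chunk)))
                except ValueError as exc:
                    log.append((label, str(exc)))
            dst.sendall(chunk)
    with suppress(OSError):
        dst.shutdown(socket.SHUT_WR)  # pass the end-of-stream on

def handle(client, peer, upstream, log):
    with client, socket.create_connection(upstream) as up:  # one session
        back = threading.Thread(target=pump, args=(up, client, "reply", log))
        back.start()
        pump(client, up, f"request from {peer[0]}", log)
        back.join()

def serve(listen, upstream, log):
    """Relay every connection accepted on `listen` to `upstream`."""
    srv = socket.create_server(listen)
    def loop():
        while True:
            try:
                client, peer = srv.accept()
            except OSError:  # listening socket was closed
                return
            args = (client, peer, upstream, log)
            threading.Thread(target=handle, args=args, daemon=True).start()
    threading.Thread(target=loop, daemon=True).start()
    return srv
```

Because this relay terminates TCP itself, the central server sees the relay's address as the source of every connection, so that is the address it would have to accept. The packet body passes through untouched, so the relay holds no shared key and no user or group data.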


