其他文章：

Tacacs+协议原理

Tacacs+服务搭建与配置详解

Tacacs+各厂商交换机配置

Tacacs+协议交互报文抓包示例

Tacacs+双通道认证配置测试与总结

Tacacs+配置single-connection单连接模式证测试与总结

以下为整理的常见厂商的交换机tacacs+认证配置。

交换机配置Tacacs+认证思路

交换机全局开启Tacacs+认证
配置tacacs+认证模板，主要配置tacacs+认证的服务器地址，端口，密钥。
配置tacacs+的认证，授权，计费列表
全局内调用tacacs+认证方式
vty，console下调用tacacs+认证方式

华为交换机tacacs+认证配置

[Huawei]
# 开启tacacs认证
hwtacacs enable
# 配置tacacs认证模版
hwtacacs server template acs
 hwtacacs server authentication 192.168.147.135 49 shared-key tacacs@123
 hwtacacs server authorization 192.168.147.135 49 shared-key tacacs@123
 hwtacacs server accounting 192.168.147.135 49 shared-key tacacs@123
 hwtacacs server user-name domain-excluded
 hwtacacs server source-ip  192.168.147.136
 hwtacacs server timer response-timeout 3
# 配置本地用户
 aaa
 domain system #配置system域
 quit
 # 创建本地用户
 local-user admin password 
 local-user admin service-type terminal telnet ssh
 local-user admin level 3
 #
 authentication-scheme acs
  authentication-mode hwtacacs local
 #
 authorization-scheme acs
  authorization-mode hwtacacs local
  authorization-cmd 0 hwtacacs local
  authorization-cmd 1 hwtacacs local
  authorization-cmd 2 hwtacacs local
  authorization-cmd 3 hwtacacs local
  authorization-cmd 4 hwtacacs local
  authorization-cmd 5 hwtacacs local
  authorization-cmd 6 hwtacacs local
  authorization-cmd 7 hwtacacs local
  authorization-cmd 8 hwtacacs local
  authorization-cmd 9 hwtacacs local
  authorization-cmd 10 hwtacacs local
  authorization-cmd 11 hwtacacs local
  authorization-cmd 12 hwtacacs local
  authorization-cmd 13 hwtacacs local
  authorization-cmd 14 hwtacacs local
  authorization-cmd 15 hwtacacs local
 #
 accounting-scheme acs
  accounting-mode hwtacacs
 #
 domain acs
  authentication-scheme acs
  authorization-scheme acs
  accounting-scheme acs
  hwtacacs server acs
 #
 recording-scheme acs
 #
 system recording-scheme acs
 #
 outbound recording-scheme acs
 #
 cmd recording-scheme acs
 default-domain admin acs
 #
# console接口下调用aaa认证
 user-interface con 0
 authentication-mode aaa
 idle-timeout 10 0
# vty接口下调用tacacs认证
user-interface vty 0 4
 acl 3900 inbound
 authentication-mode aaa
 user privilege level 3

华三交换机tacacs+认证配置

[H3C]
#开启ssh服务
 ssh server enable
#配置tacacs认证模板
hwtacacs scheme acs
 primary authentication 192.168.147.135 49 single-connection key simple tacacs@123
 primary authorization 192.168.147.135 49 single-connection key simple tacacs@123
 primary accounting 192.168.147.135 49 single-connection key csimple tacacs@123
 user-name-format without-domain
 timer response-timeout 3
 nas-ip 192.168.147.134
# 
domain acs
 authentication default hwtacacs-scheme acs local
 authorization default hwtacacs-scheme acs local
 accounting default hwtacacs-scheme acs local
# 
domain system
#全局下默认调用tacacs认证
 domain default enable acs
# 配置本地用户
local-user admin class manage
 password simple Admin@123
 service-type ssh terminal
 authorization-attribute user-role network-admin
 authorization-attribute user-role network-operator
# vty线路下调用tacacs认证
line vty 0 63 
 authentication-mode scheme
 user-role network-admin
 protocol inbound ssh
 command authorization
 command accounting

锐捷交换机tacacs+认证配置

Ruijie#
!创建本地用户
username admin privilege 15 password Admin@123
!启用aaa认证
aaa new-model
!配置tacacs认证模板
ip tacacs source-interface loopback 0 
tacacs-server host 192.168.147.135 port 49 key tacacs@123
！配置认证，授权，计费列表
aaa authentication login vty group tacacs+ local
aaa authorization exec execauth group tacacs+ local
aaa authorization commands 0 default group tacacs+ local
aaa authorization commands 1 default group tacacs+ local
aaa authorization commands 2 default group tacacs+ local
aaa authorization commands 3 default group tacacs+ local
aaa authorization commands 4 default group tacacs+ local
aaa authorization commands 5 default group tacacs+ local
aaa authorization commands 6 default group tacacs+ local
aaa authorization commands 7 default group tacacs+ local
aaa authorization commands 8 default group tacacs+ local
aaa authorization commands 9 default group tacacs+ local
aaa authorization commands 10 default group tacacs+ local
aaa authorization commands 11 default group tacacs+ local
aaa authorization commands 12 default group tacacs+ local
aaa authorization commands 13 default group tacacs+ local
aaa authorization commands 14 default group tacacs+ local
aaa authorization commands 15 default group tacacs+ local
aaa accounting exec execaccount start-stop group tacacs+
aaa accounting commands 0 commaccout start-stop group tacacs+
aaa accounting commands 1 commaccout start-stop group tacacs+
aaa accounting commands 2 commaccout start-stop group tacacs+
aaa accounting commands 3 commaccout start-stop group tacacs+
aaa accounting commands 4 commaccout start-stop group tacacs+
aaa accounting commands 5 commaccout start-stop group tacacs+
aaa accounting commands 6 commaccout start-stop group tacacs+
aaa accounting commands 7 commaccout start-stop group tacacs+
aaa accounting commands 8 commaccout start-stop group tacacs+
aaa accounting commands 9 commaccout start-stop group tacacs+
aaa accounting commands 10 commaccout start-stop group tacacs+
aaa accounting commands 11 commaccout start-stop group tacacs+
aaa accounting commands 12 commaccout start-stop group tacacs+
aaa accounting commands 13 commaccout start-stop group tacacs+
aaa accounting commands 14 commaccout start-stop group tacacs+
aaa accounting commands 15 commaccout start-stop group tacacs+
aaa authorization config-commands
！在vty线路下调用tacacs认证
line vty 0 15
 exec-timeout 60 0
 accounting exec execaccount
 accounting commands 0 commaccout
 accounting commands 1 commaccout
 accounting commands 2 commaccout
 accounting commands 3 commaccout
 accounting commands 4 commaccout
 accounting commands 5 commaccout
 accounting commands 6 commaccout
 accounting commands 7 commaccout
 accounting commands 8 commaccout
 accounting commands 9 commaccout
 accounting commands 10 commaccout
 accounting commands 11 commaccout
 accounting commands 12 commaccout
 accounting commands 13 commaccout
 accounting commands 14 commaccout
 accounting commands 15 commaccout
 authorization exec execauth
 login authentication vty

思科交换机tacacs+认证配置

Cisco#
! 开启tacacs认证
feature tacacs+
！配置本地用户
username admin password 0 Admin@123 role network-admin
！
ip domain-lookup
ip tacacs source-interface loopback0
tacacs-server timeout 3
tacacs-server host 192.168.147.135 key 0 tacacs@123 port 49
aaa group server tacacs+ tacacs-server
    server 192.168.147.135
! 全局调用tacacs认证
aaa authentication login default group tacacs-server local
aaa authentication login console local
aaa authorization config-commands default group tacacs-server local
aaa authorization commands default group tacacs-server local
aaa accounting default group tacacs-server

Arista交换机tacacs+认证配置

Arista#
!配置tacacs认证模板
tacacs-server timeout 3
tacacs-server host 192.168.147.135 port 49 key tacacs@123
!配置使用tacacs+认证，授权，计费
aaa authentication login default group tacacs+ local
aaa authorization exec default group tacacs+ local
aaa authentication login console local
aaa authorization commands all default group tacacs+ local
aaa accounting commands all default start-stop group tacacs+
!
no aaa root
!配置本地用户
username admin privilege 15 role network-admin secret 0 Admin@123
!
ip tacacs source-interface Loopback0
！

如何绕过Tacacs+认证，使用本地认证？

华三交换机：

华三交换机在系统下默认有system域，可以通过在登陆时使用交换机本地用户加指定域来进行本地认证。

例如：交换机本地用户名为admin

即：ssh admin@system@x.x.x.x，输入本地用户密码即可绕过tacacs+认证。

华为交换机：

华为交换机默认系统下没有system域，如果配置了tacacs+认证服务器，那么只能通过使用tacacs+服务器来认证。如果想绕过tacacs+认证，需要提前在交换机上配置一个域来进行本地认证。

例如：在华为交换机下创建system域，在需要使用本地认证时，可使用本地用户名admin+域名进行本地认证，从而绕过tacacs+认证。

1 2	domain system #创建system域 ssh admin@system@x.x.x.x #输入本地用户密码即可绕过tacacs+认证。

锐捷交换机：

锐捷交换机在认证时，需要指定认证源，一般交换机认证会使用带内或带外认证。如果某一认证源接口与tacacs+服务器无法通信时，可使用交换机本地账号进行认证。输入本地用户密码即可在tacacs+认证失效的情况下通过本地认证。

1	ssh admin@x.x.x.x #输入本地用户密码即可在tacacs+认证失效的情况下通过本地认证。

目前锐捷设备新版本一般支持AAA认证检测并自动带内/带外切换

no ip tacacs source-interface mgmt 0，需要删除认证源接口。

> tacacs-server host oob 192.168.147.135 port 49 key XXX//首先采用带外通信
> tacacs-server host 192.168.147.135 port 49 key XXX//带外不通达到超时后，切换带内
> tacacs-server timeout 3  //必配，配置AAA server超时时间3秒，超时后切换
> tacacs-server deadtime 5  //必配，配置dead的AAA server 恢复的时间为5分钟。
>

Arista交换机：

Arista的交换机的认证同Ruijie交换机。

其他文章：

Tacacs+协议原理

Tacacs+服务搭建与配置详解

Tacacs+各厂商交换机配置

Tacacs+协议交互报文抓包示例

Tacacs+双通道认证配置测试与总结

Tacacs+配置single-connection单连接模式证测试与总结

参考资料：

https://support.huawei.com/hedex/hdx.do?docid=EDOC1100101225&lang=zh&idPath=24030814%7C21782165%7C21782236%7C22318638%7C7542409

http://www.h3c.com/cn/d_202004/1280734_30005_0.htm

https://www.arista.com/en/um-eos/eos-section-4-6-tacacs-configuration-examples

https://www.cisco.com/c/en/us/td/docs/ios-xml/ios/sec_usr_tacacs/configuration/xe-16/sec-usr-tacacs-xe-16-book/sec-cfg-tacacs.html