RADIUS and TACACS+: Centralized Authentication for Network Devices

Managing users on 50 routers means changing passwords in 50 places. Someone leaves the company — 50 deletions. New hire — 50 accounts to create. Password policy change — 50 updates.

RADIUS and TACACS+ solve this. Users authenticate against a central server. Create once, authenticate everywhere. Revoke once, locked out everywhere.

At scale, central authentication is non-negotiable.

AAA Concepts

Authentication: Who are you? (username/password, keys)
Authorization: What can you do? (privilege levels, commands)
Accounting: What did you do? (logging, audit)

Feature         RADIUS             TACACS+
Port            UDP 1812/1813      TCP 49
Encryption      Password only      Full packet
Authorization   Limited            Per-command
Best for        Network access     Device management

For router management, TACACS+ is generally preferred because it supports per-command authorization.

RADIUS Configuration

Basic RADIUS Setup

configure
# Add RADIUS server
set system login radius server 10.0.0.100 key "RadiusSecretKey123"
set system login radius server 10.0.0.100 port 1812
# Optional: per-request timeout in seconds
set system login radius server 10.0.0.100 timeout 3
# Source address for RADIUS requests; it must match the client IP defined on the server
set system login radius source-address 192.168.1.1
commit

Multiple RADIUS Servers

# Primary server
set system login radius server 10.0.0.100 key "RadiusKey"
set system login radius server 10.0.0.100 priority 1
# Backup server
set system login radius server 10.0.0.101 key "RadiusKey"
set system login radius server 10.0.0.101 priority 2
# Third server
set system login radius server 10.0.0.102 key "RadiusKey"
set system login radius server 10.0.0.102 priority 3
# VyOS tries servers in priority order

RADIUS with Local Fallback

# If RADIUS fails, fall back to local accounts
# Always keep at least one local admin account!
set system login user local-admin full-name "Emergency Local Admin"
set system login user local-admin authentication public-keys emergency key "..."
set system login user local-admin authentication public-keys emergency type ssh-ed25519
# Local accounts are tried after RADIUS fails

TACACS+ Configuration

Basic TACACS+ Setup

configure
# Add TACACS+ server
set system login tacacs server 10.0.0.100 key "TacacsSecretKey456"
set system login tacacs server 10.0.0.100 port 49
# Set source address
set system login tacacs source-address 192.168.1.1
commit

Multiple TACACS+ Servers

# Primary
set system login tacacs server 10.0.0.100 key "TacacsKey"
set system login tacacs server 10.0.0.100 priority 1
# Backup
set system login tacacs server 10.0.0.101 key "TacacsKey"
set system login tacacs server 10.0.0.101 priority 2
commit

TACACS+ Timeout

# Adjust timeout (default is usually fine)
set system login tacacs server 10.0.0.100 timeout 5

FreeRADIUS Server Setup

Install FreeRADIUS (Ubuntu/Debian)

apt update
apt install freeradius freeradius-utils

Configure Client (VyOS Router)

/etc/freeradius/3.0/clients.conf
client vyos-router {
    ipaddr = 192.168.1.1
    secret = RadiusSecretKey123
    shortname = vyos-main
}

Configure Users

/etc/freeradius/3.0/users
# Reply items must be indented and comma-separated (no comma after the last one)
# Admin user
admin-user Cleartext-Password := "AdminPassword123"
    Service-Type = Administrative-User,
    Cisco-AVPair = "shell:priv-lvl=15"

# Operator user
operator-user Cleartext-Password := "OperatorPassword456"
    Service-Type = NAS-Prompt-User,
    Cisco-AVPair = "shell:priv-lvl=1"

Start FreeRADIUS

# Test configuration (runs in the foreground; stop it with Ctrl-C before starting the service)
freeradius -X # Debug mode
# Start service
systemctl enable freeradius
systemctl start freeradius
# Test authentication (uses the default localhost client and its secret "testing123")
radtest admin-user AdminPassword123 localhost 0 testing123

TACACS+ Server Setup (tac_plus)

Install tac_plus

apt install tacacs+

Configure tac_plus

/etc/tacacs+/tac_plus.conf
key = "TacacsSecretKey456"
accounting file = /var/log/tac_plus.acct
user = admin-user {
    member = admins
    login = cleartext "AdminPassword123"
}
user = operator-user {
    member = operators
    login = cleartext "OperatorPassword456"
}
group = admins {
    default service = permit
    service = exec {
        priv-lvl = 15
    }
}
group = operators {
    default service = deny
    service = exec {
        priv-lvl = 1
    }
    cmd = show {
        permit .*
    }
    cmd = ping {
        permit .*
    }
    cmd = traceroute {
        permit .*
    }
}

Start tac_plus

systemctl enable tacacs+
systemctl start tacacs+

VyOS User Levels via AAA

RADIUS Attributes for VyOS

VyOS uses standard RADIUS attributes. To set privilege level:

# In FreeRADIUS users file (reply items must be indented)
# Maps to admin level
admin-user Cleartext-Password := "password"
    Service-Type = Administrative-User

# Maps to operator level
operator-user Cleartext-Password := "password"
    Service-Type = NAS-Prompt-User

TACACS+ Privilege Levels

# In tac_plus.conf, inside the admins group
service = exec {
    priv-lvl = 15 # Admin access
}
# Inside the operators group
service = exec {
    priv-lvl = 1 # Operator access
}
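The priv-lvl and the per-command rules only make sense together with how tac_plus walks a user's group and evaluates `cmd` blocks. The Python below is an added example (not tac_plus code and not from the page): it parses the page's subset of tac_plus.conf syntax and answers "may this user run this command, and at which privilege level?" under a simplified model of the tac_plus semantics (first matching regex inside a `cmd` block wins, a `cmd` block with no match denies, otherwise the nearest `default service` decides). The configuration string is constructed in the style of the page; its `deny .*password.*` line is a hypothetical extra rule added to show that rule order matters.

```python
"""Model of tac_plus per-command authorization (added example, not tac_plus code).

Simplified semantics assumed here: rules inside 'cmd = X { ... }' are tried in
order and the first regex matching the arguments wins; a cmd block with no
matching rule denies; a command with no cmd block falls back to 'default
service' of the user, then of its group chain; with no default anywhere, deny.
"""
import re

# Constructed tac_plus.conf in the style of the page. The 'deny' rule in the
# operators' show block is hypothetical; listed after 'permit .*' it would never fire.
TAC_PLUS_CONF = """\
key = "TacacsSecretKey456"
accounting file = /var/log/tac_plus.acct
user = admin-user {
    member = admins
    login = cleartext "AdminPassword123"
}
user = operator-user {
    member = operators
    login = cleartext "OperatorPassword456"
}
group = admins {
    default service = permit
    service = exec {
        priv-lvl = 15
    }
}
group = operators {
    default service = deny
    service = exec {
        priv-lvl = 1
    }
    cmd = show {
        deny .*password.*
        permit .*
    }
    cmd = ping {
        permit .*
    }
}
"""


def _parse_block(lines, i):
    """Parse lines[i:] up to the matching '}' into {"attrs": [...], "children": {}}."""
    block = {"attrs": [], "children": {}}
    while i < len(lines):
        line = lines[i].split("#", 1)[0].strip()  # drop comments and whitespace
        i += 1
        if not line:
            continue
        if line == "}":
            break
        if line.endswith("{"):  # 'cmd = show {' -> child keyed ("cmd", "show")
            kind, _, name = line[:-1].partition("=")
            child, i = _parse_block(lines, i)
            block["children"][(kind.strip(), name.strip())] = child
        else:
            block["attrs"].append(line)
    return block, i


def parse_conf(text):
    """Parse the configuration text into nested blocks."""
    return _parse_block(text.splitlines(), 0)[0]


def _attr(block, key):
    """Value of 'key = value' inside a block, or None when absent."""
    for attr in block["attrs"]:
        k, sep, v = attr.partition("=")
        if sep and k.strip() == key:
            return v.strip()
    return None


def _scope(conf, user):
    """The user's block followed by its group chain (user -> member group -> ...)."""
    chain, node = [], conf["children"].get(("user", user))
    while node is not None and all(node is not seen for seen in chain):
        chain.append(node)
        member = _attr(node, "member")
        node = conf["children"].get(("group", member)) if member else None
    return chain


def priv_level(conf, user):
    """priv-lvl from the nearest 'service = exec' block in scope, or None."""
    for node in _scope(conf, user):
        svc = node["children"].get(("service", "exec"))
        if svc is not None and _attr(svc, "priv-lvl") is not None:
            return int(_attr(svc, "priv-lvl"))
    return None


def authorize(conf, user, command, args=""):
    """Return (permitted, reason) for 'command args' run by user."""
    scope = _scope(conf, user)
    if not scope:
        return False, "unknown user"
    for node in scope:  # nearest cmd block wins; rules inside it are first-match
        cmd = node["children"].get(("cmd", command))
        if cmd is None:
            continue
        for rule in cmd["attrs"]:
            action, _, pattern = rule.partition(" ")
            if re.search(pattern.strip() or ".*", args):
                return action == "permit", f"cmd {command}: {rule}"
        return False, f"cmd {command}: no rule matched"
    for node in scope:  # no cmd block at all: nearest 'default service' decides
        default = _attr(node, "default service")
        if default is not None:
            return default == "permit", f"default service = {default}"
    return False, "no default service (implicit deny)"


if __name__ == "__main__":
    conf = parse_conf(TAC_PLUS_CONF)
    for user, cmd, args in [("operator-user", "show", "interfaces"),
                            ("operator-user", "configure", ""), ("admin-user", "configure", "")]:
        print(user, priv_level(conf, user), cmd, args, authorize(conf, user, cmd, args))
```

The operator example is the one worth checking before rolling a policy out: `default service = deny` means any command without a `cmd` block (including `configure`) is refused, so a `show` allowlist only works when every read-only command the operators need has its own block.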

Testing Authentication

Test from VyOS

# Try to SSH with RADIUS/TACACS user
ssh admin-user@vyos-router
# Check logs
show log | grep -i radius
show log | grep -i tacacs
show log | grep -i auth

Test from Server

# RADIUS test
radtest admin-user AdminPassword123 localhost 0 testing123
# TACACS+ test (requires test tool)
# Connect to VyOS and try login

Debug Authentication Issues

# On VyOS, check logs
show log | grep -i pam
show log | grep -i auth
# On RADIUS server (debug mode)
freeradius -X
# Common issues:
# - Wrong shared secret
# - Firewall blocking ports
# - Source address mismatch

Accounting Configuration

RADIUS Accounting

# RADIUS accounting sends session start/stop records
# Accounting is enabled on the RADIUS server side
# Check accounting logs on the server (Debian/Ubuntu package logs under /var/log/freeradius/)
cat /var/log/freeradius/radacct/*/detail-*

TACACS+ Accounting

# tac_plus logs commands
# Accounting file location in tac_plus.conf:
accounting file = /var/log/tac_plus.acct
# View accounting log
tail -f /var/log/tac_plus.acct
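Tailing the accounting file shows what happened; an audit also wants the per-user command counts and an alert whenever someone changes the login configuration itself, because a local account added on the router bypasses everything this page sets up. The Python below is an added example (not part of tac_plus) that parses records in the tab-separated layout tac_plus writes (timestamp, NAS address, user, tty, remote address, start/stop/update, then attr=value pairs); the sample records and the watched command prefixes are constructed for this example.

```python
"""Summarize and audit tac_plus accounting records (added example, not tac_plus code).

Assumed record layout (tab-separated): timestamp, NAS address, user, tty,
remote address, start|stop|update, then attr=value pairs such as
service=shell, priv-lvl=15 and cmd=<command line as typed>.
"""
from collections import Counter

# Constructed sample records in that layout (one admin session, one operator session).
SAMPLE_ACCT = "\n".join([
    "Mon Mar  3 10:12:14 2025\t192.168.1.1\tadmin-user\tpts/0\t10.0.0.50\tstart\ttask_id=1\tservice=shell\tpriv-lvl=15",
    "Mon Mar  3 10:12:30 2025\t192.168.1.1\tadmin-user\tpts/0\t10.0.0.50\tstop\ttask_id=2\tservice=shell\tpriv-lvl=15\tcmd=show interfaces",
    "Mon Mar  3 10:13:02 2025\t192.168.1.1\tadmin-user\tpts/0\t10.0.0.50\tstop\ttask_id=3\tservice=shell\tpriv-lvl=15\tcmd=configure",
    "Mon Mar  3 10:13:40 2025\t192.168.1.1\tadmin-user\tpts/0\t10.0.0.50\tstop\ttask_id=4\tservice=shell\tpriv-lvl=15\tcmd=set system login user temp-admin authentication plaintext-password REDACTED",
    "Mon Mar  3 10:14:05 2025\t192.168.1.1\tadmin-user\tpts/0\t10.0.0.50\tstop\ttask_id=5\tservice=shell\tpriv-lvl=15\tcmd=commit",
    "Mon Mar  3 11:02:11 2025\t192.168.1.1\toperator-user\tpts/1\t10.0.0.77\tstop\ttask_id=6\tservice=shell\tpriv-lvl=1\tcmd=show log",
    "Mon Mar  3 11:02:40 2025\t192.168.1.1\toperator-user\tpts/1\t10.0.0.77\tstop\ttask_id=7\tservice=shell\tpriv-lvl=1\tcmd=ping 10.0.0.100",
])

# Commands that alter local accounts or AAA settings (constructed watchlist for the example).
SENSITIVE_PREFIXES = ("set system login", "delete system login")


def parse_record(line):
    """Split one accounting line into its fixed fields plus an attrs dict."""
    fields = line.rstrip("\n").split("\t")
    ts, nas, user, tty, remote, flag = fields[:6]
    attrs = {}
    for pair in fields[6:]:
        key, _, value = pair.partition("=")  # cmd= values may contain spaces and '='
        attrs[key] = value
    return {"ts": ts, "nas": nas, "user": user, "tty": tty,
            "remote": remote, "flag": flag, "attrs": attrs}


def parse_log(text):
    """All non-empty lines of an accounting file as record dicts."""
    return [parse_record(line) for line in text.splitlines() if line.strip()]


def commands_per_user(text):
    """Number of executed commands (records carrying cmd=) per user."""
    counts = Counter()
    for rec in parse_log(text):
        if "cmd" in rec["attrs"]:
            counts[rec["user"]] += 1
    return dict(counts)


def audit(text, prefixes=SENSITIVE_PREFIXES):
    """Records whose command starts with a watched prefix, with who/where/when."""
    hits = []
    for rec in parse_log(text):
        cmd = rec["attrs"].get("cmd", "")
        if cmd.startswith(prefixes):
            hits.append({"ts": rec["ts"], "user": rec["user"],
                         "remote": rec["remote"], "cmd": cmd})
    return hits


if __name__ == "__main__":
    print(commands_per_user(SAMPLE_ACCT))
    for hit in audit(SAMPLE_ACCT):
        print(f"ALERT {hit['ts']} {hit['user']} from {hit['remote']}: {hit['cmd']}")
```

Run it against the real file with `audit(open("/var/log/tac_plus.acct").read())`; the watchlist is the part to adapt to your own change-control rules.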

High Availability Setup

Primary/Backup with Health Check

# Configure multiple servers
set system login radius server 10.0.0.100 priority 1
set system login radius server 10.0.0.101 priority 2
# VyOS automatically fails over if primary unavailable

Geographic Distribution

# Datacenter 1
set system login radius server 10.1.0.100 priority 1
# Datacenter 2
set system login radius server 10.2.0.100 priority 2
# VyOS keeps no local credential cache, so every site needs a reachable server (or the local fallback below)

Local Fallback (Critical)

# ALWAYS keep a local emergency account
set system login user emergency-admin authentication public-keys emergency key "..."
set system login user emergency-admin authentication public-keys emergency type ssh-ed25519
set system login user emergency-admin level admin
# If ALL RADIUS/TACACS+ servers fail, local accounts still work

Integration with LDAP/AD

RADIUS/TACACS+ can proxy to LDAP/Active Directory:

FreeRADIUS with LDAP

/etc/freeradius/3.0/mods-enabled/ldap
ldap {
    server = 'ldap.example.com'
    port = 389
    identity = 'cn=radius,dc=example,dc=com'
    password = ldap_password
    base_dn = 'dc=example,dc=com'
    user {
        base_dn = "ou=users,${..base_dn}"
        filter = "(uid=%{%{Stripped-User-Name}:-%{User-Name}})"
    }
}

Group-Based Access

# Map LDAP groups to VyOS levels
# In the FreeRADIUS users file (reply items must be indented):
DEFAULT Ldap-Group == "network-admins"
    Service-Type = Administrative-User

DEFAULT Ldap-Group == "network-operators"
    Service-Type = NAS-Prompt-User

Security Best Practices

Secure Shared Secrets

# Use strong secrets (32+ characters)
# Different secret per device (ideally)
# Store secrets in vault, not text files

Network Security

# TACACS+ port
set firewall ipv4 name MGMT-OUT rule 100 action accept
set firewall ipv4 name MGMT-OUT rule 100 destination port 49
set firewall ipv4 name MGMT-OUT rule 100 destination address 10.0.0.100
set firewall ipv4 name MGMT-OUT rule 100 protocol tcp
# RADIUS ports
set firewall ipv4 name MGMT-OUT rule 110 action accept
set firewall ipv4 name MGMT-OUT rule 110 destination port 1812-1813
set firewall ipv4 name MGMT-OUT rule 110 destination address 10.0.0.100
set firewall ipv4 name MGMT-OUT rule 110 protocol udp

Encrypt Traffic

# TACACS+ encrypts full packet (preferred)
# RADIUS only encrypts password (use with caution over untrusted networks)
# Consider:
# - VPN between router and AAA server
# - Dedicated management network
# - IPsec protected links
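The "Password only" versus "Full packet" rows of the comparison table and the advice above come down to two different keystream constructions. The Python below is an added example (not code from the page, from VyOS, FreeRADIUS or tac_plus): it builds a minimal RADIUS Access-Request with the User-Password hiding of RFC 2865 section 5.2 and a minimal TACACS+ packet with the body obfuscation of RFC 8907 section 4.5, then checks which fields are still readable in each. The shared secrets, session id, Request Authenticator, NAS address and the simplified TACACS+ body are constructed values; a real TACACS+ authentication START body has a structured layout.

```python
"""What RADIUS and TACACS+ actually hide on the wire (added example).

RADIUS hides only the User-Password attribute: the NUL-padded password is
XOR-ed with an MD5 keystream derived from the shared secret and the 16-byte
Request Authenticator; User-Name and every other attribute travel in clear.
TACACS+ XORs the whole packet body with an MD5 keystream derived from the
session id, shared key, version and sequence number. Both are keyed MD5
obfuscation, not authenticated encryption.
"""
import hashlib
import os
import struct


def radius_hide_password(password, secret, authenticator):
    """RFC 2865 5.2 User-Password hiding; returns the hidden attribute value."""
    padded = password + b"\x00" * (-len(password) % 16 or (16 if not password else 0))
    out, prev = b"", authenticator
    for i in range(0, len(padded), 16):
        b = hashlib.md5(secret + prev).digest()  # b_n = MD5(S + c_(n-1)), c_0 = RA
        prev = bytes(x ^ y for x, y in zip(padded[i:i + 16], b))
        out += prev
    return out


def radius_unhide_password(hidden, secret, authenticator):
    """Inverse of radius_hide_password (what the server does); strips NUL padding."""
    out, prev = b"", authenticator
    for i in range(0, len(hidden), 16):
        chunk = hidden[i:i + 16]
        b = hashlib.md5(secret + prev).digest()
        out += bytes(x ^ y for x, y in zip(chunk, b))
        prev = chunk
    return out.rstrip(b"\x00")


def radius_attr(attr_type, value):
    """Type-Length-Value attribute encoding (length covers the 2-byte header)."""
    return struct.pack("!BB", attr_type, len(value) + 2) + value


def radius_access_request(username, password, secret, authenticator, ident=1):
    """Code 1 (Access-Request), identifier, length, authenticator, attributes."""
    attrs = (radius_attr(1, username)                                                # User-Name
             + radius_attr(2, radius_hide_password(password, secret, authenticator))  # User-Password
             + radius_attr(4, bytes([192, 168, 1, 1])))                               # NAS-IP-Address (constructed)
    return struct.pack("!BBH", 1, ident, 20 + len(attrs)) + authenticator + attrs


def tacacs_keystream(session_id, key, version, seq_no, length):
    """RFC 8907 4.5 pseudo-pad: chained MD5 over session_id|key|version|seq_no."""
    base = struct.pack("!I", session_id) + key + bytes([version, seq_no])
    pad, prev = b"", b""
    while len(pad) < length:
        prev = hashlib.md5(base + prev).digest()
        pad += prev
    return pad[:length]


def tacacs_packet(body, key, session_id, seq_no=1, version=0xC0, pkt_type=1):
    """12-byte header (flags=0 means obfuscated body) followed by body XOR keystream."""
    pad = tacacs_keystream(session_id, key, version, seq_no, len(body))
    header = struct.pack("!BBBBII", version, pkt_type, seq_no, 0, session_id, len(body))
    return header + bytes(x ^ y for x, y in zip(body, pad))


def tacacs_unwrap(packet, key):
    """Recover the body: the same XOR with the same keystream, unless the clear flag is set."""
    version, _type, seq_no, flags, session_id, length = struct.unpack("!BBBBII", packet[:12])
    body = packet[12:12 + length]
    if flags & 0x01:  # TAC_PLUS_UNENCRYPTED_FLAG: body was sent in clear
        return body
    pad = tacacs_keystream(session_id, key, version, seq_no, length)
    return bytes(x ^ y for x, y in zip(body, pad))


def visible_fields(username=b"admin-user", password=b"AdminPassword123", authenticator=None):
    """Which of username/password appear verbatim in each protocol's packet."""
    authenticator = authenticator or os.urandom(16)  # RADIUS Request Authenticator, fresh per request
    rad = radius_access_request(username, password, b"RadiusSecretKey123", authenticator)
    # Simplified TACACS+ body (constructed); a real START packet is structured.
    tac = tacacs_packet(b"user=" + username + b" pass=" + password, b"TacacsSecretKey456", 0x1234ABCD)
    return {"radius_username_visible": username in rad,
            "radius_password_visible": password in rad,
            "tacacs_username_visible": username in tac,
            "tacacs_password_visible": password in tac}


if __name__ == "__main__":
    for field, seen in visible_fields().items():
        print(f"{field}: {seen}")
```

Neither construction authenticates the payload or uses a modern cipher; RFC 8907 itself describes the TACACS+ mechanism as obfuscation. That is why the VPN, IPsec and dedicated-management-network advice above applies to TACACS+ as well, not only to RADIUS.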

Troubleshooting

Authentication Fails

# 1. Verify connectivity
ping 10.0.0.100
# 2. Check ports
nc -zv 10.0.0.100 49 # TACACS+ (TCP: a real handshake, so the result is reliable)
nc -zvu 10.0.0.100 1812 # RADIUS (UDP: no handshake; "open" only means no ICMP unreachable came back)
# 3. Check VyOS logs
show log | grep -i auth
# 4. Check server logs
# RADIUS: /var/log/freeradius/radius.log
# TACACS+: /var/log/tac_plus.log
# 5. Test locally on server
radtest user pass localhost 0 testing123

Server Unreachable

# Check source address configuration
show configuration commands | grep source-address
# Verify routing
show ip route 10.0.0.100
# Check firewall rules
show firewall

The Lesson

At scale, central authentication is non-negotiable.

With local accounts:

  • Employee leaves → update 50 routers
  • Password breach → rotate on 50 routers
  • New hire → create on 50 routers
  • Audit → check 50 routers

With central AAA:

  • Employee leaves → disable one account
  • Password breach → one place to update
  • New hire → one account creation
  • Audit → one central log

The setup takes a few hours. The ongoing management saves hundreds of hours per year.

Requirements:

  1. Redundancy: Multiple AAA servers
  2. Fallback: Local emergency account always
  3. Logging: Central accounting for audit
  4. Security: Encrypted protocols, strong secrets

Don’t run production network devices with only local accounts. Central authentication is infrastructure, not luxury.