Suppose you want to administer login ID and password information centrally for all routers, i.e. all your routers authenticate users against a central server. It is possible to store all of this information locally on each router, but if you have a large number of routers it is extremely time consuming to reconfigure every one of them for a password change or simply to add a new user. So instead of doing that time-consuming work we use TACACS+ for AAA authentication. Using a TACACS+ server for authentication has a major benefit: once TACACS+ authentication is in use, none of the user credentials are stored on the router.
Whenever a user tries to log in to the router, the router automatically sends a query to the TACACS+ server to verify the login credentials. This minimizes the configuration on each router and saves your time. And because the query is made on every login, the information is always up to date.
When you configure AAA authentication on a router, it starts to ignore the locally configured passwords in favor of those provided by the TACACS+ server.
In this example, we have configured the router to consult TACACS+ for both the login and enable passwords.
This is a great labor saver because it means that you don’t have to reconfigure all of your routers just because you want to change passwords. Instead, because the passwords are stored on a central server, you can change them once, and the new passwords instantly propagate to all of your routers. If the router can’t reach the TACACS+ server due to a failure of either the network or the server, then it will resort to using the locally configured passwords.
LEARN HOW TO CONFIGURE TACACS+ SERVER:
STEP-1: NOW START CONFIGURING THE ROUTER:
R1(config)#line vty 0 15
STEP-2: NOW GO TO THE SERVER AND CONFIGURE TACACS+ ON IT:
STEP-3: NOW LOG IN TO THE ROUTER AGAIN AND CONFIGURE IT TO TAKE ITS LOGIN CREDENTIALS FROM THE TACACS+ SERVER ABOVE.
(AAA must be switched on with aaa new-model before the aaa authentication commands are accepted, and the trailing local keyword in each method list is what gives the fallback to the locally configured passwords described above when the TACACS+ server cannot be reached.)
R1(config)#aaa new-model
R1(config)#aaa authentication login default group tacacs+ local
R1(config)#aaa authentication enable default group tacacs+ local
R1(config)#tacacs-server host 220.127.116.11
R1(config)#tacacs-server key 123456789
STEP-4: NOW GO TO YOUR PC AND TELNET TO THE ROUTER. YOU WILL SEE THAT IT TAKES AUTHENTICATION FROM THE TACACS+ SERVER INSTEAD OF ITS OWN LOCAL DATABASE.
Packet Tracer PC Command Line 1.0
Trying 18.104.22.168 …Open
User Access Verification
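As an added illustration (not from the original post), the following Python shows what the shared secret set with tacacs-server key does on the wire: RFC 8907 derives an MD5 pseudo-pad from the session id, the key, the version byte and the sequence number and XORs it over the packet body, so a router and server whose keys do not match cannot read each other's requests. The user, port and address values are constructed; RFC 8907 itself calls this obfuscation rather than encryption, which is why TACACS+ traffic belongs on a protected management network.

```python
import hashlib
import struct

# Constants from RFC 8907 (TACACS+); the sample user/port/address values below are constructed.
TAC_PLUS_VERSION = 0xC0            # major version 0xC, minor version 0
TAC_PLUS_AUTHEN = 0x01             # packet type: authentication
TAC_PLUS_UNENCRYPTED_FLAG = 0x01   # header flag: body carried without obfuscation
TAC_PLUS_AUTHEN_LOGIN = 0x01       # START action
TAC_PLUS_AUTHEN_TYPE_ASCII = 0x01
TAC_PLUS_AUTHEN_SVC_LOGIN = 0x01

def pseudo_pad(session_id: bytes, key: bytes, version: int, seq_no: int, length: int) -> bytes:
    """RFC 8907 section 4.5 keystream: chained MD5 blocks over session_id, key, version, seq_no."""
    pad, prev = b"", b""
    while len(pad) < length:
        prev = hashlib.md5(session_id + key + bytes([version, seq_no]) + prev).digest()
        pad += prev
    return pad[:length]

def authen_start_body(user: str, port: str, rem_addr: str, priv_lvl: int = 1) -> bytes:
    """Authentication START body: 8 fixed bytes, then the variable-length fields."""
    user_b, port_b, rem_b, data_b = user.encode(), port.encode(), rem_addr.encode(), b""
    fixed = bytes([TAC_PLUS_AUTHEN_LOGIN, priv_lvl, TAC_PLUS_AUTHEN_TYPE_ASCII,
                   TAC_PLUS_AUTHEN_SVC_LOGIN, len(user_b), len(port_b), len(rem_b), len(data_b)])
    return fixed + user_b + port_b + rem_b + data_b

def build_packet(body: bytes, key: bytes, session_id: int, seq_no: int = 1) -> bytes:
    """12-byte header followed by the body XORed with the key-derived pad."""
    sid = struct.pack("!I", session_id)
    header = bytes([TAC_PLUS_VERSION, TAC_PLUS_AUTHEN, seq_no, 0x00]) + sid + struct.pack("!I", len(body))
    pad = pseudo_pad(sid, key, TAC_PLUS_VERSION, seq_no, len(body))
    return header + bytes(a ^ b for a, b in zip(body, pad))

def unwrap_body(packet: bytes, key: bytes) -> bytes:
    """Reverse the obfuscation; a wrong key yields garbage, hence router and server must share the key."""
    version, seq_no, flags, sid = packet[0], packet[2], packet[3], packet[4:8]
    (length,) = struct.unpack("!I", packet[8:12])
    body = packet[12:12 + length]
    if flags & TAC_PLUS_UNENCRYPTED_FLAG:
        return body
    pad = pseudo_pad(sid, key, version, seq_no, length)
    return bytes(a ^ b for a, b in zip(body, pad))

if __name__ == "__main__":
    key = b"123456789"   # the key from the page's tacacs-server key line
    body = authen_start_body("admin", "tty0", "192.0.2.10")   # constructed sample login
    pkt = build_packet(body, key, session_id=0x1234ABCD)
    print(unwrap_body(pkt, key) == body, unwrap_body(pkt, b"wrong") == body)
```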