“TACACS+ is an Authentication, Authorization, and Accounting (AAA) protocol originally developed for the U.S. Department of Defense for authentication to network devices such as routers, switches, and firewalls. Unlike RADIUS, it separates the Authentication and Authorization functionalities, which makes it more flexible for administrative access. The current version of the protocol standard was developed by Cisco Systems.”
That gives you a good idea of what TACACS+ is used for. TACACS.net is freeware application which makes any Windows Server installation a TACACS+ server. I found that it made most sense to place the TACACS+ server on the Domain Controller since lookups can be done locally with the fastest speed but if your security model requires them to be separated, then you must stay in compliance and separate the roles by spinning up another Windows server.
Below is the configuration for using a TACACS.net Server with Cisco MDS Series Fabric Switches with Cisco Nexus 7000 Network Switches. Both the Nexus and MDS share the same NX-OS operating system at the core but require separation in the TACACS.net server. These have been tested and verified working! Enjoy!
Configuration files for TACACS.net
Download the configuration bundle, TACACS+ Configuration Bundle
Cisco Nexus 7K/5K & MDS 9124/9148 Configuration
ip domain-name northwind.lan ip name-server 10.10.10.1 10.10.10.2 feature tacacs+ tacacs-server key mds_preshared_key tacacs-server host tacacs-server-1.northwind.lan tacacs-server host tacacs-server-2.northwind.lan aaa group server tacacs+ san_admin server tacacs-server-1.northwind.lan server tacacs-server-2.northwind.lan exit aaa authentication login default group san_admin local tacacs+ enable
NOTE: The Nexus 7000 and the MDS series switches both run NX-OS, the commands are the same for the MDS series as it is for the Nexus series Cisco product lines. If you have an MDS switch running SAN-OS, the following commands will not work.
Cisco IOS Configuration
ip domain-name northwind.lan ip name-server 10.10.10.1 ip name-server 10.10.10.2 aaa new-model aaa authentication login default group network_admins local aaa authentication enable default group network_admins enable aaa authorization config-commands aaa authorization commands 0 default group network_admins none aaa authorization commands 1 default group network_admins none aaa authorization commands 15 default group network_admins none aaa accounting exec default start-stop group network_admins aaa accounting commands 15 default start-stop group network_admins tacacs-server host tacacs-server-1.northwind.lan key ios_preshared_key tacacs-server host tacacs-server-2.northwind.lan key ios_preshared_key