Citrix Branch Repeater Authentication with Cisco TACACS+

I have been looking for documentation on how to configure TACACS authentication with a Citrix Branch Repeater, but so far I have only been able to find documentation for NetScaler. So I have set up a lab and decided to write the documentation myself.

For those who cannot be bothered to read this post there is a video link at the bottom of this post with a walkthrough.



VMware Server running Windows Server Standard 2003 SP2 + trial version of ACS 3.2 from Cisco

ESX Server 4.1 running CitrixBranchRepeaterVPX-RC- Trial from Citrix via the VMware Virtual Appliance Marketplace.

ACS Server
Citrix Branch Repeater


Citrix Branch Repeater

This could not be easier. Simply go to [Security]->[Manage Users]

  • Select the TACACS+ Authentication TAB
  • Click the Checkbox [Enable TACACS+ Authentication]
  • Enter your ACS IP Address [Your ACS IP address]
  • Authentication port : [49] Default
  • Your Shared Secret :[Your Secret Key]
  • Use Encryption : [Checked by Default]

Click [Update]

ACS Server

On Network Configuration

  • Click [Add Entry]
  • AAA Client Hostname : [A hostname, does not have to match the CBR]
  • AAA IP Address :[The actual IP address of the CBR]
  • Key :[Your Shared Secret]
  • Authenticate Using [TACACS+ (CiscoIOS)] – Default
  • Other check boxes are left blank
  • Click [Submit+Restart]
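
The shared secret has to be identical on the CBR and on the ACS because TACACS+ uses it to obfuscate every packet body (RFC 8907, section 4.5). The sketch below is an added example, not part of the original post and not Citrix or Cisco code; the secret, session ID, user name and addresses are constructed, and treating the CBR's [Use Encryption] checkbox as the protocol's unencrypted flag is an assumption.

```python
import hashlib
import struct

TAC_PLUS_UNENCRYPTED_FLAG = 0x01  # RFC 8907 header flag: body sent in the clear
VERSION = 0xC0                    # major version 0xC, minor version 0 (default)
TYPE_AUTHEN = 0x01                # packet type: authentication

def pseudo_pad(session_id, key, version, seq_no, length):
    """MD5 chain from RFC 8907 section 4.5, truncated to the body length."""
    seed = struct.pack("!I", session_id) + key + bytes([version, seq_no])
    pad, prev = b"", b""
    while len(pad) < length:
        prev = hashlib.md5(seed + prev).digest()
        pad += prev
    return pad[:length]

def xor_body(body, session_id, key, version, seq_no):
    """XOR is symmetric, so the same call obfuscates and de-obfuscates."""
    pad = pseudo_pad(session_id, key, version, seq_no, len(body))
    return bytes(b ^ p for b, p in zip(body, pad))

def sample_start_body(user=b"labuser", port=b"web", rem_addr=b"192.0.2.10"):
    """Constructed authentication START body: login, priv 1, ASCII, login service."""
    fixed = struct.pack("!8B", 1, 1, 1, 1, len(user), len(port), len(rem_addr), 0)
    return fixed + user + port + rem_addr

def build_packet(body, session_id, key, seq_no=1, encrypt=True):
    """12-byte header followed by the (normally obfuscated) body."""
    flags = 0 if encrypt else TAC_PLUS_UNENCRYPTED_FLAG
    payload = xor_body(body, session_id, key, VERSION, seq_no) if encrypt else body
    header = struct.pack("!BBBBII", VERSION, TYPE_AUTHEN, seq_no, flags,
                         session_id, len(payload))
    return header + payload

def read_body(packet, key):
    """What the receiving side recovers using its own copy of the secret."""
    version, _type, seq_no, flags, session_id, length = struct.unpack(
        "!BBBBII", packet[:12])
    body = packet[12:12 + length]
    if flags & TAC_PLUS_UNENCRYPTED_FLAG:
        return body
    return xor_body(body, session_id, key, version, seq_no)

if __name__ == "__main__":
    body = sample_start_body()
    pkt = build_packet(body, 0x1A2B3C4D, b"lab-secret")  # constructed values
    print("on the wire :", pkt[12:].hex())
    print("matching key:", read_body(pkt, b"lab-secret") == body)
    print("wrong key   :", read_body(pkt, b"typo-secret") == body)
```

With a mismatched key the receiver recovers bytes that differ from what was sent, so the secret entered on the CBR and the key entered on the ACS must be character-for-character identical.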


If you already have a TACACS user account, try logging into the CBR and you should have read-only access. So, apparently, does anyone else with a TACACS account!


User Setup

Nothing special, except the user needs to be assigned to a group with EXEC access and level 15 privileges before they can have full admin access to the CBR.


Group setup

You need to:

  • Check [Shell (exec)]
  • Check [Privilege Level] and set to [15]
  • Click [Submit+Restart]

Note: You could also set this up against the individual user.


Log out and back into the CBR, and you should now have full admin access.


Here is a video of how to do this.




I was not able to find any documentation on how to configure the Citrix Branch Repeater with Cisco’s TACACS+, so I have set up a lab and worked it out for myself. What I would say is that setting up EXEC mode and Privilege 15 could break the way you currently log on to devices using TACACS+, so be careful.