This document describes how to configure Terminal Access Controller
Access Control System (TACACS+) in a Nexus 4000 series switch. The TACACS+
authentication varies slightly in the Nexus 4000 series than a Cisco Catalyst
Cisco recommends that you have knowledge of this topic:
Nexus 7000 Series NX-OS Fundamentals Commands.
The information in this document is based on these software and
The information in this document was created from the devices in a
specific lab environment. All of the devices used in this document started with
a cleared (default) configuration. If your network is live, make sure that you
understand the potential impact of any command.
Refer to the
Technical Tips Conventions for information on document
The configuration example in this section describes how to configure a
Nexus 4005I switch and a TACACS+ server.
Complete these steps in order to configure the Nexus switch and the
Enable TACACS+ protocol feature.
The IP address of the ACS server must be configured with the
preshared key. If there are more than one ACS server, both hosts must be
Enable the AAA concept and the AAA server group.
In this configuration example, the name of the AAA group name is
!--- Enable TACACS+ on the device.
tacacs-server host 10.0.0.1 key 7 Cisco
tacacs-server host 10.0.0.2 key 7 Cisco
!--- Provide the name of your ACS server.
aaa group server tacacs+ ACS
!--- Mention the IP address of the tacacs-servers
!--- referred to in the "tacacs-server host" command.
!--- Telnet and ssh sessions.
aaa authentication login default group ACS local
!--- Console sessions.
aaa authentication login console group ACS local
!--- Accounting command.
aaa accounting default group ACS
Note: Use the same preshared key "Cisco" in the ACS server for
authentication between the Nexus 4000 series and ACS server.
Note: If the TACACS+ server is down, you can fall back to authenticate
locally by configuring the user name and password in the switch.
The Nexus operating system does not use the concept of
privilege levels instead it uses
roles. By default you are placed in the
network-operator role. If you want a user to have full
permissions, you must place them in the network-admin
role, and you must configure the TACACS server to push down an attribute when
the user logs in. For TACACS+, you pass back a TACACS custom attribute with a
value of roles="roleA". For a full access user,
* makes it optional)
Use the commands in this section in order to verify the TACACS+ server
Output Interpreter Tool
(registered customers only)
(OIT) supports certain
show commands. Use the OIT to view an analysis of
show command output.
There is currently no specific troubleshooting information available
for this configuration.