T Commands
This chapter describes the Cisco NX-OS security commands that begin with T.
tacacs+ abort
To discard a TACACS+ Cisco Fabric Services (CFS) distribution session in progress, use the tacacs+ abort command.
tacacs+ abort
Syntax Description
This command has no arguments or keywords.
Defaults
None.
Command Modes
Global configuration
Supported User Roles
network-admin
vdc-admin
Command History
Usage Guidelines
To use this command, TACACS+ must be enabled using the feature tacacs+ command.
This command does not require a license.
Examples
This example shows how to discard a TACACS+ CFS distribution session in progress:
switch# config terminal
switch(config)# tacacs+ abort
Related Commands
Command    Description
feature tacacs+
Enables TACACS+.
show tacacs+
Displays TACACS+ CFS distribution status and other details.
tacacs+ distribute
Enables CFS distribution for TACACS+.
tacacs+ commit
To apply the pending configuration pertaining to the TACACS+ Cisco Fabric Services (CFS) distribution session in progress in the fabric, use the tacacs+ commit command.
tacacs+ commit
Syntax Description
This command has no arguments or keywords.
Defaults
None
Command Modes
Global configuration
Supported User Roles
network-admin
vdc-admin
VDC user
Command History
Usage Guidelines
To use this command, TACACS+ must be enabled using the feature tacacs+ command.
Before committing the TACACS+ configuration to the fabric, all switches in the fabric must have distribution enabled using the tacacs+ distribute command.
CFS does not distribute the TACACS+ server group configurations, periodic TACACS+ server testing configurations, or server and global keys. The keys are unique to the Cisco NX-OS device and are not shared with other Cisco NX-OS devices.
This command does not require a license.
Examples
This example shows how to apply a TACACS+ configuration to the switches in the fabric.
switch# config terminal
switch(config)# tacacs+ commit
Related Commands
Command    Description
feature tacacs+
Enables TACACS+.
show tacacs+
Displays TACACS+ CFS distribution status and other details.
tacacs+ distribute
Enables CFS distribution for TACACS+.
tacacs+ distribute
To enable Cisco Fabric Services (CFS) distribution for TACACS+, use the tacacs+ distribute command. To disable this feature, use the no form of the command.
tacacs+ distribute
no tacacs+ distribute
Syntax Description
This command has no arguments or keywords.
Defaults
Disabled
Command Modes
Global configuration
Supported User Roles
network-admin
vdc-admin
VDC user
Command History
Usage Guidelines
To use this command, TACACS+ must be enabled using the feature tacacs+ command.
CFS does not distribute the TACACS+ server group configurations, periodic TACACS+ server testing configurations, or server and global keys. The keys are unique to the Cisco NX-OS device and are not shared with other Cisco NX-OS devices.
This command does not require a license.
Examples
This example shows how to enable TACACS+ fabric distribution:
switch# config terminal
switch(config)# tacacs+ distribute
Related Commands
Command    Description
feature tacacs+
Enables TACACS+.
show tacacs+
Displays TACACS+ CFS distribution status and other details.
tacacs-server deadtime
To set a periodic time interval where a nonreachable (nonresponsive) TACACS+ server is monitored for responsiveness, use the tacacs-server deadtime command. To disable the monitoring of the nonresponsive TACACS+ server, use the no form of this command.
tacacs-server deadtime minutes
no tacacs-server deadtime minutes
Syntax Description
minutes
Dead-time interval, in minutes. Setting it to 0 disables the timer.
Defaults
0 minutes
Command Modes
Global configuration
Supported User Roles
network-admin
vdc-admin
Command History
Usage Guidelines
Setting the time interval to zero disables the timer. If the dead-time interval for an individual TACACS+ server is greater than zero (0), that value takes precedence over the value set for the server group.
When the dead-time interval is 0 minutes, TACACS+ server monitoring is not performed unless the TACACS+ server is part of a server group and the dead-time interval for the group is greater than 0 minutes.
You must use the feature tacacs+ command before you configure TACACS+.
This command does not require a license.
Examples
This example shows how to configure the dead-time interval and enable periodic monitoring:
switch# configure terminal
switch(config)# tacacs-server deadtime 10
This example shows how to revert to the default dead-time interval and disable periodic monitoring:
switch# configure terminal
switch(config)# no tacacs-server deadtime 10
Related Commands
Command    Description
deadtime
Sets a dead-time interval for monitoring a nonresponsive TACACS+ server.
show tacacs-server
Displays TACACS+ server information.
feature tacacs+
Enables TACACS+.
tacacs-server directed-request
To allow users to send authentication requests to a specific TACACS+ server when logging in, use the tacacs-server directed-request command. To revert to the default, use the no form of this command.
tacacs-server directed-request
no tacacs-server directed-request
Syntax Description
This command has no arguments or keywords.
Defaults
Sends the authentication request to the configured TACACS+ server groups
Command Modes
Global configuration
Supported User Roles
network-admin
vdc-admin
Command History
Usage Guidelines
You must use the feature tacacs+ command before you configure TACACS+.
The user can specify username@vrfname:hostname at login, where vrfname is the virtual routing and forwarding (VRF) instance to use and hostname is the name of a configured TACACS+ server. The username is then sent to that server for authentication. In other words, anyone at the login prompt can choose which of the configured TACACS+ servers handles the request, so configure only servers you trust to authenticate administrative logins.
Note If you enable the directed-request option, the Cisco NX-OS device uses only the TACACS+ method for authentication and not the default local method.
This command does not require a license.
Examples
This example shows how to allow users to send authentication requests to a specific TACACS+ server when logging in:
switch# configure terminal
switch(config)# tacacs-server directed-request
This example shows how to disallow users from sending authentication requests to a specific TACACS+ server when logging in:
switch# configure terminal
switch(config)# no tacacs-server directed-request
Related Commands
Command    Description
show tacacs-server directed-request
Displays the directed request TACACS+ server configuration.
feature tacacs+
Enables TACACS+.
tacacs-server host
To configure TACACS+ server host parameters, use the tacacs-server host command. To revert to the defaults, use the no form of this command.
tacacs-server host {hostname | ipv4-address | ipv6-address} [key [0 | 7] shared-secret] [port port-number] [test {idle-time time | password password | username name}] [timeout seconds]
no tacacs-server host {hostname | ipv4-address | ipv6-address} [key [0 | 7] shared-secret] [port port-number] [test {idle-time time | password password | username name}] [timeout seconds]
Syntax Description
hostname | ipv4-address | ipv6-address
Host name, IPv4 address, or IPv6 address of the TACACS+ server.
key [0 | 7] shared-secret
(Optional) Shared secret for this server, overriding the global key set with the tacacs-server key command. 0 means the secret that follows is clear text; 7 means it is type-7 encrypted. Type-7 is a fixed, reversible obfuscation and does not protect the key from anyone who can read the configuration.
port port-number
(Optional) TCP port on which the server listens for TACACS+.
test {idle-time time | password password | username name}
(Optional) Periodic server-monitoring parameters: the idle time, in minutes, between test requests, and the username and password sent in the test. An idle time of 0 disables monitoring of this server.
timeout seconds
(Optional) Time, in seconds, to wait for a response from this server before retransmitting; overrides the global tacacs-server timeout value.
Defaults
Idle time: disabled
Server monitoring: disabled
Timeout: 1 second.
Test username: test
Test password: test
Command Modes
Global configuration
Supported User Roles
network-admin
vdc-admin
Command History
Usage Guidelines
You must use the feature tacacs+ command before you configure TACACS+.
When the idle time interval is 0 minutes, periodic TACACS+ server monitoring is not performed.
This command does not require a license.
Examples
This example shows how to configure TACACS+ server host parameters:
switch# configure terminal
switch(config)# tacacs-server host 10.10.2.3 key HostKey
switch(config)# tacacs-server host tacacs2 key 0 abcd
switch(config)# tacacs-server host tacacs3 key 7 1234
switch(config)# tacacs-server host 10.10.2.3 test idle-time 10
switch(config)# tacacs-server host 10.10.2.3 test username tester
switch(config)# tacacs-server host 10.10.2.3 test password 2B9ka5
Related Commands
Command    Description
show tacacs-server
Displays TACACS+ server information.
feature tacacs+
Enables TACACS+.
tacacs-server key
To configure a global TACACS+ shared secret key, use the tacacs-server key command. To remove a configured shared secret, use the no form of this command.
tacacs-server key [0 | 6 | 7] shared-secret
no tacacs-server key [0 | 6 | 7] shared-secret
Syntax Description
0
(Optional) Specifies that the shared secret that follows is clear text.
6
(Optional) Specifies that the shared secret that follows is type-6 encrypted.
7
(Optional) Specifies that the shared secret that follows is type-7 encrypted. Type-7 is a reversible obfuscation, not real encryption; treat a type-7 key in a configuration file as clear text.
shared-secret
Shared secret used to authenticate the device to the TACACS+ servers.
Defaults
None
Command Modes
Global configuration
Supported User Roles
network-admin
vdc-admin
Command History
Usage Guidelines
You must configure the TACACS+ preshared key to authenticate the device to the TACACS+ server. The length of the key is restricted to 63 characters and can include any printable ASCII characters (white spaces are not allowed). You can configure a global key to be used for all TACACS+ server configurations on the device. You can override this global key assignment by using the key keyword in the tacacs-server host command.
You must use the feature tacacs+ command before you configure TACACS+.
This command does not require a license.
Examples
The following example shows how to configure TACACS+ server shared keys:
switch# configure terminal
switch(config)# tacacs-server key AnyWord
switch(config)# tacacs-server key 0 AnyWord
switch(config)# tacacs-server key 7 public
Related Commands
Command    Description
show tacacs-server
Displays TACACS+ server information.
feature tacacs+
Enables TACACS+.
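The key 7 form used by tacacs-server key and tacacs-server host shows up in a running-config as a string of hex digits, which is why it is often mistaken for a hash. The following is an added example, not code from the Cisco NX-OS reference: it assumes the NX-OS key 7 form is the classic Cisco type-7 scheme (two decimal digits giving a start offset into a fixed, public translation string, then one hex byte per character, each XORed with the translation character at the running offset), and it recovers every such key from a constructed configuration excerpt. The SAMPLE_CONFIG text and the host names in it are made up for the example.

```python
"""Decode and audit Cisco type-7 shared secrets (the `key 7 ...` form).

Added example; not code from the Cisco NX-OS reference. Assumes NX-OS
`key 7` is the classic Cisco type-7 scheme. The scheme hides a key from a
casual glance at the running-config and nothing more: anyone holding the
configuration can recover the clear-text TACACS+ secret.
"""
import re

# Fixed, publicly known translation string shared by type-7 implementations.
XLAT = "dsfd;kfoA,.iyewrkldJKDHSUBsgvca69834ncxv"


def type7_decode(encoded: str) -> str:
    """Return the clear-text key for a type-7 string such as '094F471A1A0A'."""
    if len(encoded) < 4 or len(encoded) % 2:
        raise ValueError("expected two offset digits followed by hex byte pairs")
    offset = int(encoded[:2], 10)          # starting index into XLAT
    if offset >= len(XLAT):
        raise ValueError(f"offset {offset} exceeds the translation string")
    chars = []
    for i in range(2, len(encoded), 2):
        byte = int(encoded[i:i + 2], 16)
        chars.append(chr(byte ^ ord(XLAT[offset % len(XLAT)])))
        offset += 1                        # one translation char per byte
    return "".join(chars)


def type7_encode(plaintext: str, offset: int = 9) -> str:
    """Produce the type-7 form of plaintext starting at the given offset."""
    if not 0 <= offset < len(XLAT):
        raise ValueError("offset out of range")
    body = "".join(
        f"{ord(c) ^ ord(XLAT[(offset + i) % len(XLAT)]):02X}"
        for i, c in enumerate(plaintext)
    )
    return f"{offset:02d}{body}"


# Matches the global form `tacacs-server key 7 <hex>` and the per-host form
# `tacacs-server host <name> key 7 <hex>`; group 1 is the host name, if any.
_KEY7 = re.compile(r'^tacacs-server (?:host (\S+) )?key 7 "?([0-9A-Fa-f]+)"?')


def recover_tacacs_keys(config_text: str) -> list:
    """Return [(target, clear_text_key), ...] for every type-7 key in a config.

    target is the host name or address, or 'global' for tacacs-server key.
    Clear-text (key 0 / untyped) and type-6 keys are not touched.
    """
    found = []
    for line in config_text.splitlines():
        m = _KEY7.match(line.strip())
        if m:
            found.append((m.group(1) or "global", type7_decode(m.group(2))))
    return found


# Constructed running-config excerpt (not captured from a real device).
SAMPLE_CONFIG = """\
tacacs-server key 7 094F471A1A0A
tacacs-server host 10.10.2.3 key 7 032C541812242455
tacacs-server host tacacs2 key 0 abcd
"""

if __name__ == "__main__":
    for target, key in recover_tacacs_keys(SAMPLE_CONFIG):
        print(f"{target}: {key}")
```

Running the block prints the global key as cisco and the key for 10.10.2.3 as HostKey. The practical consequence for a configuration review is that the 0/7 choice only affects who can read the secret over your shoulder; protecting the configuration file itself (and rotating the TACACS+ secret after any backup or support bundle leaves your control) is what actually protects the key.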
tacacs-server test
To monitor the availability of all TACACS+ servers without having to configure the test parameters for each server individually, use the tacacs-server test command. To disable this configuration, use the no form of this command.
tacacs-server test {idle-time time | password password | username name}
no tacacs-server test {idle-time time | password password | username name}
Syntax Description
idle-time time
Time, in minutes, between test requests sent to each server. 0 disables periodic monitoring.
password password
Password sent in the test authentication request.
username name
Username sent in the test authentication request.
Defaults
Server monitoring: Disabled
Idle time: 0 minutes
Test username: test
Test password: test
Command Modes
Global configuration
Supported User Roles
network-admin
vdc-admin
Command History
Usage Guidelines
To use this command, you must enable TACACS+ authentication.
Any servers for which test parameters are not configured are monitored using the global level parameters.
Test parameters that are configured for individual servers take precedence over global test parameters.
When the idle time interval is 0 minutes, periodic TACACS+ server monitoring is not performed.
This command does not require a license.
Examples
This example shows how to configure the parameters for global TACACS+ server monitoring:
switch# configure terminal
switch(config)# tacacs-server test username user1 password Ur2Gd2BH idle-time 3
Related Commands
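The precedence rules spread across the tacacs-server deadtime, tacacs-server host, tacacs-server test and tacacs-server timeout entries are easy to misread when auditing a device, in particular which hosts end up unmonitored and which hosts are being probed with the default test/test credentials. The following is an added example, not code from the Cisco NX-OS reference: it reads tacacs-server configuration lines in the form shown in this chapter's examples and reports the probe settings each host actually ends up with, applying the rules the reference states (per-host test parameters and timeout take precedence over the global ones, hosts without their own parameters use the global values, defaults are username test, password test, idle-time 0 and timeout 1 second, and idle-time 0 means the host is not monitored). Treating each test parameter independently rather than the three as one set is this example's assumption, and the SAMPLE_CONFIG text is constructed.

```python
"""Effective TACACS+ server-monitoring settings from NX-OS config lines.

Added example, not from the Cisco NX-OS reference. Assumes per-parameter
override of the global `tacacs-server test` values by per-host `test`
values (the reference says host parameters take precedence, without
stating whether that is per parameter or per set).
"""
import shlex

TEST_DEFAULTS = {"username": "test", "password": "test", "idle_time": 0}


def _test_pairs(args):
    """Turn ['username', 'u', 'idle-time', '3', ...] into a dict of test parameters."""
    out = {}
    for kw, val in zip(args[0::2], args[1::2]):
        if kw == "idle-time":
            out["idle_time"] = int(val)
        elif kw in ("username", "password"):
            out[kw] = val
        else:
            raise ValueError(f"unknown test parameter {kw!r}")
    return out


def _host_args(args):
    """Parse the tokens after the host name: returns (has_key, timeout, test_overrides)."""
    has_key, timeout, test = False, None, {}
    i = 0
    while i < len(args):
        kw = args[i]
        if kw == "key":                      # key [0 | 6 | 7] shared-secret
            i += 2 if args[i + 1] in ("0", "6", "7") else 1   # skip the type digit, if any
            has_key, i = True, i + 1         # the secret itself is not needed here
        elif kw == "port":
            i += 2
        elif kw == "timeout":
            timeout, i = int(args[i + 1]), i + 2
        elif kw == "test":                   # one keyword/value pair per host line
            test.update(_test_pairs(args[i + 1:i + 3]))
            i += 3
        else:
            raise ValueError(f"unexpected host parameter {kw!r}")
    return has_key, timeout, test


def effective_monitoring(config_text: str) -> dict:
    """Map each configured host to the probe settings NX-OS would actually use."""
    glob = {**TEST_DEFAULTS, "timeout": 1, "key": False}   # documented defaults
    hosts = {}
    for raw in config_text.splitlines():
        toks = shlex.split(raw)
        if len(toks) < 2 or toks[0] != "tacacs-server":
            continue
        sub, args = toks[1], toks[2:]
        if sub == "key":
            glob["key"] = True
        elif sub == "timeout":
            glob["timeout"] = int(args[0])
        elif sub == "test":
            glob.update(_test_pairs(args))
        elif sub == "host":                  # several lines may refer to one host
            has_key, timeout, test = _host_args(args[1:])
            h = hosts.setdefault(args[0], {"key": False, "timeout": None, "test": {}})
            h["key"] = h["key"] or has_key
            h["timeout"] = h["timeout"] if timeout is None else timeout
            h["test"].update(test)
    result = {}
    for name, h in hosts.items():
        eff = {k: glob[k] for k in TEST_DEFAULTS}   # start from the global values
        eff.update(h["test"])                       # host parameters take precedence
        eff["timeout"] = glob["timeout"] if h["timeout"] is None else h["timeout"]
        eff["key_source"] = "host" if h["key"] else ("global" if glob["key"] else None)
        flags = []
        if eff["idle_time"] == 0:
            flags.append("not monitored (idle-time 0)")
        elif eff["username"] == "test" and eff["password"] == "test":
            flags.append("probing with the default test/test credentials")
        if eff["key_source"] is None:
            flags.append("no shared secret configured")
        eff["flags"] = flags
        result[name] = eff
    return result


# Constructed configuration excerpt in the form used by this chapter's examples.
SAMPLE_CONFIG = """\
tacacs-server key 7 094F471A1A0A
tacacs-server timeout 3
tacacs-server test idle-time 3
tacacs-server host 10.10.2.3 key HostKey
tacacs-server host 10.10.2.3 test username tester
tacacs-server host 10.10.2.3 test password 2B9ka5
tacacs-server host 10.10.2.3 test idle-time 10
tacacs-server host tacacs2 key 0 abcd timeout 5
tacacs-server host tacacs3 test idle-time 0
"""

if __name__ == "__main__":
    for host, eff in effective_monitoring(SAMPLE_CONFIG).items():
        print(host, eff)
```

On the sample, 10.10.2.3 is probed every 10 minutes as tester with its own password and a 3-second timeout, tacacs2 inherits the global 3-minute idle time but is flagged because no username or password was ever set, so the device sends the documented test/test defaults, and tacacs3 is flagged as unmonitored because its own idle-time 0 overrides the global 3 minutes. The test credentials are sent to the server on every probe, so they should be a dedicated, unprivileged account on the TACACS+ server rather than the defaults.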
tacacs-server timeout
To specify the time between retransmissions to the TACACS+ servers, use the tacacs-server timeout command. To revert to the default, use the no form of this command.
tacacs-server timeout seconds
no tacacs-server timeout seconds
Syntax Description
seconds
Time, in seconds, to wait for a response from a TACACS+ server before retransmitting the request.
Defaults
1 second
Command Modes
Global configuration
Supported User Roles
network-admin
vdc-admin
Command History
Usage Guidelines
You must use the feature tacacs+ command before you configure TACACS+.
This command does not require a license.
Examples
This example shows how to configure the TACACS+ server timeout value:
switch# configure terminal
switch(config)# tacacs-server timeout 3
This example shows how to revert to the default TACACS+ server timeout value:
switch# configure terminal
switch(config)# no tacacs-server timeout 3
Related Commands
Command    Description
show tacacs-server
Displays TACACS+ server information.
feature tacacs+
Enables TACACS+.
telnet
To create a Telnet session using IPv4 on the Cisco NX-OS device, use the telnet command.
telnet {ipv4-address | hostname} [port-number] [vrf vrf-name]
Syntax Description
ipv4-address | hostname
IPv4 address or host name of the remote device.
port-number
(Optional) TCP port to connect to on the remote device.
vrf vrf-name
(Optional) VRF instance to use for the session.
Defaults
Port 23
Default VRF
Command Modes
Any command mode
Supported User Roles
network-admin
vdc-admin
Command History
Usage Guidelines
To use this command, you must enable the Telnet server using the feature telnet command.
To create a Telnet session with IPv6 addressing, use the telnet6 command.
Telnet carries usernames, passwords, and session data in clear text. Use SSH wherever possible and leave the Telnet feature disabled unless it is specifically required on an isolated management network.
The Cisco NX-OS software supports a maximum of 60 concurrent SSH and Telnet sessions.
This command does not require a license.
Examples
This example shows how to start a Telnet session using an IPv4 address:
switch# telnet 10.10.1.1 vrf management
Related Commands
Command    Description
clear line
Clears Telnet sessions.
telnet6
Creates a Telnet session using IPv6 addressing.
feature telnet
Enables the Telnet server.
telnet server enable
To enable the Telnet server for a virtual device context (VDC), use the telnet server enable command. To disable the Telnet server, use the no form of this command.
telnet server enable
no telnet server enable
Syntax Description
This command has no arguments or keywords.
Defaults
Enabled
Command Modes
Global configuration
Supported User Roles
network-admin
vdc-admin
Command History
Release    Modification
4.1(2)    This command was deprecated and replaced with the feature telnet command.
4.0(1)    This command was introduced.
Usage Guidelines
This command does not require a license.
Examples
This example shows how to enable the Telnet server:
switch# configure terminal
switch(config)# telnet server enable
This example shows how to disable the Telnet server:
switch# configure terminal
switch(config)# no telnet server enable
XML interface to system may become unavailable since ssh is disabled
Related Commands
telnet6
To create a Telnet session using IPv6 on the Cisco NX-OS device, use the telnet6 command.
telnet6 {ipv6-address | hostname} [port-number] [vrf vrf-name]
Syntax Description
ipv6-address | hostname
IPv6 address or host name of the remote device.
port-number
(Optional) TCP port to connect to on the remote device.
vrf vrf-name
(Optional) VRF instance to use for the session.
Defaults
Port 23
Default VRF
Command Modes
Any command mode
Supported User Roles
network-admin
vdc-admin
Command History
Usage Guidelines
To use this command, you must enable the Telnet server using the feature telnet command.
To create a Telnet session with IPv4 addressing, use the telnet command.
The Cisco NX-OS software supports a maximum of 60 concurrent SSH and Telnet sessions.
This command does not require a license.
Examples
This example shows how to start a Telnet session using an IPv6 address:
switch# telnet6 2001:0DB8:0:0:E000::F vrf management
Related Commands
Command    Description
clear line
Clears Telnet sessions.
telnet
Creates a Telnet session using IPv4 addressing.
feature telnet
Enables the Telnet server.
terminal verify-only
To enable command authorization verification on the command-line interface (CLI), use the terminal verify-only command. To disable this feature, use the no form of this command.
terminal verify-only [username username]
terminal no verify-only [username username]
Syntax Description
Defaults
Disabled
The default for the username keyword is the current user session.
Command Modes
Any command mode
Supported User Roles
network-admin
vdc-admin
Command History
Usage Guidelines
When you enable command authorization verification, the CLI indicates if the command is successfully authorized for the user but does not execute the command.
The command authorization verification uses the methods configured in the aaa authorization commands default command and the aaa authorization config-commands default command.
This command does not require a license.
Examples
This example shows how to enable command authorization verification:
switch# terminal verify-only
This example shows how to disable command authorization verification:
switch# terminal no verify-only
Related Commands
Command    Description
aaa authorization commands default
Configures authorization for EXEC commands.
aaa authorization config-commands default
Configures authorization for configuration commands.
test aaa authorization command-type
To test the TACACS+ command authorization for a username, use the test aaa authorization command-type command.
test aaa authorization command-type {commands | config-commands} user username command command-string
Syntax Description
commands
Tests authorization for EXEC commands.
config-commands
Tests authorization for configuration commands.
user username
Username for which command authorization is tested.
command command-string
Command to test; enclose it in quotation marks when it contains spaces.
Defaults
None
Command Modes
Any command mode
Supported User Roles
network-admin
vdc-admin
Command History
Usage Guidelines
To use the test aaa authorization command-type command, you must enable the TACACS+ feature using the feature tacacs+ command.
You must configure a TACACS+ group on the Cisco NX-OS device using the aaa server group command before you can test the command authorization.
This command does not require a license.
Examples
This example shows how to test the TACACS+ command authorization for a username:
switch# test aaa authorization command-type commands user testuser command "configure terminal"
Related Commands
time-range
To configure a time range, use the time-range command. To remove a time range, use the no form of this command.
time-range time-range-name
no time-range time-range-name
Syntax Description
time-range-name
Name of the time range, which can be up to 64 alphanumeric, case-sensitive characters.
Defaults
None
Command Modes
Global configuration
Supported User Roles
network-admin
vdc-admin
Command History
Usage Guidelines
This command does not require a license.
You can use a time range in permit and deny commands for IPv4 and IPv6 ACLs.
Examples
This example shows how to use the time-range command and enter time range configuration mode:
switch# configure terminal
switch(config)# time-range workweek-vpn-access
switch(config-time-range)#
Related Commands
trustedCert
To configure the attribute name, search filter, and base-DN for the trusted certificate search operation in order to send a search query to the Lightweight Directory Access Protocol (LDAP) server, use the trustedCert command. To disable this configuration, use the no form of this command.
trustedCert attribute-name attribute-name search-filter filter base-DN base-DN-name
no trustedCert
Syntax Description
attribute-name attribute-name
Name of the LDAP attribute that holds the trusted certificate.
search-filter filter
LDAP search filter that selects the entries to query.
base-DN base-DN-name
Distinguished name of the subtree where the search starts.
Defaults
None
Command Modes
LDAP search map configuration
Supported User Roles
network-admin
vdc-admin
Command History
Usage Guidelines
To use this command, you must enable LDAP.
This command does not require a license.
Examples
This example shows how to configure the attribute name, search filter, and base-DN for the trusted certificate search operation in order to send a search query to the LDAP server:
switch# conf t
switch(config)# ldap search-map s0
switch(config-ldap-search-map)# trustedCert attribute-name cACertificate search-filter (&(objectClass=certificationAuthority)) base-DN CN=NTAuthCertificates,CN=Public Key Services,CN=Services,CN=Configuration,DC=mdsldaptestlab,DC=com
switch(config-ldap-search-map)#
Related Commands
Command    Description
feature ldap
Enables LDAP.
ldap search-map
Configures an LDAP search map.
show ldap-search-map
Displays the configured LDAP search maps.