Cisco Nexus 7000 Series NX-OS Security Configuration Guide, Release 5.x
Configuring TACACS+
Downloads: This chapterpdf (PDF - 1.6MB) The complete bookPDF (PDF - 10.31MB) | The complete bookePub (ePub - 3.46MB) | The complete bookMobi (Mobi - 7.66MB) | Feedback

Configuring TACACS+

Contents

Configuring TACACS+

This chapter describes how to configure the Terminal Access Controller Access Control System Plus (TACACS+) protocol on Cisco NX-OS devices.

This chapter includes the following sections:

Information About TACACS+

The TACACS+ security protocol provides centralized validation of users attempting to gain access to a Cisco NX-OS device. TACACS+ services are maintained in a database on a TACACS+ daemon running, typically, on a UNIX or Windows NT workstation. You must have access to and must configure a TACACS+ server before the configured TACACS+ features on your Cisco NX-OS device are available.

TACACS+ provides for separate authentication, authorization, and accounting facilities. TACACS+ allows for a single access control server (the TACACS+ daemon) to provide each service—authentication, authorization, and accounting—independently. Each service can be tied into its own database to take advantage of other services available on that server or on the network, depending on the capabilities of the daemon.

The TACACS+ client/server protocol uses TCP (TCP port 49) for transport requirements. Cisco NX-OS devices provide centralized authentication using the TACACS+ protocol.

TACACS+ Advantages

TACACS+ has the following advantages over RADIUS authentication:

  • Provides independent AAA facilities. For example, the Cisco NX-OS device can authorize access without authenticating.

  • Uses the TCP transport protocol to send data between the AAA client and server, making reliable transfers with a connection-oriented protocol.

  • Encrypts the entire protocol payload between the switch and the AAA server to ensure higher data confidentiality. The RADIUS protocol only encrypts passwords.

TACACS+ Operation for User Login

When a user attempts a Password Authentication Protocol (PAP) login to a Cisco NX-OS device using TACACS+, the following actions occur:


Note


TACACS+ allows an arbitrary conversation between the daemon and the user until the daemon receives enough information to authenticate the user. This action is usually done by prompting for a username and password combination, but may include prompts for other items, such as your mother’s maiden name.


  1. When the Cisco NX-OS device establishes a connection, it contacts the TACACS+ daemon to obtain the username and password.

  2. The Cisco NX-OS device will eventually receive one of the following responses from the TACACS+ daemon:

    ACCEPT
    User authentication succeeds and service begins. If the Cisco NX-OS device requires user authorization, authorization begins.
    REJECT
    User authentication failed. The TACACS+ daemon either denies further access to the user or prompts the user to retry the login sequence.
    ERROR
    An error occurred at some time during authentication either at the daemon or in the network connection between the daemon and the Cisco NX-OS device. If the Cisco NX-OS device receives an ERROR response, the Cisco NX-OS device tries to use an alternative method for authenticating the user.

    After authentication, the user also undergoes an additional authorization phase if authorization has been enabled on the NX-OS device. Users must first successfully complete TACACS+ authentication before proceeding to TACACS+ authorization.

  3. If TACACS+ authorization is required, the Cisco NX-OS device again contacts the TACACS+ daemon and it returns an ACCEPT or REJECT authorization response. An ACCEPT response contains attributes that are used to direct the EXEC or NETWORK session for that user and determines the services that the user can access.

    Services include the following:

    • Telnet, rlogin, Point-to-Point Protocol (PPP), Serial Line Internet Protocol (SLIP), or EXEC services

    • Connection parameters, including the host or client IP address (IPv4 or IPv6), access list, and user timeouts

Default TACACS+ Server Encryption Type and Secret Key

You must configure the TACACS+ secret key to authenticate the switch to the TACACS+ server. A secret key is a secret text string shared between the Cisco NX-OS device and the TACACS+ server host. The length of the key is restricted to 63 characters and can include any printable ASCII characters (white spaces are not allowed). You can configure a global secret key for all TACACS+ server configurations on the Cisco NX-OS device to use.

You can override the global secret key assignment by explicitly using the key option when configuring an individual TACACS+ server.

Command Authorization Support for TACACS+ Servers

By default, command authorization is done against a local database in the Cisco NX-OS software when an authenticated user enters a command at the command-line interface (CLI). You can also verify authorized commands for authenticated users using TACACS+.

TACACS+ Server Monitoring

An unresponsive TACACS+ server can delay the processing of AAA requests. A Cisco NX-OS device can periodically monitor a TACACS+ server to check whether it is responding (or alive) to save time in processing AAA requests. The Cisco NX-OS device marks unresponsive TACACS+ servers as dead and does not send AAA requests to any dead TACACS+ servers. A Cisco NX-OS device periodically monitors dead TACACS+ servers and brings them to the alive state once they are responding. This process verifies that a TACACS+ server is in a working state before real AAA requests are sent its way. Whenever a TACACS+ server changes to the dead or alive state, a Simple Network Management Protocol (SNMP) trap is generated and the Cisco NX-OS device displays an error message that a failure is taking place before it can impact performance.

Figure 1. TACACS+ Server States. This figure shows the server states for TACACS+ server monitoring.


Note


The monitoring interval for alive servers and dead servers are different and can be configured by the user. The TACACS+ server monitoring is performed by sending a test authentication request to the TACACS+ server.


TACACS+ Configuration Distribution

Cisco Fabric Services (CFS) allows the Cisco NX-OS device to distribute the TACACS+ configuration and privilege roles to other Cisco NX-OS devices in the network. When you enable CFS distribution for a feature on your device, the device belongs to a CFS region containing other devices in the network that you have also enabled for CFS distribution for the feature. CFS distribution for TACACS+ is disabled by default.


Note


You must explicitly enable CFS for TACACS+ on each device to which you want to distribute configuration changes.


After you enable CFS distribution for TACACS+ on your Cisco NX-OS device, the first TACACS+ configuration command that you enter causes the Cisco NX-OS software to take the following actions:

  • Creates a CFS session on your Cisco NX-OS device.

  • Locks the TACACS+ configuration on all Cisco NX-OS devices in the CFS region with CFS enabled for TACACS+.

  • Saves the TACACS+ configuration changes in a temporary buffer on the Cisco NX-OS device.

The changes stay in the temporary buffer on the Cisco NX-OS device until you explicitly commit them to be distributed to the devices in the CFS region. When you commit the changes, the Cisco NX-OS software takes the following actions:

  • Applies the changes to the running configuration on your Cisco NX-OS device.

  • Distributes the updated TACACS+ configuration to the other Cisco NX-OS devices in the CFS region.

  • Unlocks the TACACS+ configuration in the devices in the CFS region.

  • Terminates the CFS session.

CFS does not distribute the TACACS+ server group configuration, periodic TACACS+ server testing configurations, or server and global keys. The keys are unique to the Cisco NX-OS device and are not shared with other Cisco NX-OS devices.

For detailed information on CFS, see the Cisco Nexus 7000 Series NX-OS System Management Configuration Guide.

Vendor-Specific Attributes for TACACS+

The Internet Engineering Task Force (IETF) draft standard specifies a method for communicating vendor-specific attributes (VSAs) between the network access server and the TACACS+ server. The IETF uses attribute 26. VSAs allow vendors to support their own extended attributes that are not suitable for general use.

Cisco VSA Format for TACACS+

The Cisco TACACS+ implementation supports one vendor-specific option using the format recommended in the IETF specification. The Cisco vendor ID is 9, and the supported option is vendor type 1, which is named cisco-av-pair. The value is a string with the following format:

protocol : attribute separator value *

The protocol is a Cisco attribute for a particular type of authorization, the separator is = (equal sign) for mandatory attributes, and * (asterisk) indicates optional attributes.

When you use TACACS+ servers for authentication on a Cisco NX-OS device, the TACACS+ protocol directs the TACACS+ server to return user attributes, such as authorization information, along with authentication results. This authorization information is specified through VSAs.

The following VSA protocol options are supported by the Cisco NX-OS software:

Shell
Protocol used in access-accept packets to provide user profile information.
Accounting
Protocol used in accounting-request packets. If a value contains any white spaces, you should enclose the value within double quotation marks.

The Cisco NX-OS software supports the following attributes:

roles

Lists all the roles to which the user belongs. The value field is a string that lists the role names delimited by white space. For example, if the user belongs to roles network-operator and vdc-admin, the value field would be network-operator vdc-admin. This subattribute, which the TACACS+ server sends in the VSA portion of the Access-Accept frames, can only be used with the shell protocol value. The following examples show the roles attribute as supported by Cisco ACS:

shell:roles=network-operator vdc-admin 

shell:roles*network-operator vdc-admin


Note


When you specify a VSA as shell:roles*"network-operator vdc-admin", this VSA is flagged as an optional attribute and other Cisco devices ignore this attribute.


accountinginfo
Stores accounting information in addition to the attributes covered by a standard TACACS+ accounting protocol. This attribute is sent only in the VSA portion of the Account-Request frames from the TACACS+ client on the switch. It can be used only with the accounting protocol data units (PDUs).

Virtualization Support for TACACS+

TACACS+ configuration and operation are local to the virtual device context (VDC). For more information on VDCs, see the Cisco Nexus 7000 Series NX-OS Virtual Device Context Configuration Guide.

The Cisco NX-OS device uses virtual routing and forwarding instances (VRFs) to access the TACACS+ servers. For more information on VRFs, see the Cisco Nexus 7000 Series NX-OS Unicast Routing Configuration Guide.

Licensing Requirements for TACACS+

The following table shows the licensing requirements for this feature:

Product

License Requirement

Cisco NX-OS

TACACS+ requires no license. Any feature not included in a license package is bundled with the Cisco NX-OS system images and is provided at no extra charge to you.

For an explanation of the Cisco NX-OS licensing scheme, see the Cisco NX-OS Licensing Guide.

Prerequisites for TACACS+

TACACS+ has the following prerequisites:

  • Obtain the IPv4 or IPv6 addresses or hostnames for the TACACS+ servers.

  • Obtain the secret keys from the TACACS+ servers, if any.

  • Ensure that the Cisco NX-OS device is configured as a TACACS+ client of the AAA servers.

Guidelines and Limitations for TACACS+

TACACS+ has the following guidelines and limitations:

  • You can configure a maximum of 64 TACACS+ servers on the Cisco NX-OS device.

  • If you have a user account configured on the local Cisco NX-OS device that has the same name as a remote user account on an AAA server, the Cisco NX-OS software applies the user roles for the local user account to the remote user, not the user roles configured on the AAA server.

  • Cisco recommends that you configure the dead-time interval if more than six servers are configured in a group. If you must configure more than six servers, make sure to set the dead-time interval to a value greater than 0 and enable dead server monitoring by configuring the test username and test password.

  • For Cisco NX-OS Releases 4.x and 5.x, command authorization on TACACS+ servers is available only for non-console sessions. If you use a console to login to the server, command authorization is disabled.

Default Settings for TACACS+

This table lists the default settings for TACACS+ parameters.

Table 1  Default TACACS+ Parameters Settings

Parameters

Default

TACACS+

Disabled

Dead timer interval

0 minutes

Timeout interval

5 seconds

Idle timer interval

0 minutes

Periodic server monitoring username

test

Periodic server monitoring password

test

Privilege level support for TACACS+ authorization

Disabled

Configuring TACACS+

This section describes how to configure TACACS+ on a Cisco NX-OS device.


Note


If you are familiar with the Cisco IOS CLI, be aware that the Cisco NX-OS commands for this feature might differ from the Cisco IOS commands that you would use.


TACACS+ Server Configuration Process


Step 1   Enable TACACS+.
Step 2   If needed, enable CFS configuration distribution for TACACS+.
Step 3   Establish the TACACS+ server connections to the Cisco NX-OS device.
Step 4   Configure the secret keys for the TACACS+ servers.
Step 5   If needed, configure TACACS+ server groups with subsets of the TACACS+ servers for AAA authentication methods.
Step 6   (Optional) Configure the TCP port.
Step 7   (Optional) If needed, configure periodic TACACS+ server monitoring.
Step 8   (Optional) If TACACS+ distribution is enabled, commit the TACACS+ configuration to the fabric.

Enabling TACACS+

By default, the TACACS+ feature is disabled on the Cisco NX-OS device. You must explicitly enable the TACACS+ feature to access the configuration and verification commands for authentication.

SUMMARY STEPS

    1.    configure terminal

    2.    feature tacacs+

    3.    exit

    4.    (Optional) copy running-config startup-config


DETAILED STEPS
 Command or ActionPurpose
Step 1 configure terminal


Example:
switch# configure terminal
switch(config)#
 

Enters global configuration mode.

 
Step 2 feature tacacs+


Example:
switch(config)# feature tacacs+
 

Enables TACACS+.

 
Step 3 exit


Example:
switch(config)# exit
switch#
 

Exits configuration mode.

 
Step 4 copy running-config startup-config


Example:
switch# copy running-config startup-config
 
(Optional)

Copies the running configuration to the startup configuration.

 

Configuring TACACS+ Server Hosts

To access a remote TACACS+ server, you must configure the IP address or the hostname for the TACACS+ server on the Cisco NX-OS device. You can configure up to 64 TACACS+ servers.


Note


By default, when you configure a TACACS+ server IP address or hostname on the Cisco NX-OS device, the TACACS+ server is added to the default TACACS+ server group. You can also add the TACACS+ server to another TACACS+ server group.


Before You Begin

Enable TACACS+.

Obtain the IPv4 or IPv6 addresses or the hostnames for the remote TACACS+ servers.

SUMMARY STEPS

    1.    configure terminal

    2.    tacacs-server host {ipv4-address | ipv6-address | host-name}

    3.    (Optional) show tacacs+ {pending | pending-diff}

    4.    (Optional) tacacs+ commit

    5.    exit

    6.    (Optional) show tacacs-server

    7.    (Optional) copy running-config startup-config


DETAILED STEPS
 Command or ActionPurpose
Step 1 configure terminal


Example:
switch# configure terminal
switch(config)#
 

Enters global configuration mode.

 
Step 2 tacacs-server host {ipv4-address | ipv6-address | host-name}


Example:
switch(config)# tacacs-server host 10.10.2.2
 

Specifies the IPv4 or IPv6 address or hostname for a TACACS+ server.

 
Step 3 show tacacs+ {pending | pending-diff}


Example:
switch(config)# show tacacs+ pending
 
(Optional)

Displays the TACACS+ configuration pending for distribution.

 
Step 4 tacacs+ commit


Example:
switch(config)# tacacs+ commit
 
(Optional)

Applies the TACACS+ configuration changes in the temporary database to the running configuration and distributes TACACS+ configuration to other NX-OS devices if you have enabled CFS configuration distribution for the user role feature.

 
Step 5 exit


Example:
switch(config)# exit
switch#
 

Exits configuration mode.

 
Step 6 show tacacs-server


Example:
switch# show tacacs-server
 
(Optional)

Displays the TACACS+ server configuration.

 
Step 7 copy running-config startup-config


Example:
switch# copy running-config startup-config
 
(Optional)

Copies the running configuration to the startup configuration.

 

Configuring Global TACACS+ Keys

You can configure secret TACACS+ keys at the global level for all servers used by the Cisco NX-OS device. A secret key is a shared secret text string between the Cisco NX-OS device and the TACACS+ server hosts.


Note


CFS does not distribute the TACACS+ global keys. The keys are unique to the Cisco NX-OS device and are not shared with other Cisco NX-OS devices.
Before You Begin

Enable TACACS+.

Obtain the secret key values for the remote TACACS+ servers.

SUMMARY STEPS

    1.    configure terminal

    2.    tacacs-server key [0 | 6 | 7] key-value

    3.    exit

    4.    (Optional) show tacacs-server

    5.    (Optional) copy running-config startup-config


DETAILED STEPS
 Command or ActionPurpose
Step 1 configure terminal


Example:
switch# configure terminal
switch(config)#
 

Enters global configuration mode.

 
Step 2 tacacs-server key [0 | 6 | 7] key-value


Example:
switch(config)# tacacs-server key 0 QsEfThUkO
 

Specifies a TACACS+ key for all TACACS+ server. You can specify that the key-value is in clear text format (0), is type-6 encrypted (6), or is type-7 encrypted (7). The Cisco NX-OS software encrypts a clear text key before saving it to the running configuration. The default format is clear text. The maximum length is 63 characters.

By default, no secret key is configured.

 
Step 3 exit


Example:
switch(config)# exit
switch#
 

Exits configuration mode.

 
Step 4 show tacacs-server


Example:
switch# show tacacs-server
 
(Optional)

Displays the TACACS+ server configuration.

Note   

The secret keys are saved in encrypted form in the running configuration. Use the show running-config command to display the encrypted secret keys.

 
Step 5 copy running-config startup-config


Example:
switch# copy running-config startup-config
 
(Optional)

Copies the running configuration to the startup configuration.

 

Configuring a Key for a Specific TACACS+ Server

You can configure secret keys for a TACACS+ server. A secret key is a shared secret text string between the Cisco NX-OS device and the TACACS+ server host.


Note


CFS does not distribute the TACACS+ server keys. The keys are unique to the Cisco NX-OS device and are not shared with other Cisco NX-OS devices.
Before You Begin

Enable TACACS+.

Obtain the secret key values for the remote TACACS+ servers.

SUMMARY STEPS

    1.    configure terminal

    2.    tacacs-server host {ipv4-address | ipv6-address | host-name} key [0 | 6 | 7] key-value

    3.    exit

    4.    (Optional) show tacacs-server

    5.    (Optional) copy running-config startup-config


DETAILED STEPS
 Command or ActionPurpose
Step 1 configure terminal


Example:
switch# configure terminal
switch(config)#
 

Enters global configuration mode.

 
Step 2 tacacs-server host {ipv4-address | ipv6-address | host-name} key [0 | 6 | 7] key-value


Example:
switch(config)# tacacs-server host 10.10.1.1 key 0 PlIjUhYg
 

Specifies a secret key for a specific TACACS+ server. You can specify that the key-value is in clear text format (0), is type-6 encrypted (6), or is type-7 encrypted (7). The Cisco NX-OS software encrypts a clear text key before saving it to the running configuration. The default format is clear text. The maximum length is 63 characters.

This secret key is used instead of the global secret key.

 
Step 3 exit


Example:
switch(config)# exit
switch#
 

Exits configuration mode.

 
Step 4 show tacacs-server


Example:
switch# show tacacs-server
 
(Optional)

Displays the TACACS+ server configuration.

Note   

The secret keys are saved in encrypted form in the running configuration. Use the show running-config command to display the encrypted secret keys.

 
Step 5 copy running-config startup-config


Example:
switch# copy running-config startup-config
 
(Optional)

Copies the running configuration to the startup configuration.

 

Configuring TACACS+ Server Groups

You can specify one or more remote AAA servers to authenticate users using server groups. All members of a group must belong to the TACACS+ protocol. The servers are tried in the same order in which you configure them.

You can configure these server groups at any time but they only take effect when you apply them to an AAA service.


Note


CFS does not distribute the TACACS+ server group configuration.
Before You Begin

Enable TACACS+.

SUMMARY STEPS

    1.    configure terminal

    2.    aaa group server tacacs+ group-name

    3.    server {ipv4-address | ipv6-address | host-name}

    4.    exit

    5.    (Optional) show tacacs-server groups

    6.    (Optional) copy running-config startup-config


DETAILED STEPS
 Command or ActionPurpose
Step 1 configure terminal


Example:
switch# configure terminal
switch(config)#
 

Enters global configuration mode.

 
Step 2 aaa group server tacacs+ group-name


Example:
switch(config)# aaa group server tacacs+ TacServer
switch(config-tacacs+)#
 

Creates a TACACS+ server group and enters the TACACS+ server group configuration mode for that group.

 
Step 3 server {ipv4-address | ipv6-address | host-name}


Example:
switch(config-tacacs+)# server 10.10.2.2
 

Configures the TACACS+ server as a member of the TACACS+ server group.

If the specified TACACS+ server is not found, configure it using the tacacs-server host command and retry this command.

 
Step 4 exit


Example:
switch(config-tacacs+)# exit
switch(config)#
 

Exits TACACS+ server group configuration mode.

 
Step 5 show tacacs-server groups


Example:
switch(config)# show tacacs-server groups
 
(Optional)

Displays the TACACS+ server group configuration.

 
Step 6 copy running-config startup-config


Example:
switch(config)# copy running-config startup-config
 
(Optional)

Copies the running configuration to the startup configuration.

 

Configuring the Global Source Interface for TACACS+ Server Groups

You can configure a global source interface for TACACS+ server groups to use when accessing TACACS+ servers. You can also configure a different source interface for a specific TACACS+ server group. By default, the Cisco NX-OS software uses any available interface.

SUMMARY STEPS

    1.    configure terminal

    2.    ip tacacs source-interface interface

    3.    exit

    4.    (Optional) show tacacs-server

    5.    (Optional) copy running-config startup config


DETAILED STEPS
 Command or ActionPurpose
Step 1 configure terminal


Example:
switch# configure terminal
switch(config)
 

Enters global configuration mode.

 
Step 2 ip tacacs source-interface interface


Example:
switch(config)# ip tacacs source-interface mgmt 0
 

Configures the global source interface for all TACACS+ server groups configured on the device.

 
Step 3exit


Example:
switch(config)# exit
switch#
 

Exits configuration mode.

 
Step 4 show tacacs-server


Example:
switch# show tacacs-server
 
(Optional)

Displays the TACACS+ server configuration information.

 
Step 5 copy running-config startup config


Example:
switch# copy running-config startup-config
 
(Optional)

Copies the running configuration to the startup configuration.

 

Allowing Users to Specify a TACACS+ Server at Login

You can configure the switch to allow the user to specify which TACACS+ server to send the authentication request by enabling the directed-request option. By default, a Cisco NX-OS device forwards an authentication request based on the default AAA authentication method. If you enable this option, the user can log in as username@vrfname:hostname, where vrfname is the VRF to use and hostname is the name of a configured TACACS+ server.


Note


If you enable the directed-request option, the Cisco NX-OS device uses only the TACACS+ method for authentication and not the default local method.



Note


User-specified logins are supported only for Telnet sessions.


Before You Begin

Enable TACACS+.

SUMMARY STEPS

    1.    configure terminal

    2.    tacacs-server directed-request

    3.    (Optional) show tacacs+ {pending | pending-diff}

    4.    (Optional) tacacs+ commit

    5.    exit

    6.    (Optional) show tacacs-server directed-request

    7.    (Optional) copy running-config startup-config


DETAILED STEPS
 Command or ActionPurpose
Step 1 configure terminal


Example:
switch# configure terminal
switch(config)#
 

Enters global configuration mode.

 
Step 2 tacacs-server directed-request


Example:
switch(config)# tacacs-server directed-request
 

Allows users to specify a TACACS+ server to send the authentication request when logging in. The default is disabled.

 
Step 3 show tacacs+ {pending | pending-diff}


Example:
switch(config)# show tacacs+ pending
 
(Optional)

Displays the pending TACACS+ configuration.

 
Step 4 tacacs+ commit


Example:
switch(config)# tacacs+ commit
 
(Optional)

Applies the TACACS+ configuration changes in the temporary database to the running configuration and distributes TACACS+ configuration to other NX-OS devices if you have enabled CFS configuration distribution for the user role feature.

 
Step 5 exit


Example:
switch(config)# exit
switch#
 

Exits configuration mode.

 
Step 6 show tacacs-server directed-request


Example:
switch# show tacacs-server directed-request
 
(Optional)

Displays the TACACS+ directed request configuration.

 
Step 7 copy running-config startup-config


Example:
switch# copy running-config startup-config
 
(Optional)

Copies the running configuration to the startup configuration.

 

Configuring the Global TACACS+ Timeout Interval

You can set a global timeout interval that the device waits for responses from all TACACS+ servers before declaring a timeout failure. The timeout interval determines how long the device waits for responses from TACACS+ servers before declaring a timeout failure.

Before You Begin

Enable TACACS+.

SUMMARY STEPS

    1.    From the Feature Selector pane, choose Security > AAA > Server Groups.

    2.    From the Summary pane, double-click the device to display the server groups.

    3.    Click Default TACACS Server Group.

    4.    From the Details pane, click the Global Settings tab.

    5.    In the Time out(secs) field, enter the number of seconds for the timeout interval.

    6.    From the menu bar, choose File > Deploy to apply your changes to the device.


DETAILED STEPS
Step 1   From the Feature Selector pane, choose Security > AAA > Server Groups.
Step 2   From the Summary pane, double-click the device to display the server groups.
Step 3   Click Default TACACS Server Group.
Step 4   From the Details pane, click the Global Settings tab.
Step 5   In the Time out(secs) field, enter the number of seconds for the timeout interval. The default is 5 seconds.
Step 6   From the menu bar, choose File > Deploy to apply your changes to the device.

Configuring the Timeout Interval for a TACACS+ Server

You can set a timeout interval that the Cisco NX-OS device waits for responses from a TACACS+ server before declaring a timeout failure. The timeout interval determines how long the Cisco NX-OS device waits for responses from a TACACS+ server before declaring a timeout failure.

Before You Begin

Enable TACACS+.

SUMMARY STEPS

    1.    configure terminal

    2.    tacacs-server host {ipv4-address | ipv6-address | host-name} timeout seconds

    3.    (Optional) show tacacs+ {pending | pending-diff}

    4.    (Optional) tacacs+ commit

    5.    exit

    6.    (Optional) show tacacs-server

    7.    (Optional) copy running-config startup-config


DETAILED STEPS
 Command or ActionPurpose
Step 1 configure terminal


Example:
switch# configure terminal
switch(config)#
 

Enters global configuration mode.

 
Step 2 tacacs-server host {ipv4-address | ipv6-address | host-name} timeout seconds


Example:
switch(config)# tacacs-server host server1 timeout 10
 

Specifies the timeout interval for a specific server. The default is the global value.

Note   

The timeout interval value specified for a TACACS+ server overrides the global timeout interval value specified for all TACACS+ servers.

 
Step 3 show tacacs+ {pending | pending-diff}


Example:
switch(config)# show tacacs+ pending
 
(Optional)

Displays the TACACS+ configuration pending for distribution.

 
Step 4 tacacs+ commit


Example:
switch(config)# tacacs+ commit
 
(Optional)

Applies the TACACS+ configuration changes in the temporary database to the running configuration and distributes the TACACS+ configuration to other Cisco NX-OS devices if you have enabled CFS configuration distribution for the user role feature.

 
Step 5 exit


Example:
switch(config)# exit
switch#
 

Exits configuration mode.

 
Step 6 show tacacs-server


Example:
switch# show tacacs-server
 
(Optional)

Displays the TACACS+ server configuration.

 
Step 7 copy running-config startup-config


Example:
switch# copy running-config startup-config
 
(Optional)

Copies the running configuration to the startup configuration.

 

Configuring TCP Ports

You can configure another TCP port for the TACACS+ servers if there are conflicts with another application. By default, Cisco NX-OS devices use port 49 for all TACACS+ requests.

Before You Begin

Enable TACACS+.

SUMMARY STEPS

    1.    configure terminal

    2.    tacacs-server host {ipv4-address | ipv6-address | host-name} port tcp-port

    3.    (Optional) show tacacs+ {pending | pending-diff}

    4.    (Optional) tacacs+ commit

    5.    exit

    6.    (Optional) show tacacs-server

    7.    (Optional) copy running-config startup-config


DETAILED STEPS
 Command or ActionPurpose
Step 1 configure terminal


Example:
switch# configure terminal
switch(config)#
 

Enters global configuration mode.

 
Step 2 tacacs-server host {ipv4-address | ipv6-address | host-name} port tcp-port


Example:
switch(config)# tacacs-server host 10.10.1.1 port 2
 

Specifies the TCP port to use for TACACS+ messages to the server. The default TCP port is 49. The range is from 1 to 65535.

 
Step 3 show tacacs+ {pending | pending-diff}


Example:
switch(config)# show tacacs+ distribution pending
 
(Optional)

Displays the TACACS+ configuration pending for distribution.

 
Step 4 tacacs+ commit


Example:
switch(config)# tacacs+ commit
 
(Optional)

Applies the TACACS+ configuration changes in the temporary database to the running configuration and distributes TACACS+ configuration to other NX-OS devices if you have enabled CFS configuration distribution for the user role feature.

 
Step 5 exit


Example:
switch(config)# exit
switch#
 

Exits configuration mode.

 
Step 6 show tacacs-server


Example:
switch# show tacacs-server
 
(Optional)

Displays the TACACS+ server configuration.

 
Step 7 copy running-config startup-config


Example:
switch# copy running-config startup-config
 
(Optional)

Copies the running configuration to the startup configuration.

 

Configuring Global Periodic TACACS+ Server Monitoring

You can monitor the availability of all TACACS+ servers without having to configure the test parameters for each server individually. Any servers for which test parameters are not configured are monitored using the global level parameters.


Note


Test parameters that are configured for individual servers take precedence over global test parameters.


The global configuration parameters include the username and password to use for the servers and an idle timer. The idle timer specifies the interval in which a TACACS+ server receives no requests before the Cisco NX-OS device sends out a test packet. You can configure this option to test servers periodically, or you can run a one-time only test.


Note


The test parameters are distributed across switches running Cisco NX-OS Release 5.x or later. If even one switch in the fabric is running an older release, the test parameters are not distributed to any switch in the fabric.



Note


To protect network security, we recommend that you use a username that is not the same as an existing username in the TACACS+ database.



Note


The default idle timer value is 0 minutes. When the idle time interval is 0 minutes, periodic TACACS+ server monitoring is not performed.


Before You Begin

Enable TACACS+.

SUMMARY STEPS

    1.    configure terminal

    2.    tacacs-server test {idle-time minutes | password password [idle-time minutes] | username name [password password [idle-time minutes]]}

    3.    tacacs-server dead-time minutes

    4.    exit

    5.    (Optional) show tacacs-server

    6.    (Optional) copy running-config startup-config


DETAILED STEPS
 Command or ActionPurpose
Step 1 configure terminal


Example:
switch# configure terminal
switch(config)#
 

Enters global configuration mode.

 
Step 2 tacacs-server test {idle-time minutes | password password [idle-time minutes] | username name [password password [idle-time minutes]]}


Example:
switch(config)# tacacs-server test username user1 password Ur2Gd2BH idle-time 3
 

Specifies parameters for global server monitoring. The default username is test, and the default password is test. The default value for the idle timer is 0 minutes, and the valid range is from 0 to 1440 minutes.

Note   

For periodic TACACS+ server monitoring, the idle timer value must be greater than 0.

 
Step 3 tacacs-server dead-time minutes


Example:
switch(config)# tacacs-server dead-time 5
 

Specifies the number of minutes before the Cisco NX-OS device checks a TACACS+ server that was previously unresponsive. The default value is 0 minutes, and the valid range is from 0 to 1440 minutes.

 
Step 4 exit


Example:
switch(config)# exit
switch#
 

Exits configuration mode.

 
Step 5 show tacacs-server


Example:
switch# show tacacs-server
 
(Optional)

Displays the TACACS+ server configuration.

 
Step 6 copy running-config startup-config


Example:
switch# copy running-config startup-config
 
(Optional)

Copies the running configuration to the startup configuration.

 

Configuring Periodic TACACS+ Server Monitoring on Individual Servers

You can monitor the availability of individual TACACS+ servers. The configuration parameters include the username and password to use for the server and an idle timer. The idle timer specifies the interval in which a TACACS+ server receives no requests before the Cisco NX-OS device sends out a test packet. You can configure this option to test servers periodically, or you can run a one-time only test.


Note


Test parameters that are configured for individual servers take precedence over global test parameters.



Note


To protect network security, we recommend that you use a username that is not the same as an existing username in the TACACS+ database.



Note


The default idle timer value is 0 minutes. When the idle time interval is 0 minutes, periodic TACACS+ server monitoring is not performed.



Note


The test parameters are distributed across switches running Cisco NX-OS Release 5.x. If even one switch in the fabric is running an older release, the test parameters are not distributed to any switch in the fabric.


Before You Begin

Enable TACACS+.

Add one or more TACACS+ server hosts.

SUMMARY STEPS

    1.    configure terminal

    2.    tacacs-server host {ipv4-address | ipv6-address | host-name} test {idle-time minutes | password password [idle-time minutes] | username name [password password [idle-time minutes]]}

    3.    tacacs-server dead-time minutes

    4.    exit

    5.    (Optional) show tacacs-server

    6.    (Optional) copy running-config startup-config


DETAILED STEPS
 Command or ActionPurpose
Step 1 configure terminal


Example:
switch# configure terminal
switch(config)#
 

Enters global configuration mode.

 
Step 2 tacacs-server host {ipv4-address | ipv6-address | host-name} test {idle-time minutes | password password [idle-time minutes] | username name [password password [idle-time minutes]]}


Example:
switch(config)# tacacs-server host 10.10.1.1 test username user1 password Ur2Gd2BH idle-time 3
 

Specifies parameters for individual server monitoring. The default username is test, and the default password is test. The default value for the idle timer is 0 minutes, and the valid range is from 0 to 1440 minutes.

Note   

For periodic TACACS+ server monitoring, the idle timer value must be greater than 0.

 
Step 3 tacacs-server dead-time minutes


Example:
switch(config)# tacacs-server dead-time 5
 

Specifies the number of minutes before the Cisco NX-OS device checks a TACACS+ server that was previously unresponsive. The default value is 0 minutes, and the valid range is from 0 to 1440 minutes.

 
Step 4 exit


Example:
switch(config)# exit
switch#
 

Exits configuration mode.

 
Step 5 show tacacs-server


Example:
switch# show tacacs-server
 
(Optional)

Displays the TACACS+ server configuration.

 
Step 6 copy running-config startup-config


Example:
switch# copy running-config startup-config
 
(Optional)

Copies the running configuration to the startup configuration.

 

Configuring the TACACS+ Dead-Time Interval

You can configure the dead-time interval for all TACACS+ servers. The dead-time interval specifies the time that the Cisco NX-OS device waits, after declaring a TACACS+ server is dead, before sending out a test packet to determine if the server is now alive.


Note


When the dead-timer interval is 0 minutes, TACACS+ servers are not marked as dead even if they are not responding. You can configure the dead-timer per group.


Before You Begin

Enable TACACS+.

SUMMARY STEPS

    1.    configure terminal

    2.    tacacs-server deadtime minutes

    3.    (Optional) show tacacs+ {pending | pending-diff}

    4.    (Optional) tacacs+ commit

    5.    exit

    6.    (Optional) show tacacs-server

    7.    (Optional) copy running-config startup-config


DETAILED STEPS
 Command or ActionPurpose
Step 1 configure terminal


Example:
switch# configure terminal
switch(config)#
 

Enters global configuration mode.

 
Step 2 tacacs-server deadtime minutes


Example:
switch(config)# tacacs-server deadtime 5
 

Configures the global dead-time interval. The default value is 0 minutes. The range is from 1 to 1440 minutes.

 
Step 3 show tacacs+ {pending | pending-diff}


Example:
switch(config)# show tacacs+ pending
 
(Optional)

Displays the pending TACACS+ configuration.

 
Step 4 tacacs+ commit


Example:
switch(config)# tacacs+ commit
 
(Optional)

Applies the TACACS+ configuration changes in the temporary database to the running configuration and distributes TACACS+ configuration to other NX-OS devices if you have enabled CFS configuration distribution for the user role feature.

 
Step 5 exit


Example:
switch(config)# exit
switch#
 

Exits configuration mode.

 
Step 6 show tacacs-server


Example:
switch# show tacacs-server
 
(Optional)

Displays the TACACS+ server configuration.

 
Step 7 copy running-config startup-config


Example:
switch# copy running-config startup-config
 
(Optional)

Copies the running configuration to the startup configuration.

 

Configuring ASCII Authentication

You can enable ASCII authentication on the TACACS+ server.

Before You Begin

Enable TACACS+.

SUMMARY STEPS

    1.    configure terminal

    2.    aaa authentication login ascii-authentication

    3.    (Optional) show tacacs+ {pending | pending-diff}

    4.    (Optional) tacacs+ commit

    5.    exit

    6.    (Optional) show tacacs-server

    7.    (Optional) copy running-config startup-config


DETAILED STEPS
 Command or ActionPurpose
Step 1configure terminal


Example:
switch# configure terminal
switch(config)#
 

Enters global configuration mode.

 
Step 2 aaa authentication login ascii-authentication


Example:
switch(config)# aaa authentication login ascii-authentication
 

Enables ASCII authentication. The default is disabled.

 
Step 3 show tacacs+ {pending | pending-diff}


Example:
switch(config)# show tacacs+ pending
 
(Optional)

Displays the pending TACACS+ configuration.

 
Step 4 tacacs+ commit


Example:
switch(config)# tacacs+ commit
 
(Optional)

Applies the TACACS+ configuration changes in the temporary database to the running configuration and distributes TACACS+ configuration to the other Cisco NX-OS devices if you have enabled CFS configuration distribution for the user role feature.

 
Step 5 exit


Example:
switch(config)# exit
switch#
 

Exits configuration mode.

 
Step 6 show tacacs-server


Example:
switch# show tacacs-server
 
(Optional)

Displays the TACACS+ server configuration.

 
Step 7 copy running-config startup-config


Example:
switch# copy running-config startup-config
 
(Optional)

Copies the running configuration to the startup configuration.

 

Configuring AAA Authorization on TACACS+ Servers

You can configure the default AAA authorization method for TACACS+ servers.

Before You Begin

Enable TACACS+.

SUMMARY STEPS

    1.    configure terminal

    2.    aaa authorization ssh-certificate default {group group-list [none] | local | none}

    3.    exit

    4.    (Optional) show aaa authorization [all]

    5.    (Optional) copy running-config startup-config


DETAILED STEPS
 Command or ActionPurpose
Step 1 configure terminal


Example:
switch# configure terminal
switch(config)#
 

Enters global configuration mode.

 
Step 2 aaa authorization ssh-certificate default {group group-list [none] | local | none}


Example:
switch(config)# aaa authorization ssh-certificate 
default group TACACSServer1 TACACSServer2
 

Configures the default AAA authorization method for the TACACS+ servers.

The ssh-certificate keyword configures TACACS+ or local authorization with certificate authentication. The default authorization is local authorization, which is the list of authorized commands for the user’s assigned role.

The group-list argument consists of a space-delimited list of TACACS+ server group names. Servers belonging to this group are contacted for AAA authorization. The local method uses the local database for authorization, and the none method specifies that no AAA authorization be used.

 
Step 3 exit


Example:
switch(config)# exit
switch#
 

Exits global configuration mode.

 
Step 4 show aaa authorization [all]


Example:
switch# show aaa authorization
 
(Optional)

Displays the AAA authorization configuration. The all keyword displays the default values.

 
Step 5 copy running-config startup-config


Example:
switch# copy running-config 
startup-config
 
(Optional)

Copies the running configuration to the startup configuration.

 

Configuring Command Authorization on TACACS+ Servers

You can configure authorization for commands on TACACS+ servers.


Caution


Command authorization disables user role-based authorization control (RBAC), including the default roles.



Note


For Cisco NX-OS Releases 4.x and 5.x, command authorization is available only for non-console sessions. If you use a console to login to the server, command authorization is disabled.

Note


By default, context sensitive help and command tab completion show only the commands supported for a user as defined by the assigned roles. When you enable command authorization, the Cisco NX-OS software displays all commands in the context sensitive help and in tab completion, regardless of the role assigned to the user.


Before You Begin

Enable TACACS+.

SUMMARY STEPS

    1.    configure terminal

    2.    aaa authorization {commands | config-commands} default

    3.    (Optional) show tacacs+ {pending | pending-diff}

    4.    (Optional) tacacs+ commit

    5.    exit

    6.    (Optional) show aaa authorization [all]

    7.    (Optional) copy running-config startup-config


DETAILED STEPS
 Command or ActionPurpose
Step 1 configure terminal


Example:
switch# configure terminal
switch(config)#
 

Enters global configuration mode.

 
Step 2 aaa authorization {commands | config-commands} default


Example:
switch(config)# aaa authorization commands 
default group TacGroup
Per command authorization will disable RBAC for all 
users. Proceed (y/n)? 
 

Configures the command authorization method for specific roles on a TACACS+ server.

The commands keyword configures authorization sources for all EXEC commands, and the config-commands keyword configures authorization sources for all configuration commands.

The default keyword configures command authorization for a non-console session.

The group-list argument consists of a space-delimited list of TACACS+ server group names. Servers belonging to this group are contacted for command authorization. The local method uses the local role-based database for authorization.

The local method is used only if all the configured server groups fail to respond and you have configured local as the fallback method. The default method is local.

If you have not configured a fallback method after the TACACS+ server group method, authorization fails if all server groups fail to respond.

If you press Enter at the confirmation prompt, the default action is n.

 
Step 3 show tacacs+ {pending | pending-diff}


Example:
switch(config)# show tacacs+ pending
 
(Optional)

Displays the pending TACACS+ configuration.

 
Step 4 tacacs+ commit


Example:
switch(config)# tacacs+ commit
 
(Optional)

Applies the TACACS+ configuration changes in the temporary database to the running configuration and distributes TACACS+ configuration to other Cisco NX-OS devices if you have enabled CFS configuration distribution for the user role feature.

 
Step 5 exit


Example:
switch(config)# exit
switch#
 

Exits global configuration mode.

 
Step 6 show aaa authorization [all]


Example:
switch(config)# show aaa authorization
 
(Optional)

Displays the AAA authorization configuration. The all keyword displays the default values.

 
Step 7 copy running-config startup-config


Example:
switch(config)# copy running-config 
startup-config
 
(Optional)

Copies the running configuration to the startup configuration.

 

Testing Command Authorization on TACACS+ Servers

You can test the command authorization for a user on the TACACS+ servers.


Note


You must send correct commands for authorization or else the results may not be reliable.


Before You Begin

Enable TACACS+.

Ensure that you have configured command authorization for the TACACS+ servers.

SUMMARY STEPS

    1.    test aaa authorization command-type {commands | config-commands} user username command command-string


DETAILED STEPS
 Command or ActionPurpose
Step 1 test aaa authorization command-type {commands | config-commands} user username command command-string


Example:
switch# test aaa authorization command-type commands 
user TestUser command reload
 

Tests a user's authorization for a command on the TACACS+ servers.

The commands keyword specifies only EXEC commands and the config-commands keyword specifies only configuration commands.

Note   

Put double quotes (") before and after the command-string argument if it contains spaces.

 

Enabling and Disabling Command Authorization Verification

You can enable and disable command authorization verificaiton on the command-line interface (CLI) for the default user session or for another username.


Note


The commands do no execute when you enable authorization verification.


SUMMARY STEPS

    1.    terminal verify-only [username username]

    2.    terminal no verify-only [username username]


DETAILED STEPS
 Command or ActionPurpose
Step 1 terminal verify-only [username username]


Example:
switch# terminal verify-only
 

Enables command authorization verification. After you enter this command, the Cisco NX-OS software indicates whether the commands you enter are authorized or not.

 
Step 2 terminal no verify-only [username username]


Example:
switch# terminal no verify-only
 

Disables command authorization verification.

 

Configuring Privilege Level Support for Authorization on TACACS+ Servers

You can configure privilege level support for authorization on TACACS+ servers.

Unlike Cisco IOS devices, which use privilege levels to determine authorization, Cisco NX-OS devices use role-based access control (RBAC). To enable both types of devices to be administered by the same TACACS+ servers, you can map the privilege levels configured on TACACS+ servers to user roles configured on Cisco NX-OS devices.

When a user authenticates with a TACACS+ server, the privilege level is obtained and used to form a local user role name of the format “priv-n,” where n is the privilege level. The user assumes the permissions of this local role. Sixteen privilege levels, which map directly to corresponding user roles, are available. The following table shows the user role permissions that correspond to each privilege level.

Privilege Level User Role Permissions
15 network-admin permissions
14 vdc-admin permissions
13 - 1
  • Standalone role permissions, if the feature privilege command is disabled.

  • Same permissions as privilege level 0 with cumulative privileges for roles, if the feature privilege command is enabled.

0 Permission to execute show commands and exec commands (such as ping, trace, and ssh).

Note


When the feature privilege command is enabled, privilege roles inherit the permissions of lower level privilege roles.



Note


You must also configure the privilege level for the Cisco NX-OS device on the Cisco Secure Access Control Server (ACS). See the documentation at the following URL:

http:/​/​www.cisco.com/​en/​US/​products/​sw/​secursw/​ps5338/​products_​installation_​and_​configuration_​guides_​list.html


SUMMARY STEPS

    1.    configure terminal

    2.    [no] feature privilege

    3.    [no] enable secret [0 | 5] password [priv-lvl priv-lvl | all]

    4.    [no] username username priv-lvl n

    5.    (Optional) show privilege

    6.    (Optional) copy running-config startup-config

    7.    exit

    8.    enable level


DETAILED STEPS
 Command or ActionPurpose
Step 1 configure terminal


Example:
switch# configure terminal
switch(config)#
 

Enters global configuration mode.

 
Step 2[no] feature privilege


Example:
switch(config)# feature privilege
 

Enables or disables the cumulative privilege of roles. Users can see the enable command only if this feature is enabled. The default is disabled.

 
Step 3[no] enable secret [0 | 5] password [priv-lvl priv-lvl | all]


Example:
switch(config)# enable secret 5 def456 priv-lvl 15
 

Enables or disables a secret password for a specific privilege level. Users are prompted to enter the correct password upon each privilege level escalation. The default is disabled.

You can enter 0 to specify that the password is in clear text or 5 to specify that the password is in encrypted format. The password argument can be up to 64 alphanumeric characters. The priv-lvl argument is from 1 to 15.

Note    To enable the secret password, you must have enabled the cumulative privilege of roles by entering the feature privilege command.
 
Step 4 [no] username username priv-lvl n


Example:
switch(config)# username user2 priv-lvl 15
 
 

Enables or disables a user to use privilege levels for authorization. The default is disabled.

The priv-lvl keyword specifies the privilege level to which the user is assigned. There is no default privilege level. Privilege levels 0 to 15 (priv-lvl 0 to priv-lvl 15) map to user roles priv-0 to priv-15.

 
Step 5 show privilege


Example:
switch(config)# show privilege
 
(Optional)

Displays the username, current privilege level, and status of cumulative privilege support.

 
Step 6 copy running-config startup-config


Example:
switch(config)# copy running-config 
startup-config
 
(Optional)

Copies the running configuration to the startup configuration.

 
Step 7exit


Example:
switch(config)# exit
switch#
 

Exits global configuration mode.

 
Step 8enable level


Example:
switch# enable 15
 

Enables a user to move to a higher privilege level. This command prompts for the secret password. The level argument specifies the privilege level to which the user is granted access. The only available level is 15.

 

Permitting or Denying Commands for Users of Privilege Roles

As a network administrator, you can modify the privilege roles to permit users to execute specific commands or to prevent users from running those commands.

You must follow these guidelines when changing the rules of privilege roles:
  • You cannot modify the priv-14 and priv-15 roles.

  • You can add deny rules only to the priv-0 role.

  • These commands are always permitted for the priv-0 role: configure, copy, dir, enable, ping, show, ssh, telnet, terminal, traceroute, end, and exit.

SUMMARY STEPS

    1.    configure terminal

    2.    [no] role name priv-n

    3.    rule number {deny | permit} command command-string

    4.    exit

    5.    (Optional) copy running-config startup-config


DETAILED STEPS
 Command or ActionPurpose
Step 1 configure terminal


Example:
switch# configure terminal
switch(config)#
 

Enters global configuration mode.

 
Step 2 [no] role name priv-n


Example:
switch(config)# role name priv-5
switch(config-role)# 
 

Enables or disables a privilege role and enters role configuration mode. The n argument specifies the privilege level and is a number between 0 and 13.

 
Step 3 rule number {deny | permit} command command-string


Example:
switch(config-role)# rule 2 permit command pwd
 

Configures a command rule for users of privilege roles. These rules permit or deny users to execute specific commands. You can configure up to 256 rules for each role. The rule number determines the order in which the rules are applied. Rules are applied in descending order. For example, if a role has three rules, rule 3 is applied before rule 2, which is applied before rule 1.

The command-string argument can contain spaces.

Note    Repeat this command for as many rules as needed.
 
Step 4 exit


Example:
switch(config-role)# exit
switch(config)#
 

Exits role configuration mode.

 
Step 5 copy running-config startup-config


Example:
switch(config)# copy running-config 
startup-config
 
(Optional)

Copies the running configuration to the startup configuration.

 

Enabling TACACS+ Configuration Distribution

Only Cisco NX-OS devices that have distribution enabled can participate in the distribution of the TACACS+ configuration changes in the CFS region.

Before You Begin

Ensure that CFS distribution is enabled.

SUMMARY STEPS

    1.    configure terminal

    2.    tacacs+ distribute

    3.    exit

    4.    (Optional) show tacacs+ status

    5.    (Optional) copy running-config startup-config


DETAILED STEPS
 Command or ActionPurpose
Step 1 configure terminal


Example:
switch# configure terminal
switch(config)#
 

Enters global configuration mode.

 
Step 2 tacacs+ distribute


Example:
switch(config)# tacacs+ distribute
 

Enables TACACS+ configuration distribution. The default is disabled.

 
Step 3 exit


Example:
switch(config)# exit
switch#
 

Exits configuration mode.

 
Step 4 show tacacs+ status


Example:
switch(config)# show tacacs+ status
 
(Optional)

Displays the TACACS+ CFS distribution configuration.

 
Step 5 copy running-config startup-config


Example:
switch# copy running-config startup-config
 
(Optional)

Copies the running configuration to the startup configuration.

 

Committing the TACACS+ Configuration to Distribution

You can apply the TACACS+ global and server configuration stored in the temporary buffer to the running configuration across all Cisco NX-OS devices in the fabric (including the originating device).

Before You Begin

Enable TACACS+.

SUMMARY STEPS

    1.    configure terminal

    2.    (Optional) show tacacs+ {pending | pending-diff}

    3.    tacacs+ commit

    4.    exit

    5.    (Optional) show tacacs+ distribution status

    6.    (Optional) copy running-config startup-config


DETAILED STEPS
 Command or ActionPurpose
Step 1 configure terminal


Example:
switch# configure terminal
switch(config)#
 

Enters global configuration mode.

 
Step 2 show tacacs+ {pending | pending-diff}


Example:
switch(config)# show tacacs+ pending
 
(Optional)

Displays the TACACS+ configuration pending for distribution.

 
Step 3 tacacs+ commit


Example:
switch(config)# tacacs+ commit
 

Applies the TACACS+ configuration changes in the temporary database to the running configuration and distributes the TACACS+ configuration to other Cisco NX-OS devices if you have enabled CFS configuration distribution for the user role feature.

 
Step 4 exit


Example:
switch(config)# exit
switch#
 

Exits configuration mode.

 
Step 5 show tacacs+ distribution status


Example:
switch(config)# show tacacs+ distribution status
 
(Optional)

Displays the TACACS distribution configuration and status.

 
Step 6 copy running-config startup-config


Example:
switch# copy running-config startup-config
 
(Optional)

Applies the running configuration to the startup configuration.

 

Discarding the TACACS+ Distribution Session

You can discard the temporary database of TACACS+ changes and end the CFS distribution session.

Before You Begin

Enable TACACS+.

SUMMARY STEPS

    1.    configure terminal

    2.    (Optional) show tacacs+ {pending | pending-diff}

    3.    tacacs+ abort

    4.    exit

    5.    (Optional) show tacacs+ distribution status


DETAILED STEPS
 Command or ActionPurpose
Step 1 configure terminal


Example:
switch# configure terminal
switch(config)#
 

Enters global configuration mode.

 
Step 2 show tacacs+ {pending | pending-diff}


Example:
switch(config)# show tacacs+ pending
 
(Optional)

Displays the TACACS+ configuration pending for distribution.

 
Step 3 tacacs+ abort


Example:
switch(config)# tacacs+ abort
 

Discards the TACACS+ configuration in the temporary storage and ends the session.

 
Step 4 exit


Example:
switch(config)# exit
switch#
 

Exits configuration mode.

 
Step 5 show tacacs+ distribution status


Example:
switch(config)# show tacacs+ distribution status
 
(Optional)

Displays the TACACS distribution configuration and status.

 

Clearing the TACACS+ Distribution Session

You can clear an active CFS distribution session and unlock TACACS+ configuration in the network.

Before You Begin

Enable TACACS+.

SUMMARY STEPS

    1.    clear tacacs+ session

    2.    (Optional) show tacacs+ distribution status


DETAILED STEPS
 Command or ActionPurpose
Step 1 clear tacacs+ session


Example:
switch# clear tacacs+ session
 

Clears the CFS session for TACACS+ and unlocks the fabric.

 
Step 2 show tacacs+ distribution status


Example:
switch(config)# show tacacs+ distribution status
 
(Optional)

Displays the TACACS distribution configuration and status.

 

Manually Monitoring TACACS+ Servers or Groups

You can manually issue a test message to a TACACS+ server or to a server group.

Before You Begin

Enable TACACS+.

SUMMARY STEPS

    1.    test aaa server tacacs+ {ipv4-address | ipv6-address | host-name} [vrf vrf-name] username password

    2.    test aaa group group-name username password


DETAILED STEPS
 Command or ActionPurpose
Step 1 test aaa server tacacs+ {ipv4-address | ipv6-address | host-name} [vrf vrf-name] username password


Example:
switch# test aaa server tacacs+ 10.10.1.1 user1 Ur2Gd2BH
 

Sends a test message to a TACACS+ server to confirm availability.

 
Step 2 test aaa group group-name username password


Example:
switch# test aaa group TacGroup user2 As3He3CI
 

Sends a test message to a TACACS+ server group to confirm availability.

 

Disabling TACACS+

You can disable TACACS+.


Caution


When you disable TACACS+, all related configurations are automatically discarded.


SUMMARY STEPS

    1.    configure terminal

    2.    no feature tacacs+

    3.    exit

    4.    (Optional) copy running-config startup-config


DETAILED STEPS
 Command or ActionPurpose
Step 1 configure terminal


Example:
switch# configure terminal
switch(config)#
 

Enters global configuration mode.

 
Step 2 no feature tacacs+


Example:
switch(config)# no feature tacacs+
 

Disables TACACS+.

 
Step 3 exit


Example:
switch(config)# exit
switch#
 

Exits configuration mode.

 
Step 4 copy running-config startup-config


Example:
switch# copy running-config startup-config
 
(Optional)

Copies the running configuration to the startup configuration.

 

Monitoring TACACS+ Servers

You can monitor the statistics that the Cisco NX-OS device maintains for TACACS+ server activity.

Before You Begin

Configure TACACS+ servers on the Cisco NX-OS device.

SUMMARY STEPS

    1.    show tacacs-server statistics {hostname | ipv4-address | ipv6-address}


DETAILED STEPS
 Command or ActionPurpose
Step 1 show tacacs-server statistics {hostname | ipv4-address | ipv6-address}


Example:
switch# show tacacs-server statistics 10.10.1.1
 

Displays the TACACS+ statistics.

 

Clearing TACACS+ Server Statistics

You can display the statistics that the Cisco NX-OS device maintains for TACACS+ server activity.

Before You Begin

Configure TACACS+ servers on the Cisco NX-OS device.

SUMMARY STEPS

    1.    (Optional) show tacacs-server statistics {hostname | ipv4-address | ipv6-address}

    2.    clear tacacs-server statistics {hostname | ipv4-address | ipv6-address}


DETAILED STEPS
 Command or ActionPurpose
Step 1 show tacacs-server statistics {hostname | ipv4-address | ipv6-address}


Example:
switch# show tacacs-server statistics 10.10.1.1
 
(Optional)

Displays the TACACS+ server statistics on the Cisco NX-OS device.

 
Step 2 clear tacacs-server statistics {hostname | ipv4-address | ipv6-address}


Example:
switch# clear tacacs-server statistics 10.10.1.1
 

Clears the TACACS+ server statistics.

 

Verifying the TACACS+ Configuration

To display the TACACS+ configuration, perform one of the following tasks:

Command

Purpose

show tacacs+ { status | pending | pending-diff}

Displays the TACACS+ Cisco Fabric Services distribution status and other details.

show running-config tacacs [all]

Displays the TACACS+ configuration in the running configuration.

show startup-config tacacs

Displays the TACACS+ configuration in the startup configuration.

show tacacs-server [host-name | ipv4-address | ipv6-address] [directed-request | groups | sorted | statistics]

Displays all configured TACACS+ server parameters.

show privilege

Displays the current privilege level, username, and status of cumulative privilege support.

For detailed information about the fields in the output from this command, see the Cisco Nexus 7000 Series NX-OS Security Command Reference.

Configuration Examples for TACACS+

The following example shows how to configure a TACACS+ server host and server group:

feature tacacs+ 
tacacs-server key 7 "ToIkLhPpG" 
tacacs-server host 10.10.2.2 key 7 "ShMoMhTl" 
aaa group server tacacs+ TacServer
    server 10.10.2.2


The following example shows how to configure and use command authorization verification:

switch# terminal verify-only
switch# show interface ethernet 7/2 brief
%Success
switch# terminal no verify-only
switch# show interface ethernet 7/2 brief

--------------------------------------------------------------------------------
Ethernet      VLAN   Type Mode   Status  Reason                   Speed     Port
Interface                                                                   Ch #
--------------------------------------------------------------------------------
Eth7/2        1      eth  access down    SFP not inserted           auto(D) --


The following example shows how to enable the cumulative privilege of roles, configure a secret password for privilege level 2, and configure user3 for privilege level 2 authorization:

switch# configure terminal
switch(config)# feature privilege
switch(config)# enable secret def456 priv-lvl 2
switch(config)# username user3 priv-lvl 2
switch(config)# show privilege
User name: user3
Current privilege level: -2
Feature privilege: Enabled
switch(config)# copy running-config startup-config
switch(config)# exit



The following example shows how to change user3 from the priv-2 role to the priv-15 role. After entering the enable 15 command, the user is prompted to enter the password that was configured by the administrator using the enable secret command. Privilege level 15 gives this user network-admin privileges under the enable mode.

User Access Verification
login: user3
Password: ******
Cisco Nexus Operating System (NX-OS) Software
TAC support: http://www.cisco.com/tac
Copyright ©) 2002-2009, Cisco Systems, Inc. All rights reserved.
The copyrights to certain works contained in this software are
owned by other third parties and used and distributed under
license. Certain components of this software are licensed under
the GNU General Public License (GPL) version 2.0 or the GNU
Lesser General Public License (LGPL) Version 2.1. A copy of each
such license is available at
http://www.opensource.org/licenses/gpl-2.0.php and
http://www.opensource.org/licenses/lgpl-2.1.php
switch#
switch# enable 15
Password: def456
Cisco Nexus Operating System (NX-OS) Software
TAC support: http://www.cisco.com/tac
Copyright ©) 2002-2009, Cisco Systems, Inc. All rights reserved.
The copyrights to certain works contained in this software are
owned by other third parties and used and distributed under
license. Certain components of this software are licensed under
the GNU General Public License (GPL) version 2.0 or the GNU
Lesser General Public License (LGPL) Version 2.1. A copy of each
such license is available at
http://www.opensource.org/licenses/gpl-2.0.php and
http://www.opensource.org/licenses/lgpl-2.1.php
switch-enable# 


The following example shows how to permit all users with roles priv-5 and above to execute the pwd command:

switch# configure terminal
switch(config)# role name priv-5
switch(config-role)# rule 1 permit command pwd



The following example shows how to deny the show running-config command to all users with roles below priv-5. First, you must remove the permission to execute this command from the priv-0 role; then you must permit the command at role priv-5 so that users with roles priv-5 and above have permission to run the command.

switch# configure terminal
switch(config)# role name priv-0
switch(config-role)# rule 2 deny command show running-config
switch(config-role)# exit
switch(config)# role name priv-5
switch(config-role)# rule 3 permit command show running-config
switch(config-role)# exit



Where to Go Next

You can now configure AAA authentication methods to include the server groups.

Additional References for TACACS+

This section includes additional information related to implementing TACACS+.

Related Documents

Related Topic

Document Title

Cisco NX-OS licensing

Cisco NX-OS Licensing Guide

Command reference

Cisco Nexus 7000 Series NX-OS Security Command Reference

VRF configuration

Cisco Nexus 7000 Series NX-OS Unicast Routing Configuration Guide

Standards

Standards

Title

No new or modified standards are supported by this feature, and support for existing standards has not been modified by this feature.

MIBs

MIBs

MIBs Link

  • CISCO-AAA-SERVER-MIB

  • CISCO-AAA-SERVER-EXT-MIB

To locate and download MIBs, go to the following URL:

http:/​/​www.cisco.com/​public/​sw-center/​netmgmt/​cmtk/​mibs.shtml

Feature History for TACACS+

This table lists the release history for this feature.

Table 2  Feature History for TACACS+

Feature Name

Releases

Feature Information

TACACS+

5.2(1)

Added type-6 encryption for TACACS+ server keys.

TACACS+

5.1(1)

No change from Release 5.0.

TACACS+ privilege-level authorization

5.0(2)

Added support for the mapping of privilege levels configured for users on the TACACS+ server to locally configured user roles on the Cisco NX-OS device.

Privilege roles

5.0(2)

Added support for permitting or denying commands for users of privilege roles.

Periodic server monitoring

5.0(2)

Added support for global periodic TACACS+ server monitoring.

AAA authorization

5.0(2)

Added support for configuring the default AAA authorization method for TACACS+ servers.