Security Configuration Guide, Cisco DCNM for LAN, Release 6.x
Configuring TACACS+

This chapter describes how to configure the Terminal Access Controller Access Control System Plus (TACACS+) protocol on Cisco NX-OS devices.

Information About TACACS+

The TACACS+ security protocol provides centralized validation of users attempting to gain access to a Cisco NX-OS device. TACACS+ services are maintained in a database on a TACACS+ daemon running, typically, on a UNIX or Windows NT workstation. You must have access to and must configure a TACACS+ server before the configured TACACS+ features on your Cisco NX-OS device are available.

TACACS+ provides for separate authentication, authorization, and accounting facilities. TACACS+ allows for a single access control server (the TACACS+ daemon) to provide each service—authentication, authorization, and accounting—independently. Each service can be tied into its own database to take advantage of other services available on that server or on the network, depending on the capabilities of the daemon.

The TACACS+ client/server protocol uses TCP (TCP port 49) for transport requirements. Cisco NX-OS devices provide centralized authentication using the TACACS+ protocol.

TACACS+ Advantages

TACACS+ has the following advantages over RADIUS authentication:

  • Provides independent AAA facilities. For example, the Cisco NX-OS device can authorize access without authenticating.
  • Uses the TCP transport protocol to send data between the AAA client and server, making reliable transfers with a connection-oriented protocol.
  • Encrypts the entire protocol payload between the switch and the AAA server to ensure higher data confidentiality. The RADIUS protocol only encrypts passwords.

TACACS+ Operation for User Login

When a user attempts a Password Authentication Protocol (PAP) login to a Cisco NX-OS device using TACACS+, the following actions occur:

Note

TACACS+ allows an arbitrary conversation between the daemon and the user until the daemon receives enough information to authenticate the user. This action is usually done by prompting for a username and password combination, but may include prompts for other items, such as your mother's maiden name.

  1. When the Cisco NX-OS device establishes a connection, it contacts the TACACS+ daemon to obtain the username and password.
  2. The Cisco NX-OS device will eventually receive one of the following responses from the TACACS+ daemon:
    ACCEPT
    User authentication succeeds and service begins. If the Cisco NX-OS device requires user authorization, authorization begins.
    REJECT
    User authentication failed. The TACACS+ daemon either denies further access to the user or prompts the user to retry the login sequence.
    ERROR
    An error occurred at some time during authentication either at the daemon or in the network connection between the daemon and the Cisco NX-OS device. If the Cisco NX-OS device receives an ERROR response, the Cisco NX-OS device tries to use an alternative method for authenticating the user.
    After authentication, the user also undergoes an additional authorization phase if authorization has been enabled on the NX-OS device. Users must first successfully complete TACACS+ authentication before proceeding to TACACS+ authorization.
  3. If TACACS+ authorization is required, the Cisco NX-OS device again contacts the TACACS+ daemon and it returns an ACCEPT or REJECT authorization response. An ACCEPT response contains attributes that are used to direct the EXEC or NETWORK session for that user and determines the services that the user can access. Services include the following:
    • Telnet, rlogin, Point-to-Point Protocol (PPP), Serial Line Internet Protocol (SLIP), or EXEC services
    • Connection parameters, including the host or client IP address (IPv4 or IPv6), access list, and user timeouts

Default TACACS+ Server Encryption Type and Secret Key

You must configure the TACACS+ secret key to authenticate the switch to the TACACS+ server. A secret key is a secret text string shared between the Cisco NX-OS device and the TACACS+ server host. The length of the key is restricted to 63 characters and can include any printable ASCII characters (white spaces are not allowed). You can configure a global secret key for all TACACS+ server configurations on the Cisco NX-OS device to use.

You can override the global secret key assignment when configuring an individual TACACS+ server.
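
The guide states that the payload is encrypted with this shared key but does not describe the mechanism. As an added example that is not from this guide or from Cisco, the following Python implements the body obfuscation defined in RFC 8907 section 4.5 (an MD5 keystream derived from the session id, the key, the version byte and the sequence number), applies the key rules stated above, and shows that a mismatched key yields an unreadable body rather than an error, because the body carries no integrity check. The header constants and the sample body are constructed for the example.

```python
import hashlib
import struct

# Header field values from RFC 8907 (assumption: the guide itself does not list them).
TAC_PLUS_MAJOR_VER = 0xC
TAC_PLUS_MINOR_VER_DEFAULT = 0x0
TAC_PLUS_AUTHEN = 0x01              # packet type: authentication
TAC_PLUS_UNENCRYPTED_FLAG = 0x01    # body sent in clear text; only for lab debugging
HEADER_FMT = "!BBBBII"              # version, type, seq_no, flags, session_id, length
HEADER_LEN = struct.calcsize(HEADER_FMT)


def validate_key(key: str) -> bytes:
    """Apply the secret-key rules stated in the guide: at most 63 printable ASCII
    characters, white space not allowed. Returns the key as bytes."""
    if not 1 <= len(key) <= 63:
        raise ValueError("TACACS+ key must be 1 to 63 characters long")
    if any(not 0x21 <= ord(ch) <= 0x7E for ch in key):
        raise ValueError("TACACS+ key must be printable ASCII with no white space")
    return key.encode("ascii")


def pseudo_pad(session_id: int, key: bytes, version: int, seq_no: int, length: int) -> bytes:
    """RFC 8907 pseudo-pad: MD5_1 = MD5(session_id, key, version, seq_no) and
    MD5_n = MD5(session_id, key, version, seq_no, MD5_n-1), concatenated and
    truncated to the body length. session_id is 4 bytes, network byte order."""
    prefix = struct.pack("!I", session_id) + key + bytes([version, seq_no])
    pad, prev = b"", b""
    while len(pad) < length:
        prev = hashlib.md5(prefix + prev).digest()
        pad += prev
    return pad[:length]


def obfuscate(body: bytes, session_id: int, key: bytes, version: int, seq_no: int) -> bytes:
    """XOR the body with the pseudo-pad. XOR is its own inverse, so the same call
    both protects an outgoing body and recovers an incoming one."""
    pad = pseudo_pad(session_id, key, version, seq_no, len(body))
    return bytes(b ^ p for b, p in zip(body, pad))


def build_packet(body: bytes, session_id: int, key: str, seq_no: int,
                 packet_type: int = TAC_PLUS_AUTHEN) -> bytes:
    """Prepend a TACACS+ header to a body and obfuscate the body with the shared key."""
    version = (TAC_PLUS_MAJOR_VER << 4) | TAC_PLUS_MINOR_VER_DEFAULT
    header = struct.pack(HEADER_FMT, version, packet_type, seq_no, 0, session_id, len(body))
    return header + obfuscate(body, session_id, validate_key(key), version, seq_no)


def parse_packet(packet: bytes, key: str) -> dict:
    """Split a packet into header fields and the recovered body. With a wrong key
    the body is silently garbage: nothing in the packet lets the receiver detect
    a key mismatch, which is why both sides must hold exactly the same key."""
    if len(packet) < HEADER_LEN:
        raise ValueError("truncated TACACS+ header")
    version, packet_type, seq_no, flags, session_id, length = struct.unpack(
        HEADER_FMT, packet[:HEADER_LEN])
    body = packet[HEADER_LEN:HEADER_LEN + length]
    if len(body) != length:
        raise ValueError("body length does not match header")
    if not flags & TAC_PLUS_UNENCRYPTED_FLAG:
        body = obfuscate(body, session_id, validate_key(key), version, seq_no)
    return {"version": version, "type": packet_type, "seq_no": seq_no, "flags": flags,
            "session_id": session_id, "body": body}


if __name__ == "__main__":
    # Constructed placeholder body and session id (not a real authentication START).
    sample_body = b"\x01\x00\x01\x01admin"
    pkt = build_packet(sample_body, session_id=0x1234ABCD, key="s3cr3t-Key", seq_no=1)
    print(parse_packet(pkt, "s3cr3t-Key")["body"] == sample_body)   # True
    print(parse_packet(pkt, "wrong-Key")["body"] == sample_body)    # False
```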

TACACS+ Server Monitoring

An unresponsive TACACS+ server can delay the processing of AAA requests. A Cisco NX-OS device can periodically monitor a TACACS+ server to check whether it is responding (or alive) to save time in processing AAA requests. The Cisco NX-OS device marks unresponsive TACACS+ servers as dead and does not send AAA requests to any dead TACACS+ servers. A Cisco NX-OS device periodically monitors dead TACACS+ servers and brings them to the alive state once they are responding. This process verifies that a TACACS+ server is in a working state before real AAA requests are sent its way. Whenever a TACACS+ server changes to the dead or alive state, a Simple Network Management Protocol (SNMP) trap is generated and the Cisco NX-OS device displays an error message that a failure is taking place before it can impact performance.

Figure 1. TACACS+ Server States. This figure shows the server states for TACACS+ server monitoring.

Note

The monitoring intervals for alive servers and for dead servers are different, and both can be configured by the user. TACACS+ server monitoring is performed by sending a test authentication request to the TACACS+ server.

TACACS+ Configuration Distribution

Cisco Fabric Services (CFS) allows the Cisco NX-OS device to distribute the TACACS+ configuration to other Cisco NX-OS devices in the network. When you enable CFS distribution for a feature on your device, the device belongs to a CFS region containing other devices in the network that you have also enabled for CFS distribution for the feature. CFS distribution for TACACS+ is disabled by default.

Note

You must explicitly enable CFS for TACACS+ on each device to which you want to distribute configuration changes.

After you enable CFS distribution for TACACS+ on your Cisco NX-OS device, the first TACACS+ configuration command that you enter causes the Cisco NX-OS software to take the following actions:

  • Creates a CFS session on your Cisco NX-OS device.
  • Locks the TACACS+ configuration on all Cisco NX-OS devices in the CFS region with CFS enabled for TACACS+.
  • Saves the TACACS+ configuration changes in a temporary buffer on the Cisco NX-OS device.

The changes stay in the temporary buffer on the Cisco NX-OS device until you explicitly commit them to be distributed to the devices in the CFS region. When you commit the changes, the Cisco NX-OS software takes the following actions:

  • Applies the changes to the running configuration on your Cisco NX-OS device.
  • Distributes the updated TACACS+ configuration to the other Cisco NX-OS devices in the CFS region.
  • Unlocks the TACACS+ configuration in the devices in the CFS region.
  • Terminates the CFS session.

CFS does not distribute the TACACS+ server group configuration, periodic TACACS+ server testing configurations, or server and global keys. The keys are unique to the Cisco NX-OS device and are not shared with other Cisco NX-OS devices.

For detailed information on CFS, see the Cisco Nexus 7000 Series NX-OS System Management Configuration Guide.

Vendor-Specific Attributes for TACACS+

The Internet Engineering Task Force (IETF) draft standard specifies a method for communicating vendor-specific attributes (VSAs) between the network access server and the TACACS+ server. The IETF uses attribute 26. VSAs allow vendors to support their own extended attributes that are not suitable for general use.

Cisco VSA Format for TACACS+

The Cisco TACACS+ implementation supports one vendor-specific option using the format recommended in the IETF specification. The Cisco vendor ID is 9, and the supported option is vendor type 1, which is named cisco-av-pair. The value is a string with the following format:

protocol : attribute separator value *

The protocol is a Cisco attribute for a particular type of authorization, the separator is = (equal sign) for mandatory attributes, and * (asterisk) indicates optional attributes.

When you use TACACS+ servers for authentication on a Cisco NX-OS device, the TACACS+ protocol directs the TACACS+ server to return user attributes, such as authorization information, along with authentication results. This authorization information is specified through VSAs.

The following VSA protocol options are supported by the Cisco NX-OS software:

Shell
Protocol used in access-accept packets to provide user profile information.
Accounting
Protocol used in accounting-request packets. If a value contains any white spaces, you should enclose the value within double quotation marks.

The Cisco NX-OS software supports the following attributes:

roles

Lists all the roles to which the user belongs. The value field is a string that lists the role names delimited by white space. For example, if the user belongs to roles network-operator and vdc-admin, the value field would be network-operator vdc-admin. This subattribute, which the TACACS+ server sends in the VSA portion of the Access-Accept frames, can only be used with the shell protocol value. The following examples show the roles attribute as supported by Cisco ACS:

shell:roles=network-operator vdc-admin

shell:roles*network-operator vdc-admin

Note

When you specify a VSA as shell:roles*"network-operator vdc-admin", this VSA is flagged as an optional attribute and other Cisco devices ignore this attribute.

accountinginfo
Stores accounting information in addition to the attributes covered by a standard TACACS+ accounting protocol. This attribute is sent only in the VSA portion of the Account-Request frames from the TACACS+ client on the switch. It can be used only with the accounting protocol data units (PDUs).
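
As an added example, not code from this guide or from Cisco, the following Python parses cisco-av-pair strings in the protocol:attribute separator value format described above, distinguishes mandatory (=) from optional (*) attributes, enforces the protocol/attribute pairings the guide lists (roles only with shell, accountinginfo only with accounting), and collects the role list from shell:roles. honor_optional=False mimics devices that ignore optional attributes, as the note above describes. The sample reply and all function names are constructed.

```python
import re
from dataclasses import dataclass

# Protocol -> attributes the guide lists as supported by Cisco NX-OS.
SUPPORTED_ATTRIBUTES = {
    "shell": {"roles"},
    "accounting": {"accountinginfo"},
}

# protocol : attribute separator value, where '=' marks a mandatory attribute
# and '*' an optional one.
_AV_PAIR_RE = re.compile(
    r"^(?P<protocol>[^:=*]+):(?P<attribute>[^=*]+)(?P<sep>[=*])(?P<value>.*)$", re.S)


@dataclass(frozen=True)
class AVPair:
    protocol: str
    attribute: str
    value: str
    mandatory: bool


def parse_av_pair(raw: str) -> AVPair:
    """Parse one cisco-av-pair value. A value that contains white space may be
    enclosed in double quotation marks; the quotes are stripped here."""
    m = _AV_PAIR_RE.match(raw.strip())
    if not m:
        raise ValueError(f"not a cisco-av-pair: {raw!r}")
    value = m.group("value").strip()
    if len(value) >= 2 and value[0] == '"' and value[-1] == '"':
        value = value[1:-1]
    return AVPair(
        protocol=m.group("protocol").strip().lower(),
        attribute=m.group("attribute").strip().lower(),
        value=value,
        mandatory=m.group("sep") == "=",
    )


def check_supported(av: AVPair) -> None:
    """Reject protocol/attribute combinations the guide does not support,
    for example roles sent under the accounting protocol."""
    allowed = SUPPORTED_ATTRIBUTES.get(av.protocol)
    if allowed is None:
        raise ValueError(f"unsupported VSA protocol {av.protocol!r}")
    if av.attribute not in allowed:
        raise ValueError(
            f"attribute {av.attribute!r} is not valid with protocol {av.protocol!r}")


def roles_from_av_pairs(av_pairs: list, honor_optional: bool = True) -> list:
    """Collect the NX-OS roles granted by shell:roles attributes in an
    authorization reply, in order of first appearance and without duplicates.
    honor_optional=False drops attributes flagged with '*', which is how the
    guide says other Cisco devices treat them."""
    roles = []
    for raw in av_pairs:
        av = parse_av_pair(raw)
        check_supported(av)
        if av.protocol != "shell" or av.attribute != "roles":
            continue
        if not av.mandatory and not honor_optional:
            continue
        for role in av.value.split():
            if role not in roles:
                roles.append(role)
    return roles


if __name__ == "__main__":
    # Constructed reply using the two forms shown in the guide.
    reply = ["shell:roles=network-operator vdc-admin",
             'shell:roles*"network-operator vdc-admin"']
    print(roles_from_av_pairs(reply))                            # ['network-operator', 'vdc-admin']
    print(roles_from_av_pairs([reply[1]], honor_optional=False))  # []
```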

Licensing Requirements for TACACS+

The following table shows the licensing requirements for this feature:

Product: Cisco DCNM
License Requirement: TACACS+ requires no license. Any feature not included in a license package is bundled with the Cisco DCNM and is provided at no charge to you. For an explanation of the Cisco DCNM licensing scheme, see the Cisco DCNM Installation and Licensing Guide, Release 5.x.

Product: Cisco NX-OS
License Requirement: TACACS+ requires no license. Any feature not included in a license package is bundled with the Cisco NX-OS system images and is provided at no extra charge to you. For an explanation of the Cisco NX-OS licensing scheme for your platform, see the licensing guide for your platform.

Prerequisites for TACACS+

The following prerequisites are required for using this feature on Cisco DCNM. For a full list of feature-specific prerequisites, see the platform-specific documentation.

  • System-message logging levels for TACACS+ must meet or exceed Cisco DCNM requirements. During device discovery, Cisco DCNM detects inadequate logging levels and raises them to the minimum requirements. Cisco Nexus 7000 Series switches that run Cisco NX-OS Release 4.0 are an exception. For Cisco NX-OS Release 4.0, prior to device discovery, use the command-line interface to configure logging levels to meet or exceed Cisco DCNM requirements. For more information, see the Cisco DCNM Fundamentals Guide, Release 5.x.

Platform Support for TACACS+

The following platforms support this feature but may implement it differently. For platform-specific information, including guidelines and limitations, system defaults, and configuration limits, see the corresponding documentation.

Platform                            Documentation
Cisco Nexus 1000V Series Switches   Cisco Nexus 1000V Series Switches Documentation
Cisco Nexus 3000 Series Switches    Cisco Nexus 3000 Series Switches Documentation
Cisco Nexus 4000 Series Switches    Cisco Nexus 4000 Series Switches Documentation
Cisco Nexus 5000 Series Switches    Cisco Nexus 5000 Series Switches Documentation
Cisco Nexus 7000 Series Switches    Cisco Nexus 7000 Series Switches Documentation

Configuring TACACS+

This section describes how to configure TACACS+ on a Cisco NX-OS device.

Note

If you are familiar with the Cisco IOS CLI, be aware that the Cisco NX-OS commands for this feature might differ from the Cisco IOS commands that you would use.

TACACS+ Server Configuration Process

Procedure
  Step 1   Enable TACACS+.
  Step 2   Establish the TACACS+ server connections to the Cisco NX-OS device.
  Step 3   Configure the secret keys for the TACACS+ servers.
  Step 4   If needed, configure TACACS+ server groups with subsets of the TACACS+ servers for AAA authentication methods.
  Step 5   (Optional) Configure the TCP port.
  Step 6   (Optional) If needed, configure periodic TACACS+ server monitoring.

Enabling TACACS+

By default, the TACACS+ feature is disabled on the device. You must explicitly enable the TACACS+ feature to access the configuration and verification commands for authentication.

Procedure
  Step 1   From the Feature Selector pane, choose Security > AAA > Server Groups.
  Step 2   From the Summary pane, click the device.
  Step 3   From the menu bar, choose Actions > Enable TACACS.
  Step 4   From the menu bar, choose File > Deploy to apply your changes to the device.

Adding a TACACS+ Server Host

To access a remote TACACS+ server, you must add the TACACS+ server hosts and configure the IP address or the hostname for the TACACS+ server on the device. You can add up to 64 TACACS+ servers.

Note

By default, when you configure a TACACS+ server IP address or hostname on the Cisco NX-OS device, the TACACS+ server is added to the default TACACS+ server group. You can also add the TACACS+ server to another TACACS+ server group.

Before You Begin

Obtain the IPv4 or IPv6 addresses or the hostnames for the remote TACACS+ servers.

Procedure
  Step 1   From the Feature Selector pane, choose Security > AAA > Server Groups.
  Step 2   From the Summary pane, double-click the device to display the server groups.
  Step 3   Click Default TACACS Server Group.
  Step 4   From the menu bar, choose Actions > Add Server. The Server Details appear in the Details pane.
  Step 5   In the Server field, enter the TACACS+ server IPv4 address, IPv6 address, or hostname.
  Step 6   From the Server drop-down list, choose IPv4 address, IPv6 address, or hostname as the server identifier type that matches what you entered.
  Note: If the server identifier format matches the identifier type selected, Cisco DCNM outlines the Server field in yellow to indicate that it is correct. If the server identifier format does not match the identifier type, Cisco DCNM outlines the Server field in red to indicate an error. Change the address or the address type to correct this problem.
  Step 7   (Optional) In the Authentication Port field, enter a new TCP port number or clear it to disable authentication. The default authentication TCP port is 49.
  Step 8   (Optional) In the Test area, you can enter a username, password, and idle time interval in minutes for periodic server host monitoring. The default username is test, the default password is test, and the default idle time interval is 0 minutes, which disables periodic monitoring.
  Step 9   From the menu bar, choose File > Deploy to apply your changes to the device.

Copying a TACACS+ Server Host

You can copy the configuration of a TACACS+ server host from one TACACS+ server group to another server group, either on the same Cisco NX-OS device or on another Cisco NX-OS device.

Before You Begin

Ensure that you have configured the server in the default TACACS+ server group.

Ensure that you have created the target TACACS+ server group.

Procedure
  Step 1   From the Feature Selector pane, choose Security > AAA > Server Groups.
  Step 2   From the Summary pane, double-click the device to display the server groups.
  Step 3   Double-click Default TACACS Server Group. The list of TACACS+ server hosts appears.
  Step 4   Click the TACACS+ server host you want to copy.
  Step 5   From the menu bar, choose Actions > Copy. The TACACS+ server host appears in the list of servers for the server group.
  Step 6   Click the destination TACACS+ server group.
  Note: You can copy the server host configuration to a server group within the same device or in another device.
  Step 7   From the menu bar, choose Actions > Paste.
  Step 8   From the menu bar, choose File > Deploy to apply your changes to the device.

Deleting a TACACS+ Server Host

You can delete a TACACS+ server host from a server group.

Procedure
  Step 1   From the Feature Selector pane, choose Security > AAA > Server Groups.
  Step 2   From the Summary pane, double-click the device to display the server groups.
  Step 3   Double-click the server group to display the list of server hosts.
  Step 4   Click the TACACS+ server host to delete.
  Step 5   From the menu bar, choose Actions > Delete Server and click Yes on the confirmation dialog. The TACACS+ server host disappears from the list.
  Step 6   From the menu bar, choose File > Deploy to apply your changes to the device.

Configuring a Global TACACS+ Key

You can configure secret keys at the global level for all servers used by the device. A secret key is a shared secret text string between the device and the TACACS+ server hosts.

Before You Begin

Obtain the secret key values for the remote TACACS+ servers.

Procedure
  Step 1   From the Feature Selector pane, choose Security > AAA > Server Groups.
  Step 2   From the Summary pane, double-click the device to display the server groups.
  Step 3   Click Default TACACS Server Group.
  Step 4   From the Details pane, click the Global Settings tab.
  Step 5   In the Key field, enter the secret key.
  Step 6   (Optional) Check Encrypt to encrypt the key. The default is clear text. The Cisco NX-OS software encrypts a clear text key before saving it to the running configuration.
  Step 7   From the menu bar, choose File > Deploy to apply your changes to the device.

Configuring a Key for a Specific TACACS+ Server

You can configure secret keys for a TACACS+ server. A secret key is a shared secret text string between the Cisco NX-OS device and the TACACS+ server host.

Before You Begin

Configure one or more TACACS+ server hosts.

Obtain the secret key values for the remote TACACS+ servers.

Procedure
  Step 1   From the Feature Selector pane, choose Security > AAA > Server Groups.
  Step 2   From the Summary pane, double-click the device to display the server groups.
  Step 3   Double-click Default TACACS Server Group to display the list of TACACS+ servers.
  Step 4   Click the desired TACACS+ server.
  Step 5   From the Details pane, click the Server Details tab.
  Step 6   Check Override Defaults.
  Step 7   In the Key field, enter the secret key. The default is the global secret key.
  Step 8   (Optional) Check Encrypt to encrypt the key. The default is clear text.
  Step 9   From the menu bar, choose File > Deploy to apply your changes to the device.

Adding a TACACS+ Server Group

You can reference one or more remote AAA servers to authenticate users using server groups. All members of a group must use the TACACS+ protocol. The servers are tried in the same order in which you configure them.

You can configure these server groups at any time, but they only take effect when you apply them to an AAA service.

Before You Begin

Configure one or more TACACS+ server hosts.

Procedure
  Step 1   From the Feature Selector pane, choose Security > AAA > Server Groups.
  Step 2   From the Summary pane, click the device.
  Step 3   From the menu bar, choose Actions > Add Server Group. A new line appears at the end of the server group list for the device and the Details tab appears in the Details pane.
  Step 4   In the Server Group Name field, enter the name and press the Enter key. The server group name is a case-sensitive alphanumeric string with a maximum length of 127 characters.
  Step 5   (Optional) In the Dead time(mins) field, enter the number of minutes for the dead-time interval. The default dead-time interval is 0 minutes.
  Step 6   In the VRF Name field, click the down arrow to display the VRF Name dialog and click a VRF. Click OK.
  Step 7   From the menu bar, choose File > Deploy to apply your changes to the device.

Adding a TACACS+ Server Host to a TACACS+ Server Group

You can add a TACACS+ server host to a TACACS+ server group.

Before You Begin

Ensure that you have added the TACACS+ server host to the Default TACACS+ Server Group.

Procedure
  Step 1   From the Feature Selector pane, choose Security > AAA > Server Groups.
  Step 2   From the Summary pane, double-click the device to display the server groups.
  Step 3   Click a TACACS+ server group.
  Step 4   From the menu bar, choose Actions > Add Server. The Server Details appear in the Details pane.
  Step 5   In the Server field, enter the TACACS+ server IPv4 address, IPv6 address, or hostname.
  Step 6   From the Server drop-down list, choose IPv4 address, IPv6 address, or hostname as the server identifier type that matches what you entered.
  Note: If the server identifier format matches the identifier type selected, Cisco DCNM outlines the Server field in yellow to indicate that it is correct. If the server identifier format does not match the identifier type, Cisco DCNM outlines the Server field in red to indicate an error. Change the address or the address type to correct this problem.
  Step 7   From the menu bar, choose File > Deploy to apply your changes to the device.

Deleting a TACACS+ Server Host from a TACACS+ Server Group

You can delete a TACACS+ server host from a TACACS+ server group.

Procedure
  Step 1   From the Feature Selector pane, choose Security > AAA > Server Groups.
  Step 2   From the Summary pane, double-click the device to display the server groups.
  Step 3   Double-click the server group to display the list of server hosts.
  Step 4   Click the TACACS+ server host to delete.
  Step 5   From the menu bar, choose Actions > Delete Server and click Yes on the confirmation dialog. The TACACS+ server host disappears from the list.
  Step 6   From the menu bar, choose File > Deploy to apply your changes to the device.

Deleting a TACACS+ Server Group

You can delete a TACACS+ server group.

Procedure
  Step 1   From the Feature Selector pane, choose Security > AAA > Server Groups.
  Step 2   From the Summary pane, double-click the device to display the list of server groups.
  Step 3   Click the TACACS+ server group to delete.
  Step 4   From the menu bar, choose Actions > Delete Server Group and click Yes in the confirmation dialog. The server group disappears from the server group list.
  Step 5   From the menu bar, choose File > Deploy to apply your changes to the device.

Configuring the Global Source Interface for TACACS+ Server Groups

You can configure a global source interface for TACACS+ server groups to use when accessing TACACS+ servers. This configuration forces the TACACS+ servers to use the IP address of the source interface for all outgoing TACACS+ packets. By default, the Cisco NX-OS software uses any available interface.

Before You Begin

Make sure that you are in the correct VDC.

Procedure
  Step 1   From the Feature Selector pane, choose Security > AAA > Server Groups. The available devices appear in the Summary pane.
  Step 2   From the Summary pane, double-click the device to display the server groups.
  Step 3   Click Default TACACS Server Group.
  Step 4   From the Details pane, click the Global Settings tab.
  Step 5   From the Source Interface drop-down list, choose an Ethernet interface, a loopback interface, a port-channel interface, a tunnel interface, a VLAN interface, or the management interface (mgmt 0).
  Step 6   Click OK.
  Step 7   From the menu bar, choose File > Deploy to apply your changes to the device.

Configuring a Source Interface for a Specific TACACS+ Server Group

You can configure a source interface for a specific TACACS+ server group to use when accessing TACACS+ servers. This configuration forces the TACACS+ servers to use the IP address of the source interface for all outgoing TACACS+ packets.

Note

This configuration overrides the global source interface for this server group.

Before You Begin

Make sure that you are in the correct VDC.

Enable TACACS+.

Procedure
  Step 1   From the Feature Selector pane, choose Security > AAA > Server Groups. The available devices appear in the Summary pane.
  Step 2   From the Summary pane, double-click the device to display the server groups.
  Step 3   Click the desired TACACS+ server group.
  Step 4   From the Details pane, click the Details tab.
  Step 5   From the Source Interface drop-down list, choose an Ethernet interface, a loopback interface, a port-channel interface, a tunnel interface, a VLAN interface, or the management interface (mgmt 0).
  Step 6   Click OK.
  Step 7   From the menu bar, choose File > Deploy to apply your changes to the device.

Allowing Users to Specify a TACACS+ Server at Login

You can configure the switch to allow the user to specify which TACACS+ server the authentication request is sent to by enabling the directed-request option. By default, a device forwards an authentication request based on the default AAA authentication method. If you enable this option, the user can log in as username@vrfname:hostname, where vrfname is the VRF to use and hostname is the name of a configured TACACS+ server.

Note

If you enable the directed-request option, the device uses only the TACACS+ method for authentication and not the default local method.

Note

User-specified logins are supported only for Telnet sessions.

Procedure
  Step 1   From the Feature Selector pane, choose Security > AAA > Server Groups.
  Step 2   From the Summary pane, double-click the device to display the server groups.
  Step 3   Click Default TACACS Server Group.
  Step 4   From the Details pane, click the Global Settings tab.
  Step 5   Check Direct Req.
  Step 6   From the menu bar, choose File > Deploy to apply your changes to the device.

Configuring the Global TACACS+ Timeout Interval

You can set a global timeout interval, which is how long the device waits for a response from any TACACS+ server before declaring a timeout failure.

Procedure
  Step 1   From the Feature Selector pane, choose Security > AAA > Server Groups.
  Step 2   From the Summary pane, double-click the device to display the server groups.
  Step 3   Click Default TACACS Server Group.
  Step 4   From the Details pane, click the Global Settings tab.
  Step 5   In the Time out(secs) field, enter the number of seconds for the timeout interval. The default is 5 seconds.
  Step 6   From the menu bar, choose File > Deploy to apply your changes to the device.

Configuring the Timeout Interval for a TACACS+ Server

You can set a per-server timeout interval, which is how long the device waits for a response from that TACACS+ server before declaring a timeout failure.

Before You Begin

Configure one or more TACACS+ server hosts.

Procedure
  Step 1   From the Feature Selector pane, choose Security > AAA > Server Groups.
  Step 2   From the Summary pane, double-click the device to display the server groups.
  Step 3   Double-click Default TACACS Server Group to display the list of TACACS+ servers.
  Step 4   Click the desired TACACS+ server.
  Step 5   From the Details pane, click the Server Details tab.
  Step 6   Check Override Defaults.
  Step 7   In the Timeout(secs) field, enter the number of seconds for the timeout interval. The default is 5 seconds.
  Step 8   From the menu bar, choose File > Deploy to apply your changes to the device.

                                  Configuring TCP Ports

                                  You can configure another TCP port for the TACACS+ servers if there are conflicts with another application. By default, devices use port 49 for all TACACS+ requests.

                                  Before You Begin

                                  Configure one or more TACACS+ server hosts.

                                  Procedure
                                    Step 1   From the Feature Selector pane, choose Security > AAA > Server Groups.
                                    Step 2   From the Summary pane, double-click the device to display the server groups.
                                    Step 3   Double-click Default TACACS Server Group to display the list of TACACS+ servers.
                                    Step 4   Click the desired TACACS+ server.
                                    Step 5   From the Details pane, click the Server Details tab.
                                    Step 6   In the Authentication Port field, enter a new TCP port number or clear it to disable authentication. The default authentication TCP port is 49.
                                    Step 7   From the menu bar, choose File > Deploy to apply your changes to the device.


                                    Configuring Periodic TACACS+ Server Monitoring

You can monitor the availability of TACACS+ servers. The monitoring parameters are the username and password that the device uses for the test login and an idle timer. You can configure this option to test servers periodically, or you can run a one-time only test.


                                    Note


                                    To protect network security, we recommend that you use a username that is not the same as an existing username in the TACACS+ database.


                                    The test idle timer specifies the interval in which a TACACS+ server receives no requests before the device sends out a test packet.


                                    Note


                                    The default idle timer value is 0 minutes. When the idle time interval is 0 minutes, periodic TACACS+ server monitoring does not occur.


                                    Before You Begin

                                    Configure one or more TACACS+ server hosts.

                                    Procedure
                                      Step 1   From the Feature Selector pane, choose Security > AAA > Server Groups.
                                      Step 2   From the Summary pane, double-click the device to display the server groups.
                                      Step 3   Double-click Default TACACS Server Group to display the list of TACACS+ servers.
                                      Step 4   Click the desired TACACS+ server.
                                      Step 5   From the Details pane, click the Server Details tab.
                                      Step 6   In the User Name field, enter a username.
                                      Step 7   In the Password field, enter a password.
                                      Step 8   In the Idle Time field, enter the number of minutes for periodic monitoring.
                                      Step 9   From the menu bar, choose File > Deploy to apply your changes to the device.
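The test packet that periodic monitoring sends, and every request the device sends to the authentication port configured in Configuring TCP Ports, is an ordinary TACACS+ packet. The following Python is added here as an example (it is not DCNM or NX-OS code) and builds and parses a TACACS+ authentication START packet per RFC 8907, applying the MD5-based body obfuscation keyed by the shared secret that the Key field configures. The username, password, key, port name and remote address are made-up values. It also shows what a capture contains when the unencrypted flag is set, which is why the key matters and why the note above recommends a dedicated test username rather than a real administrator account.

```python
"""Build and parse a TACACS+ authentication START packet (RFC 8907) with the
shared-key body obfuscation.  Added example, not DCNM or NX-OS code; all
names, addresses and secrets below are made up."""
import hashlib
import os
import struct

TAC_PLUS_MAJOR_VER = 0xC
TAC_PLUS_TYPE_AUTHEN = 0x01
TAC_PLUS_UNENCRYPTED_FLAG = 0x01
TAC_PLUS_AUTHEN_LOGIN = 0x01
TAC_PLUS_AUTHEN_TYPE_PAP = 0x02
TAC_PLUS_AUTHEN_SVC_LOGIN = 0x01
HEADER_FMT = "!BBBBII"  # version, type, seq_no, flags, session_id, body length
HEADER_LEN = struct.calcsize(HEADER_FMT)  # 12 bytes
START_FMT = "!BBBBBBBB"  # action, priv_lvl, authen_type, service, 4 length bytes


def pseudo_pad(session_id: int, key: bytes, version: int, seq_no: int, length: int) -> bytes:
    """Keystream from RFC 8907 section 4.5: MD5_1 = MD5(session_id, key, version,
    seq_no); MD5_n = MD5(session_id, key, version, seq_no, MD5_n-1); concatenated."""
    prefix = struct.pack("!I", session_id) + key + bytes([version, seq_no])
    pad, prev = b"", b""
    while len(pad) < length:
        prev = hashlib.md5(prefix + prev).digest()
        pad += prev
    return pad[:length]


def xor_body(body: bytes, session_id: int, key: bytes, version: int, seq_no: int) -> bytes:
    """Obfuscate or de-obfuscate a body (XOR with the pad is its own inverse)."""
    pad = pseudo_pad(session_id, key, version, seq_no, len(body))
    return bytes(b ^ p for b, p in zip(body, pad))


def build_authen_start(username: str, password: str, key: bytes, session_id=None,
                       port: bytes = b"tty0", rem_addr: bytes = b"192.0.2.10",
                       priv_lvl: int = 1, obfuscate: bool = True) -> bytes:
    """PAP login START.  PAP requires minor version 1, so the version byte is 0xC1."""
    version = (TAC_PLUS_MAJOR_VER << 4) | 1
    seq_no = 1  # the client sends the odd sequence numbers, starting at 1
    user, data = username.encode(), password.encode()
    body = struct.pack(START_FMT, TAC_PLUS_AUTHEN_LOGIN, priv_lvl,
                       TAC_PLUS_AUTHEN_TYPE_PAP, TAC_PLUS_AUTHEN_SVC_LOGIN,
                       len(user), len(port), len(rem_addr), len(data))
    body += user + port + rem_addr + data
    if session_id is None:
        session_id = struct.unpack("!I", os.urandom(4))[0]
    flags = 0 if obfuscate else TAC_PLUS_UNENCRYPTED_FLAG
    header = struct.pack(HEADER_FMT, version, TAC_PLUS_TYPE_AUTHEN, seq_no,
                         flags, session_id, len(body))
    if obfuscate:
        body = xor_body(body, session_id, key, version, seq_no)
    return header + body


def parse_authen_start(packet: bytes, key: bytes) -> dict:
    """Decode a START packet.  Raises ValueError if it is malformed or the key
    is wrong (the recovered length fields then no longer add up)."""
    if len(packet) < HEADER_LEN:
        raise ValueError("truncated TACACS+ header")
    version, ptype, seq_no, flags, session_id, length = struct.unpack(
        HEADER_FMT, packet[:HEADER_LEN])
    if ptype != TAC_PLUS_TYPE_AUTHEN or len(packet) != HEADER_LEN + length or length < 8:
        raise ValueError("not a well-formed TACACS+ authentication packet")
    body = packet[HEADER_LEN:]
    if not flags & TAC_PLUS_UNENCRYPTED_FLAG:
        body = xor_body(body, session_id, key, version, seq_no)
    action, priv, atype, svc, ulen, plen, rlen, dlen = struct.unpack(START_FMT, body[:8])
    if 8 + ulen + plen + rlen + dlen != length or action != TAC_PLUS_AUTHEN_LOGIN:
        raise ValueError("body does not decode: wrong shared key?")
    off, fields = 8, []
    for n in (ulen, plen, rlen, dlen):
        fields.append(body[off:off + n].decode("utf-8"))  # UnicodeDecodeError is a ValueError
        off += n
    user, port, rem, data = fields
    return {"version": version, "seq_no": seq_no, "action": action, "priv_lvl": priv,
            "authen_type": atype, "service": svc, "user": user, "port": port,
            "rem_addr": rem, "data": data}


def key_matches(packet: bytes, key: bytes) -> bool:
    """True if the packet decodes cleanly under this key."""
    try:
        parse_authen_start(packet, key)
        return True
    except ValueError:
        return False


if __name__ == "__main__":
    pkt = build_authen_start("tacacs-probe", "s3cret", b"SharedKey1")
    print(pkt.hex())
    print(parse_authen_start(pkt, b"SharedKey1"))
```

Two things worth noticing: the obfuscation is a per-session keystream derived from the key with MD5, not authenticated encryption, so a wrong key on one side is only detected because the decoded length fields stop adding up; and with TAC_PLUS_UNENCRYPTED_FLAG set the password of the test account travels in clear text on TCP port 49, so the test account should exist only for monitoring and carry no privileges.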


                                      Configuring the TACACS+ Dead-Time Interval

                                      You can configure the dead-time interval for all TACACS+ servers. The dead-time interval specifies the time that the device waits, after declaring a TACACS+ server is dead, before sending out a test packet to determine if the server is now alive.


                                      Note


                                      When the dead-timer interval is 0 minutes, TACACS+ servers are not marked as dead even if they are not responding. You can configure the dead-timer per group.


                                      Procedure
                                        Step 1   From the Feature Selector pane, choose Security > AAA > Server Groups.
                                        Step 2   From the Summary pane, double-click the device to display the server groups.
                                        Step 3   Click Default TACACS Server Group.
                                        Step 4   From the Details pane, click the Global Settings tab.
                                        Step 5   In the Dead time(mins) field, enter the number of minutes. The default is 0 minutes.
                                        Step 6   From the menu bar, choose File > Deploy to apply your changes to the device.
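The timeout, dead-time and idle-time settings from the preceding sections decide how long a login hangs when a TACACS+ server goes down. The following Python is an added example, a simulation of the behaviour the text describes rather than NX-OS or DCNM code, with made-up server names: it shows that with the default dead time of 0 every login burns the full timeout on the dead server, that a non-zero dead time lets later logins skip it until the dead timer expires, and that a non-zero idle time lets the test login detect the outage before a user does.

```python
"""Model of how Time out(secs), Dead time(mins) and Idle Time interact when a
TACACS+ server stops answering.  Added example: a simulation of the behaviour
the text describes, not NX-OS or DCNM code; server names are made up."""
from dataclasses import dataclass
from typing import List, Optional, Tuple


@dataclass
class TacacsServer:
    name: str
    reachable: bool = True      # whether the (simulated) daemon answers
    dead_until: float = 0.0     # device skips this server while now < dead_until
    last_request: float = 0.0   # feeds the idle timer


@dataclass
class AaaClientModel:
    servers: List[TacacsServer]
    timeout_s: float = 5.0        # Time out(secs); default 5
    dead_time_min: float = 0.0    # Dead time(mins); default 0 = never mark dead
    idle_time_min: float = 0.0    # Idle Time; default 0 = no periodic test

    def _mark_dead(self, srv: TacacsServer, now: float) -> None:
        if self.dead_time_min > 0:
            srv.dead_until = now + self.dead_time_min * 60

    def authenticate(self, now: float) -> Tuple[Optional[str], float]:
        """Try servers in group order.  Returns (server that answered, or None,
        and the seconds the user waited on timeouts before getting an answer)."""
        waited = 0.0
        for srv in self.servers:
            t = now + waited
            if t < srv.dead_until:
                continue                      # skipped without waiting
            srv.last_request = t
            if srv.reachable:
                return srv.name, waited
            waited += self.timeout_s          # full timeout burned on this server
            self._mark_dead(srv, now + waited)
        return None, waited                   # no server in the group answered

    def periodic_test(self, now: float) -> List[Tuple[str, bool]]:
        """Send the test login to every server whose idle timer has expired.
        Returns (server, alive) for each server actually tested."""
        results = []
        if self.idle_time_min <= 0:
            return results                    # idle time 0: no monitoring
        for srv in self.servers:
            if now - srv.last_request < self.idle_time_min * 60:
                continue
            srv.last_request = now
            results.append((srv.name, srv.reachable))
            if srv.reachable:
                srv.dead_until = 0.0
            else:
                self._mark_dead(srv, now)
        return results


def make_model(dead_time_min: float, idle_time_min: float = 0.0) -> AaaClientModel:
    """Two-server group with the first server down; other settings at their defaults."""
    return AaaClientModel([TacacsServer("tac-a", reachable=False), TacacsServer("tac-b")],
                          dead_time_min=dead_time_min, idle_time_min=idle_time_min)


if __name__ == "__main__":
    for dt in (0.0, 5.0):
        m = make_model(dead_time_min=dt)
        print(f"dead time {dt} min:", [m.authenticate(now) for now in (0.0, 10.0, 400.0)])
```

The model only encodes what the text states (timeout per server, dead timer as a skip window, idle timer as a trigger for the test login); it does not claim anything about how NX-OS falls back to other authentication methods when no server answers.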


                                        Disabling TACACS+

                                        You can disable TACACS+.


                                        Caution


                                        When you disable TACACS+, all related configurations are automatically discarded.


                                        Procedure
                                          Step 1   From the Feature Selector pane, choose Security > AAA > Server Groups.
                                          Step 2   From the Summary pane, click the device.
                                          Step 3   From the menu bar, choose Actions > Disable TACACS.
                                          Step 4   From the menu bar, choose File > Deploy to apply your changes to the device.


                                          Displaying TACACS+ Statistics

                                          You can display the statistics that the device maintains for TACACS+ activity.

                                          Before You Begin

                                          Configure one or more TACACS+ server hosts.

                                          Procedure
                                            Step 1   From the Feature Selector pane, choose Security > AAA > Server Groups.
                                            Step 2   From the Summary pane, double-click the device to display the server groups.
                                            Step 3   Double-click Default TACACS Server Group to display the list of TACACS+ servers.
                                            Step 4   Click the desired TACACS+ server.
                                            Step 5   From the Details pane, click the Statistics tab.

                                            Where to Go Next

                                            You can now configure AAA authentication methods to include the server groups.

                                            Field Descriptions for TACACS+ Server Groups and Servers

                                            This section describes the fields for TACACS+ in Cisco DCNM.

                                            Security: AAA: Server Groups: Summary Pane

                                            Table 1 Security: AAA: Server Groups: Summary Pane

                                            Fields

                                            Description

                                            Authentication Port

TCP port number for authentication traffic for the servers. The default is 49.

Accounting Port

TCP port used for accounting for the servers.

                                            Timeout

                                            Number of seconds for the timeout interval for the servers. The default is 5 seconds.

                                            Status

                                            Status of the servers.

                                            Security: AAA: Server Groups: device: Default TACACS Server Group: Global Settings Tab

                                            Table 2  Security: AAA: Server Groups: device: Default TACACS Server Group: Global Settings Tab

                                            Field

                                            Description

                                            Server Group Type

                                            TACACS+ for the server group type.

                                            Time out(secs)

                                            Number of seconds for the timeout interval. The default is 5 seconds.

                                            Key

                                            Secret global key.

                                            Source Interface

                                            Source interface for a specific TACACS+ server group to use when accessing TACACS+ servers. The options are an Ethernet interface, a loopback interface, or the management interface (mgmt 0).

                                            Dead time(mins)

Number of minutes for the dead-time interval. The default is 0 minutes.

                                            Direct Req

                                            Users can specify a TACACS+ server at login.

                                            Security: AAA: Server Groups: device: Default TACACS Server Group: server: Server Details Tab

                                            Table 3  Security: AAA: Server Groups: device: Default TACACS Server Group: server: Server Details Tab

                                            Fields

                                            Description

                                            General

                                            Server Type

                                            TACACS+ for the server type.

                                            Server

                                            Server IPv4 address, IPv6 address, or alphanumeric name and the server name type.

                                            Authentication Port

                                            TCP port number for authentication traffic. The default is 49.

                                            Accounting Port

                                            TCP port used for accounting.

                                            Test

                                            User Name

                                            Username for periodic monitoring of the TACACS+ server.

                                            Password

                                            Password for periodic monitoring of the TACACS+ server.

                                            Idle Time

                                            Number of minutes for the idle time interval for periodic monitoring of the TACACS+ server. The default is 0, which disables periodic monitoring.

                                            Override Default

                                            Global values that you can override and configure for the TACACS+ server. The default is to use the global values.

                                            Key

                                            Secret server key for the TACACS+ server.

                                            Encrypt

                                            Secret server key encryption status. The default is clear text.

                                            Timeout(secs)

                                            Number of seconds for the timeout interval. The default is 5 seconds.

                                            Security: AAA: Server Groups: device: server group: Details Tab

                                            Table 4  Security: AAA: Server Groups: device: server group : Details Tab

                                            Fields

                                            Description

                                            Type

Displays TACACS+ for the server group type.

                                            Server Group Name

                                            Displays the server group name.

                                            Dead time(mins)

                                            Number of minutes for the dead-time interval for the server group. The default is 0 minutes.

                                            VRF Name

                                            VRF name.

                                            Source Interface

Source interface for a specific TACACS+ server group to use when accessing TACACS+ servers. The options are an Ethernet interface, a loopback interface, or the management interface (mgmt 0).

                                            Additional References for TACACS+

                                            This section includes additional information related to implementing TACACS+.

                                            Related Documents

Related Topic | Document Title
Cisco NX-OS licensing | Cisco NX-OS Licensing Guide
Cisco DCNM licensing | Cisco DCNM Installation and Licensing Guide, Release 5.x
VRF configuration | Unicast Configuration Guide, Cisco DCNM for LAN, Release 5.x; Cisco DCNM Unicast Routing Configuration Guide, Release 5.x

                                            Standards

                                            Standards

                                            Title

                                            No new or modified standards are supported by this feature, and support for existing standards has not been modified by this feature.

                                            MIBs

                                            MIBs

                                            MIBs Link

                                            • CISCO-AAA-SERVER-MIB
                                            • CISCO-AAA-SERVER-EXT-MIB

                                            To locate and download MIBs, go to the following URL:

                                            http://www.cisco.com/public/sw-center/netmgmt/cmtk/mibs.shtml

                                            Feature History for TACACS+

                                            This table lists the release history for this feature.

Table 5  Feature History for TACACS+

Feature Name | Releases | Feature Information
TACACS+ | 5.2(1) | Added support for the Cisco Nexus 3000 Series Switches.
TACACS+ | 5.1(1) | No change from Release 5.0.
TACACS+ server groups | 5.0(2) | Added support for configuring the global source interface for all TACACS+ server groups.
TACACS+ server groups | 5.0(2) | Added support for configuring a source interface for a specific TACACS+ server group.
TACACS+ | 4.2(1) | No change from Release 4.1.