Contents

Configuring TACACS+

This chapter contains the following sections:

About Configuring TACACS+

Information About TACACS+

The Terminal Access Controller Access Control System Plus (TACACS+) security protocol provides centralized validation of users attempting to gain access to a Cisco Nexus 5000 Series switch. TACACS+ services are maintained in a database on a TACACS+ daemon typically running on a UNIX or Windows NT workstation. You must have access to and must configure a TACACS+ server before the configured TACACS+ features on your Cisco Nexus 5000 Series switch are available.

TACACS+ provides for separate authentication, authorization, and accounting facilities. TACACS+ allows for a single access control server (the TACACS+ daemon) to provide each service (authentication, authorization, and accounting) independently. Each service is associated with its own database to take advantage of other services available on that server or on the network, depending on the capabilities of the daemon.

The TACACS+ client/server protocol uses TCP (TCP port 49) for transport requirements. Cisco Nexus 5000 Series switches provide centralized authentication using the TACACS+ protocol.

TACACS+ Advantages

TACACS+ has the following advantages over RADIUS authentication:

  • Provides independent AAA facilities. For example, the Cisco Nexus 5000 Series switch can authorize access without authenticating.

  • Uses the TCP transport protocol to send data between the AAA client and server, making reliable transfers with a connection-oriented protocol.

  • Encrypts the entire protocol payload between the switch and the AAA server to ensure higher data confidentiality. The RADIUS protocol only encrypts passwords.

User Login with TACACS+

When a user attempts a Password Authentication Protocol (PAP) login to a Cisco Nexus 5000 Series switch using TACACS+, the following actions occur:

  1. When the Cisco Nexus 5000 Series switch establishes a connection, it contacts the TACACS+ daemon to obtain the username and password.


    Note


    TACACS+ allows an arbitrary conversation between the daemon and the user until the daemon receives enough information to authenticate the user. This action is usually done by prompting for a username and password combination, but may include prompts for other items, such as the user’s mother’s maiden name.


  2. The Cisco Nexus 5000 Series switch will receive one of the following responses from the TACACS+ daemon:

    • ACCEPT—User authentication succeeds and service begins. If the Cisco Nexus 5000 Series switch requires user authorization, authorization begins.

    • REJECT—User authentication failed. The TACACS+ daemon either denies further access to the user or prompts the user to retry the login sequence.

    • ERROR—An error occurred at some time during authentication dither at the daemon or in the network connection between the daemon and the Cisco Nexus 5000 Series switch. If the Cisco Nexus 5000 Series switch receives an ERROR response, the switch tries to use an alternative method for authenticating the user.

    The user also undergoes an additional authorization phase, if authorization has been enabled on the Cisco Nexus 5000 Series switch. Users must first successfully complete TACACS+ authentication before proceeding to TACACS+ authorization.

  3. If TACACS+ authorization is required, the Cisco Nexus 5000 Series switch again contacts the TACACS+ daemon and it returns an ACCEPT or REJECT authorization response. An ACCEPT response contains attributes that are used to direct the EXEC or NETWORK session for that user and determines the services that the user can access.

Services include the following:

    • Telnet, rlogin, Point-to-Point Protocol (PPP), Serial Line Internet Protocol (SLIP), or EXEC services

    • Connection parameters, including the host or client IP address (IPv4 or IPv6), access list, and user timeouts

Default TACACS+ Server Encryption Type and Preshared Key

You must configure the TACACS+ preshared key to authenticate the switch to the TACACS+ server. A preshared key is a secret text string shared between the Cisco Nexus 5000 Series switch and the TACACS+ server host. The length of the key is restricted to 63 characters and can include any printable ASCII characters (white spaces are not allowed). You can configure a global preshared secret key for all TACACS+ server configurations on the Cisco Nexus 5000 Series switch to use.

You can override the global preshared key assignment by explicitly using the key option when configuring an individual TACACS+ server.

TACACS+ Server Monitoring

An unresponsive TACACS+ server can delay the processing of AAA requests. A Cisco Nexus 5000 Series switch can periodically monitor an TACACS+ server to check whether it is responding (or alive) to save time in processing AAA requests. The Cisco Nexus 5000 Series switch marks unresponsive TACACS+ servers as dead and does not send AAA requests to any dead TACACS+ servers. A Cisco Nexus 5000 Series switch periodically monitors dead TACACS+ servers and brings them to the alive state once they are responding. This process verifies that a TACACS+ server is in a working state before real AAA requests are sent its way. Whenever an TACACS+ server changes to the dead or alive state, a Simple Network Management Protocol (SNMP) trap is generated and the Cisco Nexus 5000 Series switch displays an error message that a failure is taking place before it can impact performance.

Figure 1. TACACS+ Server States


Note


The monitoring interval for alive servers and dead servers are different and can be configured by the user. The TACACS+ server monitoring is performed by sending a test authentication request to the TACACS+ server.


Prerequisites for TACACS+

TACACS+ has the following prerequisites:

  • Obtain the IPv4 or IPv6 addresses or host names for the TACACS+ servers.

  • Obtain the preshared keys from the TACACS+ servers, if any.

  • Ensure that the Cisco Nexus 5000 Series switch is configured as a TACACS+ client of the AAA servers.

Guidelines and Limitations for TACACS+

TACACS+ has the following guidelines and limitations:

  • You can configure a maximum of 64 TACACS+ servers on the Cisco Nexus 5000 Series switch.

Configuring TACACS+

TACACS+ Server Configuration Process

To configure TACACS+ servers, perform this task:

SUMMARY STEPS

    1.    Enable TACACS+.

    2.    Establish the TACACS+ server connections to the Cisco Nexus 5000 Series switch.

    3.    Configure the preshared secret keys for the TACACS+ servers.

    4.    If needed, configure TACACS+ server groups with subsets of the TACACS+ servers for AAA authentication methods.

    5.    If needed, configure any of the following optional parameters:

    6.    If needed, configure periodic TACACS+ server monitoring.


DETAILED STEPS
    Step 1   Enable TACACS+.
    Step 2   Establish the TACACS+ server connections to the Cisco Nexus 5000 Series switch.
    Step 3   Configure the preshared secret keys for the TACACS+ servers.
    Step 4   If needed, configure TACACS+ server groups with subsets of the TACACS+ servers for AAA authentication methods.
    Step 5   If needed, configure any of the following optional parameters:
    • Dead-time interval
    • Allow TACACS+ server specification at login
    • Timeout interval
    • TCP port
    Step 6   If needed, configure periodic TACACS+ server monitoring.

    Enabling TACACS+

    By default, the TACACS+ feature is disabled on the Cisco Nexus 5000 Series switch. To explicitly enable the TACACS+ feature to access the configuration and verification commands for authentication, perform this task:

    SUMMARY STEPS

      1.    switch# configure terminal

      2.    switch(config)# feature tacacs+

      3.    switch(config)# exit

      4.    (Optional) switch# copy running-config startup-config


    DETAILED STEPS
       Command or ActionPurpose
      Step 1 switch# configure terminal
       

      Enters configuration mode.

       
      Step 2 switch(config)# feature tacacs+
       

      Enables TACACS+.

       
      Step 3 switch(config)# exit
       

      Exits configuration mode.

       
      Step 4 switch# copy running-config startup-config
       
      (Optional)

      Copies the running configuration to the startup configuration.

       

      Configuring TACACS+ Server Hosts

      To access a remote TACACS+ server, you must configure the IPv4 or IPv6 address or the hostname for the TACACS+ server on the Cisco Nexus 5000 Series switch. All TACACS+ server hosts are added to the default TACACS+ server group.You can configure up to 64 TACACS+ servers.

      If a preshared key is not configured for a configured TACACS+ server, a warning message is issued if a global key is not configured. If a TACACS+ server key is not configured, the global key (if configured) is used for that server.

      Before you configure TACACS+ server hosts, you should do the following:

      • Enable TACACS+.

      • Obtain the IPv4 or IPv6 addresses or the hostnames for the remote TACACS+ servers.

      To configure TACACS+ server hosts, perform this task:

      SUMMARY STEPS

        1.    switch# configure terminal

        2.    switch(config)# tacacs-server host {ipv4-address | ipv6-address | host-name}

        3.    switch(config)# exit

        4.    (Optional) switch# show tacacs-server

        5.    (Optional) switch# copy running-config startup-config


      DETAILED STEPS
         Command or ActionPurpose
        Step 1 switch# configure terminal
         

        Enters configuration mode.

         
        Step 2 switch(config)# tacacs-server host {ipv4-address | ipv6-address | host-name}
         

        Specifies the IPv4 or IPv6 address or hostname for a TACACS+ server.

         
        Step 3 switch(config)# exit
         

        Exits configuration mode.

         
        Step 4 switch# show tacacs-server
         
        (Optional)

        Displays the TACACS+ server configuration.

         
        Step 5 switch# copy running-config startup-config
         
        (Optional)

        Copies the running configuration to the startup configuration.

         

        You can delete a TACACS+ server host from a server group.

        Configuring TACACS+ Global Preshared Keys

        You can configure preshared keys at the global level for all servers used by the Cisco Nexus 5000 Series switch. A preshared key is a shared secret text string between the Cisco Nexus 5000 Series switch and the TACACS+ server hosts.

        Before you configure preshared keys, you should do the following:

        • Enable TACACS+.
        • Obtain the preshared key values for the remote TACACS+ servers.

        To configure global preshared keys, perform this task:

        SUMMARY STEPS

          1.    switch# configure terminal

          2.    switch(config)# tacacs-server key [0 | 7] key-value

          3.    switch(config)# exit

          4.    (Optional) switch# show tacacs-server

          5.    (Optional) switch# copy running-config startup-config


        DETAILED STEPS
           Command or ActionPurpose
          Step 1 switch# configure terminal
           

          Enters configuration mode.

           
          Step 2 switch(config)# tacacs-server key [0 | 7] key-value
           

          Specifies a preshared key for all TACACS+ servers. You can specify a clear text ( 0 ) or encrypted ( 7 ) preshared key. The default format is clear text. The maximum length is 63 characters.

          By default, no preshared key is configured.

           
          Step 3 switch(config)# exit
           

          Exits configuration mode.

           
          Step 4 switch# show tacacs-server
           
          (Optional)

          Displays the TACACS+ server configuration.

          Note   

          The preshared keys are saved in encrypted form in the running configuration. Use the show running-config command to display the encrypted preshared keys.

           
          Step 5 switch# copy running-config startup-config
           
          (Optional)

          Copies the running configuration to the startup configuration.

           

          The following example shows how to configure global preshared keys:

          switch# configure terminal
          switch(config)# tacacs-server key 0 QsEfThUkO
          switch(config)# exit
          switch# show tacacs-server
          switch# copy running-config startup-config
          Related Information
          Enabling TACACS+

          Configuring TACACS+ Server Preshared Keys

          You can configure preshared keys for a TACACS+ server. A preshared key is a shared secret text string between the Cisco Nexus 5000 Series switch and the TACACS+ server host.

          To configure the TACACS+ preshared keys, perform this task:

          SUMMARY STEPS

            1.    switch# configure terminal

            2.    switch(config)# tacacs-server host {ipv4-address | ipv6-address | host-name} key [0 | 7] key-value

            3.    switch(config)# exit

            4.    (Optional) switch# show tacacs-server

            5.    (Optional) switch# copy running-config startup-config


          DETAILED STEPS
             Command or ActionPurpose
            Step 1 switch# configure terminal
             

            Enters configuration mode.

             
            Step 2 switch(config)# tacacs-server host {ipv4-address | ipv6-address | host-name} key [0 | 7] key-value
             

            Specifies a preshared key for a specific TACACS+ server. You can specify a clear text ( 0 ) or encrypted ( 7 ) preshared key. The default format is clear text. The maximum length is 63 characters.

            This preshared key is used instead of the global preshared key.

             
            Step 3 switch(config)# exit
             

            Exits configuration mode.

             
            Step 4 switch# show tacacs-server
             
            (Optional)

            Displays the TACACS+ server configuration.

            Note   

            The preshared keys are saved in encrypted form in the running configuration. Use the show running-config command to display the encrypted preshared keys.

             
            Step 5 switch# copy running-config startup-config
             
            (Optional)

            Copies the running configuration to the startup configuration.

             

            The following example shows how to configure the TACACS+ preshared keys:

            switch# configure terminal
            
            switch(config)# tacacs-server host 10.10.1.1 key 0 PlIjUhYg
            
            switch(config)# exit
            
            switch# show tacacs-server
            
            switch# copy running-config startup-config
            

            Configuring TACACS+ Server Groups

            You can specify one or more remote AAA servers to authenticate users using server groups. All members of a group must belong to the TACACS+ protocol. The servers are tried in the same order in which you configure them.

            You can configure these server groups at any time but they only take effect when you apply them to an AAA service.

            To configure TACACS+ server groups, perform this task:

            SUMMARY STEPS

              1.    switch# configure terminal

              2.    switch(config)# aaa group server tacacs+ group-name

              3.    switch(config-tacacs+)# server {ipv4-address | ipv6-address | host-name}

              4.    (Optional) switch(config-tacacs+)# deadtime minutes

              5.    switch(config-tacacs+)# exit

              6.    (Optional) switch(config)# show tacacs-server groups

              7.    (Optional) switch(config)# copy running-config startup-config


            DETAILED STEPS
               Command or ActionPurpose
              Step 1 switch# configure terminal
               

              Enters configuration mode.

               
              Step 2 switch(config)# aaa group server tacacs+ group-name
               

              Creates a TACACS+ server group and enters the TACACS+ server group configuration mode for that group.

               
              Step 3 switch(config-tacacs+)# server {ipv4-address | ipv6-address | host-name}
               

              Configures the TACACS+ server as a member of the TACACS+ server group.

              If the specified TACACS+ server is not found, configure it using the tacacs-server host command and retry this command.

               
              Step 4 switch(config-tacacs+)# deadtime minutes
               
              (Optional)

              Configures the monitoring dead time. The default is 0 minutes. The range is from 0 through 1440.

              Note   

              If the dead-time interval for a TACACS+ server group is greater than zero (0), that value takes precedence over the global dead-time value.

               
              Step 5 switch(config-tacacs+)# exit
               

              Exits configuration mode.

               
              Step 6 switch(config)# show tacacs-server groups
               
              (Optional)

              Displays the TACACS+ server group configuration.

               
              Step 7 switch(config)# copy running-config startup-config
               
              (Optional)

              Copies the running configuration to the startup configuration.

               

              The following example shows how to configure a TACACS+ server group:

              switch# configure terminal
              
              switch(config)# aaa group server tacacs+ TacServer
              
              switch(config-tacacs+)# server 10.10.2.2
              
              switch(config-tacacs+)# deadtime 30
              
              switch(config-tacacs+)# exit
              
              switch(config)# show tacacs-server groups
              
              switch(config)# copy running-config startup-config
              

              Specifying a TACACS+ Server at Login

              You can configure the switch to allow the user to specify which TACACS+ server to send the authenticate request by enabling the directed-request option. By default, a Cisco Nexus 5000 Series switch forwards an authentication request based on the default AAA authentication method. If you enable this option, the user can log in as username@hostname , where hostname is the name of a configured RADIUS server.


              Note


              User specified logins are only supported for Telnet sessions.


              To specify a TACACS+ server at login, perform this task:

              SUMMARY STEPS

                1.    switch# configure terminal

                2.    switch(config)# tacacs-server directed-request

                3.    switch(config)# exit

                4.    (Optional) switch# show tacacs-server directed-request

                5.    (Optional) switch# copy running-config startup-config


              DETAILED STEPS
                 Command or ActionPurpose
                Step 1 switch# configure terminal
                 

                Enters configuration mode.

                 
                Step 2 switch(config)# tacacs-server directed-request
                 

                Allows users to specify a TACACS+ server to send the authentication request when logging in. The default is disabled.

                 
                Step 3 switch(config)# exit
                 

                Exits configuration mode.

                 
                Step 4 switch# show tacacs-server directed-request
                 
                (Optional)

                Displays the TACACS+ directed request configuration.

                 
                Step 5 switch# copy running-config startup-config
                 
                (Optional)

                Copies the running configuration to the startup configuration.

                 

                Configuring the Global TACACS+ Timeout Interval

                You can set a global timeout interval that the Cisco Nexus 5000 Series switch waits for responses from all TACACS+ servers before declaring a timeout failure. The timeout interval determines how long the switch waits for responses from TACACS+ servers before declaring a timeout failure.

                To specify a TACACS+ global timeout interval, perform this task:

                SUMMARY STEPS

                  1.    switch# configure terminal

                  2.    switch(config)# tacacs-server timeout seconds

                  3.    switch(config)# exit

                  4.    (Optional) switch# show tacacs-server

                  5.    (Optional) switch# copy running-config startup-config


                DETAILED STEPS
                   Command or ActionPurpose
                  Step 1 switch# configure terminal
                   

                  Enters configuration mode.

                   
                  Step 2 switch(config)# tacacs-server timeout seconds
                   

                  Specifies the timeout interval for TACACS+ servers. The default timeout interval is 5 second and the range is from 1 to 60 seconds.

                   
                  Step 3 switch(config)# exit
                   

                  Exits configuration mode.

                   
                  Step 4 switch# show tacacs-server
                   
                  (Optional)

                  Displays the TACACS+ server configuration.

                   
                  Step 5 switch# copy running-config startup-config
                   
                  (Optional)

                  Copies the running configuration to the startup configuration.

                   

                  Configuring the Timeout Interval for a Server

                  You can set a timeout interval that the Cisco Nexus 5000 Series switch waits for responses from a TACACS+ server before declaring a timeout failure. The timeout interval determines how long the switch waits for responses from a TACACS+ server before declaring a timeout failure.

                  To configure the timeout interval for a server, perform this task:

                  SUMMARY STEPS

                    1.    switch# configure terminal

                    2.    switch(config)# switch(config)# tacacs-server host {ipv4-address | ipv6-address | host-name} timeout seconds

                    3.    switch(config)# exit

                    4.    (Optional) switch# show tacacs-server

                    5.    (Optional) switch# copy running-config startup-config


                  DETAILED STEPS
                     Command or ActionPurpose
                    Step 1 switch# configure terminal
                     

                    Enters configuration mode.

                     
                    Step 2 switch(config)# switch(config)# tacacs-server host {ipv4-address | ipv6-address | host-name} timeout seconds
                     

                    Specifies the timeout interval for a specific server. The default is the global value.

                    Note   

                    The timeout interval value specified for a TACACS+ server overrides the global timeout interval value specified for all TACACS+ servers.

                     
                    Step 3 switch(config)# exit
                     

                    Exits configuration mode.

                     
                    Step 4 switch# show tacacs-server
                     
                    (Optional)

                    Displays the TACACS+ server configuration.

                     
                    Step 5 switch# copy running-config startup-config
                     
                    (Optional)

                    Copies the running configuration to the startup configuration.

                     

                    Configuring TCP Ports

                    You can configure another TCP port for the TACACS+ servers if there are conflicts with another application. By default, Cisco Nexus 5000 Series switches use port 49 for all TACACS+ requests.

                    To configure TCP ports, perform this task:

                    SUMMARY STEPS

                      1.    switch# configure terminal

                      2.    switch(config)# tacacs-server host {ipv4-address | ipv6-address | host-name} port tcp-port

                      3.    switch(config)# exit

                      4.    (Optional) switch# show tacacs-server

                      5.    (Optional) switch# copy running-config startup-config


                    DETAILED STEPS
                       Command or ActionPurpose
                      Step 1 switch# configure terminal
                       

                      Enters configuration mode.

                       
                      Step 2 switch(config)# tacacs-server host {ipv4-address | ipv6-address | host-name} port tcp-port
                       

                      Specifies the UDP port to use for TACACS+ accounting messages.The default TCP port is 49. The range is from 1 to 65535.

                       
                      Step 3 switch(config)# exit
                       

                      Exits configuration mode.

                       
                      Step 4 switch# show tacacs-server
                       
                      (Optional)

                      Displays the TACACS+ server configuration.

                       
                      Step 5 switch# copy running-config startup-config
                       
                      (Optional)

                      Copies the running configuration to the startup configuration.

                       

                      The following example shows how to configure TCP ports:

                      switch# configure terminal
                      
                      switch(config)# tacacs-server host 10.10.1.1 port 2
                      
                      switch(config)# exit
                      
                      switch# show tacacs-server
                      
                      switch# copy running-config startup-config
                      

                      Configuring Periodic TACACS+ Server Monitoring

                      You can monitor the availability of TACACS+ servers. These parameters include the username and password to use for the server and an idle timer. The idle timer specifies the interval in which a TACACS+ server receives no requests before the Cisco Nexus 5000 Series switch sends out a test packet.You can configure this option to test servers periodically, or you can run a one-time only test.


                      Note


                      To protect network security, we recommend that you use a user name that is not the same as an existing username in the TACACS+ database.


                      The test idle timer specifies the interval in which a TACACS+ server receives no requests before the Cisco Nexus 5000 Series switch sends out a test packet.


                      Note


                      The default idle timer value is 0 minutes. When the idle time interval is 0 minutes, periodic TACACS+ server monitoring is not performed.


                      To configure periodic TACACS+ server monitoring, perform this task:

                      SUMMARY STEPS

                        1.    switch# configure terminal

                        2.    switch(config)# tacacs-server host {ipv4-address | ipv6-address | host-name} test {idle-time minutes | password password [idle-time minutes] | username name [password password [idle-time minutes]]}

                        3.    switch(config)# tacacs-server dead-time minutes

                        4.    switch(config)# exit

                        5.    (Optional) switch# show tacacs-server

                        6.    (Optional) switch# copy running-config startup-config


                      DETAILED STEPS
                         Command or ActionPurpose
                        Step 1 switch# configure terminal
                         

                        Enters configuration mode.

                         
                        Step 2 switch(config)# tacacs-server host {ipv4-address | ipv6-address | host-name} test {idle-time minutes | password password [idle-time minutes] | username name [password password [idle-time minutes]]}
                         

                        Specifies parameters for server monitoring. The default username is test and the default password is test. The default value for the idle timer is 0 minutes and the valid range is 0 to 1440 minutes.

                        Note   

                        For periodic TACACS+ server monitoring, the idle timer value must be greater than 0.

                         
                        Step 3 switch(config)# tacacs-server dead-time minutes
                         

                        Specifies the number minutes before the Cisco Nexus 5000 Series switch checks a TACACS+ server that was previously unresponsive. The default value is 0 minutes and the valid range is 0 to 1440 minutes.

                         
                        Step 4 switch(config)# exit
                         

                        Exits configuration mode.

                         
                        Step 5 switch# show tacacs-server
                         
                        (Optional)

                        Displays the TACACS+ server configuration.

                         
                        Step 6 switch# copy running-config startup-config
                         
                        (Optional)

                        Copies the running configuration to the startup configuration.

                         

                        The following example shows how to configure periodic TACACS+ server monitoring:

                        switch# configure terminal
                        
                        switch(config)# tacacs-server host 10.10.1.1 test username user1 password Ur2Gd2BH idle-time 3
                        
                        switch(config)# tacacs-server dead-time 5
                        
                        switch(config)# exit
                        
                        switch# show tacacs-server
                        
                        switch# copy running-config startup-config
                        

                        Configuring the Dead-Time Interval

                        You can configure the dead-time interval for all TACACS+ servers. The dead-time interval specifies the time that the Cisco Nexus 5000 Series switch waits, after declaring a TACACS+ server is dead, before sending out a test packet to determine if the server is now alive.


                        Note


                        When the dead-timer interval is 0 minutes, TACACS+ servers are not marked as dead even if they are not responding. You can configure the dead-timer per group.


                        To configure the dead-time interval for all TACACS+ servers, perform this task:

                        SUMMARY STEPS

                          1.    switch# configure terminal

                          2.    switch(config)# tacacs-server deadtime minutes

                          3.    switch(config)# exit

                          4.    (Optional) switch# show tacacs-server

                          5.    (Optional) switch# copy running-config startup-config


                        DETAILED STEPS
                           Command or ActionPurpose
                          Step 1 switch# configure terminal
                           

                          Enters configuration mode.

                           
                          Step 2 switch(config)# tacacs-server deadtime minutes
                           

                          Configures the global dead-time interval. The default value is 0 minutes. The range is from 1 to 1440 minutes.

                           
                          Step 3 switch(config)# exit
                           

                          Exits configuration mode.

                           
                          Step 4 switch# show tacacs-server
                           
                          (Optional)

                          Displays the TACACS+ server configuration.

                           
                          Step 5 switch# copy running-config startup-config
                           
                          (Optional)

                          Copies the running configuration to the startup configuration.

                           

                          Manually Monitoring TACACS+ Servers or Groups

                          To manually issue a test message to a TACACS+ server or to a server group, perform this task:

                          SUMMARY STEPS

                            1.    switch# test aaa server tacacs+ {ipv4-address | ipv6-address | host-name} [vrf vrf-name] username password

                            2.    switch# test aaa group group-name username password


                          DETAILED STEPS
                             Command or ActionPurpose
                            Step 1 switch# test aaa server tacacs+ {ipv4-address | ipv6-address | host-name} [vrf vrf-name] username password
                             

                            Sends a test message to a TACACS+ server to confirm availability.

                             
                            Step 2 switch# test aaa group group-name username password
                             

                            Sends a test message to a TACACS+ server group to confirm availability.

                             

                            The following example shows how to manually issue a test message:

                            switch# test aaa server tacacs+ 10.10.1.1 user1 Ur2Gd2BH
                            
                            switch# test aaa group TacGroup user2 As3He3CI
                            

                            Disabling TACACS+

                            You can disable TACACS+.


                            Caution


                            When you disable TACACS+, all related configurations are automatically discarded.


                            To disable TACACS+, perform this task:

                            SUMMARY STEPS

                              1.    switch# configure terminal

                              2.    switch(config)# no feature tacacs+

                              3.    switch(config)# exit

                              4.    (Optional) switch# copy running-config startup-config


                            DETAILED STEPS
                               Command or ActionPurpose
                              Step 1 switch# configure terminal
                               

                              Enters configuration mode.

                               
                              Step 2 switch(config)# no feature tacacs+
                               

                              Disables TACACS+.

                               
                              Step 3 switch(config)# exit
                               

                              Exits configuration mode.

                               
                              Step 4 switch# copy running-config startup-config
                               
                              (Optional)

                              Copies the running configuration to the startup configuration.

                               

                              Displaying TACACS+ Statistics

                              To display the statistics the Cisco Nexus 5000 Series switch maintains for TACACS+ activity, perform this task:

                              SUMMARY STEPS

                                1.    switch# show tacacs-server statistics {hostname | ipv4-address | ipv6-address}


                              DETAILED STEPS
                                 Command or ActionPurpose
                                Step 1 switch# show tacacs-server statistics {hostname | ipv4-address | ipv6-address}
                                 

                                Displays the TACACS+ statistics.

                                 

                                For detailed information about the fields in the output from this command, see the Cisco Nexus 5000 Series Command Reference.

                                Verifying TACACS+ Configuration

                                To display TACACS+ configuration information, perform one of the following tasks:

                                SUMMARY STEPS

                                  1.    switch# show tacacs+ {status | pending | pending-diff}

                                  2.    switch# show running-config tacacs [all]

                                  3.    switch# show startup-config tacacs

                                  4.    switch# show tacacs-serve [host-name | ipv4-address | ipv6-address] [directed-request | groups | sorted | statistics]


                                DETAILED STEPS
                                   Command or ActionPurpose
                                  Step 1 switch# show tacacs+ {status | pending | pending-diff}
                                   
                                  Displays the TACACS+ Cisco Fabric Services distribution status and other details. 
                                  Step 2 switch# show running-config tacacs [all]
                                   

                                  Displays the TACACS+ configuration in the running configuration.

                                   
                                  Step 3 switch# show startup-config tacacs
                                   

                                  Displays the TACACS+ configuration in the startup configuration.

                                   
                                  Step 4 switch# show tacacs-serve [host-name | ipv4-address | ipv6-address] [directed-request | groups | sorted | statistics]
                                   

                                  Displays all configured TACACS+ server parameters.

                                   

                                  Example TACACS+ Configuration

                                  The following example shows how to configure TACACS+:

                                  switch# configure terminal
                                  
                                  switch(config)# feature tacacs+
                                  
                                  switch(config)# tacacs-server key 7 "ToIkLhPpG"
                                  
                                  switch(config)# tacacs-server host 10.10.2.2 key 7 "ShMoMhTl"
                                  
                                  switch(config)# aaa group server tacacs+ TacServer
                                  
                                  switch(config-tacacs+)# server 10.10.2.2
                                  
                                  switch(config-tacacs+)# use-vrf management
                                  

                                  Default TACACS+ Settings

                                  The following table lists the default settings for TACACS+ parameters.

                                  Table 1  Default TACACS+ Parameters

                                  Parameters

                                  Default

                                  TACACS+

                                  Disabled

                                  Dead timer interval

                                  0 minutes

                                  Timeout interval

                                  5 seconds

                                  Idle timer interval

                                  0 minutes

                                  Periodic server monitoring username

                                  test

                                  Periodic server monitoring password

                                  test


                                  Configuring TACACS+

                                  Contents

                                  Configuring TACACS+

                                  This chapter contains the following sections:

                                  About Configuring TACACS+

                                  Information About TACACS+

                                  The Terminal Access Controller Access Control System Plus (TACACS+) security protocol provides centralized validation of users attempting to gain access to a Cisco Nexus 5000 Series switch. TACACS+ services are maintained in a database on a TACACS+ daemon typically running on a UNIX or Windows NT workstation. You must have access to and must configure a TACACS+ server before the configured TACACS+ features on your Cisco Nexus 5000 Series switch are available.

                                  TACACS+ provides for separate authentication, authorization, and accounting facilities. TACACS+ allows for a single access control server (the TACACS+ daemon) to provide each service (authentication, authorization, and accounting) independently. Each service is associated with its own database to take advantage of other services available on that server or on the network, depending on the capabilities of the daemon.

                                  The TACACS+ client/server protocol uses TCP (TCP port 49) for transport requirements. Cisco Nexus 5000 Series switches provide centralized authentication using the TACACS+ protocol.

                                  TACACS+ Advantages

                                  TACACS+ has the following advantages over RADIUS authentication:

                                  • Provides independent AAA facilities. For example, the Cisco Nexus 5000 Series switch can authorize access without authenticating.

                                  • Uses the TCP transport protocol to send data between the AAA client and server, making reliable transfers with a connection-oriented protocol.

                                  • Encrypts the entire protocol payload between the switch and the AAA server to ensure higher data confidentiality. The RADIUS protocol only encrypts passwords.

                                  User Login with TACACS+

                                  When a user attempts a Password Authentication Protocol (PAP) login to a Cisco Nexus 5000 Series switch using TACACS+, the following actions occur:

                                  1. When the Cisco Nexus 5000 Series switch establishes a connection, it contacts the TACACS+ daemon to obtain the username and password.


                                    Note


                                    TACACS+ allows an arbitrary conversation between the daemon and the user until the daemon receives enough information to authenticate the user. This action is usually done by prompting for a username and password combination, but may include prompts for other items, such as the user’s mother’s maiden name.


                                  2. The Cisco Nexus 5000 Series switch will receive one of the following responses from the TACACS+ daemon:

                                    • ACCEPT—User authentication succeeds and service begins. If the Cisco Nexus 5000 Series switch requires user authorization, authorization begins.

                                    • REJECT—User authentication failed. The TACACS+ daemon either denies further access to the user or prompts the user to retry the login sequence.

                                    • ERROR—An error occurred at some time during authentication dither at the daemon or in the network connection between the daemon and the Cisco Nexus 5000 Series switch. If the Cisco Nexus 5000 Series switch receives an ERROR response, the switch tries to use an alternative method for authenticating the user.

                                    The user also undergoes an additional authorization phase, if authorization has been enabled on the Cisco Nexus 5000 Series switch. Users must first successfully complete TACACS+ authentication before proceeding to TACACS+ authorization.

                                  3. If TACACS+ authorization is required, the Cisco Nexus 5000 Series switch again contacts the TACACS+ daemon and it returns an ACCEPT or REJECT authorization response. An ACCEPT response contains attributes that are used to direct the EXEC or NETWORK session for that user and determines the services that the user can access.

                                  Services include the following:

                                    • Telnet, rlogin, Point-to-Point Protocol (PPP), Serial Line Internet Protocol (SLIP), or EXEC services

                                    • Connection parameters, including the host or client IP address (IPv4 or IPv6), access list, and user timeouts

                                  Default TACACS+ Server Encryption Type and Preshared Key

                                  You must configure the TACACS+ preshared key to authenticate the switch to the TACACS+ server. A preshared key is a secret text string shared between the Cisco Nexus 5000 Series switch and the TACACS+ server host. The length of the key is restricted to 63 characters and can include any printable ASCII characters (white spaces are not allowed). You can configure a global preshared secret key for all TACACS+ server configurations on the Cisco Nexus 5000 Series switch to use.

                                  You can override the global preshared key assignment by explicitly using the key option when configuring an individual TACACS+ server.

                                  TACACS+ Server Monitoring

                                  An unresponsive TACACS+ server can delay the processing of AAA requests. A Cisco Nexus 5000 Series switch can periodically monitor an TACACS+ server to check whether it is responding (or alive) to save time in processing AAA requests. The Cisco Nexus 5000 Series switch marks unresponsive TACACS+ servers as dead and does not send AAA requests to any dead TACACS+ servers. A Cisco Nexus 5000 Series switch periodically monitors dead TACACS+ servers and brings them to the alive state once they are responding. This process verifies that a TACACS+ server is in a working state before real AAA requests are sent its way. Whenever an TACACS+ server changes to the dead or alive state, a Simple Network Management Protocol (SNMP) trap is generated and the Cisco Nexus 5000 Series switch displays an error message that a failure is taking place before it can impact performance.

                                  Figure 1. TACACS+ Server States


                                  Note


                                  The monitoring interval for alive servers and dead servers are different and can be configured by the user. The TACACS+ server monitoring is performed by sending a test authentication request to the TACACS+ server.


                                  Prerequisites for TACACS+

                                  TACACS+ has the following prerequisites:

                                  • Obtain the IPv4 or IPv6 addresses or host names for the TACACS+ servers.

                                  • Obtain the preshared keys from the TACACS+ servers, if any.

                                  • Ensure that the Cisco Nexus 5000 Series switch is configured as a TACACS+ client of the AAA servers.

                                  Guidelines and Limitations for TACACS+

                                  TACACS+ has the following guidelines and limitations:

                                  • You can configure a maximum of 64 TACACS+ servers on the Cisco Nexus 5000 Series switch.

                                  Configuring TACACS+

                                  TACACS+ Server Configuration Process

                                  To configure TACACS+ servers, perform this task:

                                  SUMMARY STEPS

                                    1.    Enable TACACS+.

                                    2.    Establish the TACACS+ server connections to the Cisco Nexus 5000 Series switch.

                                    3.    Configure the preshared secret keys for the TACACS+ servers.

                                    4.    If needed, configure TACACS+ server groups with subsets of the TACACS+ servers for AAA authentication methods.

                                    5.    If needed, configure any of the following optional parameters:

                                    6.    If needed, configure periodic TACACS+ server monitoring.


                                  DETAILED STEPS
                                    Step 1   Enable TACACS+.
                                    Step 2   Establish the TACACS+ server connections to the Cisco Nexus 5000 Series switch.
                                    Step 3   Configure the preshared secret keys for the TACACS+ servers.
                                    Step 4   If needed, configure TACACS+ server groups with subsets of the TACACS+ servers for AAA authentication methods.
                                    Step 5   If needed, configure any of the following optional parameters:
                                    • Dead-time interval
                                    • Allow TACACS+ server specification at login
                                    • Timeout interval
                                    • TCP port
                                    Step 6   If needed, configure periodic TACACS+ server monitoring.

                                    Enabling TACACS+

                                    By default, the TACACS+ feature is disabled on the Cisco Nexus 5000 Series switch. To explicitly enable the TACACS+ feature to access the configuration and verification commands for authentication, perform this task:

                                    SUMMARY STEPS

                                      1.    switch# configure terminal

                                      2.    switch(config)# feature tacacs+

                                      3.    switch(config)# exit

                                      4.    (Optional) switch# copy running-config startup-config


                                    DETAILED STEPS
                                       Command or ActionPurpose
                                      Step 1 switch# configure terminal
                                       

                                      Enters configuration mode.

                                       
                                      Step 2 switch(config)# feature tacacs+
                                       

                                      Enables TACACS+.

                                       
                                      Step 3 switch(config)# exit
                                       

                                      Exits configuration mode.

                                       
                                      Step 4 switch# copy running-config startup-config
                                       
                                      (Optional)

                                      Copies the running configuration to the startup configuration.

                                       

                                      Configuring TACACS+ Server Hosts

                                      To access a remote TACACS+ server, you must configure the IPv4 or IPv6 address or the hostname for the TACACS+ server on the Cisco Nexus 5000 Series switch. All TACACS+ server hosts are added to the default TACACS+ server group.You can configure up to 64 TACACS+ servers.

                                      If a preshared key is not configured for a configured TACACS+ server, a warning message is issued if a global key is not configured. If a TACACS+ server key is not configured, the global key (if configured) is used for that server.

                                      Before you configure TACACS+ server hosts, you should do the following:

                                      • Enable TACACS+.

                                      • Obtain the IPv4 or IPv6 addresses or the hostnames for the remote TACACS+ servers.

                                      To configure TACACS+ server hosts, perform this task:

                                      SUMMARY STEPS

                                        1.    switch# configure terminal

                                        2.    switch(config)# tacacs-server host {ipv4-address | ipv6-address | host-name}

                                        3.    switch(config)# exit

                                        4.    (Optional) switch# show tacacs-server

                                        5.    (Optional) switch# copy running-config startup-config


                                      DETAILED STEPS
                                         Command or ActionPurpose
                                        Step 1 switch# configure terminal
                                         

                                        Enters configuration mode.

                                         
                                        Step 2 switch(config)# tacacs-server host {ipv4-address | ipv6-address | host-name}
                                         

                                        Specifies the IPv4 or IPv6 address or hostname for a TACACS+ server.

                                         
                                        Step 3 switch(config)# exit
                                         

                                        Exits configuration mode.

                                         
                                        Step 4 switch# show tacacs-server
                                         
                                        (Optional)

                                        Displays the TACACS+ server configuration.

                                         
                                        Step 5 switch# copy running-config startup-config
                                         
                                        (Optional)

                                        Copies the running configuration to the startup configuration.

                                         

                                        You can delete a TACACS+ server host from a server group.

                                        Configuring TACACS+ Global Preshared Keys

                                        You can configure preshared keys at the global level for all servers used by the Cisco Nexus 5000 Series switch. A preshared key is a shared secret text string between the Cisco Nexus 5000 Series switch and the TACACS+ server hosts.

                                        Before you configure preshared keys, you should do the following:

                                        • Enable TACACS+.
                                        • Obtain the preshared key values for the remote TACACS+ servers.

                                        To configure global preshared keys, perform this task:

                                        SUMMARY STEPS

                                          1.    switch# configure terminal

                                          2.    switch(config)# tacacs-server key [0 | 7] key-value

                                          3.    switch(config)# exit

                                          4.    (Optional) switch# show tacacs-server

                                          5.    (Optional) switch# copy running-config startup-config


                                        DETAILED STEPS
                                           Command or ActionPurpose
                                          Step 1 switch# configure terminal
                                           

                                          Enters configuration mode.

                                           
                                          Step 2 switch(config)# tacacs-server key [0 | 7] key-value
                                           

                                          Specifies a preshared key for all TACACS+ servers. You can specify a clear text ( 0 ) or encrypted ( 7 ) preshared key. The default format is clear text. The maximum length is 63 characters.

                                          By default, no preshared key is configured.

                                           
                                          Step 3 switch(config)# exit
                                           

                                          Exits configuration mode.

                                           
                                          Step 4 switch# show tacacs-server
                                           
                                          (Optional)

                                          Displays the TACACS+ server configuration.

                                          Note   

                                          The preshared keys are saved in encrypted form in the running configuration. Use the show running-config command to display the encrypted preshared keys.

                                           
                                          Step 5 switch# copy running-config startup-config
                                           
                                          (Optional)

                                          Copies the running configuration to the startup configuration.

                                           

                                          The following example shows how to configure global preshared keys:

                                          switch# configure terminal
                                          switch(config)# tacacs-server key 0 QsEfThUkO
                                          switch(config)# exit
                                          switch# show tacacs-server
                                          switch# copy running-config startup-config
                                          Related Information

                                          Configuring TACACS+ Server Preshared Keys

                                          You can configure preshared keys for a TACACS+ server. A preshared key is a shared secret text string between the Cisco Nexus 5000 Series switch and the TACACS+ server host.

                                          To configure the TACACS+ preshared keys, perform this task:

                                          SUMMARY STEPS

                                            1.    switch# configure terminal

                                            2.    switch(config)# tacacs-server host {ipv4-address | ipv6-address | host-name} key [0 | 7] key-value

                                            3.    switch(config)# exit

                                            4.    (Optional) switch# show tacacs-server

                                            5.    (Optional) switch# copy running-config startup-config


                                          DETAILED STEPS
                                             Command or ActionPurpose
                                            Step 1 switch# configure terminal
                                             

                                            Enters configuration mode.

                                             
                                            Step 2 switch(config)# tacacs-server host {ipv4-address | ipv6-address | host-name} key [0 | 7] key-value
                                             

                                            Specifies a preshared key for a specific TACACS+ server. You can specify a clear text ( 0 ) or encrypted ( 7 ) preshared key. The default format is clear text. The maximum length is 63 characters.

                                            This preshared key is used instead of the global preshared key.

                                             
                                            Step 3 switch(config)# exit
                                             

                                            Exits configuration mode.

                                             
                                            Step 4 switch# show tacacs-server
                                             
                                            (Optional)

                                            Displays the TACACS+ server configuration.

                                            Note   

                                            The preshared keys are saved in encrypted form in the running configuration. Use the show running-config command to display the encrypted preshared keys.

                                             
                                            Step 5 switch# copy running-config startup-config
                                             
                                            (Optional)

                                            Copies the running configuration to the startup configuration.

                                             

                                            The following example shows how to configure the TACACS+ preshared keys:

                                            switch# configure terminal
                                            
                                            switch(config)# tacacs-server host 10.10.1.1 key 0 PlIjUhYg
                                            
                                            switch(config)# exit
                                            
                                            switch# show tacacs-server
                                            
                                            switch# copy running-config startup-config
                                            

                                            Configuring TACACS+ Server Groups

                                            You can specify one or more remote AAA servers to authenticate users using server groups. All members of a group must belong to the TACACS+ protocol. The servers are tried in the same order in which you configure them.

                                            You can configure these server groups at any time but they only take effect when you apply them to an AAA service.

                                            To configure TACACS+ server groups, perform this task:

                                            SUMMARY STEPS

                                              1.    switch# configure terminal

                                              2.    switch(config)# aaa group server tacacs+ group-name

                                              3.    switch(config-tacacs+)# server {ipv4-address | ipv6-address | host-name}

                                              4.    (Optional) switch(config-tacacs+)# deadtime minutes

                                              5.    switch(config-tacacs+)# exit

                                              6.    (Optional) switch(config)# show tacacs-server groups

                                              7.    (Optional) switch(config)# copy running-config startup-config


                                            DETAILED STEPS
                                               Command or ActionPurpose
                                              Step 1 switch# configure terminal
                                               

                                              Enters configuration mode.

                                               
                                              Step 2 switch(config)# aaa group server tacacs+ group-name
                                               

                                              Creates a TACACS+ server group and enters the TACACS+ server group configuration mode for that group.

                                               
                                              Step 3 switch(config-tacacs+)# server {ipv4-address | ipv6-address | host-name}
                                               

                                              Configures the TACACS+ server as a member of the TACACS+ server group.

                                              If the specified TACACS+ server is not found, configure it using the tacacs-server host command and retry this command.

                                               
                                              Step 4 switch(config-tacacs+)# deadtime minutes
                                               
                                              (Optional)

                                              Configures the monitoring dead time. The default is 0 minutes. The range is from 0 through 1440.

                                              Note   

                                              If the dead-time interval for a TACACS+ server group is greater than zero (0), that value takes precedence over the global dead-time value.

                                               
                                              Step 5 switch(config-tacacs+)# exit
                                               

                                              Exits configuration mode.

                                               
                                              Step 6 switch(config)# show tacacs-server groups
                                               
                                              (Optional)

                                              Displays the TACACS+ server group configuration.

                                               
                                              Step 7 switch(config)# copy running-config startup-config
                                               
                                              (Optional)

                                              Copies the running configuration to the startup configuration.

                                               

                                              The following example shows how to configure a TACACS+ server group:

                                              switch# configure terminal
                                              
                                              switch(config)# aaa group server tacacs+ TacServer
                                              
                                              switch(config-tacacs+)# server 10.10.2.2
                                              
                                              switch(config-tacacs+)# deadtime 30
                                              
                                              switch(config-tacacs+)# exit
                                              
                                              switch(config)# show tacacs-server groups
                                              
                                              switch(config)# copy running-config startup-config
                                              

                                              Specifying a TACACS+ Server at Login

                                              You can configure the switch to allow the user to specify which TACACS+ server to send the authenticate request by enabling the directed-request option. By default, a Cisco Nexus 5000 Series switch forwards an authentication request based on the default AAA authentication method. If you enable this option, the user can log in as username@hostname , where hostname is the name of a configured RADIUS server.


                                              Note


                                              User specified logins are only supported for Telnet sessions.


                                              To specify a TACACS+ server at login, perform this task:

                                              SUMMARY STEPS

                                                1.    switch# configure terminal

                                                2.    switch(config)# tacacs-server directed-request

                                                3.    switch(config)# exit

                                                4.    (Optional) switch# show tacacs-server directed-request

                                                5.    (Optional) switch# copy running-config startup-config


                                              DETAILED STEPS
                                                 Command or ActionPurpose
                                                Step 1 switch# configure terminal
                                                 

                                                Enters configuration mode.

                                                 
                                                Step 2 switch(config)# tacacs-server directed-request
                                                 

                                                Allows users to specify a TACACS+ server to send the authentication request when logging in. The default is disabled.

                                                 
                                                Step 3 switch(config)# exit
                                                 

                                                Exits configuration mode.

                                                 
                                                Step 4 switch# show tacacs-server directed-request
                                                 
                                                (Optional)

                                                Displays the TACACS+ directed request configuration.

                                                 
                                                Step 5 switch# copy running-config startup-config
                                                 
                                                (Optional)

                                                Copies the running configuration to the startup configuration.

                                                 

                                                Configuring the Global TACACS+ Timeout Interval

                                                You can set a global timeout interval that the Cisco Nexus 5000 Series switch waits for responses from all TACACS+ servers before declaring a timeout failure. The timeout interval determines how long the switch waits for responses from TACACS+ servers before declaring a timeout failure.

                                                To specify a TACACS+ global timeout interval, perform this task:

                                                SUMMARY STEPS

                                                  1.    switch# configure terminal

                                                  2.    switch(config)# tacacs-server timeout seconds

                                                  3.    switch(config)# exit

                                                  4.    (Optional) switch# show tacacs-server

                                                  5.    (Optional) switch# copy running-config startup-config


                                                DETAILED STEPS
                                                   Command or ActionPurpose
                                                  Step 1 switch# configure terminal
                                                   

                                                  Enters configuration mode.

                                                   
                                                  Step 2 switch(config)# tacacs-server timeout seconds
                                                   

                                                  Specifies the timeout interval for TACACS+ servers. The default timeout interval is 5 second and the range is from 1 to 60 seconds.

                                                   
                                                  Step 3 switch(config)# exit
                                                   

                                                  Exits configuration mode.

                                                   
                                                  Step 4 switch# show tacacs-server
                                                   
                                                  (Optional)

                                                  Displays the TACACS+ server configuration.

                                                   
                                                  Step 5 switch# copy running-config startup-config
                                                   
                                                  (Optional)

                                                  Copies the running configuration to the startup configuration.

                                                   

                                                  Configuring the Timeout Interval for a Server

                                                  You can set a timeout interval that the Cisco Nexus 5000 Series switch waits for responses from a TACACS+ server before declaring a timeout failure. The timeout interval determines how long the switch waits for responses from a TACACS+ server before declaring a timeout failure.

                                                  To configure the timeout interval for a server, perform this task:

                                                  SUMMARY STEPS

                                                    1.    switch# configure terminal

                                                    2.    switch(config)# switch(config)# tacacs-server host {ipv4-address | ipv6-address | host-name} timeout seconds

                                                    3.    switch(config)# exit

                                                    4.    (Optional) switch# show tacacs-server

                                                    5.    (Optional) switch# copy running-config startup-config


                                                  DETAILED STEPS
                                                     Command or ActionPurpose
                                                    Step 1 switch# configure terminal
                                                     

                                                    Enters configuration mode.

                                                     
                                                    Step 2 switch(config)# switch(config)# tacacs-server host {ipv4-address | ipv6-address | host-name} timeout seconds
                                                     

                                                    Specifies the timeout interval for a specific server. The default is the global value.

                                                    Note   

                                                    The timeout interval value specified for a TACACS+ server overrides the global timeout interval value specified for all TACACS+ servers.

                                                     
                                                    Step 3 switch(config)# exit
                                                     

                                                    Exits configuration mode.

                                                     
                                                    Step 4 switch# show tacacs-server
                                                     
                                                    (Optional)

                                                    Displays the TACACS+ server configuration.

                                                     
                                                    Step 5 switch# copy running-config startup-config
                                                     
                                                    (Optional)

                                                    Copies the running configuration to the startup configuration.

                                                     

                                                    Configuring TCP Ports

                                                    You can configure another TCP port for the TACACS+ servers if there are conflicts with another application. By default, Cisco Nexus 5000 Series switches use port 49 for all TACACS+ requests.

                                                    To configure TCP ports, perform this task:

                                                    SUMMARY STEPS

                                                      1.    switch# configure terminal

                                                      2.    switch(config)# tacacs-server host {ipv4-address | ipv6-address | host-name} port tcp-port

                                                      3.    switch(config)# exit

                                                      4.    (Optional) switch# show tacacs-server

                                                      5.    (Optional) switch# copy running-config startup-config


                                                    DETAILED STEPS
                                                       Command or ActionPurpose
                                                      Step 1 switch# configure terminal
                                                       

                                                      Enters configuration mode.

                                                       
                                                      Step 2 switch(config)# tacacs-server host {ipv4-address | ipv6-address | host-name} port tcp-port
                                                       

                                                      Specifies the UDP port to use for TACACS+ accounting messages.The default TCP port is 49. The range is from 1 to 65535.

                                                       
                                                      Step 3 switch(config)# exit
                                                       

                                                      Exits configuration mode.

                                                       
                                                      Step 4 switch# show tacacs-server
                                                       
                                                      (Optional)

                                                      Displays the TACACS+ server configuration.

                                                       
                                                      Step 5 switch# copy running-config startup-config
                                                       
                                                      (Optional)

                                                      Copies the running configuration to the startup configuration.

                                                       

                                                      The following example shows how to configure TCP ports:

                                                      switch# configure terminal
                                                      
                                                      switch(config)# tacacs-server host 10.10.1.1 port 2
                                                      
                                                      switch(config)# exit
                                                      
                                                      switch# show tacacs-server
                                                      
                                                      switch# copy running-config startup-config
                                                      

                                                      Configuring Periodic TACACS+ Server Monitoring

                                                      You can monitor the availability of TACACS+ servers. These parameters include the username and password to use for the server and an idle timer. The idle timer specifies the interval in which a TACACS+ server receives no requests before the Cisco Nexus 5000 Series switch sends out a test packet.You can configure this option to test servers periodically, or you can run a one-time only test.


                                                      Note


                                                      To protect network security, we recommend that you use a user name that is not the same as an existing username in the TACACS+ database.


                                                      The test idle timer specifies the interval in which a TACACS+ server receives no requests before the Cisco Nexus 5000 Series switch sends out a test packet.


                                                      Note


                                                      The default idle timer value is 0 minutes. When the idle time interval is 0 minutes, periodic TACACS+ server monitoring is not performed.


                                                      To configure periodic TACACS+ server monitoring, perform this task:

                                                      SUMMARY STEPS

                                                        1.    switch# configure terminal

                                                        2.    switch(config)# tacacs-server host {ipv4-address | ipv6-address | host-name} test {idle-time minutes | password password [idle-time minutes] | username name [password password [idle-time minutes]]}

                                                        3.    switch(config)# tacacs-server dead-time minutes

                                                        4.    switch(config)# exit

                                                        5.    (Optional) switch# show tacacs-server

                                                        6.    (Optional) switch# copy running-config startup-config


                                                      DETAILED STEPS
                                                         Command or ActionPurpose
                                                        Step 1 switch# configure terminal
                                                         

                                                        Enters configuration mode.

                                                         
                                                        Step 2 switch(config)# tacacs-server host {ipv4-address | ipv6-address | host-name} test {idle-time minutes | password password [idle-time minutes] | username name [password password [idle-time minutes]]}
                                                         

                                                        Specifies parameters for server monitoring. The default username is test and the default password is test. The default value for the idle timer is 0 minutes and the valid range is 0 to 1440 minutes.

                                                        Note   

                                                        For periodic TACACS+ server monitoring, the idle timer value must be greater than 0.

                                                         
                                                        Step 3 switch(config)# tacacs-server dead-time minutes
                                                         

                                                        Specifies the number minutes before the Cisco Nexus 5000 Series switch checks a TACACS+ server that was previously unresponsive. The default value is 0 minutes and the valid range is 0 to 1440 minutes.

                                                         
                                                        Step 4 switch(config)# exit
                                                         

                                                        Exits configuration mode.

                                                         
                                                        Step 5 switch# show tacacs-server
                                                         
                                                        (Optional)

                                                        Displays the TACACS+ server configuration.

                                                         
                                                        Step 6 switch# copy running-config startup-config
                                                         
                                                        (Optional)

                                                        Copies the running configuration to the startup configuration.

                                                         

                                                        The following example shows how to configure periodic TACACS+ server monitoring:

                                                        switch# configure terminal
                                                        
                                                        switch(config)# tacacs-server host 10.10.1.1 test username user1 password Ur2Gd2BH idle-time 3
                                                        
                                                        switch(config)# tacacs-server dead-time 5
                                                        
                                                        switch(config)# exit
                                                        
                                                        switch# show tacacs-server
                                                        
                                                        switch# copy running-config startup-config
                                                        

                                                        Configuring the Dead-Time Interval

                                                        You can configure the dead-time interval for all TACACS+ servers. The dead-time interval specifies the time that the Cisco Nexus 5000 Series switch waits, after declaring a TACACS+ server is dead, before sending out a test packet to determine if the server is now alive.


                                                        Note


                                                        When the dead-timer interval is 0 minutes, TACACS+ servers are not marked as dead even if they are not responding. You can configure the dead-timer per group.


                                                        To configure the dead-time interval for all TACACS+ servers, perform this task:

                                                        SUMMARY STEPS

                                                          1.    switch# configure terminal

                                                          2.    switch(config)# tacacs-server deadtime minutes

                                                          3.    switch(config)# exit

                                                          4.    (Optional) switch# show tacacs-server

                                                          5.    (Optional) switch# copy running-config startup-config


                                                        DETAILED STEPS
                                                           Command or ActionPurpose
                                                          Step 1 switch# configure terminal
                                                           

                                                          Enters configuration mode.

                                                           
                                                          Step 2 switch(config)# tacacs-server deadtime minutes
                                                           

                                                          Configures the global dead-time interval. The default value is 0 minutes. The range is from 1 to 1440 minutes.

                                                           
                                                          Step 3 switch(config)# exit
                                                           

                                                          Exits configuration mode.

                                                           
                                                          Step 4 switch# show tacacs-server
                                                           
                                                          (Optional)

                                                          Displays the TACACS+ server configuration.

                                                           
                                                          Step 5 switch# copy running-config startup-config
                                                           
                                                          (Optional)

                                                          Copies the running configuration to the startup configuration.

                                                           

                                                          Manually Monitoring TACACS+ Servers or Groups

                                                          To manually issue a test message to a TACACS+ server or to a server group, perform this task:

                                                          SUMMARY STEPS

                                                            1.    switch# test aaa server tacacs+ {ipv4-address | ipv6-address | host-name} [vrf vrf-name] username password

                                                            2.    switch# test aaa group group-name username password


                                                          DETAILED STEPS
                                                             Command or ActionPurpose
                                                            Step 1 switch# test aaa server tacacs+ {ipv4-address | ipv6-address | host-name} [vrf vrf-name] username password
                                                             

                                                            Sends a test message to a TACACS+ server to confirm availability.

                                                             
                                                            Step 2 switch# test aaa group group-name username password
                                                             

                                                            Sends a test message to a TACACS+ server group to confirm availability.

                                                             

                                                            The following example shows how to manually issue a test message:

                                                            switch# test aaa server tacacs+ 10.10.1.1 user1 Ur2Gd2BH
                                                            
                                                            switch# test aaa group TacGroup user2 As3He3CI
                                                            

                                                            Disabling TACACS+

                                                            You can disable TACACS+.


                                                            Caution


                                                            When you disable TACACS+, all related configurations are automatically discarded.


                                                            To disable TACACS+, perform this task:

                                                            SUMMARY STEPS

                                                              1.    switch# configure terminal

                                                              2.    switch(config)# no feature tacacs+

                                                              3.    switch(config)# exit

                                                              4.    (Optional) switch# copy running-config startup-config


                                                            DETAILED STEPS
                                                               Command or ActionPurpose
                                                              Step 1 switch# configure terminal
                                                               

                                                              Enters configuration mode.

                                                               
                                                              Step 2 switch(config)# no feature tacacs+
                                                               

                                                              Disables TACACS+.

                                                               
                                                              Step 3 switch(config)# exit
                                                               

                                                              Exits configuration mode.

                                                               
                                                              Step 4 switch# copy running-config startup-config
                                                               
                                                              (Optional)

                                                              Copies the running configuration to the startup configuration.

                                                               

                                                              Displaying TACACS+ Statistics

                                                              To display the statistics the Cisco Nexus 5000 Series switch maintains for TACACS+ activity, perform this task:

                                                              SUMMARY STEPS

                                                                1.    switch# show tacacs-server statistics {hostname | ipv4-address | ipv6-address}


                                                              DETAILED STEPS
                                                                 Command or ActionPurpose
                                                                Step 1 switch# show tacacs-server statistics {hostname | ipv4-address | ipv6-address}
                                                                 

                                                                Displays the TACACS+ statistics.

                                                                 

                                                                For detailed information about the fields in the output from this command, see the Cisco Nexus 5000 Series Command Reference.

                                                                Verifying TACACS+ Configuration

                                                                To display TACACS+ configuration information, perform one of the following tasks:

                                                                SUMMARY STEPS

                                                                  1.    switch# show tacacs+ {status | pending | pending-diff}

                                                                  2.    switch# show running-config tacacs [all]

                                                                  3.    switch# show startup-config tacacs

                                                                  4.    switch# show tacacs-serve [host-name | ipv4-address | ipv6-address] [directed-request | groups | sorted | statistics]


                                                                DETAILED STEPS
                                                                   Command or ActionPurpose
                                                                  Step 1 switch# show tacacs+ {status | pending | pending-diff}
                                                                   
                                                                  Displays the TACACS+ Cisco Fabric Services distribution status and other details. 
                                                                  Step 2 switch# show running-config tacacs [all]
                                                                   

                                                                  Displays the TACACS+ configuration in the running configuration.

                                                                   
                                                                  Step 3 switch# show startup-config tacacs
                                                                   

                                                                  Displays the TACACS+ configuration in the startup configuration.

                                                                   
                                                                  Step 4 switch# show tacacs-serve [host-name | ipv4-address | ipv6-address] [directed-request | groups | sorted | statistics]
                                                                   

                                                                  Displays all configured TACACS+ server parameters.

                                                                   

                                                                  Example TACACS+ Configuration

                                                                  The following example shows how to configure TACACS+:

                                                                  switch# configure terminal
                                                                  
                                                                  switch(config)# feature tacacs+
                                                                  
                                                                  switch(config)# tacacs-server key 7 "ToIkLhPpG"
                                                                  
                                                                  switch(config)# tacacs-server host 10.10.2.2 key 7 "ShMoMhTl"
                                                                  
                                                                  switch(config)# aaa group server tacacs+ TacServer
                                                                  
                                                                  switch(config-tacacs+)# server 10.10.2.2
                                                                  
                                                                  switch(config-tacacs+)# use-vrf management
                                                                  

                                                                  Default TACACS+ Settings

                                                                  The following table lists the default settings for TACACS+ parameters.

                                                                  Table 1  Default TACACS+ Parameters

                                                                  Parameters

                                                                  Default

                                                                  TACACS+

                                                                  Disabled

                                                                  Dead timer interval

                                                                  0 minutes

                                                                  Timeout interval

                                                                  5 seconds

                                                                  Idle timer interval

                                                                  0 minutes

                                                                  Periodic server monitoring username

                                                                  test

                                                                  Periodic server monitoring password

                                                                  test