The documentation set for this product strives to use bias-free language. For the purposes of this documentation set, bias-free is defined as language that does not imply discrimination based on age, disability, gender, racial identity, ethnic identity, sexual orientation, socioeconomic status, and intersectionality. Exceptions may be present in the documentation due to language that is hardcoded in the user interfaces of the product software, language used based on RFP documentation, or language that is used by a referenced third-party product. Learn more about how Cisco is using Inclusive Language.
This chapter contains the following sections:
Your software release might not support all the features documented in this module. For the latest caveats and feature information, see the Bug Search Tool at https://tools.cisco.com/bugsearch/ and the release notes for your software release. To find information about the features documented in this module, and to see a list of the releases in which each feature is supported, see the "New and Changed Information"chapter or the Feature History table in this chapter.
The TACACS+ security protocol provides centralized validation of users attempting to gain access to a Cisco NX-OS device. TACACS+ services are maintained in a database on a TACACS+ daemon running, typically, on a UNIX or Windows NT workstation. You must have access to and must configure a TACACS+ server before the configured TACACS+ features on your Cisco NX-OS device are available.
TACACS+ provides for separate authentication, authorization, and accounting facilities. TACACS+ allows for a single access control server (the TACACS+ daemon) to provide each service—authentication, authorization, and accounting—independently. Each service can be tied into its own database to take advantage of other services available on that server or on the network, depending on the capabilities of the daemon.
The TACACS+ client/server protocol uses TCP (TCP port 49) for transport requirements. Cisco NX-OS devices provide centralized authentication using the TACACS+ protocol.
TACACS+ has the following advantages over RADIUS authentication:
Provides independent AAA facilities. For example, the Cisco NX-OS device can authorize access without authenticating.
Uses the TCP transport protocol to send data between the AAA client and server, making reliable transfers with a connection-oriented protocol.
Encrypts the entire protocol payload between the switch and the AAA server to ensure higher data confidentiality. The RADIUS protocol only encrypts passwords.
When a user attempts a Password Authentication Protocol (PAP) login to a Cisco NX-OS device using TACACS+, the following actions occur:
 Note |
TACACS+ allows an arbitrary conversation between the daemon and the user until the daemon receives enough information to authenticate the user. This action is usually done by prompting for a username and password combination, but may include prompts for other items, such as your mother’s maiden name. |
When the Cisco NX-OS device establishes a connection, it contacts the TACACS+ daemon to obtain the username and password.
The Cisco NX-OS device will eventually receive one of the following responses from the TACACS+ daemon:
After authentication, the user also undergoes an additional authorization phase if authorization has been enabled on the NX-OS device. Users must first successfully complete TACACS+ authentication before proceeding to TACACS+ authorization.
If TACACS+ authorization is required, the Cisco NX-OS device again contacts the TACACS+ daemon and it returns an ACCEPT or REJECT authorization response. An ACCEPT response contains attributes that are used to direct the EXEC or NETWORK session for that user and determines the services that the user can access.
Services include the following:
Telnet, rlogin, Point-to-Point Protocol (PPP), Serial Line Internet Protocol (SLIP), or EXEC services
Connection parameters, including the host or client IP address (IPv4 or IPv6), access list, and user timeouts
You must configure the TACACS+ secret key to authenticate the switch to the TACACS+ server. A secret key is a secret text string shared between the Cisco NX-OS device and the TACACS+ server host. The length of the key is restricted to 63 characters and can include any printable ASCII characters (white spaces are not allowed). You can configure a global secret key for all TACACS+ server configurations on the Cisco NX-OS device to use.
You can override the global secret key assignment by explicitly using the key option when configuring an individual TACACS+ server.
By default, command authorization is done against a local database in the Cisco NX-OS software when an authenticated user enters a command at the command-line interface (CLI). You can also verify authorized commands for authenticated users using TACACS+.
An unresponsive TACACS+ server can delay the processing of AAA requests. A Cisco NX-OS device can periodically monitor a TACACS+ server to check whether it is responding (or alive) to save time in processing AAA requests. The Cisco NX-OS device marks unresponsive TACACS+ servers as dead and does not send AAA requests to any dead TACACS+ servers. A Cisco NX-OS device periodically monitors dead TACACS+ servers and brings them to the alive state once they are responding. This process verifies that a TACACS+ server is in a working state before real AAA requests are sent its way. Whenever a TACACS+ server changes to the dead or alive state, a Simple Network Management Protocol (SNMP) trap is generated and the Cisco NX-OS device displays an error message that a failure is taking place before it can impact performance.
Note |
The monitoring interval for alive servers and dead servers are different and can be configured by the user. The TACACS+ server monitoring is performed by sending a test authentication request to the TACACS+ server. |
Cisco Fabric Services (CFS) allows the Cisco NX-OS device to distribute the TACACS+ configuration to other Cisco NX-OS devices in the network. When you enable CFS distribution for a feature on your device, the device belongs to a CFS region containing other devices in the network that you have also enabled for CFS distribution for the feature. CFS distribution for TACACS+ is disabled by default.
Note |
You must explicitly enable CFS for TACACS+ on each device to which you want to distribute configuration changes. |
After you enable CFS distribution for TACACS+ on your Cisco NX-OS device, the first TACACS+ configuration command that you enter causes the Cisco NX-OS software to take the following actions:
Creates a CFS session on your Cisco NX-OS device.
Locks the TACACS+ configuration on all Cisco NX-OS devices in the CFS region with CFS enabled for TACACS+.
Saves the TACACS+ configuration changes in a temporary buffer on the Cisco NX-OS device.
The changes stay in the temporary buffer on the Cisco NX-OS device until you explicitly commit them to be distributed to the devices in the CFS region. When you commit the changes, the Cisco NX-OS software takes the following actions:
Applies the changes to the running configuration on your Cisco NX-OS device.
Distributes the updated TACACS+ configuration to the other Cisco NX-OS devices in the CFS region.
Unlocks the TACACS+ configuration in the devices in the CFS region.
Terminates the CFS session.
CFS does not distribute the TACACS+ server group configuration, periodic TACACS+ server testing configurations, or server and global keys. The keys are unique to the Cisco NX-OS device and are not shared with other Cisco NX-OS devices.
For detailed information on CFS, see the Cisco Nexus 7000 Series NX-OS System Management Configuration Guide.
The Internet Engineering Task Force (IETF) draft standard specifies a method for communicating vendor-specific attributes (VSAs) between the network access server and the TACACS+ server. The IETF uses attribute 26. VSAs allow vendors to support their own extended attributes that are not suitable for general use.
The Cisco TACACS+ implementation supports one vendor-specific option using the format recommended in the IETF specification. The Cisco vendor ID is 9, and the supported option is vendor type 1, which is named cisco-av-pair. The value is a string with the following format:
protocol : attribute separator value *
The protocol is a Cisco attribute for a particular type of authorization, the separator is = (equal sign) for mandatory attributes, and * (asterisk) indicates optional attributes.
When you use TACACS+ servers for authentication on a Cisco NX-OS device, the TACACS+ protocol directs the TACACS+ server to return user attributes, such as authorization information, along with authentication results. This authorization information is specified through VSAs.
The following VSA protocol options are supported by the Cisco NX-OS software:
The Cisco NX-OS software supports the following attributes:
Lists all the roles to which the user belongs. The value field is a string that lists the role names delimited by white space. For example, if the user belongs to roles network-operator and vdc-admin, the value field would be network-operator vdc-admin. This subattribute, which the TACACS+ server sends in the VSA portion of the Access-Accept frames, can only be used with the shell protocol value. The following examples show the roles attribute as supported by Cisco ACS:
shell:roles=network-operator vdc-admin
shell:roles*network-operator vdc-admin
Note |
When you specify a VSA as shell:roles*"network-operator vdc-admin", this VSA is flagged as an optional attribute and other Cisco devices ignore this attribute. |
TACACS+ has the following prerequisites:
Obtain the IPv4 or IPv6 addresses or hostnames for the TACACS+ servers.
Obtain the secret keys from the TACACS+ servers, if any.
Ensure that the Cisco NX-OS device is configured as a TACACS+ client of the AAA servers.
TACACS+ has the following guidelines and limitations:
You may get the following error message sporadically after you have configured a TACACS+ server host followed by the AAA configuration to actually use the host:
%TACACS-3-TACACS_ERROR_MESSAGE: All servers failed to respondThis is a known issue from Cisco NX-OS Release 8.0(1) onwards and there is no workaround. If the remote authentication works properly without any TACACS server connectivity issue, you can ignore the message and continue with your further configuration.
You can configure a maximum of 64 TACACS+ servers on the Cisco NX-OS device.
If you have a user account configured on the local Cisco NX-OS device that has the same name as a remote user account on an AAA server, the Cisco NX-OS software applies the user roles for the local user account to the remote user, not the user roles configured on the AAA server.
Cisco recommends that you configure the dead-time interval if more than six servers are configured in a group. If you must configure more than six servers, make sure to set the dead-time interval to a value greater than 0 and enable dead server monitoring by configuring the test username and test password.
This table lists the default settings for TACACS+ parameters.
|
Parameters |
Default |
|---|---|
|
TACACS+ |
Disabled |
|
Dead timer interval |
0 minutes |
|
Timeout interval |
5 seconds |
|
Idle timer interval |
0 minutes |
|
Periodic server monitoring username |
test |
|
Periodic server monitoring password |
test |
This section describes how to configure TACACS+ on a Cisco NX-OS device.
Note |
If you are familiar with the Cisco IOS CLI, be aware that the Cisco NX-OS commands for this feature might differ from the Cisco IOS commands that you would use. |
|
Step 1 |
Enable TACACS+. |
|
Step 2 |
If needed, enable CFS configuration distribution for TACACS+. |
|
Step 3 |
Establish the TACACS+ server connections to the Cisco NX-OS device. |
|
Step 4 |
Configure the secret keys for the TACACS+ servers. |
|
Step 5 |
If needed, configure TACACS+ server groups with subsets of the TACACS+ servers for AAA authentication methods. |
|
Step 6 |
(Optional) Configure the TCP port. |
|
Step 7 |
(Optional) If needed, configure periodic TACACS+ server monitoring. |
|
Step 8 |
(Optional) If TACACS+ distribution is enabled, commit the TACACS+ configuration to the fabric. |
By default, the TACACS+ feature is disabled on the Cisco NX-OS device. You must explicitly enable the TACACS+ feature to access the configuration and verification commands for authentication.
| Command or Action | Purpose | |
|---|---|---|
|
Step 1 |
configure terminal Example: |
Enters global configuration mode. |
|
Step 2 |
feature tacacs+ Example: |
Enables TACACS+. |
|
Step 3 |
exit Example: |
Exits configuration mode. |
|
Step 4 |
(Optional) copy running-config startup-config Example: |
(Optional)
Copies the running configuration to the startup configuration. |
To access a remote TACACS+ server, you must configure the IP address or the hostname for the TACACS+ server on the Cisco NX-OS device. You can configure up to 64 TACACS+ servers.
Note |
By default, when you configure a TACACS+ server IP address or hostname on the Cisco NX-OS device, the TACACS+ server is added to the default TACACS+ server group. You can also add the TACACS+ server to another TACACS+ server group. |
Enable TACACS+.
Obtain the IPv4 or IPv6 addresses or the hostnames for the remote TACACS+ servers.
| Command or Action | Purpose | |
|---|---|---|
|
Step 1 |
configure terminal Example: |
Enters global configuration mode. |
|
Step 2 |
tacacs-server host {host-name | ipv4-address | ipv6-address} [key [0 | 6 | 7] shared-secret] [port port-number] [timeout seconds] [single-connection] Example: |
Specifies the IPv4 or IPv6 address or hostname for a TACACS+ server. Use the single-connection option to improve performance by configuring a single TACACS+ connection. Rather than have the device open and close a TCP connection to the daemon each time it must communicate, this option maintains a single open connection between the device and the daemon. |
|
Step 3 |
(Optional) show tacacs+ {pending | pending-diff} Example: |
(Optional)
Displays the TACACS+ configuration pending for distribution. |
|
Step 4 |
(Optional) tacacs+ commit Example: |
(Optional)
Applies the TACACS+ configuration changes in the temporary database to the running configuration and distributes TACACS+ configuration to other NX-OS devices if you have enabled CFS configuration distribution for the user role feature. |
|
Step 5 |
exit Example: |
Exits configuration mode. |
|
Step 6 |
(Optional) show tacacs-server Example: |
(Optional)
Displays the TACACS+ server configuration. |
|
Step 7 |
(Optional) copy running-config startup-config Example: |
(Optional)
Copies the running configuration to the startup configuration. |
You can configure secret TACACS+ keys at the global level for all servers used by the Cisco NX-OS device. A secret key is a shared secret text string between the Cisco NX-OS device and the TACACS+ server hosts.
Note |
CFS does not distribute the TACACS+ global keys. The keys are unique to the Cisco NX-OS device and are not shared with other Cisco NX-OS devices. |
Enable TACACS+.
Obtain the secret key values for the remote TACACS+ servers.
| Command or Action | Purpose | |||
|---|---|---|---|---|
|
Step 1 |
configure terminal Example: |
Enters global configuration mode. |
||
|
Step 2 |
tacacs-server key [0 | 7] key-value Example: |
Specifies a TACACS+ key for all TACACS+ server. You can specify that the key-value is in clear text format (0 ) or is type-7 encrypted (7 ). The Cisco NX-OS software encrypts a clear text key before saving it to the running configuration. The default format is clear text. The maximum length is 63 characters. By default, no secret key is configured. |
||
|
Step 3 |
exit Example: |
Exits configuration mode. |
||
|
Step 4 |
(Optional) show tacacs-server Example: |
(Optional)
Displays the TACACS+ server configuration.
|
||
|
Step 5 |
(Optional) copy running-config startup-config Example: |
(Optional)
Copies the running configuration to the startup configuration. |
You can configure secret keys for a TACACS+ server. A secret key is a shared secret text string between the Cisco NX-OS device and the TACACS+ server host.
Note |
CFS does not distribute the TACACS+ server keys. The keys are unique to the Cisco NX-OS device and are not shared with other Cisco NX-OS devices. |
Enable TACACS+.
Obtain the secret key values for the remote TACACS+ servers.
| Command or Action | Purpose | |||
|---|---|---|---|---|
|
Step 1 |
configure terminal Example: |
Enters global configuration mode. |
||
|
Step 2 |
tacacs-server host {ipv4-address | ipv6-address | host-name} key [0 | 6 | 7] key-value Example: |
If no key is specified, NX-OS software assumes the key-value to be clear text and encrypts it using type-7 encryption before saving it to running configuration. The maximum length of key-value is 63 characters This secret key is used instead of the global secret key.
|
||
|
Step 3 |
exit Example: |
Exits configuration mode. |
||
|
Step 4 |
(Optional) show tacacs-server Example: |
(Optional)
Displays the TACACS+ server configuration.
|
||
|
Step 5 |
(Optional) copy running-config startup-config Example: |
(Optional)
Copies the running configuration to the startup configuration. |
You can specify one or more remote AAA servers to authenticate users using server groups. All members of a group must belong to the TACACS+ protocol. The servers are tried in the same order in which you configure them.
You can configure these server groups at any time but they only take effect when you apply them to an AAA service.
Note |
CFS does not distribute the TACACS+ server group configuration. |
Enable TACACS+.
| Command or Action | Purpose | |
|---|---|---|
|
Step 1 |
configure terminal Example: |
Enters global configuration mode. |
|
Step 2 |
tacacs-server host {host-name | ipv4-address | ipv6-address} [key [0 | 6 | 7] shared-secret] [port port-number] [timeout seconds] [single-connection] Example: |
Specifies the IPv4 or IPv6 address or hostname for a TACACS+ server. Use the single-connection option to improve performance by configuring a single TACACS+ connection. Rather than have the device open and close a TCP connection to the daemon each time it must communicate, this option maintains a single open connection between the device and the daemon. |
|
Step 3 |
aaa group server tacacs+ group-name Example: |
Creates a TACACS+ server group and enters the TACACS+ server group configuration mode for that group. |
|
Step 4 |
server {ipv4-address | ipv6-address | host-name} Example: |
Configures the TACACS+ server as a member of the TACACS+ server group. If the specified TACACS+ server is not found, configure it using the tacacs-server host command and retry this command. |
|
Step 5 |
exit Example: |
Exits TACACS+ server group configuration mode. |
|
Step 6 |
(Optional) show tacacs-server groups Example: |
(Optional)
Displays the TACACS+ server group configuration. |
|
Step 7 |
(Optional) copy running-config startup-config Example: |
(Optional)
Copies the running configuration to the startup configuration. |
You can configure a global source interface for TACACS+ server groups to use when accessing TACACS+ servers. You can also configure a different source interface for a specific TACACS+ server group. By default, the Cisco NX-OS software uses any available interface.
| Command or Action | Purpose | |
|---|---|---|
|
Step 1 |
configure terminal Example: |
Enters global configuration mode. |
|
Step 2 |
ip tacacs source-interface interface Example: |
Configures the global source interface for all TACACS+ server groups configured on the device. |
|
Step 3 |
exit Example: |
Exits configuration mode. |
|
Step 4 |
(Optional) show tacacs-server Example: |
(Optional)
Displays the TACACS+ server configuration information. |
|
Step 5 |
(Optional) copy running-config startup config Example: |
(Optional)
Copies the running configuration to the startup configuration. |
You can configure the switch to allow the user to specify which TACACS+ server to send the authentication request by enabling the directed-request option. By default, a Cisco NX-OS device forwards an authentication request based on the default AAA authentication method. If you enable this option, the user can log in as username@vrfname:hostname , where vrfname is the VRF to use and hostname is the name of a configured TACACS+ server.
Note |
If you enable the directed-request option, the Cisco NX-OS device uses only the TACACS+ method for authentication and not the default local method. |
Note |
User-specified logins are supported only for Telnet sessions. |
Enable TACACS+.
| Command or Action | Purpose | |
|---|---|---|
|
Step 1 |
configure terminal Example: |
Enters global configuration mode. |
|
Step 2 |
tacacs-server directed-request Example: |
Allows users to specify a TACACS+ server to send the authentication request when logging in. The default is disabled. |
|
Step 3 |
(Optional) show tacacs+ {pending | pending-diff} Example: |
(Optional)
Displays the pending TACACS+ configuration. |
|
Step 4 |
(Optional) tacacs+ commit Example: |
(Optional)
Applies the TACACS+ configuration changes in the temporary database to the running configuration and distributes TACACS+ configuration to other NX-OS devices if you have enabled CFS configuration distribution for the user role feature. |
|
Step 5 |
exit Example: |
Exits configuration mode. |
|
Step 6 |
(Optional) show tacacs-server directed-request Example: |
(Optional)
Displays the TACACS+ directed request configuration. |
|
Step 7 |
(Optional) copy running-config startup-config Example: |
(Optional)
Copies the running configuration to the startup configuration. |
You can set a global timeout interval that the device waits for responses from all TACACS+ servers before declaring a timeout failure. The timeout interval determines how long the device waits for responses from TACACS+ servers before declaring a timeout failure.
Enable TACACS+.
|
Step 1 |
From the Feature Selector pane, choose Security > AAA > Server Groups. |
|
Step 2 |
From the Summary pane, double-click the device to display the server groups. |
|
Step 3 |
Click Default TACACS Server Group. |
|
Step 4 |
From the Details pane, click the Global Settings tab. |
|
Step 5 |
In the Time out(secs) field, enter the number of seconds for the timeout interval. |
|
Step 6 |
From the menu bar, choose File > Deploy to apply your changes to the device. |
You can set a timeout interval that the Cisco NX-OS device waits for responses from a TACACS+ server before declaring a timeout failure. The timeout interval determines how long the Cisco NX-OS device waits for responses from a TACACS+ server before declaring a timeout failure.
Enable TACACS+.
| Command or Action | Purpose | |||
|---|---|---|---|---|
|
Step 1 |
configure terminal Example: |
Enters global configuration mode. |
||
|
Step 2 |
tacacs-server host {ipv4-address | ipv6-address | host-name} timeout seconds Example: |
Specifies the timeout interval for a specific server. The default is the global value.
|
||
|
Step 3 |
(Optional) show tacacs+ {pending | pending-diff} Example: |
(Optional)
Displays the TACACS+ configuration pending for distribution. |
||
|
Step 4 |
(Optional) tacacs+ commit Example: |
(Optional)
Applies the TACACS+ configuration changes in the temporary database to the running configuration and distributes the TACACS+ configuration to other Cisco NX-OS devices if you have enabled CFS configuration distribution for the user role feature. |
||
|
Step 5 |
exit Example: |
Exits configuration mode. |
||
|
Step 6 |
(Optional) show tacacs-server Example: |
(Optional)
Displays the TACACS+ server configuration. |
||
|
Step 7 |
(Optional) copy running-config startup-config Example: |
(Optional)
Copies the running configuration to the startup configuration. |
You can configure another TCP port for the TACACS+ servers if there are conflicts with another application. By default, Cisco NX-OS devices use port 49 for all TACACS+ requests.
Enable TACACS+.
| Command or Action | Purpose | |
|---|---|---|
|
Step 1 |
configure terminal Example: |
Enters global configuration mode. |
|
Step 2 |
tacacs-server host {ipv4-address | ipv6-address | host-name} port tcp-port Example: |
Specifies the TCP port to use for TACACS+ messages to the server. The default TCP port is 49. The range is from 1 to 65535. |
|
Step 3 |
(Optional) show tacacs+ {pending | pending-diff} Example: |
(Optional)
Displays the TACACS+ configuration pending for distribution. |
|
Step 4 |
(Optional) tacacs+ commit Example: |
(Optional)
Applies the TACACS+ configuration changes in the temporary database to the running configuration and distributes TACACS+ configuration to other NX-OS devices if you have enabled CFS configuration distribution for the user role feature. |
|
Step 5 |
exit Example: |
Exits configuration mode. |
|
Step 6 |
(Optional) show tacacs-server Example: |
(Optional)
Displays the TACACS+ server configuration. |
|
Step 7 |
(Optional) copy running-config startup-config Example: |
(Optional)
Copies the running configuration to the startup configuration. |
You can monitor the availability of individual TACACS+ servers. The configuration parameters include the username and password to use for the server and an idle timer. The idle timer specifies the interval in which a TACACS+ server receives no requests before the Cisco NX-OS device sends out a test packet. You can configure this option to test servers periodically, or you can run a one-time only test.
Note |
To protect network security, we recommend that you use a username that is not the same as an existing username in the TACACS+ database. |
Note |
The default idle timer value is 0 minutes. When the idle time interval is 0 minutes, periodic TACACS+ server monitoring is not performed. |
Enable TACACS+.
Add one or more TACACS+ server hosts.
| Command or Action | Purpose | |||
|---|---|---|---|---|
|
Step 1 |
configure terminal Example: |
Enters global configuration mode. |
||
|
Step 2 |
tacacs-server host {ipv4-address | ipv6-address | host-name} test {idle-time minutes | password password [idle-time minutes] | username name [password password [idle-time minutes]]} Example: |
Specifies parameters for individual server monitoring. The default username is test, and the default password is test. The default value for the idle timer is 0 minutes, and the valid range is from 0 to 1440 minutes.
|
||
|
Step 3 |
tacacs-server dead-time minutes Example: |
Specifies the number of minutes before the Cisco NX-OS device checks a TACACS+ server that was previously unresponsive. The default value is 0 minutes, and the valid range is from 0 to 1440 minutes. |
||
|
Step 4 |
exit Example: |
Exits configuration mode. |
||
|
Step 5 |
(Optional) show tacacs-server Example: |
(Optional)
Displays the TACACS+ server configuration. |
||
|
Step 6 |
(Optional) copy running-config startup-config Example: |
(Optional)
Copies the running configuration to the startup configuration. |
You can configure the dead-time interval for all TACACS+ servers. The dead-time interval specifies the time that the Cisco NX-OS device waits, after declaring a TACACS+ server is dead, before sending out a test packet to determine if the server is now alive.
Note |
When the dead-timer interval is 0 minutes, TACACS+ servers are not marked as dead even if they are not responding. You can configure the dead-timer per group. |
Enable TACACS+.
| Command or Action | Purpose | |
|---|---|---|
|
Step 1 |
configure terminal Example: |
Enters global configuration mode. |
|
Step 2 |
tacacs-server deadtime minutes Example: |
Configures the global dead-time interval. The default value is 0 minutes. The range is from 1 to 1440 minutes. |
|
Step 3 |
(Optional) show tacacs+ {pending | pending-diff} Example: |
(Optional)
Displays the pending TACACS+ configuration. |
|
Step 4 |
(Optional) tacacs+ commit Example: |
(Optional)
Applies the TACACS+ configuration changes in the temporary database to the running configuration and distributes TACACS+ configuration to other NX-OS devices if you have enabled CFS configuration distribution for the user role feature. |
|
Step 5 |
exit Example: |
Exits configuration mode. |
|
Step 6 |
(Optional) show tacacs-server Example: |
(Optional)
Displays the TACACS+ server configuration. |
|
Step 7 |
(Optional) copy running-config startup-config Example: |
(Optional)
Copies the running configuration to the startup configuration. |
You can enable ASCII authentication on the TACACS+ server.
Enable TACACS+.
| Command or Action | Purpose | |
|---|---|---|
|
Step 1 |
configure terminal Example: |
Enters global configuration mode. |
|
Step 2 |
aaa authentication login ascii-authentication Example: |
Enables ASCII authentication. The default is disabled. |
|
Step 3 |
(Optional) show tacacs+ {pending | pending-diff} Example: |
(Optional)
Displays the pending TACACS+ configuration. |
|
Step 4 |
(Optional) tacacs+ commit Example: |
(Optional)
Applies the TACACS+ configuration changes in the temporary database to the running configuration and distributes TACACS+ configuration to the other Cisco NX-OS devices if you have enabled CFS configuration distribution for the user role feature. |
|
Step 5 |
exit Example: |
Exits configuration mode. |
|
Step 6 |
(Optional) show tacacs-server Example: |
(Optional)
Displays the TACACS+ server configuration. |
|
Step 7 |
(Optional) copy running-config startup-config Example: |
(Optional)
Copies the running configuration to the startup configuration. |
You can configure authorization for commands on TACACS+ servers.
 Caution |
Command authorization disables user role-based authorization control (RBAC), including the default roles. |
Note |
|
Enable TACACS+.
| Command or Action | Purpose | |
|---|---|---|
|
Step 1 |
configure terminal Example: |
Enters global configuration mode. |
|
Step 2 |
aaa authorization {commands | config-commands} {console | default} Example: |
Configures the command authorization method for specific roles on a TACACS+ server. The commands keyword configures authorization sources for all EXEC commands, and the config-commands keyword configures authorization sources for all configuration commands. The console keyword configures command authorization for a console session, and the default keyword configures command authorization for a non-console session. The group-list argument consists of a space-delimited list of TACACS+ server group names. Servers belonging to this group are contacted for command authorization. The local method uses the local role-based database for authorization. The local method is used only if all the configured server groups fail to respond and you have configured local as the fallback method. The default method is local . If you have not configured a fallback method after the TACACS+ server group method, authorization fails if all server groups fail to respond. If you press Enter at the confirmation prompt, the default action is n. |
|
Step 3 |
(Optional) show tacacs+ {pending | pending-diff} Example: |
(Optional)
Displays the pending TACACS+ configuration. |
|
Step 4 |
(Optional) tacacs+ commit Example: |
(Optional)
Applies the TACACS+ configuration changes in the temporary database to the running configuration and distributes TACACS+ configuration to other Cisco NX-OS devices if you have enabled CFS configuration distribution for the user role feature. |
|
Step 5 |
exit Example: |
Exits global configuration mode. |
|
Step 6 |
(Optional) show aaa authorization [all] Example: |
(Optional)
Displays the AAA authorization configuration. The all keyword displays the default values. |
|
Step 7 |
(Optional) copy running-config startup-config Example: |
(Optional)
Copies the running configuration to the startup configuration. |
You can test the command authorization for a user on the TACACS+ servers.
Note |
You must send correct commands for authorization or else the results may not be reliable. |
Note |
The test command uses the default (non-console) method for authorization, not the console method. |
Enable TACACS+.
Ensure that you have configured command authorization for the TACACS+ servers.
| Command or Action | Purpose | ||
|---|---|---|---|
|
test aaa authorization command-type {commands | config-commands} user username command command-string Example: |
Tests a user's authorization for a command on the TACACS+ servers. The commands keyword specifies only EXEC commands and the config-commands keyword specifies only configuration commands.
|
You can enable and disable command authorization verificaiton on the command-line interface (CLI) for the default user session or for another username.
Note |
The commands do no execute when you enable authorization verification. |
| Command or Action | Purpose | |
|---|---|---|
|
Step 1 |
terminal verify-only [username username] Example: |
Enables command authorization verification. After you enter this command, the Cisco NX-OS software indicates whether the commands you enter are authorized or not. |
|
Step 2 |
terminal no verify-only [username username] Example: |
Disables command authorization verification. |
Only Cisco NX-OS devices that have distribution enabled can participate in the distribution of the TACACS+ configuration changes in the CFS region.
Ensure that CFS distribution is enabled.
| Command or Action | Purpose | |
|---|---|---|
|
Step 1 |
configure terminal Example: |
Enters global configuration mode. |
|
Step 2 |
tacacs+ distribute Example: |
Enables TACACS+ configuration distribution. The default is disabled. |
|
Step 3 |
exit Example: |
Exits configuration mode. |
|
Step 4 |
(Optional) show tacacs+ status Example: |
(Optional)
Displays the TACACS+ CFS distribution configuration. |
|
Step 5 |
(Optional) copy running-config startup-config Example: |
(Optional)
Copies the running configuration to the startup configuration. |
You can apply the TACACS+ global and server configuration stored in the temporary buffer to the running configuration across all Cisco NX-OS devices in the fabric (including the originating device).
Enable TACACS+.
| Command or Action | Purpose | |
|---|---|---|
|
Step 1 |
configure terminal Example: |
Enters global configuration mode. |
|
Step 2 |
(Optional) show tacacs+ {pending | pending-diff} Example: |
(Optional)
Displays the TACACS+ configuration pending for distribution. |
|
Step 3 |
tacacs+ commit Example: |
Applies the TACACS+ configuration changes in the temporary database to the running configuration and distributes the TACACS+ configuration to other Cisco NX-OS devices if you have enabled CFS configuration distribution for the user role feature. |
|
Step 4 |
exit Example: |
Exits configuration mode. |
|
Step 5 |
(Optional) show tacacs+ distribution status Example: |
(Optional)
Displays the TACACS distribution configuration and status. |
|
Step 6 |
(Optional) copy running-config startup-config Example: |
(Optional)
Applies the running configuration to the startup configuration. |
You can discard the temporary database of TACACS+ changes and end the CFS distribution session.
Enable TACACS+.
| Command or Action | Purpose | |
|---|---|---|
|
Step 1 |
configure terminal Example: |
Enters global configuration mode. |
|
Step 2 |
(Optional) show tacacs+ {pending | pending-diff} Example: |
(Optional)
Displays the TACACS+ configuration pending for distribution. |
|
Step 3 |
tacacs+ abort Example: |
Discards the TACACS+ configuration in the temporary storage and ends the session. |
|
Step 4 |
exit Example: |
Exits configuration mode. |
|
Step 5 |
(Optional) show tacacs+ distribution status Example: |
(Optional)
Displays the TACACS distribution configuration and status. |
You can clear an active CFS distribution session and unlock TACACS+ configuration in the network.
Enable TACACS+.
| Command or Action | Purpose | |
|---|---|---|
|
Step 1 |
clear tacacs+ session Example: |
Clears the CFS session for TACACS+ and unlocks the fabric. |
|
Step 2 |
(Optional) show tacacs+ distribution status Example: |
(Optional)
Displays the TACACS distribution configuration and status. |
You can manually issue a test message to a TACACS+ server or to a server group.
Enable TACACS+.
| Command or Action | Purpose | |
|---|---|---|
|
Step 1 |
test aaa server tacacs+ {ipv4-address | ipv6-address | host-name} [vrf vrf-name] username password Example: |
Sends a test message to a TACACS+ server to confirm availability. |
|
Step 2 |
test aaa group group-name username password Example: |
Sends a test message to a TACACS+ server group to confirm availability. |
You can disable TACACS+.
Caution |
When you disable TACACS+, all related configurations are automatically discarded. |
| Command or Action | Purpose | |
|---|---|---|
|
Step 1 |
configure terminal Example: |
Enters global configuration mode. |
|
Step 2 |
no feature tacacs+ Example: |
Disables TACACS+. |
|
Step 3 |
exit Example: |
Exits configuration mode. |
|
Step 4 |
(Optional) copy running-config startup-config Example: |
(Optional)
Copies the running configuration to the startup configuration. |
You can monitor the statistics that the Cisco NX-OS device maintains for TACACS+ server activity.
Configure TACACS+ servers on the Cisco NX-OS device.
| Command or Action | Purpose |
|---|---|
|
show tacacs-server statistics {hostname | ipv4-address | ipv6-address} Example: |
Displays the TACACS+ statistics. |
You can display the statistics that the Cisco NX-OS device maintains for TACACS+ server activity.
Configure TACACS+ servers on the Cisco NX-OS device.
| Command or Action | Purpose | |
|---|---|---|
|
Step 1 |
(Optional) show tacacs-server statistics {hostname | ipv4-address | ipv6-address} Example: |
(Optional)
Displays the TACACS+ server statistics on the Cisco NX-OS device. |
|
Step 2 |
clear tacacs-server statistics {hostname | ipv4-address | ipv6-address} Example: |
Clears the TACACS+ server statistics. |
To display the TACACS+ configuration, perform one of the following tasks:
|
Command |
Purpose |
|---|---|
|
show tacacs+ { status | pending | pending-diff} |
Displays the TACACS+ Cisco Fabric Services distribution status and other details. |
|
show running-config tacacs+ [all] |
Displays the TACACS+ configuration in the running configuration. |
|
show startup-config tacacs |
Displays the TACACS+ configuration in the startup configuration. |
|
show tacacs-server [host-name | ipv4-address | ipv6-address] [directed-request | groups | sorted | statistics] |
Displays all configured TACACS+ server parameters. |
For detailed information about the fields in the output from this command, see the Cisco Nexus 7000 Series NX-OS Security Command Reference.
The following example shows how to configure a TACACS+ server host and server group:
feature tacacs+
tacacs-server key 7 "ToIkLhPpG"
tacacs-server host 10.10.2.2 key 7 "ShMoMhTl"
aaa group server tacacs+ TacServer
server 10.10.2.2
The following example shows how to configure and use command authorization verification:
switch# terminal verify-only
switch# show interface ethernet 7/2 brief
%Success
switch# terminal no verify-only
switch# show interface ethernet 7/2 brief
--------------------------------------------------------------------------------
Ethernet VLAN Type Mode Status Reason Speed Port
Interface Ch #
--------------------------------------------------------------------------------
Eth7/2 1 eth access down SFP not inserted auto(D) --
You can now configure AAA authentication methods to include the server groups.
This section includes additional information related to implementing TACACS+.
| Related Topic |
Document Title |
|---|---|
|
Cisco NX-OS licensing |
Cisco NX-OS Licensing Guide |
|
Command reference |
Cisco Nexus 7000 Series NX-OS Security Command Reference |
|
VRF configuration |
Cisco Nexus 7000 Series NX-OS Unicast Routing Configuration Guide |
|
Standards |
Title |
|---|---|
|
No new or modified standards are supported by this feature, and support for existing standards has not been modified by this feature. |
— |
CISCO-AAA-SERVER-MIB
CISCO-AAA-SERVER-EXT-MIB
This table lists the release history for this feature.
|
Feature Name |
Releases |
Feature Information |
|---|---|---|
|
TACACS+ |
6.2(2) |
Added support for a single TACACS+ connection. |
|
TACACS+ |
6.0(1) |
Added the ability to configure command authorization for a console session. |
Feedback