Solved: Smart Card Authentication PKI - NX-OS Device TACACS+ On ISE 2.7

Roger3 · ‎01-06-2022

Is there a definitive guide for configuring smart card authentication on NX-OS devices that use TACACS+ on ISE?

I found this white paper for IOS-XE but NX-OS is significantly different.

Arne Bier · ‎01-19-2022

The tacacs+ config for NXOS is pretty straightforward and easily done. The harder part was the ssh/crypto stuff. Once NXOS has extracted the username from the cert, the “aaa authentication…” and “aaa authorisation…” commands are needed to perform the aaa tasks to the tacacs+ servers.

The Prescriptive Guide is very good -there is a section specific to Nexus.

(https://community.cisco.com/t5/security-documents/cisco-ise-device-administration-prescriptive-deployment-guide/ta-p/3738365)

View solution in original post

Arne Bier · ‎01-11-2022

Hello

It's a great question.

Have you tried this method?

Roger3 · ‎01-18-2022

Hello Arne,

I found that before I posted this. I don't want to have to configure local users on every switch. Is there a way to configure this with TACACS+?

Roger

Arne Bier · ‎01-19-2022

The tacacs+ config for NXOS is pretty straightforward and easily done. The harder part was the ssh/crypto stuff. Once NXOS has extracted the username from the cert, the “aaa authentication…” and “aaa authorisation…” commands are needed to perform the aaa tasks to the tacacs+ servers.

The Prescriptive Guide is very good -there is a section specific to Nexus.

(https://community.cisco.com/t5/security-documents/cisco-ise-device-administration-prescriptive-deployment-guide/ta-p/3738365)