12-13-2011 10:20 AM - edited 03-07-2019 03:52 AM
I am working for an Air Force client and am adding a handful of 5548s into their network. My question is how Tacacs+ is configured. My hands are tied in regards to testing in an operational environment so I want to ensure the configs are correct prior to deployment/maintenance window and avoid any remote issues.
I have read the "Cisco Press - TACACS+" config guide and it was somewhat vague in regards to operational deployment.
My basic NX-OS configs are as follows:
- feature tacacs+
- tacacs-server key 7 "002A52xxxxxxxxxxxxxxxx8"
- tacacs-server host 128.xx.xx.xx timeout 10
- tacacs-server host 128.xx.xx.xx timeout 10
- tacacs-server directed-request
When I try to set the following command string, aaa authentication login default group tacacs+ local, the NX-OS asks me to input a "server group name". There are no server groups configured. Do I need them? Can I get by without configuring a group name, because the client probably will not? The Cisco IOS devices are configured with normal aaa authentication/authorization parameters.
Also, do the VTY ports default to sshv2 and the correct tacacs+ parameters with the "transport input ssh" command (not available)?
Any help would be greatly appreciated.
Bryan
12-15-2011 03:58 PM
There should be a "built in" group for tacacs and radius.
The authentication methods include the following:
Global pool of RADIUS servers
Named subset of RADIUS or TACACS+ servers
Local database on the Nexus 5000 Series switch
Username only
The default method is local.
Before you configure default login authentication methods, configure RADIUS or TACACS+ server groups as needed. To configure default login authentication methods, perform this task:
2. switch(config)# aaa authentication login default {group group-list [none] | local | none}
4. (Optional) switch# show aaa authentication
5. (Optional) switch# copy running-config startup-config
12-15-2011 06:36 PM
Build an AAA group and AAA commands as follows:
feature tacacs+
tacacs-server key 7 "002A52xxxxxxxxxxxxxxxx8"
aaa group server tacacs+ AAA-Servers
server [1st server IP]
server [optional - 2nd server IP]
source-interface [svi consistent with your device definition in tacacs server]
aaa authentication login default group AAA-Servers local
aaa authorization config-commands default group AAA-Servers none
aaa authorization commands default group AAA-Servers none
aaa accounting default group AAA-Servers
tacacs-server directed-request
That should get you good to go.
For more details, please refer here.
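Since the original poster cannot test against the live network, a pre-deployment lint of the planned configuration is the check a practitioner would want before the maintenance window. The script below is an added example written for this thread, not code from any of the posters or from Cisco. It parses an NX-OS configuration fragment (the format `show running-config` produces, with group members indented) and flags the problems discussed above: a login method list that names a server group which is never defined with `aaa group server tacacs+` (the question in the first post), group members with no matching `tacacs-server host`, and a login method list with no `local` fallback, which would lock you out if the TACACS+ servers become unreachable. Assumptions: the sample addresses (192.0.2.x), the `Vlan100` source interface and the group name `AAA-Servers` are placeholders; and, conservatively, every group referenced in a method list is required to be explicitly defined, regardless of whether a built-in group exists on a given NX-OS release.

```python
"""Pre-deployment sanity check for an NX-OS TACACS+/AAA configuration fragment.

Added example for this thread; not the posters' own code. It only inspects
text, so it can be run against a planned config long before the change window.
"""

# Constructed sample: the configuration recommended in the thread, with the
# bracketed placeholders filled in with documentation-range addresses and a
# made-up SVI (assumptions, not values from the original posts).
CANDIDATE_CONFIG = """\
feature tacacs+
tacacs-server key 7 "002A52xxxxxxxxxxxxxxxx8"
tacacs-server host 192.0.2.10 timeout 10
tacacs-server host 192.0.2.11 timeout 10
aaa group server tacacs+ AAA-Servers
  server 192.0.2.10
  server 192.0.2.11
  source-interface Vlan100
aaa authentication login default group AAA-Servers local
aaa authorization config-commands default group AAA-Servers none
aaa authorization commands default group AAA-Servers none
aaa accounting default group AAA-Servers
tacacs-server directed-request
"""

# Constructed sample resembling the original poster's situation: no server
# group is defined, the login line names a group that does not exist, and
# there is no local fallback.
BROKEN_CONFIG = """\
feature tacacs+
tacacs-server key 7 "002A52xxxxxxxxxxxxxxxx8"
tacacs-server host 192.0.2.10 timeout 10
aaa authentication login default group AAA-Servers
"""

METHOD_KEYWORDS = {"local", "none"}


def parse_config(text):
    """Extract the TACACS+/AAA facts the checks need from a config fragment.

    Indented lines are attributed to the most recent 'aaa group server tacacs+'
    block, matching how NX-OS prints group members in the running config.
    """
    cfg = {"feature": False, "has_key": False, "hosts": set(),
           "groups": {}, "aaa_lines": []}
    current = None  # name of the tacacs+ group whose members we are inside
    for raw in text.splitlines():
        if not raw.strip() or raw.lstrip().startswith("!"):
            continue
        indented = raw[0] in " \t"
        tokens = raw.split()
        if not indented:
            current = None
        if tokens == ["feature", "tacacs+"]:
            cfg["feature"] = True
        elif tokens[:2] == ["tacacs-server", "host"] and len(tokens) >= 3:
            cfg["hosts"].add(tokens[2])
        elif tokens[:2] == ["tacacs-server", "key"]:
            cfg["has_key"] = True
        elif tokens[:4] == ["aaa", "group", "server", "tacacs+"] and len(tokens) >= 5:
            current = tokens[4]
            cfg["groups"].setdefault(current, [])
        elif indented and current and tokens[0] == "server" and len(tokens) >= 2:
            cfg["groups"][current].append(tokens[1])
        elif tokens[0] == "aaa":
            cfg["aaa_lines"].append(tokens)
    return cfg


def methods_after_group(tokens):
    """Split 'group A B local' into (['A', 'B'], ['local'])."""
    if "group" not in tokens:
        return [], [t for t in tokens if t in METHOD_KEYWORDS]
    names, fallbacks = [], []
    for tok in tokens[tokens.index("group") + 1:]:
        (fallbacks if tok in METHOD_KEYWORDS else names).append(tok)
    return names, fallbacks


def check_aaa(text):
    """Return a list of findings; an empty list means the fragment passes."""
    cfg = parse_config(text)
    findings = []
    if not cfg["feature"]:
        findings.append("'feature tacacs+' is not enabled")
    if not cfg["has_key"]:
        findings.append("no global 'tacacs-server key' configured")
    for name, servers in cfg["groups"].items():
        if not servers:
            findings.append(f"group {name} has no 'server' entries")
        for srv in servers:
            if srv not in cfg["hosts"]:
                findings.append(f"group {name} lists {srv} but there is no "
                                f"'tacacs-server host {srv}'")
    saw_login = False
    for tokens in cfg["aaa_lines"]:
        names, fallbacks = methods_after_group(tokens)
        for name in names:
            if name not in cfg["groups"]:  # conservative: no implicit groups
                findings.append(f"'{' '.join(tokens)}' references undefined "
                                f"server group {name}")
        if tokens[:4] == ["aaa", "authentication", "login", "default"]:
            saw_login = True
            if names and "local" not in fallbacks:
                findings.append("login default method list has no 'local' "
                                "fallback; unreachable TACACS+ servers would "
                                "lock you out of the switch")
    if not saw_login:
        findings.append("no 'aaa authentication login default' line; "
                        "NX-OS will use the local database only")
    return findings


if __name__ == "__main__":
    for label, cfg_text in (("candidate", CANDIDATE_CONFIG), ("broken", BROKEN_CONFIG)):
        print(f"{label}: {check_aaa(cfg_text) or 'OK'}")
```

Run it against the text you intend to paste into the 5548s; the candidate configuration from the answer above passes, while the original post's variant is flagged for both the undefined group and the missing `local` fallback. The `none` fallback on the authorization lines is deliberate in the answer and is left alone by the checker.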
12-15-2011 06:44 PM
Also, your second question is answered here as follows:
Cisco NX-OS Software defaults to SSHv2 with a 1024 bit RSA key. The SSH key can be modified to a DSA/RSA key up to 2048 bits to increase security.