Nexus 5548 TACACS+ config question?

BryanPMiller
Level 1

I am working for an Air Force client and am adding a handful of 5548s into their network.  My question is how Tacacs+ is configured.  My hands are tied in regards to testing in an operational environment so I want to ensure the configs are correct prior to deployment/maintenance window and avoid any remote issues.

I have read the "Cisco Press - TACACS+" config guide and it was somewhat vague in regards to operational deployment.


My basic NX-OS configs are as follows:

- feature tacacs+
- tacacs-server key 7 "002A52xxxxxxxxxxxxxxxx8"
- tacacs-server host 128.xx.xx.xx timeout 10
- tacacs-server host 128.xx.xx.xx timeout 10
- tacacs-server directed-request

When I try to set the following command string, aaa authentication login default group tacacs+ local, the NX-OS asks me to input a "server group name".  There are no server groups configured.  Do I need them? Can I get by without configuring a group name, because the client probably will not? The Cisco IOS devices are configured with normal aaa authentication/authorization parameters.

Also, do the VTY ports default to sshv2 and the correct tacacs+ parameters with the "transport input ssh" command (not available)?

Any help would be greatly appreciated.

Bryan

3 Replies

vmiller
Level 7

There should be a "built in" group for tacacs and radius.

Configuring Default Login Authentication Methods

The authentication methods include the following:


  • Global pool of RADIUS servers

  • Named subset of RADIUS or TACACS+ servers

  • Local database on the Nexus 5000 Series switch

  • Username only

The default method is local.

Before you configure default login authentication methods, configure RADIUS or TACACS+ server groups as needed. To configure default login authentication methods, perform this task:

SUMMARY STEPS

1. switch# configure terminal

2. switch(config)# aaa authentication login default {group group-list [none] | local | none}

3. switch(config)# exit

4. (Optional) switch# show aaa authentication

5. (Optional) switch# copy running-config startup-config

DETAILED STEPS

Step 1: switch# configure terminal

Purpose: Enters configuration mode.

Step 2: switch(config)# aaa authentication login default {group group-list [none] | local | none}

Purpose: Configures the default authentication methods.

The group-list argument consists of a space-delimited list of group names. The group names are the following:

  • radius —Uses the global pool of RADIUS servers for authentication.

  • named-group —Uses a named subset of TACACS+ or RADIUS servers for authentication.

The local method uses the local database for authentication. The none method uses the username only.

The default login method is local, which is used when no methods are configured or when all of the configured methods do not respond.

 

Marvin Rhoads
Hall of Fame

Build an aaa group and aaa commands as follows:

feature tacacs+
tacacs-server key 7 "002A52xxxxxxxxxxxxxxxx8"
aaa group server tacacs+ AAA-Servers
    server [1st server IP]
    server [optional - 2nd server IP]
    source-interface [svi consistent with your device definition in tacacs server]
aaa authentication login default group AAA-Servers local
aaa authorization config-commands default group AAA-Servers none
aaa authorization commands default group AAA-Servers none
aaa accounting default group AAA-Servers
tacacs-server directed-request

That should get you good to go.

For more details, please refer here.
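Since the original poster cannot test against the live network, here is an added pre-deployment sanity check (example code written for this page, not from any poster or from Cisco) that parses an NX-OS AAA snippet in the shape shown above and flags the problems this thread touches on: a method list naming a server group that is never defined, a group whose servers have no matching tacacs-server host, and a login method list with no local fallback. The sample config, its 192.0.2.x addresses and the Vlan10 source interface are constructed placeholders.

```python
import re

# Constructed sample config mirroring the group/method layout in the reply above.
# Addresses are RFC 5737 documentation space, not real servers.
SAMPLE_CONFIG = """\
feature tacacs+
tacacs-server key 7 "002A52xxxxxxxxxxxxxxxx8"
tacacs-server host 192.0.2.10 timeout 10
tacacs-server host 192.0.2.11 timeout 10
aaa group server tacacs+ AAA-Servers
    server 192.0.2.10
    server 192.0.2.11
    source-interface Vlan10
aaa authentication login default group AAA-Servers local
aaa authorization config-commands default group AAA-Servers none
aaa authorization commands default group AAA-Servers none
aaa accounting default group AAA-Servers
tacacs-server directed-request
"""

def parse_groups(config):
    """Return {group_name: [server addresses]} from 'aaa group server tacacs+' blocks."""
    groups, current = {}, None
    for line in config.splitlines():
        m = re.match(r"aaa group server tacacs\+ (\S+)", line)
        if m:
            current = m.group(1)
            groups[current] = []
        elif line.startswith((" ", "\t")) and current:
            parts = line.split()
            if parts and parts[0] == "server":
                groups[current].append(parts[1])
        else:
            current = None  # any non-indented line ends the group block
    return groups

def lint_aaa(config):
    """Return a list of findings; an empty list means every check passed."""
    findings, groups = [], parse_groups(config)
    hosts = set(re.findall(r"^tacacs-server host (\S+)", config, re.M))
    if "feature tacacs+" not in config.splitlines():
        findings.append("feature tacacs+ is not enabled")
    if not re.search(r"^tacacs-server key ", config, re.M):
        findings.append("no global tacacs-server key configured")
    for name, servers in groups.items():
        if not servers:
            findings.append(f"group {name} has no servers")
        for s in servers:
            if s not in hosts:
                findings.append(f"group {name} lists {s} but no 'tacacs-server host {s}' exists")
    # Every method list must reference a defined group; login must keep local fallback.
    for m in re.finditer(r"^aaa (authentication login|authorization \S+|accounting) default (.+)$", config, re.M):
        kind, methods = m.group(1), m.group(2).split()
        for i, tok in enumerate(methods):
            if tok == "group" and i + 1 < len(methods) and methods[i + 1] not in groups:
                findings.append(f"{kind} references undefined group {methods[i + 1]}")
        if kind == "authentication login" and "local" not in methods:
            findings.append("login authentication has no 'local' fallback; lockout risk if TACACS+ is unreachable")
    return findings
```

Run lint_aaa() over the intended running-config text before the maintenance window; a non-empty result points at the exact line to fix.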

Marvin Rhoads
Hall of Fame

Also, your second question is answered here as follows:

Cisco NX-OS Software defaults to SSHv2 with a 1024 bit RSA key.  The SSH key can be modified to a DSA/RSA key up to 2048 bits to increase security.
