1980 Views | 0 Helpful | 2 Replies

why is there a TACACS test user configured by default?

Hi

We have a number of different Nexus platforms on different code levels and they all have the following bonus configuration, which only displays when you perform a "show run all" rather than just a "show run," suggesting it's a default, except the host addresses match the configured TACACS server addresses. I've also seen these lines in configuration snippets that others have posted online.

tacacs-server test username test password test idle-time 0

tacacs-server host a.b.c.d test username test password test idle-time 0

tacacs-server host a.b.c.e test username test password test idle-time 0

radius-server test username test password test idle-time 0

So, what are these, why are they in by default and can we remove them?

2 Replies

P7
Level 1

From what I found these are for test packets. TACACS+ server monitoring is performed by sending a test authentication request to the TACACS+ server. Search on the word "test" in this PDF.

https://www.cisco.com/c/en/us/td/docs/switches/datacenter/nexus5000/sw/security/421_n1_1/b_Cisco_n5k_security_config_gd_rel_421_n1_1/Cisco_n5k_security_config_gd_rel_421_n1_1_chapter5.pdf

https://www.cisco.com/c/m/en_us/techdoc/dc/reference/cli/n5k/commands/tacacs-server-host.html

I have also noticed that the line is removed when removing the tacacs server using "no tacacs-server host <IP Address>" and shows up automatically when entering a new server with the "tacacs-server host <IP Address>" command.
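As an added example (not from the thread or from Cisco), here is a small audit script that parses the per-server and global test settings out of "show run all" output of the form quoted above. For each tacacs-server/radius-server test line it reports whether periodic server monitoring is actually on (idle-time greater than 0) and whether the probe still uses the default test/test credentials, which is the pair that would be sent to the AAA server on every probe. The sample configuration, the 192.0.2.x addresses and the "probe-user" account are constructed for the example; the regex assumes the exact line layout shown in the question.

```python
import re
from dataclasses import dataclass
from typing import List, Optional

# Constructed sample of "show run all" output, modelled on the lines quoted in the
# question. Addresses and the probe-user account are placeholders, not real values.
SAMPLE_SHOW_RUN_ALL = """\
tacacs-server test username test password test idle-time 0
tacacs-server host 192.0.2.10 test username test password test idle-time 0
tacacs-server host 192.0.2.11 test username probe-user password s3cret idle-time 5
radius-server test username test password test idle-time 0
"""

# Matches both the global line ("tacacs-server test ...") and the per-host line
# ("tacacs-server host <addr> test ..."); the "host <addr>" part is optional.
TEST_LINE = re.compile(
    r"^(?P<proto>tacacs-server|radius-server)"
    r"(?:\s+host\s+(?P<host>\S+))?"
    r"\s+test\s+username\s+(?P<user>\S+)\s+password\s+(?P<pw>\S+)"
    r"\s+idle-time\s+(?P<idle>\d+)\s*$"
)


@dataclass
class TestSetting:
    proto: str
    host: Optional[str]  # None for the global default line
    username: str
    password: str
    idle_time: int

    @property
    def monitoring_enabled(self) -> bool:
        # idle-time 0 means no periodic test authentication is sent to the server
        return self.idle_time > 0

    @property
    def uses_default_credentials(self) -> bool:
        # "test"/"test" is the default pair that appears in "show run all"
        return self.username == "test" and self.password == "test"


def parse_test_settings(config: str) -> List[TestSetting]:
    """Extract every tacacs-server/radius-server test line from a config dump."""
    settings = []
    for raw in config.splitlines():
        m = TEST_LINE.match(raw.strip())
        if not m:
            continue
        settings.append(
            TestSetting(m["proto"], m["host"], m["user"], m["pw"], int(m["idle"]))
        )
    return settings


def audit(config: str) -> List[str]:
    """One human-readable finding per test line, in config order."""
    findings = []
    for s in parse_test_settings(config):
        where = f"{s.proto} host {s.host}" if s.host else f"{s.proto} (global default)"
        if s.monitoring_enabled and s.uses_default_credentials:
            findings.append(
                f"{where}: monitoring enabled every {s.idle_time} min "
                f"with default test/test credentials"
            )
        elif s.monitoring_enabled:
            findings.append(
                f"{where}: monitoring enabled every {s.idle_time} min "
                f"with custom test user '{s.username}'"
            )
        else:
            findings.append(f"{where}: idle-time 0, no periodic test probes sent")
    return findings


if __name__ == "__main__":
    for line in audit(SAMPLE_SHOW_RUN_ALL):
        print(line)
```

On the sample above the two lines with idle-time 0 are reported as not probing at all, matching the behaviour the reply describes for the default entries, while the 192.0.2.11 entry shows what a deliberately enabled probe with a dedicated test account looks like. Feeding the script the real "show run all" output lets you confirm that no device is sending the default credentials to your TACACS+ servers on a timer.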