12-13-2011 10:19 AM
I am working for an Air Force client and am adding a handful of 5548s into their network. My question is how Tacacs+ is configured. My hands are tied in regards to testing in an operational environment so I want to ensure the configs are correct prior to deployment/maintenance window and avoid any remote issues.
I have read the "Cisco Press - TACACS+" config guide and it was somewhat vague in regards to operational deployment.
My basic NX-OS configs are as follows:
- feature tacacs+
- tacacs-server key 7 "002A52xxxxxxxxxxxxxxxx8"
- tacacs-server host 128.xx.xx.xx timeout 10
- tacacs-server host 128.xx.xx.xx timeout 10
- tacacs-server directed-request
When I try to set the following command string, aaa authentication login default group tacacs+ local, NX-OS asks me to input a "server group name". There are no server groups configured. Do I need them? Can I get by without configuring a group name, because the client probably will not? The Cisco IOS devices are configured with normal aaa authentication/authorization parameters.
Also, do the VTY ports default to sshv2 and the correct tacacs+ parameters with the "transport input ssh" command (not available)?
Any help would be greatly appreciated.
Bryan
12-16-2011 09:19 PM
Bryan,
Try these commands:
feature tacacs+
ip tacacs source-interface mgmt0
tacacs-server host
tacacs-server host
aaa group server tacacs+ AAA-Servers
server
server
aaa authentication login default group AAA-Servers
aaa authorization config-commands default group AAA-Servers
aaa authorization commands default group AAA-Servers
aaa accounting default group AAA-Servers
As for your other question, yes, I believe the VTYs default to SSH.
HTH!
-Chris
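Because the original poster cannot test in the operational network, a pre-deployment sanity check of the AAA snippet is useful. The script below is an added example, not code from the thread or from Cisco: it parses an NX-OS-style TACACS+ snippet modelled on the commands above and flags the exact pitfall discussed (an aaa line that names a server group never defined with "aaa group server tacacs+", as in the poster's "group tacacs+" attempt), a group member with no matching "tacacs-server host", and a login line with no "local" fallback. The sample configs, the addresses (RFC 5737 documentation range), the key placeholder and the group name AAA-Servers are all constructed for the example.

```python
"""Offline sanity checker for NX-OS TACACS+ AAA snippets (added example)."""
import re
from dataclasses import dataclass, field
from typing import Dict, List, Set

# Constructed config modelled on the reply above; addresses and key are placeholders.
SAMPLE_OK = """\
feature tacacs+
ip tacacs source-interface mgmt0
tacacs-server key 7 "<encrypted-key-placeholder>"
tacacs-server host 192.0.2.10 timeout 10
tacacs-server host 192.0.2.11 timeout 10
aaa group server tacacs+ AAA-Servers
  server 192.0.2.10
  server 192.0.2.11
aaa authentication login default group AAA-Servers local
aaa authorization config-commands default group AAA-Servers
aaa authorization commands default group AAA-Servers
aaa accounting default group AAA-Servers
"""

# Constructed version of the original poster's attempt: 'group tacacs+' names
# no server group defined with 'aaa group server tacacs+'.
SAMPLE_NO_GROUP = """\
feature tacacs+
tacacs-server key 7 "<encrypted-key-placeholder>"
tacacs-server host 192.0.2.10 timeout 10
aaa authentication login default group tacacs+ local
"""


@dataclass
class AaaConfig:
    features: Set[str] = field(default_factory=set)
    hosts: Set[str] = field(default_factory=set)
    groups: Dict[str, List[str]] = field(default_factory=dict)
    aaa_lines: List[str] = field(default_factory=list)


def parse_config(text: str) -> AaaConfig:
    """Collect enabled features, TACACS+ hosts, server groups and 'aaa' lines."""
    cfg = AaaConfig()
    current_group = None
    for raw in text.splitlines():
        if not raw.strip():
            continue
        indented = raw[0] in " \t"
        line = raw.strip()
        # Indented 'server' lines belong to the group opened just above them.
        if current_group is not None and indented:
            m = re.match(r"server\s+(\S+)", line)
            if m:
                cfg.groups[current_group].append(m.group(1))
            continue
        current_group = None
        m = re.match(r"feature\s+(\S+)", line)
        if m:
            cfg.features.add(m.group(1))
            continue
        m = re.match(r"tacacs-server\s+host\s+(\S+)", line)
        if m:
            cfg.hosts.add(m.group(1))
            continue
        m = re.match(r"aaa\s+group\s+server\s+tacacs\+\s+(\S+)", line)
        if m:
            current_group = m.group(1)
            cfg.groups.setdefault(current_group, [])
            continue
        if line.startswith("aaa "):
            cfg.aaa_lines.append(line)
    return cfg


def check_aaa(text: str) -> List[str]:
    """Return findings for the snippet; an empty list means it passed every check."""
    cfg = parse_config(text)
    findings: List[str] = []
    if "tacacs+" not in cfg.features:
        findings.append("ERROR: 'feature tacacs+' is not enabled")
    if not cfg.hosts:
        findings.append("ERROR: no 'tacacs-server host' configured")
    for name, servers in cfg.groups.items():
        if not servers:
            findings.append(f"ERROR: server group {name} lists no servers")
        for srv in servers:
            if srv not in cfg.hosts:
                findings.append(f"ERROR: group {name} lists {srv}, which has no 'tacacs-server host' entry")
    for line in cfg.aaa_lines:
        m = re.search(r"\bgroup\s+(\S+)", line)
        if m and m.group(1) not in cfg.groups:
            findings.append(f"ERROR: '{line}' names group {m.group(1)}, not defined with 'aaa group server tacacs+'")
        if line.startswith("aaa authentication login") and line.split()[-1] != "local":
            findings.append(f"WARN: '{line}' has no 'local' fallback; decide deliberately how login behaves when no TACACS+ server answers")
    return findings


if __name__ == "__main__":
    for label, snippet in (("good", SAMPLE_OK), ("no-group", SAMPLE_NO_GROUP)):
        print(label, check_aaa(snippet) or "OK")
```

Run it against a candidate snippet before the maintenance window; the "no-group" sample reproduces the prompt the poster hit, and the "good" sample passes. The checker only models the relationships visible in this thread (feature, hosts, group membership, group references, local fallback), so it is a lint, not a substitute for a lab test.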
12-19-2011 09:48 AM
Thanks Chris! I know it was a basic question but just wanted some reinforcement.
Much appreciated!
Bryan
09-05-2012 01:18 PM
Bryan;
Have you experienced any aaa command authorization issues on the Nexus 5596s? We can authenticate to the TACACS server using TACACS+, but for some reason we cannot autocomplete commands, or even have any admin rights on the box. I know that there is no problem on the TACACS server because the 7Ks work fine using the same TACACS server group profile. IOS devices also work with the same profile.