Cisco Nexus 5548 Tacacs+ configuration question

BryanPMiller (Level 1)

I am working for an Air Force client and am adding a handful of 5548s into their network.  My question is how Tacacs+ is configured.  My hands are tied in regards to testing in an operational environment so I want to ensure the configs are correct prior to deployment/maintenance window and avoid any remote issues.

I have read the "Cisco Press - TACACS+" config guide and it was somewhat vague in regards to operational deployment.


My basic NX-OS configs are as follows:

- feature tacacs+
- tacacs-server key 7 "002A52xxxxxxxxxxxxxxxx8"
- tacacs-server host 128.xx.xx.xx timeout 10
- tacacs-server host 128.xx.xx.xx timeout 10
- tacacs-server directed-request

When I try to set the following command string, aaa authentication login default group tacacs+ local, the NX-OS asks me to input a "server group name".  There are no server groups configured.  Do I need them? Can I get by without configuring a group name, because the client probably will not? The Cisco IOS devices are configured with normal aaa authentication/authorization parameters.

Also, do the VTY ports default to sshv2 and the correct tacacs+ parameters with the "transport input ssh" command (not available)?

Any help would be greatly appreciated.

Bryan

Accepted Solution

cflory (Level 1)

Bryan,

Try these commands:

feature tacacs+
ip tacacs source-interface mgmt0
tacacs-server host key
tacacs-server host key
aaa group server tacacs+ AAA-Servers
    server
    server
aaa authentication login default group AAA-Servers
aaa authorization config-commands default group AAA-Servers
aaa authorization commands default group AAA-Servers
aaa accounting default group AAA-Servers

As for your other question, yes, I believe the VTYs default to SSH.

HTH!

-Chris
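Since Bryan wants to validate the stanza before the maintenance window rather than on the live box, here is an offline check for the shape Chris describes: a named server group, every group member declared as a tacacs-server host, and each aaa method list pointing at a group that actually exists (so a bare "group tacacs+" is flagged, which is the prompt NX-OS gave Bryan). This is an added example, not code from the thread or from Cisco; the sample addresses and key are constructed placeholders, and the rule requiring a trailing "local" fallback on the login list is this example's own assumption.

```python
import re
# Constructed sample (not the thread's real values): documentation-range
# addresses, a placeholder key, the layout from the accepted answer, and
# the trailing "local" fallback keyword from Bryan's original attempt.
SAMPLE_CONFIG = """\
feature tacacs+
ip tacacs source-interface mgmt0
tacacs-server host 192.0.2.10 key 7 PLACEHOLDER
tacacs-server host 192.0.2.11 key 7 PLACEHOLDER
aaa group server tacacs+ AAA-Servers
    server 192.0.2.10
    server 192.0.2.11
aaa authentication login default group AAA-Servers local
aaa authorization config-commands default group AAA-Servers
aaa authorization commands default group AAA-Servers
aaa accounting default group AAA-Servers
"""

def lint_nxos_tacacs(config):
    # Returns a list of findings; an empty list means the config passes
    lines = [l.rstrip() for l in config.splitlines() if l.strip()]
    findings = []
    if "feature tacacs+" not in lines:
        findings.append("feature tacacs+ is not enabled")
    # Globally declared hosts, then each group's indented "server" members
    hosts = {m.group(1) for l in lines
             if (m := re.match(r"tacacs-server host (\S+)", l))}
    groups, current = {}, None
    for l in lines:
        if m := re.match(r"aaa group server tacacs\+ (\S+)", l):
            current, groups[m.group(1)] = m.group(1), []
        elif current and (m := re.match(r"\s+server (\S+)", l)):
            groups[current].append(m.group(1))
        elif not l.startswith(" "):
            current = None
    for name, servers in groups.items():
        for s in servers:
            if s not in hosts:
                findings.append(f"group {name} lists {s} without a tacacs-server host entry")
    # NX-OS wants a named group here: a bare "group tacacs+" is undefined
    for l in lines:
        if m := re.match(r"aaa (authentication|authorization|accounting) .*group (\S+)", l):
            if m.group(2) not in groups:
                findings.append(f"'{l}' references undefined group {m.group(2)}")
    login = [l for l in lines if l.startswith("aaa authentication login default")]
    if not login:
        findings.append("no aaa authentication login default method list")
    elif login[0].split()[-1] != "local":  # assumed desired: no lockout on TACACS+ outage
        findings.append("login default list lacks trailing 'local' fallback")
    return findings
```

Run it over the candidate config text pulled from your change request; any finding is something to fix before the window, not after.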


Thanks Chris!  I know it was a basic question but just wanted some reinforcement.

Much appreciated!

Bryan

Bryan,

Have you experienced any aaa command authorization issues on the Nexus 5596s? We can authenticate to the TACACS server using TACACS+, but for some reason we cannot autocomplete commands, or even have any admin rights on the box. I know that there is no problem on the TACACS server because the 7Ks work fine using the same TACACS server group profile. IOS devices also work with the same profile.