Cisco Support Community
cancel
Showing results for 
Search instead for 
Did you mean: 
New Member

Cisco Nexus 5548 Tacacs+ configuration question -

I am working for an Air Force client and am adding a handful of 5548s into their network.  My question is how Tacacs+ is configured.  My hands are tied in regards to testing in an operational environment so I want to ensure the configs are correct prior to deployment/maintenance window and avoid any remote issues.

I have read the "Cisco Press - TACACS+" config guide and it was somewhat vague in regards to operational deployment.


My basic NX-OS configs are as follows:

- feature tacacs+
- tacacs-server key 7 "002A52xxxxxxxxxxxxxxxx8"
- tacacs-server host 128.xx.xx.xx timeout 10
- tacacs-server host 128.xx.xx.xx timeout 10
- tacacs-server directed-request

When I try to set the following command string, aaa authentication login default group tacacs+ local, the NX-OS asks me the input a "server group name".  There are no server groups configured.  Do I need them? Can I get by without configuring a group name because the client probably will not. The Cisco IOS devices are configured with normal aaa authentication/authorization parameters.

Also, do the VTY ports default to sshv2 and the correct tacacs+ parameters with the "transport input ssh" command (not available)?

Any help would be greatly aprreciated.

Bryan

Everyone's tags (3)
1 ACCEPTED SOLUTION

Accepted Solutions
Bronze

Cisco Nexus 5548 Tacacs+ configuration question -

Bryan,

Try these commands:

feature tacacs+

ip tacacs source-interface mgmt0

tacacs-server host key

tacacs-server host key

aaa group server tacacs+ AAA-Servers

    server

    server

aaa authentication login default group AAA-Servers

aaa authorization config-commands default group AAA-Servers

aaa authorization commands default group AAA-Servers

aaa accounting default group AAA-Servers

As for your other question, yes, I believe the VTY's default to SSH.

HTH!

-Chris

3 REPLIES
Bronze

Cisco Nexus 5548 Tacacs+ configuration question -

Bryan,

Try these commands:

feature tacacs+

ip tacacs source-interface mgmt0

tacacs-server host key

tacacs-server host key

aaa group server tacacs+ AAA-Servers

    server

    server

aaa authentication login default group AAA-Servers

aaa authorization config-commands default group AAA-Servers

aaa authorization commands default group AAA-Servers

aaa accounting default group AAA-Servers

As for your other question, yes, I believe the VTY's default to SSH.

HTH!

-Chris

New Member

Cisco Nexus 5548 Tacacs+ configuration question -

Thanks Chris!  I know is was a basic question but just wanted some reinforcement. 

Much appreciated!

Bryan

New Member

Cisco Nexus 5548 Tacacs+ configuration question -

Bryan;

Have you experienced any aaa command authorization issues on the Nexus 5596s. We can authenticate to the TACACS server using TACACS+, but for some reason we cannot autocomplete commands, or even have any admin rights on the box. I know that there is no problem on the TACACS server because the 7Ks work fine using the same TACACS server group profile. IOS devices also work with the same profile.

3554
Views
0
Helpful
3
Replies
CreatePlease to create content