Cisco NX-OS TACACS+ Setup Guide


Quick post here, nothing much to it. This will be a straightforward guide to NX-OS TACACS+ setup. TACACS+ was developed by Cisco as an extension to TACACS that encrypts the body of every packet, whereas RADIUS encrypts only the password field, which is the main security advantage of TACACS+ for device administration. Using TACACS+ lets you authenticate device-management logins against a TACACS+ server such as ACS or ISE. I will go through the config step by step and explain each part.
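
The packet-body protection mentioned above is specified in RFC 8907, section 4.5, which calls it "obfuscation" rather than encryption: the body is XORed with a pad built from chained MD5 digests of the shared key and the cleartext header fields (session ID, version, sequence number). The script below is an added example, not code from the post, implementing that pad so you can see what the "key 0 ..." secret actually protects; the key, session ID, version byte and body bytes are constructed sample values, and the body is just a byte string standing in for a request body, not a validated TACACS+ message. The practical takeaways for a defender: every header field that feeds the pad travels in the clear, so the shared key is the only secret, and it should be strong, unique per device or site, and reachable only from the management network.

```python
import hashlib
import struct

# Constructed sample values (not taken from the post or from any capture).
SAMPLE_KEY = b"AUTH-KEY-HERE"       # the shared secret configured with "key 0 ..."
SAMPLE_SESSION_ID = 0x1A2B3C4D      # 32-bit session_id carried in the cleartext header
SAMPLE_VERSION = 0xC0               # version byte: major version 0xC, minor version 0
SAMPLE_SEQ_NO = 1                   # first packet of the session
SAMPLE_BODY = b"\x01\x01\x01\x01\x05\x04\x09\x00adminvty1127.0.0.1"


def tacacs_pad(session_id, key, version, seq_no, length):
    """Pseudo-pad from RFC 8907 section 4.5.

    pad_1 = MD5(session_id || key || version || seq_no)
    pad_n = MD5(session_id || key || version || seq_no || pad_(n-1))
    The digests are concatenated and truncated to the body length.
    """
    prefix = struct.pack("!I", session_id) + key + bytes([version, seq_no])
    pad, prev = b"", b""
    while len(pad) < length:
        prev = hashlib.md5(prefix + prev).digest()
        pad += prev
    return pad[:length]


def obfuscate(body, session_id, key, version, seq_no):
    """XOR the body with the pad; applying it twice restores the body."""
    pad = tacacs_pad(session_id, key, version, seq_no, len(body))
    return bytes(b ^ p for b, p in zip(body, pad))


def decodes_with(encode_key, decode_key):
    """True when a body obfuscated under encode_key is recovered using decode_key."""
    wire = obfuscate(SAMPLE_BODY, SAMPLE_SESSION_ID, encode_key, SAMPLE_VERSION, SAMPLE_SEQ_NO)
    back = obfuscate(wire, SAMPLE_SESSION_ID, decode_key, SAMPLE_VERSION, SAMPLE_SEQ_NO)
    return back == SAMPLE_BODY


if __name__ == "__main__":
    wire = obfuscate(SAMPLE_BODY, SAMPLE_SESSION_ID, SAMPLE_KEY, SAMPLE_VERSION, SAMPLE_SEQ_NO)
    print("on the wire:", wire.hex())
    print("same key recovers body:", decodes_with(SAMPLE_KEY, SAMPLE_KEY))
    print("other key recovers body:", decodes_with(SAMPLE_KEY, b"some-other-key"))
```

Because the same XOR is used in both directions, a mismatched key on either side does not produce an error at this layer; the peer simply sees an unreadable body and the exchange fails, which is the usual symptom when the key on the switch and the key on ACS/ISE do not match.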

NX-OS TACACS+ Setup Guide

First you need to set the source interface the device will use to reach the TACACS+ servers. In this case the switch uses its management IP on VLAN 1. This matters because the source IP must match the address the device is registered with on the ACS, ISE, or other TACACS+ server.

ip tacacs source-interface vlan 1

Next you define each TACACS+ server host with its shared key and timeout, then build the server group that lists those hosts and the VRF used to reach them. "key 0" means the key is typed in clear text; NX-OS stores it in encrypted form in the running configuration. The server addresses below are placeholders to replace with your own, and the tacacs+ feature has to be enabled before any of these commands are accepted.

feature tacacs+
tacacs-server host SERVER-1-IP-HERE key 0 AUTH-KEY-HERE timeout 5
tacacs-server host SERVER-2-IP-HERE key 0 AUTH-KEY-HERE timeout 5
aaa group server tacacs+ AUTH_SERVERS
    server SERVER-1-IP-HERE
    server SERVER-2-IP-HERE
    use-vrf default

Next, configure the AAA commands that tell the device to use the TACACS+ server group instead of the local user database. Because TACACS+ separates the process into authentication, authorization, and accounting, there is a command for each. The "local" keyword at the end of the authorization and accounting commands makes the local user database the fallback when no TACACS+ server is reachable. For the default login method, NX-OS provides the same fallback through "aaa authentication login default fallback error local", which is enabled by default; the console line below sets that fallback explicitly for the console.

aaa authentication login default group AUTH_SERVERS
aaa authentication login console fallback error local
aaa authorization config-commands default group AUTH_SERVERS local
aaa authorization commands default group AUTH_SERVERS local
aaa accounting default group AUTH_SERVERS local

Lastly, the following command enables login failure messages, which are disabled by default. With it enabled, a user who ends up authenticated locally because the TACACS+ servers were unreachable is told so at login, which makes an unexpected fallback visible instead of silent.

aaa authentication login error-enable
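
Once this configuration is applied to many switches (from a template, as suggested below), it is worth checking that each device actually carries it. The audit script below is an added example, not code from the post: it parses a running-config excerpt in the layout NX-OS prints and reports the gaps a practitioner most often finds, namely a group member with no matching tacacs-server host entry, a host with no key, a missing local fallback, no source interface, and login failure messages left disabled. The running-config sample is constructed with documentation addresses and a placeholder type-7 key, and deliberately contains two of those gaps.

```python
import re

# Constructed running-config excerpt (documentation addresses, placeholder key),
# laid out the way "show running-config" prints TACACS+ and AAA lines on NX-OS.
# It deliberately contains two gaps for the audit to find.
SAMPLE_RUNNING_CONFIG = """\
feature tacacs+
ip tacacs source-interface vlan 1
tacacs-server host 192.0.2.11 key 7 "placeholder7" timeout 5
tacacs-server host 192.0.2.12 key 7 "placeholder7" timeout 5
aaa group server tacacs+ AUTH_SERVERS
    server 192.0.2.11
    server 192.0.2.12
    server 192.0.2.13
    use-vrf default
aaa authentication login default group AUTH_SERVERS
aaa authentication login console fallback error local
aaa authorization config-commands default group AUTH_SERVERS local
aaa authorization commands default group AUTH_SERVERS local
aaa accounting default group AUTH_SERVERS local
"""

HOST_RE = re.compile(r"^tacacs-server host (\S+)")
GROUP_RE = re.compile(r"^aaa group server tacacs\+ (\S+)")
MEMBER_RE = re.compile(r"^\s+server (\S+)")


def parse_tacacs_config(text):
    """Split the config into host entries, server groups and global commands."""
    hosts = {}        # address -> True when the host line carries a key
    groups = {}       # group name -> list of member addresses
    commands = set()  # global one-line commands, whitespace-normalised
    current_group = None
    for raw in text.splitlines():
        line = raw.rstrip()
        if not line:
            continue
        if current_group is not None and line.startswith(" "):
            m = MEMBER_RE.match(line)
            if m:
                groups[current_group].append(m.group(1))
            continue  # use-vrf, source-interface and similar sub-commands
        current_group = None
        m = HOST_RE.match(line)
        if m:
            hosts[m.group(1)] = " key " in line
            continue
        m = GROUP_RE.match(line)
        if m:
            current_group = m.group(1)
            groups[current_group] = []
            continue
        commands.add(" ".join(line.split()))
    return hosts, groups, commands


def audit_tacacs_config(text):
    """Return a list of findings; an empty list means the config matches the guide."""
    hosts, groups, commands = parse_tacacs_config(text)
    findings = []
    if "feature tacacs+" not in commands:
        findings.append("feature tacacs+ is not enabled")
    if not any(c.startswith("ip tacacs source-interface ") for c in commands):
        findings.append("no ip tacacs source-interface set; the source IP may not match the server")
    for addr, has_key in hosts.items():
        if not has_key:
            findings.append(f"tacacs-server host {addr} has no key")
    for name, members in groups.items():
        if not members:
            findings.append(f"group {name} has no servers")
        for addr in members:
            if addr not in hosts:
                findings.append(f"group {name} lists {addr}, which has no tacacs-server host entry")
    if not any(c.startswith("aaa authentication login default ") and " group " in c
               for c in commands):
        findings.append("login default method does not use a TACACS+ server group")
    for prefix in ("aaa authorization commands default",
                   "aaa authorization config-commands default",
                   "aaa accounting default"):
        matches = [c for c in commands if c.startswith(prefix + " ")]
        if not matches:
            findings.append(f"{prefix} is not configured")
        elif not any(c.endswith(" local") for c in matches):
            findings.append(f"{prefix} has no local fallback")
    if "aaa authentication login error-enable" not in commands:
        findings.append("login failure messages disabled (aaa authentication login error-enable missing)")
    return findings


if __name__ == "__main__":
    for finding in audit_tacacs_config(SAMPLE_RUNNING_CONFIG) or ["no findings"]:
        print("-", finding)
```

Feed it the output of "show running-config" collected from each switch and treat any finding as a deviation from the template; the two gaps planted in the sample (a third server listed in the group but never defined, and error-enable missing) are exactly the kind that pass unnoticed until the primary servers are down.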

That’s all there is to it. With that guide NX-OS TACACS+ setup really isn’t difficult. Keep this guide in mind and perhaps create a template for future device setups.


  1. It is a great article.
    Can you make a TACACS+ architecture communication? And if the TACACS+ server runs on a device with a private IP, can it manage a TACACS+ client running on a device with a public IP?

    • Everything that I’ve tested with this configuration has been mostly on an internal, private IP basis so far. I assume it would work as long as firewalls allowed the traffic. I have run this over Lan2Lan VPN tunnels with no issues as well.

