Cisco NX-OS TACACS+ Setup Guide

Quick post here, nothing much to it. This will be a straightforward guide to NX-OS TACACS+ setup. TACACS+ was developed by Cisco as an extension to TACACS that fully encrypts each packet, which gives it a security advantage over RADIUS authentication. Using TACACS+ lets you point device management authentication at a TACACS+-enabled server such as ACS or ISE. I will go through the config step by step and explain each part.

NX-OS TACACS+ Setup Guide

First you need to set the source interface the device will communicate from (the TACACS+ feature has to be enabled first, or the tacacs commands are not accepted). In this case, the switch is using its management IP on VLAN 1. This is important because the IP the device sources from is the one you have to register on the ACS, ISE, or other TACACS+ server.

feature tacacs+
ip tacacs source-interface vlan 1

Next you have to set up your TACACS+ server group, which contains the IP addresses of your TACACS+ servers. Then you need to specify the shared key for each server; key 0 means the key is entered in cleartext on the command line.

aaa group server tacacs+ AUTH_SERVERS
    server 10.0.0.5
    server 10.0.0.6
    use-vrf default
tacacs-server host 10.0.0.5 key 0 AUTH-KEY-HERE timeout 5
tacacs-server host 10.0.0.6 key 0 AUTH-KEY-HERE timeout 5

Next, you have to configure the actual AAA commands that tell the device to use the TACACS+ server group for authentication instead of, for instance, the local user database. Since TACACS+ breaks the process down into three parts (authentication, authorization, and accounting), you will see commands for each. The “local” option in each command below makes the device fall back to the local user database if the TACACS+ servers are not reachable.

aaa authentication login default group AUTH_SERVERS local
aaa authentication login console fallback error local
aaa authorization config-commands default group AUTH_SERVERS local
aaa authorization commands default group AUTH_SERVERS local
aaa accounting default group AUTH_SERVERS local

Lastly, the following command enables login failure messages. By default, this is disabled. Something to keep in mind.

aaa authentication login error-enable
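As an added example (my own, not part of the original post), here is a small Python audit that reads a running-config fragment and lists which of the controls from this guide are missing, which is a handy check for the templates the post suggests. The config text is constructed for illustration with a placeholder key; the console fallback is not checked because it is an NX-OS default.

```python
import re
# Constructed running-config (not from a real device): the guide's setup minus two controls.
CONSTRUCTED_CONFIG = """\
feature tacacs+
ip tacacs source-interface vlan 1
aaa group server tacacs+ AUTH_SERVERS
    server 10.0.0.5
    server 10.0.0.6
tacacs-server host 10.0.0.5 key 7 KEY-PLACEHOLDER timeout 5
tacacs-server host 10.0.0.6 key 7 KEY-PLACEHOLDER timeout 5
aaa authentication login default group AUTH_SERVERS local
aaa authorization config-commands default group AUTH_SERVERS local
aaa accounting default group AUTH_SERVERS local
"""

def parse_server_groups(lines):
    """Map each 'aaa group server tacacs+' name to its list of member servers."""
    groups, current = {}, None
    for line in lines:
        match = re.match(r"aaa group server tacacs\+ (\S+)$", line)
        if match:
            current = match.group(1)
            groups[current] = []
        elif current and line.startswith("    server "):
            groups[current].append(line.split()[1])
        elif not line.startswith("    "):
            current = None  # an unindented line ends the group sub-mode
    return groups

def audit_tacacs(config):
    """Return the names of the guide's controls that are absent from config."""
    lines = [line.rstrip() for line in config.splitlines()]
    groups = parse_server_groups(lines)
    # Servers that were given a shared key with 'tacacs-server host <ip> ... key ...'
    keyed = set(re.findall(r"^tacacs-server host (\S+) .*\bkey ", config, re.M))
    has = lambda prefix: any(line.startswith(prefix) for line in lines)
    checks = {
        "feature-enabled": "feature tacacs+" in lines,
        "source-interface": has("ip tacacs source-interface "),
        "redundant-servers": any(len(m) >= 2 for m in groups.values()),
        "every-server-has-key": bool(groups) and all(s in keyed for m in groups.values() for s in m),
        "login-uses-defined-group": any(re.match(
            rf"aaa authentication login default group {re.escape(g)}(\s|$)", line)
            for line in lines for g in groups),
        "command-authorization": has("aaa authorization commands default group "),
        "config-command-authorization": has("aaa authorization config-commands default group "),
        "accounting": has("aaa accounting default group "),
        "login-error-messages": "aaa authentication login error-enable" in lines,
    }
    return [name for name, ok in checks.items() if not ok]
```

Running audit_tacacs(CONSTRUCTED_CONFIG) reports the two controls left out of the sample: command authorization and login failure messages.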

That’s all there is to it. With that guide NX-OS TACACS+ setup really isn’t difficult. Keep this guide in mind and perhaps create a template for future device setups.

Kevin Blackburn

Cisco CCNP, Senior Network Engineer in the Healthcare Industry. Currently working on my CCIE R&S which is the focus of most of my latest blog posts. #NFD15 Delegate.

2 thoughts on “Cisco NX-OS TACACS+ Setup Guide”

  • July 10, 2017 at 5:38 pm

    It is a great article.
    Can you make a TACACS+ architecture communication diagram? And if the TACACS+ server runs on a device with a private IP, can it manage a TACACS+ client running on a device with a public IP?

    • Kevin
      July 12, 2017 at 4:56 pm

      Everything that I’ve tested with this configuration has been mostly on an internal, private IP basis so far. I assume it would work as long as firewalls allowed the traffic. I have run this over Lan2Lan VPN tunnels with no issues as well.
