Configure TACACS+ Access on Nexus 7K

The Request:

Two new Nexus 7Ks have been installed at one of my client’s data centers. Management connectivity was brought up to the data center core and verified. I was given console access and told to configure TACACS+1 authentication and authorization on the F2 VDC2.

The Solution:

Configuring TACACS+ on the Nexus 7K is totally different than on IOS and even different than on the Nexus 5K equipment. It also requires a certain order of operations and there is one solid “gotcha” that most people run into. But, knowing these going in will make this a painless procedure. The first thing to remember is that you MUST enter the TACACS+ server key UNENCRYPTED. Most templates within many organizations I work with keep the TACACS+ key in its encrypted format within template documents. Entering it into a Nexus 7K in this format WILL NOT WORK. Been there…done that… First you will need to make sure the TACACS+ feature in enabled on the NEXUS 7K by entering the following command:

config
feature tacacs+

Now you will need to decide how to configure your TACACS+ server keys. You can either configure a global key for all servers or on a per-server basis: Global Key:

tacacs-server key 0 TESTKEY

Per-Server Key:

tacacs-server host X.X.X.X key 0 TESTKEY

Now you will need to list all of your TACACS+ hosts. Previously I showed you how to enter a host with a per-server key. If you use a global key you will use this command:

tacacs-server host X.X.X.X

Now we need to configure a TACACS+ group to use for authentication, authorization, accounting, etc. Here is an example:

aaa group server tacacs+ TESTNAME
    server X.X.X.X
    server X.X.X.X
    server X.X.X.X
    use-vrf VRFNAME

The servers you enter into the group must first be defined as tacacs-server hosts as shown in the previous configuration . If you know this fact going in it is a huge time saver! It is also recommended that you configure the VRF that you would like to use for TACACS+ access. If you have no VRFs configured just use the following code to use the default VRF:

use-vrf default

Now you want to tell the Nexus 7K where to source the request from. For example if you were to use VLAN 2 for the TACACS+ source interface you would use the following code:

ip tacacs source-interface vlan 2

Some organizations also like to use directed requests to allow certain groups point their logins toward certain authentication servers outside of the standard group configuration. The command that allows this to happen is:

tacacs-server directed-request

After all of this has been configured you are ready to add your authentication strings and test. I always recommend ensuring authentication works before configuring anything further, especially authorization as it can definitely slow down the process. The aaa string you need to enter is as follows:

aaa authentication login default group TESTNAME

Now you can test using the following command:

test aaa group TESTNAME username password

This will allow you to verify TACACS+ is working properly. Once this is confirmed you can move on to the authorization and accounting configuration:

aaa authentication login console group TESTNAME
aaa authorization commands default group TESTNAME
aaa accounting default group TESTNAME
aaa authentication login error-enable

I have included the full config below. If commands are entered in this order you will be good to go!

config
feature tacacs+
tacacs-server key 0 TESTKEY
tacacs-server host X.X.X.X
tacacs-server host X.X.X.X
tacacs-server host X.X.X.X
aaa group server tacacs+ TESTNAME
    server X.X.X.X
    server X.X.X.X
    server X.X.X.X
    use-vrf VRFNAME
ip tacacs source-interface vlan 2
tacacs-server directed-request
aaa authentication login default group TESTNAME
aaa authentication login console group TESTNAME
aaa authorization commands default group TESTNAME
aaa accounting default group TESTNAME
aaa authentication login error-enable

Conclusion:

I had a selfish motive for writing this post…I was tired of join through it over and over again. If the order of operations is followed properly, and the gotchas are avoided, this can be a fun and painless procedure. I hope this helps everyone and if you have any questions or improvements just let me know!

THANKS!

I would like to say a quick thank you to the following references while I was working through this:


  1. Terminal Access Controller Access-Control System Plus [return]
  2. Virtual Device Context [return]

Comments

Ahmed
Monday, Dec 1, 2014

Thank You sir! Thank you so much! iam sitting at a DATACENTER right now and your blog helped me on the FLY!! May God bless you :)

Kevin
Wednesday, Jan 27, 2016

Best guide I’ve found yet for TACACS on the N7K’s. Thanks!

Milan
Tuesday, Feb 23, 2016

Perfect, you saved my time :)

styler
Thursday, Sep 8, 2016

It was really great and helpful doc… Great writeup…

If it is possible could you please let me know “How to setup local credential as backup procedure in case of TACACS failure”.

Verlo
Friday, Oct 28, 2016

This document just saved my Friday, I’m leaving early today.

Commands order worked flawlessly.

Dan
Friday, Oct 28, 2016

Glad they worked for you! Have a great weekend!

Say something

Send me an email when someone comments on this post.

Thank you

Your post has been submitted and will be published once it has been approved.

Click here to see the pull request you generated.

OK

OOPS!

Your post has not been submitted. Please return to the page and try again. Thank You!

OK