The Request:
Two new Nexus 7Ks have been installed at one of my client’s data centers. Management connectivity was brought up to the data center core and verified. I was given console access and told to configure TACACS+ authentication and authorization on the F2 VDC.
The Solution:
Configuring TACACS+ on the Nexus 7K is totally different than on IOS, and even different than on the Nexus 5K equipment. It also requires a certain order of operations, and there is one solid “gotcha” that most people run into. But knowing these going in will make this a painless procedure.
The first thing to remember is that you MUST enter the TACACS+ server key UNENCRYPTED. Most templates within many organizations I work with keep the TACACS+ key in its encrypted format within template documents. Entering it into a Nexus 7K in this format WILL NOT WORK. Been there…done that…
First you will need to make sure the TACACS+ feature is enabled on the Nexus 7K by entering the following commands:
config
feature tacacs+
Now you will need to decide how to configure your TACACS+ server keys. You can either configure a global key for all servers or a key on a per-server basis.
Global Key:
tacacs-server key 0 TESTKEY
Per-Server Key:
tacacs-server host X.X.X.X key 0 TESTKEY
Now you will need to list all of your TACACS+ hosts. Previously I showed you how to enter a host with a per-server key. If you use a global key you will use this command:
tacacs-server host X.X.X.X
Now we need to configure a TACACS+ group to use for authentication, authorization, accounting, etc. Here is an example:
aaa group server tacacs+ TESTNAME
server X.X.X.X
server X.X.X.X
server X.X.X.X
use-vrf VRFNAME
The servers you enter into the group must first be defined as tacacs-server hosts, as shown in the previous configuration. If you know this fact going in it is a huge time saver! It is also recommended that you configure the VRF that you would like to use for TACACS+ access. If you have no VRFs configured, just use the following command to use the default VRF:
use-vrf default
Now you want to tell the Nexus 7K where to source the request from. For example, if you were to use VLAN 2 as the TACACS+ source interface, you would use the following command:
ip tacacs source-interface vlan 2
Some organizations also like to use directed requests to allow certain groups to point their logins toward certain authentication servers outside of the standard group configuration. The command that allows this to happen is:
tacacs-server directed-request
After all of this has been configured you are ready to add your authentication strings and test. I always recommend ensuring authentication works before configuring anything further, especially authorization as it can definitely slow down the process. The aaa string you need to enter is as follows:
aaa authentication login default group TESTNAME
Now you can test using the following command:
test aaa group TESTNAME username password
This will allow you to verify TACACS+ is working properly. Once this is confirmed you can move on to the authorization and accounting configuration:
aaa authentication login console group TESTNAME
aaa authorization commands default group TESTNAME
aaa accounting default group TESTNAME
aaa authentication login error-enable
I have included the full config below. If commands are entered in this order you will be good to go!
config
feature tacacs+
tacacs-server key 0 TESTKEY
tacacs-server host X.X.X.X
tacacs-server host X.X.X.X
tacacs-server host X.X.X.X
aaa group server tacacs+ TESTNAME
server X.X.X.X
server X.X.X.X
server X.X.X.X
use-vrf VRFNAME
ip tacacs source-interface vlan 2
tacacs-server directed-request
aaa authentication login default group TESTNAME
aaa authentication login console group TESTNAME
aaa authorization commands default group TESTNAME
aaa accounting default group TESTNAME
aaa authentication login error-enable
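As an added example (not part of the original post and not Cisco tooling), here is a small Python linter that checks a config template against the order of operations and the two gotchas described above before it is pasted into the 7K: the feature must be enabled first, keys must be entered as key 0, group members must already be tacacs-server hosts, and aaa statements must reference a defined group. It assumes the command forms shown in this post; the sample snippet and the 10.0.0.x addresses are constructed.

```python
import re

FEATURE_RE = re.compile(r"^feature tacacs\+$")
SERVER_RE = re.compile(r"^tacacs-server(?: host (\S+))?(?: key (\d) \S+)?$")
GROUP_RE = re.compile(r"^aaa group server tacacs\+ (\S+)$")
MEMBER_RE = re.compile(r"^server (\S+)$")
AAA_USE_RE = re.compile(r"^aaa (?:authentication|authorization|accounting) .* group (\S+)$")

# Constructed snippet that makes every mistake the post warns about.
BAD_SNIPPET = """config
tacacs-server key 7 0822455D0A16
feature tacacs+
aaa group server tacacs+ TESTNAME
 server 10.0.0.5
aaa authentication login default group OTHER"""

def lint_tacacs_config(text):
    # Returns [(line_no, message)]; an empty list means the order of operations holds.
    problems, hosts, groups, feature_on, current_group = [], set(), set(), False, None
    for n, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if FEATURE_RE.match(line):
            feature_on = True
            continue
        if line.startswith(("tacacs-server", "aaa group server")) and not feature_on:
            problems.append((n, "feature tacacs+ must be enabled first"))
        m = SERVER_RE.match(line)
        if m:  # gotcha 1: the key must be typed unencrypted, i.e. 'key 0'
            if m.group(2) not in (None, "0"):
                problems.append((n, "TACACS+ key must be entered unencrypted (key 0)"))
            if m.group(1):
                hosts.add(m.group(1))
            continue
        m = GROUP_RE.match(line)
        if m:
            current_group = m.group(1)
            groups.add(current_group)
            continue
        m = MEMBER_RE.match(line)
        if m:  # gotcha 2: group members must already be tacacs-server hosts
            if current_group is None or m.group(1) not in hosts:
                problems.append((n, f"server {m.group(1)} is not a defined tacacs-server host"))
            continue
        if not line.startswith("use-vrf"):
            current_group = None  # any other command leaves the group sub-mode
            m = AAA_USE_RE.match(line)
            if m and m.group(1) not in groups:
                problems.append((n, f"aaa group {m.group(1)} is not defined yet"))
    return problems
```

Running lint_tacacs_config on the full config above returns an empty list, while BAD_SNIPPET reports four problems with their line numbers.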
Conclusion:
I had a selfish motive for writing this post…I was tired of going through it over and over again. If the order of operations is followed properly, and the gotchas are avoided, this can be a fun and painless procedure. I hope this helps everyone, and if you have any questions or improvements just let me know!
THANKS!
I would like to say a quick thank you to the following references while I was working through this:
- Josh O’Brien (@joshobrien77) over at staticnat.com! Your post on Nexus 7000 TACACS+ helped a TON. You can read it here.
- Cisco Nexus 7K Security Design Guide
- Cisco Nexus 7K TACACS+ Example
13 comments
styler
Thursday, Sep 8, 2016
It was really great and helpful doc… Great writeup…
If it is possible could you please let me know “How to setup local credential as backup procedure in case of TACACS failure”.
Verlo
Friday, Oct 28, 2016
This document just saved my Friday, I’m leaving early today.
Commands order worked flawlessly.
Dave Mumford
Thursday, May 14, 2020
I have read this post, but was wondering if you have tried this with access via mgmt0 (admin VDC).
Currently we have local username and password for access to all VDCs, this works fine. Admin VDC via mgmt0 is OOB via internet connection, other VDCs accessed internally using local user/pass.
When I configure TACACS+ on one of the VDCs (not ADMIN), TACACS works on this VDC but breaks access on ADMIN VDC (i.e. local user/pass stops working). I think this is because ADMIN VDC must recognise the fact that TACACS+ is configured on the other VDC and can't route to the TACACS server (located on internal network).
Dan
In reply to Dave Mumford
Thursday, May 14, 2020
Dave,
I do know that we used TACACS via mgmt0, but I do not recall all of the details. I have not touched a 7K in almost 5 years now. We never tested a mixed use type case as we used TACACS across the board. Sorry I was not of more assistance!
Dan