TACACS+ on Nexus 7000

I have been through a couple of these Nexus deployments now that use a combination of 7Ks, 5Ks, and 2Ks. If you know anything about this platform you know that TACACS+ and AAA only really apply to the 7Ks and 5Ks (the 2Ks are fabric extenders managed through their parent). Here is my working template of what it takes to get these guys talking to an ACS server.

tacacs-server key 0 YOUR.ACS.KEY
tacacs-server host X.X.X.X
tacacs-server host X.X.X.X
tacacs-server host X.X.X.X
aaa group server tacacs+ GROUP.NAME
  server X.X.X.X
  server X.X.X.X
  server X.X.X.X
  source-interface YOUR.VLAN or YOUR.ETHERNET or mgmt0
  use-vrf YOUR.VRF

aaa authentication login default group GROUP.NAME
aaa authentication login console group GROUP.NAME
aaa authorization commands default group GROUP.NAME
aaa accounting default group GROUP.NAME
aaa authentication login error-enable

At this point there are a few things to take into consideration. The first is that we do not have to mess around with all the fallback authentication crap we had to do in IOS. If the Nexus device loses communication with the servers, or if the ACS rejects communication, then the Nexus device falls back on its internal user database. So with that said, it is really important that you have an admin user with the network-admin role defined locally on the Nexus switch.

Another key point is that the Nexus 5000s are pure L2 switches today. So the IP address that you enter into the ACS server for peering is the management IP address of the Nexus 5000. Then all you are left to do is make sure you are sourcing it out the right interface, usually the management VRF. With the Nexus 7000, though, L3 steps in. If you have IP addresses assigned to the SVI that you are pumping your TACACS+ traffic through, then you will have to use the SVI address on the ACS. If you are using the management VRF you will use its address, and so on.
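Because the switch falls back to its local database, and because ACS only accepts requests from the peer address it knows, both points above are worth checking before you save the config. The following audit script is an added example (not the author's, and not a Cisco tool): it parses a constructed NX-OS running-config excerpt and reports template gaps such as a group member with no matching tacacs-server host, a missing source-interface, or a missing local network-admin user.

```python
import re
from typing import List

# Constructed sample of an NX-OS running-config excerpt (placeholder addresses and hash)
SAMPLE_CONFIG = """\
username admin password 5 $5$placeholder role network-admin
tacacs-server key 7 "placeholder"
tacacs-server host 10.0.0.11
tacacs-server host 10.0.0.12
aaa group server tacacs+ ACS
  server 10.0.0.11
  server 10.0.0.13
  source-interface mgmt0
  use-vrf management
aaa authentication login default group ACS
aaa authentication login console group ACS
aaa accounting default group ACS
"""

def audit_nxos_aaa(config: str) -> List[str]:
    """Return a list of findings; an empty list means the template checks pass."""
    findings = []
    hosts = set(re.findall(r"^tacacs-server host (\S+)", config, re.M))
    # The group block is the header line plus the indented lines that follow it
    group = re.search(r"^aaa group server tacacs\+ (\S+)\n((?:[ \t]+.*\n)*)", config, re.M)
    if not group:
        findings.append("no 'aaa group server tacacs+' defined")
        return findings
    name, body = group.group(1), group.group(2)
    members = set(re.findall(r"^\s+server (\S+)", body, re.M))
    # Every server listed in the group must also be a configured tacacs-server host
    for member in sorted(members - hosts):
        findings.append(f"group {name} references {member} without a matching tacacs-server host")
    # Without a source-interface, ACS may see a peer address it does not trust
    if not re.search(r"^\s+source-interface \S+", body, re.M):
        findings.append(f"group {name} has no source-interface; ACS may see the wrong peer address")
    for method in ("login default", "login console"):
        if not re.search(rf"^aaa authentication {method} group {re.escape(name)}", config, re.M):
            findings.append(f"'aaa authentication {method}' does not use group {name}")
    if not re.search(rf"^aaa accounting default group {re.escape(name)}", config, re.M):
        findings.append("accounting is not sent to the TACACS+ group")
    # Local fallback only helps if a network-admin user actually exists on the box
    if not re.search(r"^username \S+ password .* role network-admin", config, re.M):
        findings.append("no local network-admin user: lockout risk when all servers are unreachable")
    return findings

if __name__ == "__main__":
    for finding in audit_nxos_aaa(SAMPLE_CONFIG) or ["OK: template checks pass"]:
        print(finding)
```

Feed it the output of `show running-config aaa` plus the `username` lines to audit a real device; the regexes assume the standard two-space indentation NX-OS uses for sub-commands.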

Lots more can be said on this topic, especially if we get into Role-Based Access Control, but this should get you going. Enjoy and good luck.
