Cisco Nexus 5000 Series Switch CLI Software Configuration Guide, NX-OS 4.0(1a)N1 (OL-16597-01, January 2009)

ManualsBrandsHP ManualsStorageCisco MDS 9513 with Supervisor 2 Director Switch

261

262

263

264

265

266

267

268

269

270

Send feedback to nx5000-docfeedback@cisco.com

18-3

Cisco Nexus 5000 Series Switch CLI Software Configuration Guide

OL-16597-01

Chapter 18 Configuring TACACS+

Information About TACACS+

• Connection parameters, including the host or client IP address (IPv4 or IPv6), access list, and

user timeouts

Default TACACS+ Server Encryption Type and Preshared Key

You must configure the TACACS+ preshared key to authenticate the switch to the TACACS+ server. A

preshared key is a secret text string shared between the Nexus 5000 Series switch and the TACACS+

server host. The length of the key is restricted to 63 characters and can include any printable ASCII

characters (white spaces are not allowed). You can configure a global preshared secret key for all

TACACS+ server configurations on the Nexus 5000 Series switch to use.

You can override the global preshared key assignment by explicitly using the key option when

configuring an individual TACACS+ server.

TACACS+ Server Monitoring

An unresponsive TACACS+ server can delay the processing of AAA requests. A Nexus 5000 Series

switch can periodically monitor an TACACS+ server to check whether it is responding (or alive) to save

time in processing AAA requests. The Nexus 5000 Series switch marks unresponsive TACACS+ servers

as dead and does not send AAA requests to any dead TACACS+ servers. A Nexus 5000 Series switch

periodically monitors dead TACACS+ servers and brings them to the alive state once they are

responding. This process verifies that a TACACS+ server is in a working state before real AAA requests

are sent its way. Whenever an TACACS+ server changes to the dead or alive state, a Simple Network

Management Protocol (SNMP) trap is generated and the Nexus 5000 Series switch displays an error

message that a failure is taking place before it can impact performance. See Figure 18-1.

Figure 18-1 TACACS+ Server States

Note The monitoring interval for alive servers and dead servers are different and can be configured by the user.

The TACACS+ server monitoring is performed by sending a test authentication request to the TACACS+

server.

response

Test

Idle timer

expired

Directed

AAA request

Dead timer expired

Response from

remote server

AAA packets

sent

Alive

Alive and

used

Dead and

testing

Alive and

testing

Dead

Application

request

Process

application

request

154534