Configuring TACACS+
Default TACACS+ Server Encryption Type and Secret Key
You must configure the TACACS+ secret key to authenticate the switch to the TACACS+ server. A secret
key is a secret text string shared between the Cisco NX-OS device and the TACACS+ server host. The length
of the key is restricted to 63 characters and can include any printable ASCII characters (white spaces are not
allowed). You can configure a global secret key for all TACACS+ server configurations on the Cisco NX-OS
device to use.
You can override the global secret key assignment by explicitly using the key option when configuring an
individual TACACS+ server.
Command Authorization Support for TACACS+ Servers
By default, command authorization is done against a local database in the Cisco NX-OS software when an
authenticated user enters a command at the command-line interface (CLI). You can also verify authorized
commands for authenticated users using TACACS+.
TACACS+ Server Monitoring
An unresponsive TACACS+ server can delay the processing of AAA requests. A Cisco NX-OS device can
periodically monitor a TACACS+ server to check whether it is responding (or alive) to save time in processing
AAA requests. The Cisco NX-OS device marks unresponsive TACACS+ servers as dead and does not send
AAA requests to any dead TACACS+ servers. A Cisco NX-OS device periodically monitors dead TACACS+
servers and brings them to the alive state once they are responding. This process verifies that a TACACS+
server is in a working state before real AAA requests are sent its way. Whenever a TACACS+ server changes
to the dead or alive state, a Simple Network Management Protocol (SNMP) trap is generated and the Cisco
NX-OS device displays an error message that a failure is taking place before it can impact performance.
Figure 3: TACACS+ Server States
This figure shows the server states for TACACS+ server monitoring.
Note
The monitoring interval for alive servers and dead servers are different and can be configured by the user.
The TACACS+ server monitoring is performed by sending a test authentication request to the TACACS+
server.
Default TACACS+ Server Encryption Type and Secret Key
Cisco Nexus 9000 Series NX-OS Security Configuration Guide, Release 9.x
69