TACACS+ Server Monitoring; Prerequisites for TACACS+ - Cisco Nexus 5000 Series Configuration Manual

NX-OS Security Configuration Guide

Prerequisites for TACACS+

You can override the global preshared key assignment by explicitly using the key option when configuring
an individual TACACS+ server.

TACACS+ Server Monitoring

An unresponsive TACACS+ server can delay the processing of AAA requests. To save time in processing AAA
requests, a Cisco Nexus 5000 Series switch can periodically monitor a TACACS+ server to check whether it is
responding (alive). The switch marks unresponsive TACACS+ servers as dead and does not send AAA requests
to any dead TACACS+ servers. It continues to monitor dead TACACS+ servers periodically and returns them
to the alive state once they respond. This process verifies that a TACACS+ server is in a working state
before real AAA requests are sent to it. Whenever a TACACS+ server changes to the dead or alive state, a
Simple Network Management Protocol (SNMP) trap is generated and the switch displays an error message
reporting that a failure is taking place before it can impact performance.

Figure 3: TACACS+ Server States

The monitoring intervals for alive servers and dead servers are different and can be configured by the user.

Note: TACACS+ server monitoring is performed by sending a test authentication request to the TACACS+
server.
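
The alive/dead tracking described in this section can be modeled in a few lines. The following Python sketch is an added illustration, not NX-OS code or Cisco's implementation; the class names, the intervals in seconds, the documentation-range addresses and the constructed outage window are all assumptions.

```python
from dataclasses import dataclass

ALIVE, DEAD = "alive", "dead"

@dataclass
class MonitoredServer:
    host: str
    state: str = ALIVE
    next_probe: float = 0.0   # time at which the next test request is due

class TacacsMonitor:
    """Hypothetical model of the monitoring behaviour described above."""
    def __init__(self, hosts, probe, alive_interval, dead_interval):
        self.servers = [MonitoredServer(h) for h in hosts]
        self.probe = probe    # callable(host, now) -> bool: the test authentication
        self.interval = {ALIVE: alive_interval, DEAD: dead_interval}
        self.events = []      # stands in for the SNMP trap and the error message

    def tick(self, now):
        """Send a test request to every server whose probe timer has expired."""
        for s in self.servers:
            if now < s.next_probe:
                continue
            new_state = ALIVE if self.probe(s.host, now) else DEAD
            if new_state != s.state:
                self.events.append((now, s.host, s.state, new_state))
                s.state = new_state
            # Alive and dead servers are re-tested on different intervals.
            s.next_probe = now + self.interval[s.state]

    def candidates(self):
        """Servers that real AAA requests may be sent to; dead ones are skipped."""
        return [s.host for s in self.servers if s.state == ALIVE]

def demo():
    # Constructed outage: 192.0.2.10 does not answer for 100 <= t < 400 seconds.
    def probe(host, now):
        return not (host == "192.0.2.10" and 100 <= now < 400)
    mon = TacacsMonitor(["192.0.2.10", "192.0.2.11"], probe,
                        alive_interval=180, dead_interval=60)
    usable = {}
    for now in range(0, 601, 30):
        mon.tick(now)
        usable[now] = mon.candidates()
    return mon.events, usable

if __name__ == "__main__":
    for event in demo()[0]:
        print(event)
```

In this model the outage that begins at t=100 is only noticed at the next alive-interval probe (t=180), so the alive interval bounds how long real AAA requests can still be sent to a server that has stopped responding.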

Prerequisites for TACACS+

TACACS+ has the following prerequisites:

• Obtain the IPv4 or IPv6 addresses or host names for the TACACS+ servers.
• Obtain the preshared keys from the TACACS+ servers, if any.
• Ensure that the Cisco Nexus 5000 Series switch is configured as a TACACS+ client of the AAA servers.

OL-20919-01
Cisco Nexus 5000 Series NX-OS Security Configuration Guide