Configuring TACACS+
This chapter describes how to configure the Terminal Access Controller Access Control System Plus
(TACACS+) protocol on Cisco NX-OS devices.
This chapter includes the following sections:
• About TACACS+, on page 67
• Licensing Requirements for TACACS+, on page 71
• Prerequisites for TACACS+, on page 71
• Guidelines and Limitations for TACACS+, on page 71
• Default Settings for TACACS+, on page 72
• Configuring TACACS+, on page 72
• Monitoring TACACS+ Servers, on page 99
• Clearing TACACS+ Server Statistics, on page 99
• Verifying the TACACS+ Configuration, on page 100
• Configuration Examples for TACACS+, on page 100
• Where to Go Next, on page 102
• Additional References for TACACS+, on page 102
About TACACS+
The TACACS+ security protocol provides centralized validation of users attempting to gain access to a Cisco NX-OS device. TACACS+ services are maintained in a database on a TACACS+ daemon running, typically, on a UNIX or Windows NT workstation. You must have access to and must configure a TACACS+ server before the configured TACACS+ features on your Cisco NX-OS device are available.
TACACS+ provides for separate authentication, authorization, and accounting facilities. TACACS+ allows for a single access control server (the TACACS+ daemon) to provide each service—authentication, authorization, and accounting—independently. Each service can be tied into its own database to take advantage of other services available on that server or on the network, depending on the capabilities of the daemon.
The TACACS+ client/server protocol uses TCP (TCP port 49) for transport requirements. Cisco NX-OS devices provide centralized authentication using the TACACS+ protocol.
TACACS+ Advantages
TACACS+ has the following advantages over RADIUS authentication:
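As an added example (not part of the guide or of NX-OS), the following Python parser for the 12-byte TACACS+ packet header defined in RFC 8907 shows how the three separate services described in About TACACS+ (authentication, authorization, accounting) are distinguished on the TCP port 49 stream, and how a defender reviewing a capture can flag a packet whose body was sent without the shared-secret obfuscation. The two sample packets are constructed, not captured traffic.

```python
"""Parse the fixed 12-byte TACACS+ packet header (RFC 8907)."""
import struct
from dataclasses import dataclass

TACACS_PORT = 49                      # TCP port used by TACACS+
TAC_PLUS_MAJOR_VER = 0xC              # the only defined major version
SERVICES = {1: "authentication", 2: "authorization", 3: "accounting"}
TAC_PLUS_UNENCRYPTED_FLAG = 0x01      # body carried in cleartext
TAC_PLUS_SINGLE_CONNECT_FLAG = 0x04   # many sessions over one TCP connection


@dataclass(frozen=True)
class TacacsHeader:
    minor_version: int
    service: str       # which of the three separate TACACS+ services this packet belongs to
    seq_no: int
    flags: int
    session_id: int
    body_length: int

    @property
    def body_unobfuscated(self) -> bool:
        return bool(self.flags & TAC_PLUS_UNENCRYPTED_FLAG)


def parse_header(data: bytes) -> TacacsHeader:
    """Decode a header; rejects anything that is not a well-formed TACACS+ packet."""
    if len(data) < 12:
        raise ValueError("TACACS+ header is 12 bytes")
    version, ptype, seq_no, flags, session_id, length = struct.unpack("!BBBBII", data[:12])
    major, minor = version >> 4, version & 0x0F
    if major != TAC_PLUS_MAJOR_VER or minor not in (0, 1):
        raise ValueError(f"unsupported TACACS+ version {version:#04x}")
    if ptype not in SERVICES:
        raise ValueError(f"unknown packet type {ptype}")
    return TacacsHeader(minor, SERVICES[ptype], seq_no, flags, session_id, length)


def audit_header(data: bytes) -> list[str]:
    """Findings a defender wants from a captured header: cleartext bodies and bad sequencing."""
    hdr = parse_header(data)
    findings = []
    if hdr.body_unobfuscated:
        findings.append("body sent in cleartext (TAC_PLUS_UNENCRYPTED_FLAG); shared secret not applied")
    if hdr.seq_no == 0:
        findings.append("seq_no 0 is invalid; client packets are odd, server replies even, starting at 1")
    return findings


# Constructed sample packets (not captured traffic): version 0xc0, seq_no 1, session_id 0xdeadbeef.
SAMPLE_CLEARTEXT_AUTHEN = bytes.fromhex("c0 01 01 01 deadbeef 0000001c")  # type 1, unencrypted flag
SAMPLE_OBFUSCATED_ACCT = bytes.fromhex("c0 03 01 04 deadbeef 00000040")   # type 3, single-connect flag
```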
Cisco Nexus 9000 Series NX-OS Security Configuration Guide, Release 9.x (Chapter 5, page 67)