User Login with TACACS+; Default TACACS+ Server Encryption Type and Preshared Key - Cisco Nexus 3600 NX-OS Security Configuration Manual


• Encrypts the entire protocol payload between the switch and the AAA server to ensure higher data
confidentiality. The RADIUS protocol only encrypts passwords.

User Login with TACACS+

When a user attempts a Password Authentication Protocol (PAP) login to a Cisco Nexus device using
TACACS+, the following actions occur:

1 When the Cisco Nexus device establishes a connection, it contacts the TACACS+ daemon to obtain the
username and password.

Note
TACACS+ allows an arbitrary conversation between the daemon and the user until the daemon receives
enough information to authenticate the user. This is usually done by prompting for a username and
password combination, but may include prompts for other items, such as the user's mother's maiden name.

2 The Cisco Nexus device receives one of the following responses from the TACACS+ daemon:
• ACCEPT—User authentication succeeds and service begins. If the Cisco Nexus device requires user
authorization, authorization begins.
• REJECT—User authentication failed. The TACACS+ daemon either denies further access to the
user or prompts the user to retry the login sequence.
• ERROR—An error occurred at some time during authentication, either at the daemon or in the network
connection between the daemon and the Cisco Nexus device. If the Cisco Nexus device receives
an ERROR response, the switch tries to use an alternative method for authenticating the user.

The user also undergoes an additional authorization phase if authorization has been enabled on the Cisco
Nexus device. Users must first successfully complete TACACS+ authentication before proceeding to
TACACS+ authorization.

3 If TACACS+ authorization is required, the Cisco Nexus device again contacts the TACACS+ daemon,
which returns an ACCEPT or REJECT authorization response. An ACCEPT response contains attributes
that are used to direct the EXEC or NETWORK session for that user and determines the services that the
user can access.
Services include the following:
◦ Telnet, rlogin, Point-to-Point Protocol (PPP), Serial Line Internet Protocol (SLIP), or EXEC services
◦ Connection parameters, including the host or client IP address (IPv4), access list, and user timeouts

Default TACACS+ Server Encryption Type and Preshared Key

You must configure the TACACS+ preshared key to authenticate the switch to the TACACS+ server.
A preshared key is a secret text string shared between the Cisco Nexus device and the TACACS+ server host.
The length of the key is restricted to 63 characters and can include any printable ASCII characters (white
spaces are not allowed). You can configure a global preshared secret key for all TACACS+ server configurations
on the Cisco Nexus device to use.
Cisco Nexus 3600 NX-OS Security Configuration Guide, Release 7.x
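The login exchange in steps 1 to 3 above and the preshared key rules under "Default TACACS+ Server Encryption Type and Preshared Key", as an added worked example written for this page (it is not code from the Cisco guide or from any TACACS+ implementation): the switch builds a PAP authentication START packet, obfuscates its body with the preshared key using the MD5 pseudo-pad defined in RFC 8907, the server recovers the body only when its own key matches, and the daemon's REPLY status is mapped to the ACCEPT, REJECT and ERROR outcomes described in step 2. The session id, key, username, password, port and addresses are constructed sample values, and validate_preshared_key encodes the 63-character, printable-ASCII, no-whitespace rule from this section. RFC 8907 itself describes this keystream as obfuscation rather than encryption: anyone who captures the session and knows or guesses the key recovers the credentials, so the key deserves the same handling as any other shared secret.

```python
"""Added example (not Cisco code): TACACS+ PAP login packet, body obfuscation with the
preshared key, and switch-side handling of the daemon's REPLY. Layout and MD5 pseudo-pad
follow RFC 8907; keys, session id and credentials below are constructed samples."""
import hashlib
import struct

TAC_PLUS_MAJOR_VER, TAC_PLUS_MINOR_VER_ONE = 0xC, 0x1   # PAP logins use minor version 1
TAC_PLUS_AUTHEN = 0x01                                  # packet type: authentication
TAC_PLUS_UNENCRYPTED_FLAG = 0x01                        # body in the clear (no key configured)
# Authentication START fields for a PAP login (RFC 8907 section 5.1).
TAC_PLUS_AUTHEN_LOGIN, TAC_PLUS_PRIV_LVL_USER = 0x01, 0x01
TAC_PLUS_AUTHEN_TYPE_PAP, TAC_PLUS_AUTHEN_SVC_LOGIN = 0x02, 0x01
# REPLY status values (RFC 8907 section 5.2).
STATUS_PASS, STATUS_FAIL, STATUS_ERROR = 0x01, 0x02, 0x07
STATUS_CONTINUE = {0x03, 0x04, 0x05, 0x06}              # GETDATA, GETUSER, GETPASS, RESTART
# Constructed sample values.
SAMPLE_SESSION_ID = 0x1234ABCD
SAMPLE_KEY = "C0rrect-Key!"


def validate_preshared_key(key: str) -> bool:
    """NX-OS rule from this section: 1 to 63 printable ASCII characters, no whitespace."""
    return 0 < len(key) <= 63 and all(0x21 <= ord(c) <= 0x7E for c in key)


def pseudo_pad(session_id: int, key: str, version: int, seq_no: int, length: int) -> bytes:
    """RFC 8907 section 4.5: MD5_1 = MD5(session_id||key||version||seq_no),
    MD5_n = MD5(session_id||key||version||seq_no||MD5_n-1); concatenated, cut to length."""
    prefix = struct.pack("!I", session_id) + key.encode("ascii") + bytes([version, seq_no])
    pad, prev = b"", b""
    while len(pad) < length:
        prev = hashlib.md5(prefix + prev).digest()
        pad += prev
    return pad[:length]


def obfuscate(session_id: int, key: str, version: int, seq_no: int, body: bytes) -> bytes:
    """XOR the body with the pseudo-pad; the same call reverses it on the other side."""
    pad = pseudo_pad(session_id, key, version, seq_no, len(body))
    return bytes(b ^ p for b, p in zip(body, pad))


def build_pap_start(user: str, password: str, port: str = "vty0", rem_addr: str = "192.0.2.10") -> bytes:
    """START body: action, priv_lvl, authen_type, service, four lengths, then user, port,
    rem_addr and, for PAP, the password in the data field."""
    u, p, r, d = user.encode(), port.encode(), rem_addr.encode(), password.encode()
    fixed = struct.pack("!8B", TAC_PLUS_AUTHEN_LOGIN, TAC_PLUS_PRIV_LVL_USER,
                        TAC_PLUS_AUTHEN_TYPE_PAP, TAC_PLUS_AUTHEN_SVC_LOGIN,
                        len(u), len(p), len(r), len(d))
    return fixed + u + p + r + d


def encode_authen_packet(session_id: int, key: str, seq_no: int, body: bytes) -> bytes:
    """12-byte header plus obfuscated body. An empty key sends the body in the clear with
    TAC_PLUS_UNENCRYPTED_FLAG set: the weak setting a production switch must not use."""
    version = (TAC_PLUS_MAJOR_VER << 4) | TAC_PLUS_MINOR_VER_ONE
    flags = 0 if key else TAC_PLUS_UNENCRYPTED_FLAG
    payload = obfuscate(session_id, key, version, seq_no, body) if key else body
    header = struct.pack("!BBBBII", version, TAC_PLUS_AUTHEN, seq_no, flags, session_id, len(body))
    return header + payload


def decode_authen_packet(packet: bytes, key: str) -> tuple[int, int, bytes]:
    """Receiver side: parse and length-check the header, then undo the pad with the local key.
    A mismatched key yields garbage, not an error; that is how the key authenticates the peer."""
    version, _ptype, seq_no, flags, session_id, length = struct.unpack("!BBBBII", packet[:12])
    body = packet[12:12 + length]
    if len(body) != length:
        raise ValueError("truncated TACACS+ packet")
    if flags & TAC_PLUS_UNENCRYPTED_FLAG:
        return session_id, seq_no, body
    return session_id, seq_no, obfuscate(session_id, key, version, seq_no, body)


def parse_reply(body: bytes) -> tuple[int, str]:
    """REPLY body: status, flags, server_msg_len, data_len, then server_msg."""
    status, _flags, msg_len, _data_len = struct.unpack("!BBHH", body[:6])
    return status, body[6:6 + msg_len].decode("ascii", errors="replace")


def classify_reply(status: int) -> str:
    """Outcome as the guide describes it: PASS -> ACCEPT (authorization may follow),
    FAIL -> REJECT, ERROR -> ERROR (switch falls back to the next method); GET*/RESTART continue."""
    outcomes = {STATUS_PASS: "ACCEPT", STATUS_FAIL: "REJECT", STATUS_ERROR: "ERROR"}
    if status in STATUS_CONTINUE:
        return "CONTINUE"
    if status not in outcomes:
        raise ValueError(f"unknown TACACS+ status {status:#x}")
    return outcomes[status]


def pap_login_roundtrip(server_key: str) -> tuple[bytes, bytes, bytes]:
    """Switch builds a PAP START with SAMPLE_KEY; the server decodes with server_key.
    Returns (packet on the wire, original body, body as the server recovers it)."""
    body = build_pap_start("admin", "s3cret")
    packet = encode_authen_packet(SAMPLE_SESSION_ID, SAMPLE_KEY, 1, body)
    return packet, body, decode_authen_packet(packet, server_key)[2]


if __name__ == "__main__":
    packet, body, recovered = pap_login_roundtrip(SAMPLE_KEY)
    print("key acceptable:", validate_preshared_key(SAMPLE_KEY))
    print("password visible on wire:", b"s3cret" in packet)
    print("matching key recovers body:", recovered == body)
    print("wrong key recovers body:", pap_login_roundtrip("Wrong-Key")[2] == body)
    print("REPLY status 0x07 ->", classify_reply(STATUS_ERROR))
```

Run the module directly to see the round trip. Two points worth noticing: decoding with the wrong key does not fail loudly but returns bytes that no longer parse as a START body, which is why a switch/server key mismatch shows up as a failed or garbled exchange rather than a clean protocol error; and an ERROR status is deliberately kept distinct from REJECT, because the switch treats only ERROR as a reason to try the next configured authentication method.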
Configuring TACACS+
