User Login with TACACS+; Default TACACS+ Server Encryption Type and Preshared Key (Cisco Nexus 5000 Series Switch CLI Software Configuration Guide)
User Login with TACACS+
When a user attempts a Password Authentication Protocol (PAP) login to a Cisco Nexus 5000 Series switch
using TACACS+, the following actions occur:

1 When the Cisco Nexus 5000 Series switch establishes a connection, it contacts the TACACS+ daemon to
obtain the username and password.

Note TACACS+ allows an arbitrary conversation between the daemon and the user until the daemon receives
enough information to authenticate the user. This is usually done by prompting for a username and
password combination, but may include prompts for other items, such as the user's mother's maiden name.

2 The Cisco Nexus 5000 Series switch receives one of the following responses from the TACACS+ daemon:
• ACCEPT—User authentication succeeds and service begins. If the Cisco Nexus 5000 Series switch
requires user authorization, authorization begins.
• REJECT—User authentication failed. The TACACS+ daemon either denies further access to the
user or prompts the user to retry the login sequence.
• ERROR—An error occurred at some time during authentication, either at the daemon or in the network
connection between the daemon and the Cisco Nexus 5000 Series switch. If the Cisco Nexus 5000
Series switch receives an ERROR response, the switch tries to use an alternative method for
authenticating the user.

The user also undergoes an additional authorization phase if authorization has been enabled on the Cisco
Nexus 5000 Series switch. Users must first successfully complete TACACS+ authentication before
proceeding to TACACS+ authorization.

3 If TACACS+ authorization is required, the Cisco Nexus 5000 Series switch again contacts the TACACS+
daemon, which returns an ACCEPT or REJECT authorization response. An ACCEPT response contains
attributes that are used to direct the EXEC or NETWORK session for that user and determine the services
that the user can access.
Services include the following:
◦ Telnet, rlogin, Point-to-Point Protocol (PPP), Serial Line Internet Protocol (SLIP), or EXEC services
◦ Connection parameters, including the host or client IP address (IPv4 or IPv6), access list, and user
timeouts

Default TACACS+ Server Encryption Type and Preshared Key

You must configure the TACACS+ preshared key to authenticate the switch to the TACACS+ server. A
preshared key is a secret text string shared between the Cisco Nexus 5000 Series switch and the TACACS+
server host. The length of the key is restricted to 63 characters, and it can include any printable ASCII character
(white space is not allowed). You can configure a global preshared secret key for all TACACS+ server
configurations on the Cisco Nexus 5000 Series switch to use.
You can override the global preshared key assignment by explicitly using the key option when configuring
an individual TACACS+ server.

Cisco Nexus 5000 Series Switch CLI Software Configuration Guide, OL-16597-01, "About Configuring TACACS+"
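The following NX-OS session ties both passages together: it configures a global preshared key, overrides it for one server, points login authentication at the server group, and then runs the checks a practitioner would want before leaving the console. This is an added example and not a configuration from the manual; the addresses, key strings, group name, and test account are made up.

```cisco
! Added example (not from the manual). Addresses, keys, the group name
! TacServers and the test account are assumptions made for illustration.
switch# configure terminal
switch(config)# feature tacacs+

! Global preshared key entered in cleartext (encryption type 0). Every
! TACACS+ server that does not carry its own key uses this one.
switch(config)# tacacs-server key 0 Gl0balTacSecret!

! This server inherits the global key.
switch(config)# tacacs-server host 10.10.1.1

! This server's own key overrides the global one. Keys are limited to 63
! printable ASCII characters and may not contain spaces.
switch(config)# tacacs-server host 10.10.2.1 key 0 H0stOnlySecret!

! Group the servers and reach them through the management VRF.
switch(config)# aaa group server tacacs+ TacServers
switch(config-tacacs+)# server 10.10.1.1
switch(config-tacacs+)# server 10.10.2.1
switch(config-tacacs+)# use-vrf management
switch(config-tacacs+)# exit

! Use the group for login authentication. If every server returns ERROR or
! times out (unreachable, or a key mismatch so the daemon cannot decode the
! request), NX-OS falls back to the local user database; error-enable shows
! the user a message when that fallback happens.
switch(config)# aaa authentication login default group TacServers
switch(config)# aaa authentication login error-enable
switch(config)# end

! Checks. NX-OS displays stored keys as type 7, which is a reversible
! encoding rather than encryption, so treat the running configuration as
! sensitive. Test a real account against the group while you still have a
! working console session.
switch# show tacacs-server
switch# show running-config tacacs+
switch# test aaa group TacServers admin Adm1nPassw0rd
```

If `test aaa group` reports an error rather than a pass or fail, the daemon did not answer or could not decode the request; a key that differs from the one the server expects for that host address is the usual cause, and it produces the same ERROR path for interactive logins, which is why the local fallback and the console check matter.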