Nexus Tacacs 5

8/10/2019 Nexus Tacacs 5

http://slidepdf.com/reader/full/nexus-tacacs-5 1/9

Nexus via TACACS

Step 1

Enable TACACS on the Nexus switch using the following command:

Nexus1(cong) tacacs! enable

Step 2

Add the ACS as a TACACS se"ve" on the switch and dene the sha"e sec"et #e$:

Nexus1(cong) tacacs%se"ve" host 1&'1*1+1 #e$ cisco1',

Step 3

C"eate a -evice T$.e unde" Netwo"# /esou"ces to assign the Nexus device late" on:

Step 4

Add the Nexus switch as a AAA client on the ACS and add it to the -evice T$.e we

c"eated ."eviousl$:



Step 5

0a#e su"e the Nexus is able to tal# to the ACS via Tacacs using the following test

command:

Nexus1 test aaa se"ve" tacacs! 1&'1*1+1 f"an cisco

use" has been authenticated

Note: ou can do the same test th"ough the v"f inte"face using the following test

command:

Nexus1 test aaa se"ve" tacacs 1&'1*1+1 v"f management f"an cisco


Step 6

C"eate the desi"e 2dentit$ 3"ou.s on the ACS unde" 4se"s and 2dentit$ Sto"es:



Step 7

C"eate the desi"e use"s on the ACS unde" 4se"s and 2dentit$ Sto"es 5 2nte"nal

2dentit$ Sto"es 5 4se"s:

Step 8

C"eate the "e6ui"ed Shell 7"oles to get access to the Nexus switch based on Nexus

/oles:

8Netwo"#%Admin and 9-C%Admin



8Netwo"#%;.e"ato" and 9-C%;.e"ato"

Note: ou" Shell 7"oles should loo# li#e these:



Step 9

7oint the ACS to get the use"s f"om its inte"nal database:

Step 10

C"eate a cou.le of "ules to assign the "ight Shell 7"oles to the desi"e use"s based

on the "oles ."edened and use the -evice T$.e c"eated ."eviousl$ to ma#e su"e

onl$ the Nexus device will be getting those Nexus /oles:



Step 11

-ene a aaa g"ou. se"ve" to be used fo" authentication and the desi"e v"f:

Nexus1(cong) aaa g"ou. se"ve" tacacs! ACS<

Nexus1(cong%tacacs!) se"ve" 1&'1*1+1

Nexus1(cong%tacacs!) use%v"f management

Step 12

Test the authentication against the ACS using the aaa g"ou. se"ve" congu"ed:

Nexus1 test aaa g"ou. ACS< f"an cisco


Step 13

Add the aaa congu"ation on the Nexus device to fo"ce authentication against the

congu"ed ACS:

Nexus1(cong) aaa authentication login default g"ou. ACS<

Note: ou can use the following command to authenticate console connections as

well:

Nexus1(cong) aaa authentication login console g"ou. ACS<



Step 14

;nce the use" authenticated successfull$ $ou can chec# the "ole assign b$ the ACS

to the use" with the following command:

use":f"an

"oles:netwo"#%admin

account c"eated th"ough /E0;TE authentication

C"edentials such as ssh se"ve" #e$ will be cached tem.o"a"il$ onl$ fo" this use"

account

=ocal login not .ossible

Step 15

;nce $ou a"e com.letel$ su"e that authentication wo"#s >ust ne $ou can feel f"ee

to add command autho"i?ation on the Nexus device using the following commands:

Nexus1(cong) aaa autho"i?ation commands default g"ou. ACS<

Note: ou can use the following command to add command autho"i?ation at the

congu"ation te"minal mode as well:

Nexus1(cong) aaa autho"i?ation cong%commands default g"ou. ACS<

Step 16

At this .oint $ou need to c"eate a cou.le of command sets on the ACS@ the most

common scena"ios a"e:

a) ull%Access@which is able to execute an$ command:



b) /ead%;nl$%Access@ basicall$ this #ind of use"s a"e limited to execute onl$

show commands:



Step 17

Add the c"eate command sets to the desi"e "ules to ma#e su"e the use"s a"e goingto be able to execute onl$ the commands autho"i?ed b$ the list assign to them:

Documents

Nexus Tacacs 5