Cisco Nexus 9000 Series NX-OS Security Configuration Guide, Release 9.x
• Provides independent AAA facilities. For example, the Cisco NX-OS device can authorize access without authenticating.
• Uses the TCP transport protocol to send data between the AAA client and server, making reliable transfers with a connection-oriented protocol.
• Encrypts the entire protocol payload between the switch and the AAA server to ensure higher data confidentiality. The RADIUS protocol only encrypts passwords.
TACACS+ Operation for User Login
When a user attempts a Password Authentication Protocol (PAP) login to a Cisco NX-OS device using TACACS+, the following actions occur:
Note
TACACS+ allows an arbitrary conversation between the daemon and the user until the daemon receives enough information to authenticate the user. This is usually done by prompting for a username and password combination, but may include prompts for other items, such as your mother's maiden name.
1. When the Cisco NX-OS device establishes a connection, it contacts the TACACS+ daemon to obtain the username and password.
2. The Cisco NX-OS device will eventually receive one of the following responses from the TACACS+ daemon:
ACCEPT
User authentication succeeds and service begins. If the Cisco NX-OS device requires user authorization, authorization begins.
REJECT
User authentication failed. The TACACS+ daemon either denies further access to the user or prompts the user to retry the login sequence.
ERROR
An error occurred at some time during authentication, either at the daemon or in the network connection between the daemon and the Cisco NX-OS device. If the Cisco NX-OS device receives an ERROR response, it tries to use an alternative method for authenticating the user.
After authentication, the user also undergoes an additional authorization phase if authorization has been enabled on the Cisco NX-OS device. Users must first successfully complete TACACS+ authentication before proceeding to TACACS+ authorization.
3. If TACACS+ authorization is required, the Cisco NX-OS device again contacts the TACACS+ daemon, which returns an ACCEPT or REJECT authorization response. An ACCEPT response contains attributes that are used to direct the EXEC or NETWORK session for that user and determine the services that the user can access.
Services include the following:
• Telnet, rlogin, Point-to-Point Protocol (PPP), Serial Line Internet Protocol (SLIP), or EXEC services
• Connection parameters, including the host or client IP address (IPv4 or IPv6), access list, and user timeouts
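As an added illustration (not from the Cisco guide), the following Python model walks through the device-side decision logic described in steps 1 through 3: the prompt/answer conversation, the ACCEPT/REJECT/ERROR outcomes with fallback to an alternative method on ERROR, and authorization only after successful authentication. FakeDaemon, local_fallback, nxos_login and the LOCAL user table are hypothetical stand-ins, not NX-OS code or a real TACACS+ implementation.

```python
from dataclasses import dataclass, field

@dataclass
class Reply:
    status: str                      # ACCEPT, REJECT, ERROR, or PROMPT (daemon wants more input)
    prompt: str = ""                 # for PROMPT: the item the daemon is asking for
    attributes: dict = field(default_factory=dict)  # for an authorization ACCEPT

class FakeDaemon:
    """Constructed stand-in for a TACACS+ server with scripted replies (hypothetical)."""
    def __init__(self, password, authen="ACCEPT", author="ACCEPT", attrs=None):
        self.password, self.authen, self.author_status = password, authen, author
        self.attrs = attrs or {}
        self.authenticated = False
    def authen_start(self):
        return Reply("PROMPT", "username")      # first prompt of the conversation
    def authen_continue(self, prompt, value):
        if prompt == "username":
            return Reply("PROMPT", "password")  # keep the conversation going
        if self.authen == "ERROR":
            return Reply("ERROR")               # daemon or network failure
        self.authenticated = value == self.password
        return Reply("ACCEPT" if self.authenticated else "REJECT")
    def author(self):
        assert self.authenticated, "authorization only after successful authentication"
        return Reply(self.author_status, attributes=self.attrs)

def local_fallback(answers, local_users):
    """Alternative method used when TACACS+ returns ERROR (hypothetical local database)."""
    ok = local_users.get(answers.get("username")) == answers.get("password")
    return {"result": "granted" if ok else "denied", "method": "local"}

def nxos_login(daemon, answers, authz_required, local_users):
    """Device-side decision logic for one PAP login attempt, following steps 1 to 3."""
    reply = daemon.authen_start()
    while reply.status == "PROMPT":             # step 1: arbitrary prompt/answer exchange
        reply = daemon.authen_continue(reply.prompt, answers.get(reply.prompt))
    if reply.status == "ERROR":                 # step 2: ERROR -> try the next method
        return local_fallback(answers, local_users)
    if reply.status == "REJECT":                # step 2: REJECT -> no service
        return {"result": "denied", "method": "tacacs+", "phase": "authentication"}
    if not authz_required:                      # ACCEPT with no authorization configured
        return {"result": "granted", "method": "tacacs+", "attributes": {}}
    authz = daemon.author()                     # step 3: separate authorization exchange
    if authz.status != "ACCEPT":
        return {"result": "denied", "method": "tacacs+", "phase": "authorization"}
    return {"result": "granted", "method": "tacacs+", "attributes": authz.attributes}

LOCAL = {"admin": "local-pw"}   # constructed local user database for the fallback method
```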
Configuring TACACS+