TACACS+ is a security application that provides centralized validation of users attempting to gain access to a router or network
access server. TACACS+ services are maintained in a database on a TACACS+ daemon running, typically, on a UNIX or Windows
NT workstation. You must configure a TACACS+ server before the configured TACACS+ features on your network access server are
available.
On the TACACS+ server, configure the Cisco attribute-value (AV) pair privilege level (priv-lvl) for the Cisco Enterprise
NFVIS service so that it reflects the minimum privilege level of administrators and operators.
For more details on TACACS+ configuration, see the Configuring TACACS module in TACACS+ Configuration Guide, Cisco IOS XE Release 3S.
Note: In NFVIS 3.11.1 or earlier releases, users with no privilege level, or with a privilege level lower than the operator's
privilege level, are treated as auditors with read-only permission. Starting with the NFVIS 3.12.1 release, users with
privilege level zero can no longer log in to NFVIS.
To configure TACACS+:
  configure terminal
  tacacs-server host 209.165.201.20 shared-secret test1
  key 0
  admin-priv 14
  oper-priv 9
  commit
In this configuration, privilege level 14 is assigned to the administrator role, and privilege level 9 is assigned to the
operator role. This means a user with privilege level 14 or higher has all admin privileges when the user logs into the
system, and a user with privilege level 9 or higher has all privileges of an operator at the time of login.
Starting from the NFVIS 3.9.2 release, TACACS+ secret encryption is supported. You can configure either a secret key or an
encrypted secret key at a given time, but not both. An encrypted secret key can contain special characters; a plain secret key
cannot. For the NFVIS 3.12.1 release, the following character pattern is supported for the encrypted-shared-secret:
[-_a-zA-Z0-9./\\<>%!*$€#{}()+].
To configure an encrypted TACACS+ key:
  configure terminal
  tacacs-server host 209.165.201.20 encrypted-shared-secret test1
  key 0
  admin-priv 14
  oper-priv 9
  commit
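The role mapping described above (priv-lvl against admin-priv and oper-priv, the auditor fallback before 3.12.1, and the refusal of level zero from 3.12.1 on) and the encrypted-shared-secret character pattern, as an added worked example that is not part of the Cisco documentation or of NFVIS itself. The version-comparison helper, the treatment of a missing priv-lvl as zero, and the role names returned are assumptions made for the example.

```python
import re

# Character class the page lists for encrypted-shared-secret on NFVIS 3.12.1.
# The "\\" in the page's pattern is read here as a single literal backslash.
ENCRYPTED_SECRET_RE = re.compile(r"[-_a-zA-Z0-9./\\<>%!*$€#{}()+]+")


def encrypted_secret_is_valid(secret: str) -> bool:
    """True only if the secret is non-empty and every character is allowed.

    fullmatch is used so a trailing newline or a space cannot slip through.
    """
    return ENCRYPTED_SECRET_RE.fullmatch(secret) is not None


def version_tuple(version: str) -> tuple:
    """'3.12.1' -> (3, 12, 1), so releases compare numerically, not as text
    (as strings, '3.9.2' would sort after '3.12.1')."""
    return tuple(int(part) for part in version.split("."))


def nfvis_role(priv_lvl, admin_priv: int, oper_priv: int, nfvis_version: str) -> str:
    """Map the priv-lvl AV pair returned by the TACACS+ server to an NFVIS role.

    Rules from the page: priv-lvl >= admin-priv grants admin, priv-lvl >= oper-priv
    grants operator, anything lower is a read-only auditor, and from release 3.12.1
    a user with privilege level zero cannot log in at all.
    Assumption (not stated on the page): a missing priv-lvl is treated as level 0.
    """
    level = 0 if priv_lvl is None else int(priv_lvl)
    if level >= admin_priv:
        return "admin"
    if level >= oper_priv:
        return "operator"
    if level == 0 and version_tuple(nfvis_version) >= (3, 12, 1):
        return "login-denied"
    return "auditor"


if __name__ == "__main__":
    # Thresholds from the page's configuration example: admin-priv 14, oper-priv 9.
    for lvl in (15, 14, 13, 9, 5, 0, None):
        print(f"priv-lvl {lvl!s:>4} on 3.11.1 -> {nfvis_role(lvl, 14, 9, '3.11.1'):13}"
              f" on 3.12.1 -> {nfvis_role(lvl, 14, 9, '3.12.1')}")
    print(encrypted_secret_is_valid("$8$mRTnL9TKZCFi1BUP7Mwbm3JVIo4Z7QvJ"))
```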
Verifying the TACACS+ configuration
Use the show running-config tacacs-server command to verify the configuration when an encrypted TACACS+ key is configured:
  nfvis# show running-config tacacs-server
  tacacs-server host 209.165.201.20
  encrypted-shared-secret $8$mRTnL9TKZCFi1BUP7Mwbm3JVIo4Z7QvJ
  admin-priv 15
  oper-priv 11
  !
TACACS+ APIs and Commands

TACACS+ APIs:
  - /api/config/security_servers/tacacs-server
  - /api/config/security_servers/tacacs-server?deep
  - /api/config/security_servers/tacacs-server/host/<ip-address/domain-name>

TACACS+ Commands:
  - tacacs-server host
  - key
  - admin-priv
  - oper-priv