You can override the global preshared key assignment by using the key option when configuring an individual
TACACS+ server.
TACACS+ Server Monitoring
An unresponsive TACACS+ server can delay the processing of AAA requests. A Cisco Nexus device can
periodically monitor a TACACS+ server to check whether it is responding (or alive) to save time in processing
AAA requests. The Cisco Nexus device marks unresponsive TACACS+ servers as dead and does not send
AAA requests to any dead TACACS+ servers. The Cisco Nexus device periodically monitors dead TACACS+
servers and brings them to the alive state once they are responding. This process verifies that a TACACS+
server is in a working state before real AAA requests are sent to the server. Whenever a TACACS+ server
changes to the dead or alive state, a Simple Network Management Protocol (SNMP) trap is generated and the
Cisco Nexus device displays an error message that a failure is taking place before it can impact performance.
The following figure shows the different TACACS+ server states:
Figure 3: TACACS+ Server States
Note
The monitoring intervals for alive servers and dead servers are different and can be configured by the user.
TACACS+ server monitoring is performed by sending a test authentication request to the TACACS+
server.
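The following Python model is an added example, not Cisco code or NX-OS configuration. It walks through the dead/alive monitoring described above to show how the two intervals bound how long real AAA requests keep going to a server that has stopped responding. The names `alive_interval`, `dead_interval`, `probe` and the tick-based clock are assumptions, as is the simplification that only monitoring probes change a server's state.

```python
from dataclasses import dataclass

@dataclass
class MonitoredServer:
    name: str
    alive_interval: int   # ticks between test probes while alive (assumed name)
    dead_interval: int    # ticks between test probes while dead (assumed name)
    alive: bool = True
    next_probe: int = 0

class Monitor:
    def __init__(self, servers, probe):
        self.servers = servers
        self.probe = probe    # probe(name, now) -> bool; stands in for the test authentication request
        self.events = []      # stands in for the SNMP trap / message on each state change

    def tick(self, now):
        for s in self.servers:
            if now < s.next_probe:
                continue
            responded = self.probe(s.name, now)
            if responded != s.alive:
                s.alive = responded
                self.events.append((now, s.name, "alive" if responded else "dead"))
            # The next probe time depends on the state the server is in now.
            s.next_probe = now + (s.alive_interval if s.alive else s.dead_interval)

    def pick_server(self):
        """First alive server for a real AAA request; dead servers are skipped."""
        return next((s.name for s in self.servers if s.alive), None)

def run_demo():
    # Constructed outage: tac1 does not answer during ticks 4..8.
    outage = {"tac1": range(4, 9)}
    probe = lambda name, now: now not in outage.get(name, ())
    mon = Monitor([MonitoredServer("tac1", 3, 2), MonitoredServer("tac2", 3, 2)], probe)
    chosen = []
    for now in range(12):
        mon.tick(now)
        chosen.append(mon.pick_server())
    return mon.events, chosen

if __name__ == "__main__":
    events, chosen = run_demo()
    print(events)
    print(chosen)
```

In this constructed run the outage starts at tick 4 but is only detected by the probe at tick 6, so requests at ticks 4 and 5 still target `tac1`; the server is returned to service at tick 10, the first dead-interval probe after the outage ends.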
Prerequisites for TACACS+
TACACS+ has the following prerequisites:
• You must obtain the IPv4 or IPv6 addresses or hostnames for the TACACS+ servers.
• You must obtain the preshared keys from the TACACS+ servers, if any.
• Ensure that the Cisco Nexus device is configured as a TACACS+ client of the AAA servers.
Cisco Nexus 3600 NX-OS Security Configuration Guide, Release 7.x