Configuring and Querying TACACS+ Information
Enabling TACACS+
Enabling TACACS+
POST http://<mgmt0_IP>/api/mo/sys/fm.json
{
"fmEntity": {
"children": [
{
"fmTacacsplus": {
"attributes": {
"adminSt": "enabled"
}}}]}}
{
imdata:[]
}
<System>
<fm-items>
<tacacsplus-items>
<adminSt>enabled</adminSt>
</tacacsplus-items>
</fm-items>
</System>
This example enables the TACACS+ feature.
Note: This example was added in Release 7.0(3)I7(2).
CLI Commands
The CLI commands are equivalent to the payload examples displayed in the pane on the right. Click the DME tab in the top-left corner of the right pane to view the JSON payload. Click the YANG tab to view the XML payload.
feature tacacs+
For other CLI options, see the Cisco Nexus 9000 Series NX-OS Command Reference: http://www.cisco.com/c/en/us/support/switches/nexus-9000-series-switches/products-command-reference-list.html
See the NX-API DME Model Reference for detailed information about classes and attributes described in the payload: https://developer.cisco.com/site/nx-os/docs/nexus-model-reference/
For information about using the payloads, see the Cisco Nexus 9000 Series NX-OS Programmability Guide https://www.cisco.com/c/en/us/support/switches/nexus-9000-series-switches/products-programming-reference-guides-list.html
Disabling TACACS+
Disabling TACACS+
POST http://<mgmt0_IP>/api/mo/sys.json
{
"fmEntity": {
"children": [
{
"fmTacacsplus": {
"attributes": {
"adminSt": "disabled"
}}}]}}
{
imdata:[]
}
<System>
<fm-items>
<tacacsplus-items>
<adminSt>disabled</adminSt>
</tacacsplus-items>
</fm-items>
</System>
This example enables the TACACS+ feature.
Note: This example was added in Release 7.0(3)I7(2).
CLI Commands
The CLI commands are equivalent to the payload examples displayed in the pane on the right. Click the DME tab in the top-left corner of the right pane to view the JSON payload. Click the YANG tab to view the XML payload.
no feature tacacs+
For other CLI options, see the Cisco Nexus 9000 Series NX-OS Command Reference: http://www.cisco.com/c/en/us/support/switches/nexus-9000-series-switches/products-command-reference-list.html
See the NX-API DME Model Reference for detailed information about classes and attributes described in the payload: https://developer.cisco.com/site/nx-os/docs/nexus-model-reference/
For information about using the payloads, see the Cisco Nexus 9000 Series NX-OS Programmability Guide https://www.cisco.com/c/en/us/support/switches/nexus-9000-series-switches/products-programming-reference-guides-list.html
Setting TACACS+ Configuration Data
Setting TACACS+ Configuration Data
POST http://<IP_Address>/api/mo/sys/userext.json
{
"aaaUserEp": {
"children": [
{
"aaaTacacsPlusEp": {
"attributes": {
"deadtime": "10",
"key": "fewhg",
"keyEnc": "7",
"timeout": "20"
}}}]}}
{
imdata": []
}
<System>
<userext-items>
<tacacsext-items>
<deadtime>10</deadtime>
<key>fewhg</key>
<keyEnc>7</keyEnc>
<timeout>20</timeout>
</tacacsext-items>
</userext-items>
</System>
The aaaUser object contains an aaaTacacsPlusEp object that contains general TACACS+ information. By posting data to the tacacsext.json object, you can set this information.
CLI Commands
The CLI commands and options listed below are the equivalent to the payload example displayed in the pane on the right.
Posting this data is equivalent to issuing several tacacs-server commands, for example
tacacs-server key 7 fewhgtacacs-server deadtime 10tacacs-server timeout 20
For other CLI options, see the Cisco Nexus 9000 Series NX-OS Command Reference: http://www.cisco.com/c/en/us/support/switches/nexus-9000-series-switches/products-command-reference-list.html
See the NX-API DME Model Reference for detailed information about classes and attributes described in the payload: https://developer.cisco.com/site/nx-os/docs/nexus-model-reference/
For information about using the payloads, see the Cisco Nexus 9000 Series NX-OS Programmability Guide https://www.cisco.com/c/en/us/support/switches/nexus-9000-series-switches/products-programming-reference-guides-list.html
Configuring the TACACS+ Global Dead-Time Interval
Configuring the TACACS+ Global Dead-Time Interval
POST http://<IP_Address>/api/mo/sys/userext.json
{
"aaaUserEp": {
"children": [
{
"aaaTacacsPlusEp": {
"attributes": {
"deadtime": "15"
}}}]}}
{
imdata": []
}
<System>
<userext-items>
<tacacsext-items>
<deadtime>15</deadtime>
</tacacsext-items>
</userext-items>
</System>
Specifies the number of minutes before the Cisco NX-OS device checks a TACACS+ server that was previously unresponsive. The default value is 0 minutes, and the valid range is from 0 to 1440 minutes.
CLI Commands
The CLI command below is the equivalent of the payload example displayed in the pane on the right.
tacacs-server deadtime 15
For other CLI options, see the Cisco Nexus 9000 Series NX-OS Command Reference: http://www.cisco.com/c/en/us/support/switches/nexus-9000-series-switches/products-command-reference-list.html
See the NX-API DME Model Reference for detailed information about classes and attributes described in the payload: https://developer.cisco.com/site/nx-os/docs/nexus-model-reference/
For information about using the payloads, see the Cisco Nexus 9000 Series NX-OS Programmability Guide https://www.cisco.com/c/en/us/support/switches/nexus-9000-series-switches/products-programming-reference-guides-list.html
Querying TACACS+ Configuration Data
Querying TACACS+ Configuration Data
GET http://<IP_Address>/api/node/mo/sys/userext/tacacsext.json
{
"totalCount": "1",
"imdata": [
{
"aaaTacacsPlusEp": {
"attributes": {
"childAction": "",
"deadtime": "10",
"descr": "",
"directedReq": "no",
"dn": "sys/userext/tacacsext",
"lcOwn": "local",
"modTs": "2015-02-02T12:56:13.788+00:00",
"monPolDn": "uni/fabric/monfab-default",
"name": "",
"ownerKey": "",
"ownerTag": "",
"retries": "1",
"srcIf": "unspecified",
"status": "",
"timeout": "20",
"uid": "0"
}}}]}
The aaaUser object contains an aaaTacacsPlusEp object that contains general TACACS+ information. By querying the tacacsext.json object, you can obtain this information.
See the NX-API DME Model Reference for detailed information about classes and attributes described in the payload: https://developer.cisco.com/site/nx-os/docs/nexus-model-reference/
For information about using the payloads, see the Cisco Nexus 9000 Series NX-OS Programmability Guide https://www.cisco.com/c/en/us/support/switches/nexus-9000-series-switches/products-programming-reference-guides-list.html
Setting TACACS+ Provider Information
Setting TACACS+ Provider Information
POST http://<IP_Address>/api/mo/sys/userext/tacacsext.json
{
"aaaTacacsPlusEp": {
"children": [
{
"aaaTacacsPlusProvider": {
"attributes": {
"key": "test",
"keyEnc": "7",
"name": "tns",
"port": "50"
}}}]}}
{
imdata": []
}
<System>
<userext-items>
<tacacsext-items>
<tacacsplusprovider-items>
<TacacsPlusProvider-list>
<name>tns</name>
<key>test</key>
<keyEnc>7</keyEnc>
<port>50</port>
</TacacsPlusProvider-list>
</tacacsplusprovider-items>
</tacacsext-items>
</userext-items>
</System>
Specifies a secret key for a specific TACACS+ server. You can specify that the key-value is in clear text format (0), is type-6 encrypted (6), or is type-7 encrypted (7). The Cisco NX-OS software encrypts a clear text key before saving it to the running configuration. The default format is clear text. The maximum length is 63 characters.
This secret key is used instead of the global secret key.
This example also specifies the TCP port to use for TACACS+ messages to the server. The default TCP port is 49. The range is from 1 to 65535.
The aaaUser object contains a tacacsplusprovider-tns object that contains TACACS+ provider configuration data. Using an POST method, you can set the TACACS+ provider settings for a switch.
CLI Commands
The CLI command below is the equivalent of the payload example displayed in the pane on the right.
tacacs-server host tns key 7 test port 50
For other CLI options, see the Cisco Nexus 9000 Series NX-OS Command Reference: http://www.cisco.com/c/en/us/support/switches/nexus-9000-series-switches/products-command-reference-list.html
See the NX-API DME Model Reference for detailed information about classes and attributes described in the payload: https://developer.cisco.com/site/nx-os/docs/nexus-model-reference/
For information about using the payloads, see the Cisco Nexus 9000 Series NX-OS Programmability Guide https://www.cisco.com/c/en/us/support/switches/nexus-9000-series-switches/products-programming-reference-guides-list.html
Deleting TACACS+ Provider Information
Deleting TACACS+ Provider Information
HTTP DELETE http://IP_Address/api/node/mo/sys/userext/tacacsext/tacacsplusprovider-tns.json
{
imdata": []
}
Deletes TACACS+ provider information.
The aaaUser object contains a tacacsplusprovider-tns object that contains TACACS+ provider configuration data. Using an HTTP DELETE call, you can delete the TACACS+ provider settings for a switch.
For other CLI options, see the Cisco Nexus 9000 Series NX-OS Command Reference: http://www.cisco.com/c/en/us/support/switches/nexus-9000-series-switches/products-command-reference-list.html
See the NX-API DME Model Reference for detailed information about classes and attributes described in the payload: https://developer.cisco.com/site/nx-os/docs/nexus-model-reference/
For information about using the payloads, see the Cisco Nexus 9000 Series NX-OS Programmability Guide https://www.cisco.com/c/en/us/support/switches/nexus-9000-series-switches/products-programming-reference-guides-list.html
Querying TACACS+ Provider Information
Querying TACACS+ Provider Information
GET http://<IP_Address>/api/node/mo/sys/userext/tacacsext/tacacsplusprovider-tns.json
{
"totalCount": "1",
"imdata": [
{
"aaaTacacsPlusProvider": {
"attributes": {
"authProtocol": "pap",
"childAction": "",
"descr": "",
"dn": "sys/userext/tacacsext/tacacsplusprovider-tns",
"epgDn": "",
"keySet": "no",
"lcOwn": "local",
"modTs": "2015-07-01T21:13:04.711+00:00",
"monPolDn": "uni/fabric/monfab-default",
"monitorServer": "disabled",
"monitoringUser": "test",
"name": "tns",
"operState": "inoperable",
"ownerKey": "",
"ownerTag": "",
"port": "49",
"retries": "inherit-from-global",
"snmpIndex": "0",
"status": "",
"timeout": "0",
"uid": "0",
"vrfName": ""
}}}]}
The aaaUser object contains a tacacsplusprovider-tns object that contains TACACS+ provider configuration data. Using an HTTP GET method, you can return the TACACS+ provider settings for a switch.
See the NX-API DME Model Reference for detailed information about classes and attributes described in the payload: https://developer.cisco.com/site/nx-os/docs/nexus-model-reference/
For information about using the payloads, see the Cisco Nexus 9000 Series NX-OS Programmability Guide https://www.cisco.com/c/en/us/support/switches/nexus-9000-series-switches/products-programming-reference-guides-list.html
Setting TACACS+ Provider Group Information
Setting TACACS+ Provider Group Information
POST http://<IP_address>/api/mo/sys/userext/tacacsext.json
{
"aaaTacacsPlusEp": {
"children": [
{
"aaaTacacsPlusProviderGroup": {
"attributes": {
"name": "tac1"
}}}]}}
{
imdata": []
}
<System>
<userext-items>
<tacacsext-items>
<tacacsplusprovidergroup-items>
<TacacsPlusProviderGroup-list>
<name>tac1</name>
</TacacsPlusProviderGroup-list>
</tacacsplusprovidergroup-items>
</tacacsext-items>
</userext-items>
</System>
Creates a TACACS+ server group and enters the TACACS+ server group configuration mode for that group.
The /sys/userext object contains a tacacsplusprovidergroup-tac1 object that contains TACACS+ Provider group configuration. Using an POST request, you can retrieve the configuration information for this object.
CLI Commands
The CLI command below is the equivalent of the payload example displayed in the pane on the right.
aaa group server tacacs+ tac1
For other CLI options, see the Cisco Nexus 9000 Series NX-OS Command Reference: http://www.cisco.com/c/en/us/support/switches/nexus-9000-series-switches/products-command-reference-list.html
See the NX-API DME Model Reference for detailed information about classes and attributes described in the payload: https://developer.cisco.com/site/nx-os/docs/nexus-model-reference/
For information about using the payloads, see the Cisco Nexus 9000 Series NX-OS Programmability Guide https://www.cisco.com/c/en/us/support/switches/nexus-9000-series-switches/products-programming-reference-guides-list.html
Deleting TACACS+ Provider Group Information
Deleting TACACS+ Provider Group Information
HTTP DELETE http://<IP_Address>/api/node/mo/sys/userext/tacacsext/tacacsplusprovidergroup-tac1.json
Deletes TACACS+ provider group information.
The /sys/userext object contains a tacacsplusprovidergroup-tac1 object that contains TACACS+ Provider group configuration. Using an HTTP DELETE request, you can delete the configuration information for this object.
For other CLI options, see the Cisco Nexus 9000 Series NX-OS Command Reference: http://www.cisco.com/c/en/us/support/switches/nexus-9000-series-switches/products-command-reference-list.html
See the NX-API DME Model Reference for detailed information about classes and attributes described in the payload: https://developer.cisco.com/site/nx-os/docs/nexus-model-reference/
For information about using the payloads, see the Cisco Nexus 9000 Series NX-OS Programmability Guide https://www.cisco.com/c/en/us/support/switches/nexus-9000-series-switches/products-programming-reference-guides-list.html
Querying TACACS+ Provider Group Information
Querying TACACS+ Provider Group Information
GET http://<IP_address>/api/mo/sys/userext/tacacsext/tacacsplusprovidergroup-TAC1.json
{
"totalCount": "1",
"imdata": [
{
"aaaTacacsPlusProviderGroup": {
"attributes": {
"childAction": "",
"deadtime": "0",
"descr": "",
"dn": "sys/userext/tacacsext/tacacsplusprovidergroup-TAC1",
"modTs": "2017-12-20T18:34:56.938+00:00",
"name": "TAC1",
"ownerKey": "",
"ownerTag": "",
"persistentOnReload": "true",
"snmpIndex": "0",
"srcIf": "unspecified",
"status": "",
"uid": "0",
"vrf": "default"
}}}]}
The /sys/userext object contains a tacacsplusprovidergroup-tac1 object that contains TACACS+ Provider group configuration. Using an HTTP GET request, you can retrieve the configuration information for this object.
See the NX-API DME Model Reference for detailed information about classes and attributes described in the payload: https://developer.cisco.com/site/nx-os/docs/nexus-model-reference/
For information about using the payloads, see the Cisco Nexus 9000 Series NX-OS Programmability Guide https://www.cisco.com/c/en/us/support/switches/nexus-9000-series-switches/products-programming-reference-guides-list.html
Setting TACACS+ Provider Group Reference Information
Setting TACACS+ Provider Group Reference Information
POST http://<IP_Address>/api/mo/sys/userext/tacacsext.json
{
"aaaTacacsPlusEp": {
"children": [
{
"aaaTacacsPlusProviderGroup": {
"attributes": {
"name": "tac1"
},
"children": [
{
"aaaProviderRef": {
"attributes": {
"name": "tns"
}}}]}}]}}
{
imdata": []
}
<System>
<userext-items>
<tacacsext-items>
<tacacsplusprovidergroup-items>
<TacacsPlusProviderGroup-list>
<name>tac1</name>
<providerref-items>
<ProviderRef-list>
<name>tns</name>
</ProviderRef-list>
</providerref-items>
</TacacsPlusProviderGroup-list>
</tacacsplusprovidergroup-items>
</tacacsext-items>
</userext-items>
</System>
This API configures TACACS+ Provider Group reference information.
CLI Commands
The CLI commands are equivalent to the payload examples displayed in the pane on the right. Click the DME tab in the top-left corner of the right pane to view the JSON payload. Click the YANG tab to view the XML payload.
aaa group server tacacs+ tac1server tns
For other CLI options, see the Cisco Nexus 9000 Series NX-OS Command Reference: http://www.cisco.com/c/en/us/support/switches/nexus-9000-series-switches/products-command-reference-list.html
See the NX-API DME Model Reference for detailed information about classes and attributes described in the payload: https://developer.cisco.com/site/nx-os/docs/nexus-model-reference/
For information about using the payloads, see the Cisco Nexus 9000 Series NX-OS Programmability Guide https://www.cisco.com/c/en/us/support/switches/nexus-9000-series-switches/products-programming-reference-guides-list.html
Deleting TACACS+ Provider Group Reference Information
Deleting TACACS+ Provider Group Reference Information
HTTP DELETE http://<IP_Address>/api/node/mo/sys/userext/tacacsext/tacacsplusprovidergroup-tac1/providerref-tns.json
{
imdata": []
}
This deletes TACACS+ provider group reference information.
See the NX-API DME Model Reference for detailed information about classes and attributes described in the payload: https://developer.cisco.com/site/nx-os/docs/nexus-model-reference/
For information about using the payloads, see the Cisco Nexus 9000 Series NX-OS Programmability Guide https://www.cisco.com/c/en/us/support/switches/nexus-9000-series-switches/products-programming-reference-guides-list.html
Querying TACACS+ Provider Group Reference Information
Getting TACACS+ Provider Group Reference Information
GET http://<IP_Address>/api/node/mo/sys/userext/tacacsext/tacacsplusprovidergroup-tac1/providerref-tns.json
{
"totalCount": "0",
"imdata": []
}
The /sys/userext object contains a tacacsplusprovidergroup-tac1 reference object that contains TACACS+ Provider group reference configuration. Using an HTTP GET request, you can retrieve the configuration information for this object.
See the NX-API DME Model Reference for detailed information about classes and attributes described in the payload: https://developer.cisco.com/site/nx-os/docs/nexus-model-reference/
For information about using the payloads, see the Cisco Nexus 9000 Series NX-OS Programmability Guide https://www.cisco.com/c/en/us/support/switches/nexus-9000-series-switches/products-programming-reference-guides-list.html
Setting a TACACS+ Key for All TACACS+ Servers
Setting a TACACS+ Key for All TACACS+ Servers
POST http://<IP_Address>/api/mo/sys/userext.json
{
"aaaUserEp": {
"children": [
{
"aaaTacacsPlusEp": {
"attributes": {
"key": "QsEfThUkO",
"keyEnc": "0"
}}}]}}
{
"imdata": []
}
<System>
<userext-items>
<tacacsext-items>
<key>QsEfThUkO</key>
<keyEnc>0</keyEnc>
</tacacsext-items>
</userext-items>
</System>
Specifies a TACACS+ key for all TACACS+ servers.
CLI Commands
The CLI command below is the equivalent of the payload example displayed in the pane on the right.
tacacs-server key 0 QsEfThUkO
For other CLI options, see the Cisco Nexus 9000 Series NX-OS Command Reference: http://www.cisco.com/c/en/us/support/switches/nexus-9000-series-switches/products-command-reference-list.html
See the NX-API DME Model Reference for detailed information about classes and attributes described in the payload: https://developer.cisco.com/site/nx-os/docs/nexus-model-reference/
For information about using the payloads, see the Cisco Nexus 9000 Series NX-OS Programmability Guide https://www.cisco.com/c/en/us/support/switches/nexus-9000-series-switches/products-programming-reference-guides-list.html
Setting the Timeout Interval for TACACS+ Servers
Setting the Timeout Interval for TACACS+ Servers
POST http://<IP_Address>/api/mo/sys/userext.json
{
"aaaUserEp": {
"children": [
{
"aaaTacacsPlusEp": {
"attributes": {
"timeout": "10"
}}}]}}
{
"imdata": []
}
<System>
<userext-items>
<tacacsext-items>
<timeout>10</timeout>
</tacacsext-items>
</userext-items>
</System>
Specifies the global TACACS+ server timeout period in seconds.
CLI Commands
The CLI command below is the equivalent of the payload example displayed in the pane on the right.
tacacs-server timeout 10
For other CLI options, see the Cisco Nexus 9000 Series NX-OS Command Reference: http://www.cisco.com/c/en/us/support/switches/nexus-9000-series-switches/products-command-reference-list.html
See the NX-API DME Model Reference for detailed information about classes and attributes described in the payload: https://developer.cisco.com/site/nx-os/docs/nexus-model-reference/
For information about using the payloads, see the Cisco Nexus 9000 Series NX-OS Programmability Guide https://www.cisco.com/c/en/us/support/switches/nexus-9000-series-switches/products-programming-reference-guides-list.html
Configuring the Global Source Interface for All TACACS+ Server Groups Configured on a Device
Configuring the Global Source Interface for All TACACS+ Server Groups Configured on a Device
POST http://<IP_Address>/api/node/mo/sys/userext.json
{
"aaaUserEp": {
"children": [
{
"aaaTacacsPlusEp": {
"attributes": {
"srcIf": "mgmt0"
}}}]}}
{
"imdata": []
}
<System>
<userext-items>
<tacacsext-items>
<srcIf>mgmt0</srcIf>
</tacacsext-items>
</userext-items>
</System>
Specifies the source interface to be used to reach the TACACS+ server.
CLI Commands
The CLI command below is the equivalent of the payload example displayed in the pane on the right.
ip tacacs source-interface mgmt 0
For other CLI options, see the Cisco Nexus 9000 Series NX-OS Command Reference: http://www.cisco.com/c/en/us/support/switches/nexus-9000-series-switches/products-command-reference-list.html
See the NX-API DME Model Reference for detailed information about classes and attributes described in the payload: https://developer.cisco.com/site/nx-os/docs/nexus-model-reference/
For information about using the payloads, see the Cisco Nexus 9000 Series NX-OS Programmability Guide https://www.cisco.com/c/en/us/support/switches/nexus-9000-series-switches/products-programming-reference-guides-list.html