ShTacas Class

Runs and parses 'show tacacs+ status'.

class ShTacas (NXCLI)

parse_specific

parse_specific (self)

ShTacasServer Class

Runs and parses 'show tacacs-server'.

class ShTacasServer (NXCLI)

Example
>>> import cisco
>>> from cisco.tacacs import *
>>> showTacacs=ShTacasServer()
>>> print "TACACS+ Configuration is ", showTacacs.servers()

parse_specific

parse_specific (self)

server

Returns the dictionary for the specified server.

server (self, srv)

Example:
>>> showTacacs=ShTacasServer()
>>> showTacacs.server('192.0.20.5')
{'available_on_port': 49}

Arguments:

  • srv: server name

servers

Returns the list of configured servers.

servers (self)

Example:
>>> showTacacs=ShTacasServer()
>>> showTacacs.servers()
['192.0.20.5']

Arguments: None

Returns: A list of configured TACACS+ servers.

Tacacs Class

class Tacacs (Feature)

Example:
>>> import cisco
>>> from cisco.tacacs import *
>>> tac = Tacacs ()

add_group

Specifies one or more remote AAA servers.

add_group (self, name, server, **args)

Example:
>>> tac = Tacacs ()
>>> tac.add_server('192.0.20.5')
>>> tac.add_group('ciscogroup1','192.0.20.5')

Arguments:

  • name: Name of the AAA server group
  • server: DNS name or IP address of the TACACS+ server

Optional Arguments:

  • deadtime: Configures the monitoring dead time. The default is 0 minutes. The range is from 1 through 1440. Note: If the dead-time interval for a TACACS+ server group is greater than zero (0), that value takes precedence over the global dead-time value.

  • source_interface: ('m0') Configures a source interface to access the TACACS+ servers in the server group. You can use Ethernet interfaces, loopback interfaces, or the management interface (mgmt0). The default is the global source interface.

  • vrf: Name of the VRF to use to contact the servers in the server group.

  • no: If set to True, deletes the group

Returns: True on success

Usage Guidelines:

Use this command to specify one or more remote AAA servers to authenticate users using server groups. All members of a group must belong to the TACACS+ protocol. The servers are tried in the same order in which you configure them.

You can configure these server groups at any time but they only take effect when you apply them to an AAA service.

add_server

Adds or deletes a TACACS+ server.

add_server(self, server, **args)

Examples:
>>> tac = Tacacs()
>>> tac.add_server('192.0.20.5')
True
>>> tac.add_server('FF01::101')
True
>>> tac.add_server('192.0.20.5',no="True")  # deletes server
True

Arguments:

  • server: DNS name or IP address of the TACACS+ server

Optional Arguments:

  • port: TACACS+ server port in range of 1-65535
  • key: CiscoSecret Global TACACS+ server shared secret
  • timeout: TACACS+ server timeout period in seconds
  • no: If set to True, deletes the server

Returns: True on success

Usage Guidelines:

Use this command to add TACACS+ servers. To access a remote TACACS+ server, you must configure the IP address or the hostname for the TACACS+ server on the Cisco NX-OS device. You can configure up to 64 TACACS+ servers.

commit

Applies and distributes the TACACS+ configuration changes.

commit (self)

Example:
>>> tac.commit()
True

Arguments: none

Returns: True on success

Usage Guidelines:

(Optional) Applies the TACACS+ configuration changes in the temporary database to the running configuration and distributes the TACACS+ configuration to other NX-OS devices in the network for which you have enabled Cisco Fabric Services (CFS) configuration distribution for the TACACS+ feature.

deadtime

Specifies a dead-time interval for the TACACS+ server group.

deadtime (self, mins, **args)

Example:
>>> tac.deadtime(120)
True

Arguments:

  • mins: Length of time in minutes to skip a nonresponsive TACACS+ server for transaction requests. The default is 0 minutes. The range is from 1 through 1440 minutes (24 hours).

Optional Arguments:

  • no: If set to True, removes the timeout

Returns: True on success

Usage Guidelines:

During the dead-time interval, the switch sends probe access-request packets to verify that the TACACS+ server is available and can receive authentication requests. The dead-time interval starts when the server does not respond to an authentication request transmission. When the server responds to a probe access-request packet, the switch retransmits the authentication request to the server.

Use of the deadtime command causes the switch to mark as dead any TACACS+ servers that fail to respond to authentication requests. Using this command prevents the wait for the request to time out before trying the next configured server. Additional requests skip a TACACS+ server that is marked as dead for the duration of mins.

directed_request

Allows the user to specify which TACACS+ server the authentication request is sent to.

directed_request (self, **args)

Example:
>>> tac.directed_request()
True

Optional Arguments:

  • no: If set to True, stops the request

Returns: True on success

Usage Guidelines:

Use this command to enable the directed-request option, which lets the user specify which TACACS+ server the authentication request is sent to. By default, a Cisco NX-OS device forwards an authentication request based on the default AAA authentication method. If you enable this option, the user can log in as username@vrfname:hostname, where vrfname is the VRF to use and hostname is the name of a configured TACACS+ server.

distribute

Starts distribution of the TACACS+ configuration changes in the CFS region.

distribute (self, **args)

Example:
>>> tac.distribute()
True

Optional Arguments:

  • no: Set to True to stop distribution

Returns: True on success

Usage Guidelines:

Use this command to distribute TACACS+ configuration to other NX-OS devices in the network for which you have enabled Cisco Fabric Services (CFS) configuration distribution for the TACACS+ feature.

server

Returns information for the specified server.

server (self, s)

Arguments:

  • s: server name

Returns: information for the specified server

servers

Returns the list of configured TACACS+ servers.

servers (self)

Arguments: none

Returns: A list of configured TACACS+ servers

set_key

Specifies a TACACS+ key for all TACACS+ servers.

set_key (self, key, **args)

Example:
>>> from cisco.cisco_secret import *
>>> tac = Tacacs()
>>> tac.set_key(CiscoSecret('Secret',7))
True

Arguments:

  • key: Shared key. The maximum length is 63 characters.
  • no: If set to True, deletes the key

Returns: True on success

Usage Guidelines:

Use this command to specify a TACACS+ key for all TACACS+ servers. You can specify whether the key value in the cisco.CiscoSecret object is in clear text (0) format or is encrypted (7). The Cisco NX-OS software encrypts a clear text key before saving it to the running configuration. The default format is clear text.

By default, no secret key is configured.

src_interface

Configures a global source interface for TACACS+ server groups.

src_interface (self, ifname, **args)

Arguments:

  • ifname: Name of the source interface

Optional Arguments:

  • no: If set to True, deletes the key

Returns: True on success

Usage Guidelines:

Use this command to configure a global source interface for TACACS+ server groups to use when accessing TACACS+ servers. To configure a different source interface for a specific TACACS+ server group, use add_group() API. By default, the Cisco NX-OS software uses any available interface.

timeout

Sets a global timeout interval for responses from all TACACS+ servers.

timeout (self, secs, **args)

Example:
>>> tac.timeout(10)
True

Arguments:

  • secs: The global timeout interval in seconds. The default timeout interval is 5 seconds and the range is from 1 to 60 seconds.

Optional Arguments:

  • no: If set to True, removes the timeout

Returns: True on success

Usage Guidelines:

Use this command to set the global timeout interval, which determines how long the Cisco NX-OS device waits for responses from all TACACS+ servers before declaring a timeout failure.
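The argument limits documented above for add_server, add_group, deadtime, set_key and timeout can be checked off-box before any call is made. The following is an added example, not part of the cisco package: the plan dictionary layout and every name in it are assumptions, and it does not import the cisco module.

```python
# Added example (not part of the cisco package). Limits are the ones stated
# on this page; the plan layout and every name below are hypothetical.
MAX_SERVERS = 64             # add_server: "up to 64 TACACS+ servers"
MAX_KEY_LEN = 63             # set_key: maximum shared-key length
PORT_RANGE = (1, 65535)      # add_server: port
TIMEOUT_RANGE = (1, 60)      # timeout: global timeout in seconds
DEADTIME_RANGE = (1, 1440)   # deadtime / add_group: minutes


def _in_range(value, bounds):
    # bool is a subclass of int; reject it so True is not accepted as 1.
    return (isinstance(value, int) and not isinstance(value, bool)
            and bounds[0] <= value <= bounds[1])


def validate_plan(plan):
    """Return a list of problems; an empty list means every value is in range."""
    problems = []
    servers = plan.get('servers', {})
    if len(servers) > MAX_SERVERS:
        problems.append('%d servers exceeds the limit of 64' % len(servers))
    for host in sorted(servers):
        port = servers[host].get('port')
        if port is not None and not _in_range(port, PORT_RANGE):
            problems.append('%s: port %r is outside 1-65535' % (host, port))
    key = plan.get('key')
    if key is not None and len(key) > MAX_KEY_LEN:
        # Report the length only, never the key itself.
        problems.append('global key length %d exceeds 63' % len(key))
    timeout = plan.get('timeout')
    if timeout is not None and not _in_range(timeout, TIMEOUT_RANGE):
        problems.append('timeout %r is outside 1-60 seconds' % (timeout,))
    for scope, cfg in [('global', plan)] + sorted(plan.get('groups', {}).items()):
        mins = cfg.get('deadtime')
        if mins is not None and not _in_range(mins, DEADTIME_RANGE):
            problems.append('%s: deadtime %r is outside 1-1440 minutes' % (scope, mins))
        # Assumption: members should be declared servers (add_group example).
        for member in cfg.get('members', []):
            if member not in servers:
                problems.append('%s: member %s is not a declared server' % (scope, member))
    return problems


# Constructed sample plan with four deliberate mistakes.
SAMPLE_PLAN = {
    'servers': {'192.0.20.5': {'port': 49}, 'FF01::101': {'port': 70000}},
    'key': 'S' * 64, 'timeout': 10, 'deadtime': 120,
    'groups': {'ciscogroup1': {'members': ['192.0.20.5', '192.0.20.9'],
                               'deadtime': 2000}},
}
if __name__ == '__main__':
    print('\n'.join(validate_plan(SAMPLE_PLAN)))
```

An empty list from validate_plan means the plan stays inside the documented ranges; it does not confirm that the device accepted the configuration.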

test_server

Monitors the availability of TACACS+ servers by sending test packets.

test_server (self, host, **args)

Example:
>>> tac.test_server('TacServer3', user_name="User1", password="Cisco123")

Arguments:

  • host: Name of the server to test.

Optional Arguments:

  • user_name: User name to log in to the test server.
  • password: Password to log in to the test server.
  • idle_time: The interval in which the test server receives no requests before the switch sends out a test packet.

Returns:

Usage Guidelines:

Use this command to monitor the availability of TACACS+ servers. The test parameters include the username and password to use for the server and an idle timer. The idle timer specifies the interval in which a TACACS+ server receives no requests before the Cisco NX-OS device sends out a test packet. You can configure this option to test servers periodically, or you can run a one-time only test.