Cisco Nexus - HowTo *Updated*

The Nexus seems to ask for PAP authentication. I have no clue why, but adding a simple "pap = des -hash-" to the user or group in your tac_plus configuration makes it work (this doesn't seem to be necessary if you are setting a default authentication). TACACS+ on the Nexus is different from IOS. However, you can still continue to use TACACS+ the way you always have. An example NX-OS configuration looks like this:

    tacacs-server key -key-
    tacacs-server host -host-
    aaa group server tacacs+ private
        server -host, yes again-
        use-vrf management
        source-interface mgmt0
    aaa authentication login default group private
    aaa authorization config-commands default group private
    aaa authorization commands default group private
    aaa accounting default group private

Many of you may be wondering why I did not add a "local" fallback on the end of the aaa authorization commands. In short: it wouldn't let me. Cisco says it's a bug. Hence, until that is fixed, I recommend you use roles instead of command authorization, or you'll be locked out when the TACACS+ server is down. To rely on roles instead, simply take out the two authorization lines above. You can read more on roles than I have time to explain on Cisco's website, and you can even create your own. You can even create users that can only operate inside their own VDC. However, for my examples, we'll just focus on how to use tac_plus and do_auth.

Nexus and Cisco just don't play well together. Or, rather, the Nexus plays OK, but the (IOS) Cisco gets confused when it gets a Nexus role. Without do_auth, you are forced to do things like run two separate tac_plus servers. However, with do_auth, you can run a single server. For instance, consider the following snippet:

    service = exec {
        priv-lvl = 15
        shell:roles="\"network-admin\""
        idletime = 3
        timeout = 15
    }

The roles will confuse your (IOS) switches, and you'll end up having to use enable passwords. However, add do_auth as an after-authentication script, and do_auth will strip the shell:roles pair from the reply sent to the Cisco. Hence, it works like it should.

I've improved the add/replacement of AV pairs (av_pairs) in do_auth. For example:

    av_pairs =
        priv-lvl=1
        shell:roles="network-operator"

Add this to a do_auth group, and you've created a safe little read-only group to give helpdesk operators. More information on key replacement is available in the script itself – do_auth.py | less.
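The two behaviours described above, key add/replacement of AV pairs and stripping shell:roles for non-Nexus gear, modelled as an added Python example. This is not do_auth's own code: the pair lists are constructed from the snippets on this page, and how the device type is detected (here just an is_nexus flag) is an assumption, since the post does not describe it.

```python
# Constructed: the AV pairs tac_plus would hand an after-authentication
# script for the "service = exec" block shown earlier on the page.
TAC_PLUS_PAIRS = [
    "priv-lvl=15",
    'shell:roles="network-admin"',
    "idletime=3",
    "timeout=15",
]

# Constructed: the av_pairs block of the read-only helpdesk group.
HELPDESK_AV_PAIRS = [
    "priv-lvl=1",
    'shell:roles="network-operator"',
]


def merge_av_pairs(current, group_pairs):
    """Key replacement: a pair whose key already exists replaces the old
    value in place; a pair with a new key is appended (hypothetical model)."""
    merged = list(current)
    for pair in group_pairs:
        key = pair.partition("=")[0]
        for i, existing in enumerate(merged):
            if existing.partition("=")[0] == key:
                merged[i] = pair
                break
        else:
            merged.append(pair)
    return merged


def strip_nexus_roles(pairs, is_nexus):
    """IOS gear misreads a Nexus role, so drop shell:roles unless the
    requesting device is a Nexus (detection is assumed, not shown here)."""
    if is_nexus:
        return list(pairs)
    return [p for p in pairs if not p.startswith("shell:roles=")]


def build_reply(current, group_pairs, is_nexus):
    """Full after-authentication pass: apply the group's av_pairs, then
    remove the role pair for devices that cannot handle it."""
    return strip_nexus_roles(merge_av_pairs(current, group_pairs), is_nexus)


if __name__ == "__main__":
    for nexus in (True, False):
        print("nexus" if nexus else "ios", build_reply(TAC_PLUS_PAIRS, HELPDESK_AV_PAIRS, nexus))
```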

In short, you need do_auth to make roles work correctly alongside other Cisco gear. But this is NOT to imply a shortcoming of tac_plus: this kluge in do_auth was written to fix vendor problems, NOT tac_plus problems.

Of course, these changes required changes to do_auth.

v1.91 http://pastie.org/3284098