TACACS
The nv unset commands remove the configuration you set with the equivalent nv set commands. This guide only describes an nv unset command if it differs from the nv set command.
nv set system aaa tacacs accounting enable
Turns TACACS+ accounting on or off.
TACACS+ accounting uses the audisp module, with an additional plugin for auditd and audisp. The plugin maps the auid in the accounting record to a TACACS login, which it bases on the auid and sessionid.
Version History
Introduced in Cumulus Linux 5.4.0 (beta)
Example
cumulus@switch:~$ nv set system aaa tacacs accounting enable on
nv set system aaa tacacs accounting send-records
Configures Cumulus Linux to send accounting records to all servers (all) or to the server that is first to respond (first-response). By default, Cumulus Linux sends accounting records to all servers.
Version History
Introduced in Cumulus Linux 5.4.0 (beta)
Example
cumulus@switch:~$ nv set system aaa tacacs accounting send-records first-response
nv set system aaa tacacs authentication mode
Configures the TACACS+ authentication mode. You can specify pap to send clear text between the user and the server, chap to establish a PPP connection between the user and the server, or login. The default is pap.
Version History
Introduced in Cumulus Linux 5.4.0 (beta)
Example
cumulus@switch:~$ nv set system aaa tacacs authentication mode chap
nv set system aaa authentication-order <priority-id>
Configures the authentication order so that either TACACS+ or local authentication has priority (the lower number has priority). You can specify a value of tacacs or local.
Cumulus Linux 5.12 and later does not provide this command.
Command Syntax
Syntax | Description |
---|---|
<user-id> | The user account. |
Version History
Introduced in Cumulus Linux 5.4.0
Example
cumulus@switch:~$ nv set system aaa authentication-order 1 tacacs
nv set system aaa tacacs authentication per-user-homedir
Turns per-user home directories on or off. When on, Cumulus Linux creates a separate home directory for each TACACS+ user when the TACACS+ user first logs in. The default setting is off.
Version History
Introduced in Cumulus Linux 5.4.0 (beta)
Example
cumulus@switch:~$ nv set system aaa tacacs authentication per-user-homedir on
nv set system aaa tacacs debug-level
Configures the debugging level for troubleshooting:
- 0 disables debugging.
- 1 enables debugging and sends log messages to syslog.
- 2 enables debugging and sends some additional log messages to syslog.
Version History
Introduced in Cumulus Linux 5.4.0
Example
cumulus@switch:~$ nv set system aaa tacacs debug-level 2
nv set system aaa tacacs enable
Turns TACACS+ on or off.
Cumulus Linux 5.12 and later does not provide this command.
Version History
Introduced in Cumulus Linux 5.4.0 (beta)
Example
cumulus@switch:~$ nv set system aaa tacacs enable on
nv set system aaa tacacs exclude-user
Configures TACACS to exclude users from going to the TACACS+ server for authentication.
nv set system aaa tacacs exclude-user username <value>
Configures TACACS to exclude the specified user from going to the TACACS+ server for authentication.
Command Syntax
Syntax | Description |
---|---|
<value> | The name of the user account you want to exclude. |
Version History
Introduced in Cumulus Linux 5.4.0 (beta)
Example
cumulus@switch:~$ nv set system aaa tacacs exclude-user username user1
nv set system aaa tacacs server <priority-id>
Configures the TACACS server priority number. You must set a priority even if you only specify one server. You can specify a value between 1 and 8.
Cumulus Linux 5.12 and later does not provide this command; use nv set system aaa tacacs server <server-id> priority <priority>.
Command Syntax
Syntax | Description |
---|---|
<priority-id> | The TACACS server priority number. NVUE commands require you to specify the priority for each TACACS+ server. |
Version History
Introduced in Cumulus Linux 5.4.0 (beta)
Example
cumulus@switch:~$ nv set system aaa tacacs server 5
nv set system aaa tacacs server <priority-id> host
Configures the IPv4 address or hostname of the TACACS+ server. You must configure at least one TACACS+ server.
Cumulus Linux 5.12 and later does not provide this command; use nv set system aaa tacacs server <server-id> priority <priority>.
Command Syntax
Syntax | Description |
---|---|
<priority-id> | The TACACS server priority number. NVUE commands require you to specify the priority for each TACACS+ server. |
Version History
Introduced in Cumulus Linux 5.4.0 (beta)
Example
cumulus@switch:~$ nv set system aaa tacacs server 5 host 192.168.0.30
nv set system aaa tacacs server <priority-id> port
Configures the TACACS+ server port to use for communication between the TACACS+ server and client. You can set a value between 0 and 65535. The default port is 49.
Cumulus Linux 5.12 and later does not provide this command; use nv set system aaa tacacs server <server-id> port <port-id>.
Command Syntax
Syntax | Description |
---|---|
<priority-id> | The TACACS server priority number. NVUE commands require you to specify the priority for each TACACS+ server. |
Version History
Introduced in Cumulus Linux 5.4.0 (beta)
Example
cumulus@switch:~$ nv set system aaa tacacs server 5 port 32
nv set system aaa tacacs server <priority-id> prefer-ip-version 6
Configures the TACACS server to use IPv6.
Cumulus Linux 5.12 and later does not provide this command; use nv set system aaa tacacs server <server-id> prefer-ip-version 6.
Command Syntax
Syntax | Description |
---|---|
<priority-id> | The TACACS server priority number. NVUE commands require you to specify the priority for each TACACS+ server. |
Version History
Introduced in Cumulus Linux 5.5.0
Example
cumulus@switch:~$ nv set system aaa tacacs server 5 prefer-ip-version 6
nv set system aaa tacacs server <priority-id> secret <value>
Configures the shared secret between the TACACS server and client. The TACACS client on the switch and the TACACS server must have the same shared secret key.
Cumulus Linux 5.12 and later does not provide this command; use nv set system aaa tacacs server <server-id> secret <secret>.
Command Syntax
Syntax | Description |
---|---|
<priority-id> | The TACACS server priority number. NVUE commands require you to specify the priority for each TACACS+ server. |
Version History
Introduced in Cumulus Linux 5.4.0 (beta)
Example
cumulus@switch:~$ nv set system aaa tacacs server 5 secret mytacacskey
nv set system aaa tacacs server <server-id> port <port-id>
Configures the port number you want to use for communication between the TACACS+ server and client. By default, Cumulus Linux uses IP port 49.
Cumulus Linux 5.11 and earlier uses nv set system aaa tacacs server <priority-id> port <port-id>.
Command Syntax
Syntax | Description |
---|---|
<server-id> | The TACACS server IP address or hostname. |
<port-id> | The port number. |
Version History
Introduced in Cumulus Linux 5.12.0
Example
cumulus@switch:~$ nv set system aaa tacacs server 192.168.0.30 port 32
nv set system aaa tacacs server <server-id> priority <priority-id>
Configures the TACACS server priority number. You must set a priority even if you only specify one server.
Cumulus Linux 5.11 and earlier uses nv set system aaa tacacs server <priority-id> host <server-id>.
Command Syntax
Syntax | Description |
---|---|
<server-id> | The TACACS server IP address or hostname. |
<priority-id> | The TACACS server priority number. NVUE commands require you to specify the priority for each TACACS+ server. |
Version History
Introduced in Cumulus Linux 5.12.0
Example
cumulus@switch:~$ nv set system aaa tacacs server 192.168.0.30 priority 5
nv set system aaa tacacs server <server-id> secret <secret-key>
Configures the TACACS server secret key shared between the TACACS+ server and client.
Cumulus Linux 5.11 and earlier uses nv set system aaa tacacs server <priority> secret <secret-key>.
Command Syntax
Syntax | Description |
---|---|
<server-id> | The TACACS server IP address or hostname. |
<secret-key> | The TACACS server secret key. |
Version History
Introduced in Cumulus Linux 5.12.0
Example
cumulus@switch:~$ nv set system aaa tacacs server 192.168.0.30 secret abcdefghijklmnopqrstuvwxyz
nv set system aaa tacacs server <server-id> prefer-ip-version 6
Configures the TACACS server to use IPv6.
Cumulus Linux 5.11 and earlier uses nv set system aaa tacacs server <priority-id> prefer-ip-version 6.
Command Syntax
Syntax | Description |
---|---|
<server-id> | The TACACS server IP address or hostname. |
Version History
Introduced in Cumulus Linux 5.12.0
Example
cumulus@switch:~$ nv set system aaa tacacs server SERVER1 prefer-ip-version 6
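The following added example (not part of the NVIDIA documentation or tooling) rewrites the priority-keyed server commands of Cumulus Linux 5.11 and earlier into the server-id-keyed form of 5.12 and later, using only the mappings this page states, and reports the commands that 5.12 and later no longer provide. The function name `migrate` and the sample input are assumptions made for illustration.

```python
import shlex

SERVER = ["nv", "set", "system", "aaa", "tacacs", "server"]
# Commands the page says 5.12 and later no longer provide; the page names no
# replacement for them, so they are reported instead of rewritten.
REMOVED = (["nv", "set", "system", "aaa", "tacacs", "enable"],
           ["nv", "set", "system", "aaa", "authentication-order"])
ATTRS = {"port", "secret", "prefer-ip-version"}


def migrate(lines):
    """Rewrite priority-keyed server commands as server-id-keyed ones.

    Returns (commands, warnings). Non-server commands pass through in their
    original order, followed by the rewritten server commands by priority.
    """
    servers = {}   # priority-id -> {"host": str or None, "attrs": [(key, value)]}
    commands, warnings = [], []
    for raw in lines:
        tok = shlex.split(raw)
        if not tok:
            continue
        if any(tok[:len(r)] == r for r in REMOVED):
            warnings.append(f"not provided in 5.12 and later: {raw.strip()}")
        elif tok[:6] == SERVER and len(tok) > 6 and tok[6].isdigit():
            entry = servers.setdefault(tok[6], {"host": None, "attrs": []})
            if len(tok) == 9 and tok[7] == "host":
                entry["host"] = tok[8]
            elif len(tok) == 9 and tok[7] in ATTRS:
                entry["attrs"].append((tok[7], tok[8]))
            elif len(tok) != 7:   # a bare "server <priority-id>" adds nothing
                warnings.append(f"unrecognized server command: {raw.strip()}")
        else:
            commands.append(raw.strip())   # includes commands already in 5.12 form
    for prio in sorted(servers, key=int):
        host, attrs = servers[prio]["host"], servers[prio]["attrs"]
        if host is None:
            warnings.append(f"priority {prio} has no host; its settings were dropped")
            continue
        base = SERVER + [host]
        commands.append(shlex.join(base + ["priority", prio]))
        commands.extend(shlex.join(base + [key, value]) for key, value in attrs)
    return commands, warnings


# Constructed input, assembled from this page's 5.11-and-earlier examples.
LEGACY = ["nv set system aaa tacacs enable on",
          "nv set system aaa authentication-order 1 tacacs",
          "nv set system aaa tacacs server 5 host 192.168.0.30",
          "nv set system aaa tacacs server 5 port 32",
          "nv set system aaa tacacs server 5 secret mytacacskey",
          "nv set system aaa tacacs vrf mgmt",
          "nv set system aaa tacacs server 6 port 49"]
```

Call `migrate(LEGACY)` to get the rewritten commands and the warnings; review every warning by hand before applying the result to a switch.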
nv set system aaa tacacs source-ip <ipv4>
Configures the source IP address to use when communicating with the TACACS+ server so that the server can identify the client switch. You must specify an IPv4 address, which must be valid for the interface you use. This source IP address is typically the loopback address on the switch.
Command Syntax
Syntax | Description |
---|---|
<ipv4> | The IPv4 address. |
Version History
Introduced in Cumulus Linux 5.4.0 (beta)
Example
cumulus@switch:~$ nv set system aaa tacacs source-ip 10.10.10.1
nv set system aaa tacacs timeout
Configures the TACACS timeout value, which is the number of seconds to wait for a response from the TACACS+ server before trying the next TACACS+ server. You can specify a value between 0 and 60.
Version History
Introduced in Cumulus Linux 5.4.0 (beta)
Example
cumulus@switch:~$ nv set system aaa tacacs timeout 10
nv set system aaa tacacs vrf <vrf-name>
Configures the VRF you want to use to communicate with the TACACS+ server. This is typically the management VRF (mgmt).
Command Syntax
Syntax | Description |
---|---|
<vrf-name> | The VRF name. |
Version History
Introduced in Cumulus Linux 5.4.0 (beta)
Example
cumulus@switch:~$ nv set system aaa tacacs vrf mgmt