Tuesday, April 19, 2011

Nexus - AAA w/ VRFs & VDCs

If you are looking to configure AAA on a Nexus 70XX, and the subnet you will use to reach the ACS server sits in a VRF and/or in a non-default VDC (VDC 2, 3 or 4), you will have to do things a little differently than you might be used to.

First, make sure that the TACACS+ feature is enabled (feature tacacs+) or none of the commands below will be available.

Second, all AAA commands are local to each individual VDC, so you will need to repeat this in every VDC that should authenticate against ACS.

The configuration on the ACS server stays the same, and you can check that a server is reachable through the VRF (and that the key works) from exec mode:

#test aaa server tacacs+ 10.1.1.1 vrf VRF-NAME-HERE jdoe cisco123

Now, onto the fun stuff...

You will need to define your TACACS servers and keys before proceeding to the next part (key 0 means the key is entered in cleartext on the command line):

#tacacs-server host 10.1.1.1 key 0 cisco123

#tacacs-server host 10.1.1.2 key 0 cisco123


This is where it varies slightly from what you might be used to. To reach the servers through a non-default VRF you need to create an "aaa server group" and tell it which VRF and source interface to use:

#aaa group server tacacs+ Tacserver_DMZ
    server 10.1.1.1
    server 10.1.1.2
    use-vrf DMZ_TEST
    source-interface Vlan10

    (You don't need to add the keys here; the group uses the ones from the tacacs-server host commands above. Vlan10 is the SVI that will be used to contact the ACS server, but any routed interface in that VRF, a loopback for example, works too. The source interface must be a member of the VRF named in use-vrf, or the requests will never leave the box. If you reach ACS over mgmt0 instead, the VRF to use is "management".)

Then point the default login method at the group:

#aaa authentication login default group Tacserver_DMZ

    (The console login method is configured separately with aaa authentication login console and stays local unless you change it, so keep a working local admin account in each VDC in case the servers become unreachable.)


If you refer to the ACS servers by hostname rather than IP address, name resolution also has to happen inside the VRF, so add the domain name and name servers under the VRF context as well (not needed when you use IP addresses):

#vrf context DMZ_TEST
  ip domain-name cisco.com
  ip name-server 10.1.1.100 10.1.1.200
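As an added example (not part of the original post), here is a small Python lint that checks a VDC's configuration for the dependencies described above before you paste it in: the feature is enabled, every group member has a tacacs-server host entry, the source interface is a member of the VRF named in use-vrf, servers given by hostname have a name server in that VRF, and the login method references a group that exists. The two sample configurations are constructed; the interface address 10.1.10.1/24 and the hostname acs2.cisco.com used in the tests are made up.

```python
"""Lint an NX-OS VDC configuration for the TACACS+/VRF dependencies above.

Added example, not from the original post. Sample configs are constructed.
"""
import re

# Constructed sample: the working per-VDC config in the order NX-OS needs it
# (feature first; 'vrf member' before 'ip address', because moving an
# interface into a VRF clears its IP configuration).
GOOD_CONFIG = """\
feature tacacs+
vrf context DMZ_TEST
  ip domain-name cisco.com
  ip name-server 10.1.1.100 10.1.1.200
interface Vlan10
  vrf member DMZ_TEST
  ip address 10.1.10.1/24
tacacs-server host 10.1.1.1 key 0 cisco123
tacacs-server host 10.1.1.2 key 0 cisco123
aaa group server tacacs+ Tacserver_DMZ
  server 10.1.1.1
  server 10.1.1.2
  use-vrf DMZ_TEST
  source-interface Vlan10
aaa authentication login default group Tacserver_DMZ
"""

# Constructed sample with three classic mistakes: feature not enabled, a group
# member with no tacacs-server host (so no key), and a source interface that
# is still in the default VRF while the group uses DMZ_TEST.
BAD_CONFIG = """\
vrf context DMZ_TEST
interface Vlan10
  ip address 10.1.10.1/24
tacacs-server host 10.1.1.1 key 0 cisco123
aaa group server tacacs+ Tacserver_DMZ
  server 10.1.1.1
  server 10.1.1.2
  use-vrf DMZ_TEST
  source-interface Vlan10
aaa authentication login default group Tacserver_DMZ
"""


def parse_blocks(config):
    """Split NX-OS config into (top-level line, [indented sub-lines]) pairs."""
    blocks = []
    for raw in config.splitlines():
        if not raw.strip() or raw.lstrip().startswith("!"):
            continue
        if raw[0].isspace() and blocks:
            blocks[-1][1].append(raw.strip())
        else:
            blocks.append((raw.strip(), []))
    return blocks


def audit_aaa(config):
    """Return a list of findings; an empty list means the config is consistent."""
    findings = []
    blocks = parse_blocks(config)
    headers = [h for h, _ in blocks]
    if "feature tacacs+" not in headers:
        findings.append("feature tacacs+ not enabled: tacacs-server/aaa group commands will be rejected")

    hosts = set()                   # servers that have a tacacs-server host (and key) entry
    iface_vrf = {}                  # interface name -> VRF it is a member of
    vrf_has_dns = {"default": False}  # VRF name -> has an ip name-server
    for header, kids in blocks:
        if m := re.match(r"tacacs-server host (\S+)", header):
            hosts.add(m.group(1))
        elif m := re.match(r"interface (\S+)", header):
            iface_vrf[m.group(1)] = next((k.split()[2] for k in kids if k.startswith("vrf member ")), "default")
        elif m := re.match(r"vrf context (\S+)", header):
            vrf_has_dns[m.group(1)] = any(k.startswith("ip name-server ") for k in kids)
        elif header.startswith("ip name-server "):
            vrf_has_dns["default"] = True

    groups = set()
    for header, kids in blocks:
        m = re.match(r"aaa group server tacacs\+ (\S+)", header)
        if not m:
            continue
        name = m.group(1)
        groups.add(name)
        vrf = next((k.split()[1] for k in kids if k.startswith("use-vrf ")), "default")
        src = next((k.split()[1] for k in kids if k.startswith("source-interface ")), None)
        for server in (k.split()[1] for k in kids if k.startswith("server ")):
            if server not in hosts:
                findings.append(f"group {name}: server {server} has no tacacs-server host entry (no key)")
            if not re.fullmatch(r"\d{1,3}(\.\d{1,3}){3}", server) and not vrf_has_dns.get(vrf):
                findings.append(f"group {name}: server {server} is a hostname but VRF {vrf} has no ip name-server")
        if src is None:
            findings.append(f"group {name}: no source-interface; requests are sourced from the egress interface")
        elif src not in iface_vrf:
            findings.append(f"group {name}: source-interface {src} is not configured")
        elif iface_vrf[src] != vrf:
            findings.append(f"group {name}: source-interface {src} is in VRF {iface_vrf[src]} but group uses VRF {vrf}")

    for header in headers:
        if m := re.match(r"aaa authentication login default group (.+)", header):
            for ref in m.group(1).split():
                if ref not in groups and ref not in ("local", "none"):
                    findings.append(f"login default references undefined server group {ref}")
    return findings


if __name__ == "__main__":
    for label, cfg in (("good", GOOD_CONFIG), ("bad", BAD_CONFIG)):
        print(label, audit_aaa(cfg) or "OK")
```

Run it against the output of show running-config from each VDC (the parser only relies on NX-OS's indentation of sub-commands), and do the same check in every VDC, since each VDC keeps its own AAA configuration.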




That should get you going in the right direction!