Nexus, command authorization using TACACS.

Answered Question
Nov 6th, 2011

Hello.

Can someone provide a sample configuration to use Cisco Secure ACS 4.2 to enable command authorization using TACACS?

Thanks.

Regards.

Andrea

Correct Answer by robdowson, Mon, 11/14/2011 - 02:10

Hi Andrea,

We've moved on to ACS 5.3 now, but we had our Nexus 5520s running against our old ACS 4.2 before that, so I've picked out the relevant bits of the config below:

username admin password <local-password> role network-admin ; local admin user (placeholder value)

feature tacacs+ ; enable the tacacs feature

tacacs-server host <acs-ip> key <shared-key> ; define the tacacs server and its key (placeholder values)
aaa group server tacacs+ tacacs ; create group called 'tacacs'
    server <acs-ip> ; define tacacs server IP (same placeholder as above)
    use-vrf management ; tell it to use the default 'management' vrf to send the tacacs requests
    source-interface mgmt0 ; ...and send them from the mgmt interface

aaa authentication login default group tacacs ; use tacacs for login auth
aaa authentication login console group tacacs ; use tacacs for console login auth
aaa authorization config-commands default group tacacs local ; use tacacs for config command authorization, fall back to local if tacacs is unreachable
aaa authorization commands default group tacacs local ; use tacacs for normal command authorization, fall back to local if tacacs is unreachable
aaa accounting default group tacacs ; send accounting records to tacacs

Hope that works for you!

(That can change a bit when you move to ACS 5.x. We've chosen not to do complex command auth (using shell profiles only), so instead you pass back the Nexus role to the 5k and it does the command auth (network-admin vs network-operator) based on that, so you just don't configure aaa command authorization on the 5k.)

Rob...


andrea.meconi@c... Tue, 11/15/2011 - 02:28

Thanks Rob.

We are receiving this authorization error:

    Error: AAA authorization failed AAA_AUTHOR_STATUS_METHOD=16(0x10)

Is there some special setting on ACS?

Regards.

Andrea

robdowson Tue, 11/15/2011 - 03:43

Hi Andrea,

Hmm, odd. Not sure then. I don't believe we did anything special in our ACS to allow this to work. It was just as simple as adding the network devices and putting them in a group. But our old ACS was very simple, essentially just one big admin group which assigned everyone full level 15 access to every device, so it may be worth looking at your groups and permissions etc.

Sorry I can't be any more help!

Thanks,

Rob...

akis.costa Thu, 03/29/2012 - 15:28

Can you please let me know what you did to fix your problem? I'm using the exact config and have the same issue. I will really appreciate it if you let me know what you did.

Thanks

andrea.meconi@c... Fri, 03/30/2012 - 00:46

Hello.

Using Cisco Secure ACS 4.2, we define a command set and associate it with the group.

Hope this helps.

Regards.

Andrea
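To make the thread's two points concrete (the aaa authorization commands lines above hand every command line to the TACACS+ server, and the fix was a command set bound to the ACS group), here is an added Python model of how such a server decides PASS or FAIL for a request. It is example code written for this page, not ACS or NX-OS code; the rule semantics (ordered per-command rules, first match wins, separate defaults for unlisted commands and unmatched arguments) and the sample commands are assumptions.

```python
# Added example (not ACS or NX-OS code): a toy evaluator for TACACS+ command
# authorization against an ACS 4.2-style shell command authorization set.
# Assumed model: per-command rules are checked in order, first match wins.
import re
from dataclasses import dataclass, field

@dataclass
class CommandSet:
    # cmd -> list of (permit, argument regex), evaluated in order
    rules: dict = field(default_factory=dict)
    permit_unmatched_commands: bool = False  # ACS "Unmatched Commands" setting
    permit_unmatched_args: bool = False      # per-command unmatched-argument default
    def add(self, cmd, permit, arg_regex):
        self.rules.setdefault(cmd, []).append((permit, arg_regex))

def authorize(cmd_set, cmd, cmd_arg):
    """One author request as NX-OS sends it: service=shell, cmd=<first word>,
    cmd-arg=<rest of line>. Returns True for PASS, False for FAIL."""
    if cmd_set is None:           # group has no command set: nothing is permitted
        return False
    if cmd not in cmd_set.rules:
        return cmd_set.permit_unmatched_commands
    for permit, pattern in cmd_set.rules[cmd]:
        if re.fullmatch(pattern, cmd_arg):
            return permit
    return cmd_set.permit_unmatched_args

def split_command_line(line):
    # 'show interface brief' -> ('show', 'interface brief')
    cmd, _, cmd_arg = line.strip().partition(" ")
    return cmd, cmd_arg

def audit(cmd_set, lines):
    """Evaluate a batch of command lines; returns [(line, 'PASS' or 'FAIL'), ...]."""
    return [(line, "PASS" if authorize(cmd_set, *split_command_line(line)) else "FAIL")
            for line in lines]

# Constructed read-only operator set: any show command except running-config.
OPERATOR_SET = CommandSet()
OPERATOR_SET.add("show", False, r"running-config.*")  # listed first so it wins
OPERATOR_SET.add("show", True, r".*")

# Constructed sample of what an operator might type on the Nexus.
SAMPLE_COMMANDS = ["show interface brief", "show running-config",
                   "configure terminal", "show version"]

if __name__ == "__main__":
    for line, verdict in audit(OPERATOR_SET, SAMPLE_COMMANDS):
        print(verdict, line)
    print("without a command set:", audit(None, SAMPLE_COMMANDS))
```

With no command set attached, every request fails, which is the behaviour the thread reports before the command set was added.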

andrea.meconi@c... Tue, 01/29/2013 - 03:25

Hi.

I'll work on this next month.

I believe I can create a command set under Policy Elements and associate it with a group.

Regards.

Andrea

Posted November 6, 2011 at 9:45 AM