10-12-2017 03:14 PM - edited 02-21-2020 10:36 AM
Hi guys,
I have a Cisco ACS configured with tacacs authentication for all network devices.
The TACACS authentication is working fine for all catalyst switches (authentication and permissions). But for my nexus 9k, the permissions aren’t working!
I can authenticate normally with any user, but when I authenticate users with restricted access that are not allowed to type CONF T or Delete commands for example, the nexus just ignores the rules configured on my ACS and lets the users type any command.
I have this problem only with Nexus 9k!
Does anyone know what is causing this?
Thank you
10-12-2017 06:06 PM
Can you share your ACS TACACS Command Set and Shell Profile that you return to the Nexus for the situation you described?
On the Nexus you need to specify the authorization too:
aaa authentication login default group tacacs-login
aaa authentication login console group tacacs-login
aaa authorization config-commands default group tacacs-login local
aaa authorization commands default group tacacs-login local
aaa accounting default group tacacs-login
10-12-2017 09:28 PM
Hi Arne,
Thank you for your reply.
Here's the config:
tacacs-server key 7 "MYKEY"
ip tacacs source-interface Vlan1
tacacs-server host 10.21.18.10 key 7 "MYKEY"
aaa group server radius radius
aaa group server tacacs+ ACS
server 10.21.18.10
aaa authentication login default group ACS
aaa authentication login console group ACS
aaa accounting default group ACS
aaa authentication login error-enable
aaa authentication login default group ACS
aaa authentication login console group ACS
aaa authorization ssh-publickey default local
aaa authorization ssh-certificate default local
aaa authorization config-commands default local
aaa authorization commands default local
aaa authorization config-commands console local
aaa authorization commands console local
aaa accounting default group ACS
aaa user default-role
aaa authentication login default fallback error local
aaa authentication login console fallback error local
no aaa authentication login invalid-username-log
aaa authentication login error-enable
no aaa authentication login mschap enable
no aaa authentication login mschapv2 enable
no aaa authentication login chap enable
no aaa authentication login ascii-authentication
I don't have access to the ACS right now, I'll post the ACS config later.
Thank you.
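Added example (not part of this thread or of any Cisco tool): a small Python audit that reads NX-OS AAA lines like the ones posted above and flags every list where login authentication goes to a TACACS+ server group but command authorization is still `local`, which is exactly why the ACS command sets are never consulted. The sample config is constructed from the posted lines with the server address replaced by a documentation-range placeholder.

```python
import re

# Constructed sample: the AAA lines as posted in this thread, with the
# TACACS+ server address replaced by a documentation-range placeholder.
POSTED_CONFIG = """\
aaa group server tacacs+ ACS
  server 192.0.2.10
aaa authentication login default group ACS
aaa authentication login console group ACS
aaa authorization config-commands default local
aaa authorization commands default local
aaa authorization config-commands console local
aaa authorization commands console local
aaa accounting default group ACS
"""

# Same lists with command authorization sent to the ACS group first, local as fallback.
CORRECTED_CONFIG = POSTED_CONFIG.replace(" local\n", " group ACS local\n")

LOGIN_RE = re.compile(r"^aaa authentication login (default|console) group (\S+)$")
AUTHZ_RE = re.compile(r"^aaa authorization (config-commands|commands) (default|console) (.+)$")

def audit_nxos_aaa(config: str) -> list:
    """Return one finding per AAA list whose login authentication uses a
    TACACS+ server group but whose command authorization never consults it."""
    login_groups = {}    # list name -> server group used for login
    authz_methods = {}   # (kind, list name) -> authorization method tokens
    for raw in config.splitlines():
        line = raw.strip()
        if m := LOGIN_RE.match(line):
            login_groups[m.group(1)] = m.group(2)
        elif m := AUTHZ_RE.match(line):
            authz_methods[(m.group(1), m.group(2))] = m.group(3).split()
    findings = []
    for (kind, lst), methods in sorted(authz_methods.items()):
        group = login_groups.get(lst)
        if group is None:
            continue  # login not via a server group; nothing to compare against
        used = [methods[i + 1] for i, t in enumerate(methods[:-1]) if t == "group"]
        if group not in used:
            findings.append(
                f"{kind} {lst}: login uses 'group {group}' but authorization is "
                f"'{' '.join(methods)}'; suggest "
                f"'aaa authorization {kind} {lst} group {group} local'")
    return findings

if __name__ == "__main__":
    print("\n".join(audit_nxos_aaa(POSTED_CONFIG)) or "no findings")
```

Run against the posted lines it reports all four authorization lists (commands and config-commands, for both default and console); against the corrected lines it reports nothing.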
10-12-2017 06:08 PM
10-12-2017 09:35 PM
Hi Francesco,
Thank you for your reply.
I don't have this user locally configured on my nexus 9k.
Here's the N9k config:
tacacs-server key 7 "MYKEY"
ip tacacs source-interface Vlan1
tacacs-server host 10.21.18.10 key 7 "MYKEY"
aaa group server radius radius
aaa group server tacacs+ ACS
server 10.21.18.10
aaa authentication login default group ACS
aaa authentication login console group ACS
aaa accounting default group ACS
aaa authentication login error-enable
aaa authentication login default group ACS
aaa authentication login console group ACS
aaa authorization ssh-publickey default local
aaa authorization ssh-certificate default local
aaa authorization config-commands default local
aaa authorization commands default local
aaa authorization config-commands console local
aaa authorization commands console local
aaa accounting default group ACS
aaa user default-role
aaa authentication login default fallback error local
aaa authentication login console fallback error local
no aaa authentication login invalid-username-log
aaa authentication login error-enable
no aaa authentication login mschap enable
no aaa authentication login mschapv2 enable
no aaa authentication login chap enable
no aaa authentication login ascii-authentication
I don't have access to the ACS right now, I'll post the configs and logs later.
Thank you.
10-13-2017 09:45 AM