Hi Experts,
Our customer tried to configure AAA between an N7K and an AIX TACACS+ server.
Authentication worked well with the server, and they added an authorization configuration for controlling user authorization.
However, they couldn't get the user role configured on the TACACS+ server; after that, they could only access the role as vdc-operator.
Could you give me any idea or guidance for this issue?
I have pasted the customer's AAA configuration and the AIX TACACS+ configuration values below.
1. N7K AAA configuration
version 6.2(8a)
aaa authentication login default group Tacacs+
aaa authorization ssh-publickey default local
aaa authorization ssh-certificate default group Tacacs+
aaa authorization config-commands default group Tacacs+
aaa authorization commands default group Tacacs+
aaa authorization config-commands console local
aaa authorization commands console local
aaa accounting default local
aaa user default-role
aaa authentication login default fallback error local
aaa authentication login console fallback error local
no aaa authentication login invalid-username-log
no aaa authentication login error-enable
no aaa authentication login mschap enable
no aaa authentication login mschapv2 enable
no aaa authentication login chap enable
no aaa authentication login ascii-authentication
no radius-server directed-request
tacacs-server directed-request
feature tacacs+
no ip tacacs source-interface
tacacs-server test username test password test idle-time 0
tacacs-server host x.x.x.x key 7 "yyyy"
tacacs-server timeout 5
tacacs-server deadtime 0
aaa group server tacacs+ Tacacs+
    server x.x.x.x
2. TACACS+ configuration (AIX tac_plus)
accounting file = /NWLOG/tac.log
default authentication = file /etc/passwd

# Enable password setup for everyone:
user = $enable$ {
    login = des KtLDYZ5117aDQ
    # login = des RWczqsztF.lek
}

key = cisco

# repeat as necessary for each user
user = netadmin {
    default service = permit
    login = file /etc/passwd
    cmd = write {
        permit .*
    }
    cmd = configure {
        permit .*
    }
}

user = akula2 {
    default service = permit
    cmd = write { permit terminal }
    cmd = show { permit .* }
    cmd = clear { permit counters
                  permit accounting
                  deny .* }
    cmd = configure { deny .* }
    cmd = debug { deny .* }
    cmd = reload { deny .* }
    service = junos-exec { deny-commands = "edit|configure|set|request|test|restart|shutdown" }
}
Thanks
mokim
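Added example (not part of the post and not code from the AIX tac_plus package): a small Python model of how tac_plus evaluates the `cmd = ... { permit/deny }` lists in the configuration above, so the effect of each entry on the commands the N7K sends for authorization can be checked before touching the server. It assumes tac_plus semantics: the first word of the command selects the `cmd` block, the remaining arguments are searched against each regex in order, the first match wins, no match inside a block means deny, and a command with no `cmd` block falls back to `default service`.

```python
import re

# Constructed excerpt of the two user entries posted above (the akula2 block is
# closed with a brace; the original paste is cut off there).
TAC_PLUS_CONFIG = """
user = netadmin {
    default service = permit
    cmd = write { permit .* }
    cmd = configure { permit .* }
}
user = akula2 {
    default service = permit
    cmd = write { permit terminal }
    cmd = show { permit .* }
    cmd = clear { permit counters
                  permit accounting
                  deny .* }
    cmd = configure { deny .* }
    cmd = debug { deny .* }
    cmd = reload { deny .* }
}
"""

USER_RE = re.compile(r"user\s*=\s*(\S+)\s*\{(.*?)\n\}", re.S)   # user block ends with '}' on its own line
CMD_RE = re.compile(r"cmd\s*=\s*(\S+)\s*\{(.*?)\}", re.S)        # cmd block ends at first '}'
RULE_RE = re.compile(r"(permit|deny)\s+(\S+)")                   # one permit/deny regex per rule


def parse_users(text):
    """Return {user: {"default_permit": bool, "cmds": {cmd: [(action, regex), ...]}}}."""
    users = {}
    for name, body in USER_RE.findall(text):
        cmds = {cmd: RULE_RE.findall(rules) for cmd, rules in CMD_RE.findall(body)}
        users[name] = {"default_permit": "default service = permit" in body, "cmds": cmds}
    return users


def authorize(users, user, command):
    """Decide 'permit' or 'deny' for a full command line as tac_plus would."""
    entry = users.get(user)
    if entry is None:                       # unknown user: nothing to authorize against
        return "deny"
    word, _, args = command.strip().partition(" ")
    rules = entry["cmds"].get(word)
    if rules is None:                       # no cmd block: default service decides
        return "permit" if entry["default_permit"] else "deny"
    for action, pattern in rules:           # first matching regex wins
        if re.search(pattern, args):
            return action
    return "deny"                           # implicit deny at the end of a cmd block
```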