N7K Authorization with IBM AIX Tacacs+

MOON-SEOK Kim
Cisco Employee

Hi Experts

Our customer tried to configure AAA between an N7K and an AIX Tacacs+ server.

Authentication worked well with the server, and they added an authorization configuration for controlling user authorization.

However, they couldn't get the user role configured on the Tacacs+ server, and after that they could access with the vdc-operator role.

Could you give me any idea or guidance on this issue?

I have pasted the customer's AAA configuration and AIX Tacacs+ configuration values below.

1. N7K AAA configuration

version 6.2(8a)
aaa authentication login default group Tacacs+ 
aaa authorization ssh-publickey default local 
aaa authorization ssh-certificate default group Tacacs+
aaa authorization config-commands default group Tacacs+
aaa authorization commands default group Tacacs+
aaa authorization config-commands console local 
aaa authorization commands console local 
aaa accounting default local 
aaa user default-role 
aaa authentication login default fallback error local 
aaa authentication login console fallback error local 
no aaa authentication login invalid-username-log 
no aaa authentication login error-enable 
no aaa authentication login mschap enable 
no aaa authentication login mschapv2 enable 
no aaa authentication login chap enable 
no aaa authentication login ascii-authentication 
no radius-server directed-request 
tacacs-server directed-request 


feature tacacs+

no ip tacacs source-interface
tacacs-server test username test password test idle-time 0
tacacs-server host x.x.x.x key 7 "yyyy"
tacacs-server timeout 5
tacacs-server deadtime 0
aaa group server tacacs+ Tacacs+ 
    server x.x.x.x

2. Tacacs+ configuration

accounting file = /NWLOG/tac.log
default authentication = file /etc/passwd

# Enable password setup for everyone:
user = $enable$ {
        login = des KtLDYZ5117aDQ
#       login = des RWczqsztF.lek
        }

key = cisco

# repeat as necessary for each user
user = netadmin {
    default service = permit
    login = file /etc/passwd
    cmd = write {
        permit .*
    }
    cmd = configure {
        permit .*
    }
}

user = akula2 {
    default service = permit
    cmd = write { permit terminal }
    cmd = show { permit .* }
    cmd = clear { permit counters
                  permit accounting
                  deny .* }
    cmd = configure { deny .* }
    cmd = debug { deny .* }
    cmd = reload { deny .* }
    service = junos-exec { deny-commands = "edit|configure|set|request|test|restart|shutdown" }
}

Thanks

mokim
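The tac_plus file above defines command authorization but no user block carries a `service = exec` stanza returning the `shell:roles` attribute, and NX-OS applies the `aaa user default-role` role when the TACACS+ server returns no role. As an added example, not part of the post and not tac_plus code, a small Python audit that parses tac_plus-style user blocks and lists the users for which no role would be sent; the sample configuration inside it is constructed.

```python
import re

# Constructed sample tac_plus file (not the customer's): 'netadmin' carries the
# NX-OS role attribute in a 'service = exec' stanza; 'akula2' only defines
# command authorization, so NX-OS applies 'aaa user default-role' to it.
SAMPLE_CONF = """
user = netadmin {
    default service = permit
    service = exec {
        shell:roles = "network-admin vdc-admin"
    }
    cmd = configure { permit .* }
}
user = akula2 {
    default service = permit
    cmd = show { permit .* }
    cmd = clear { permit counters
                  deny .* }
    cmd = configure { deny .* }
}
"""

def _brace_body(text: str, start: int) -> str:
    """Return the text inside the brace-balanced block whose '{' is at start."""
    depth = 0
    for i in range(start, len(text)):
        if text[i] == "{":
            depth += 1
        elif text[i] == "}":
            depth -= 1
            if depth == 0:
                return text[start + 1:i]
    raise ValueError("unbalanced braces in tac_plus configuration")

def user_roles(conf: str) -> dict:
    """shell:roles value each 'user = X {...}' block returns from 'service = exec', or None."""
    roles = {}
    for m in re.finditer(r"^\s*user\s*=\s*(\S+)\s*\{", conf, re.M):
        name, body = m.group(1), _brace_body(conf, m.end() - 1)
        roles[name] = None
        svc = re.search(r"service\s*=\s*exec\s*\{", body)
        if svc:
            attr = re.search(r'shell:roles\s*=\s*"?([^"\n]+?)"?\s*$',
                             _brace_body(body, svc.end() - 1), re.M)
            if attr:
                roles[name] = attr.group(1).strip()
    return roles

def users_without_role(conf: str) -> list:
    """Users that would land in the NX-OS default role (e.g. vdc-operator)."""
    return sorted(u for u, r in user_roles(conf).items() if r is None)
```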
