Cisco Support Community
Showing results for 
Search instead for 
Did you mean: 

Welcome to Cisco Support Community. We would love to have your feedback.

For an introduction to the new site, click here. If you'd prefer to explore, try our test area to get started. And see here for current known issues.

Cisco Employee

N7K Authorization with IBM AIX Tacacs+

Hi Experts

Our cust tried to configure AAA between N7K and AIX Tacacs+ server.

Authentication worked well with the server and they added a authorization configuration for controlling user authorization.

However they couldn't get a access user role configured on Tacacs+ server after that they could access role as a vdc-operator.

Could you give me an any idea and guide for this issue?

I paste customer's AAA configuration and AIX Tacacs+ configuration value.

1. N7K AAA configuration

 version 6.2(8a)
aaa authentication login default group Tacacs+ 
aaa authorization ssh-publickey default local 
aaa authorization ssh-certificate default group Tacacs+
aaa authorization config-commands default group Tacacs+
aaa authorization commands default group Tacacs+
aaa authorization config-commands console local 
aaa authorization commands console local 
aaa accounting default local 
aaa user default-role 
aaa authentication login default fallback error local 
aaa authentication login console fallback error local 
no aaa authentication login invalid-username-log 
no aaa authentication login error-enable 
no aaa authentication login mschap enable 
no aaa authentication login mschapv2 enable 
no aaa authentication login chap enable 
no aaa authentication login ascii-authentication 
no radius-server directed-request 
tacacs-server directed-request 

feature tacacs+

no ip tacacs source-interface
tacacs-server test username test password test idle-time 0
tacacs-server host x.x.x.x key 7 "yyyy"
tacacs-server timeout 5
tacacs-server deadtime 0
aaa group server tacacs+ Tacacs+ 
    server x.x.x.x


2. Tacacs+ configuration

accounting file = /NWLOG/tac.log
default authentication = file /etc/passwd

# Enable password setup for everyone:
user = $enable$ {
        login = des KtLDYZ5117aDQ
#       login = des RWczqsztF.lek

key = cisco

# repeat as necessary for each user
user = netadmin {
   default service = permit
   login = file /etc/passwd
   cmd = write  {
        permit .*
   cmd = configure {
       permit .*

user = akula2 {
   default service = permit
   cmd = write { permit terminal }
   cmd = show { permit .* }
   cmd = clear { permit counters
                 permit accounting
                 deny .* }
   cmd = configure { deny .* }
   cmd = debug { deny .* }
   cmd = reload { deny .* }
   service = junos-exec { deny-commands = "edit|configure|set|request|test|restart|shutdown" }